diff --git a/.github/ISSUE_TEMPLATE/issue-template.md b/.github/ISSUE_TEMPLATE/issue-template.md new file mode 100644 index 0000000000..f3a4b40547 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/issue-template.md @@ -0,0 +1 @@ +Please describe the issue. \ No newline at end of file diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000000..cc2e81069e --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,32 @@ +# Contributing to the OSCAL Project + +This page is for potential contributors to the OSCAL project. It provides basic information on the OSCAL project, describes the main ways people can make contributions, explains how to report issues with OSCAL, and lists pointers to additional sources of information. + +## Project approach + +The approach we’re taking with OSCAL is agile. We’re adopting the philosophy of implementing the 20% of the functionality that solves 80% of the problem. We’re trying to focus on the core capabilities that are needed to provide the greatest amount of benefit. Because we’re working on a small set of capabilities, that allows us to make very fast progress. We’re building the features that we believe solve the biggest problems, so we’re providing the most value. + +## Contribution options + +The OSCAL project is producing several types of deliverables, including the following: + * *XML schemas* for the OSCAL component models + * *Schematron definitions*, which are basically an extension of the XML schemas that provide more validation capabilities + * *XSL templates* for production of human-readable versions of OSCAL XML content + * *CSS*, so people who are developing catalogs and profiles using XML tools can use CSS for data entry, which offers a much more usable interface + * *Documentation* to define the OSCAL component models, capture the operational model of how to use OSCAL, and explain how you can convert existing content (catalogs, profiles, etc.) into OSCAL formats + +Contributions are welcome in any of these areas. For information on the project's current needs and priorities, see the project's GitHub issue tracker (discussed below). + +## Issue reporting and handling + +All requests for changes and enhancements to OSCAL are initiated through the project's GitHub issue tracker (https://github.com/usnistgov/OSCAL/issues). To initiate a request, please create a new issue. 
The core OSCAL project team regularly reviews the open issues, prioritizes their handling, and updates the issue statuses and comments as needed. + +## Communications mechanisms + +There are two mailing lists for the project: + * *oscal-dev@nist.gov* for communication among parties interested in contributing to the development of OSCAL or exchanging ideas. Subscribe by visiting https://email.nist.gov/mailman/listinfo/oscal-dev. + * *oscal-updates@nist.gov* for low-frequency updates on the status of the OSCAL project. To subscribe, visit https://email.nist.gov/mailman/listinfo/oscal-updates. + +## Setup instructions + +As the OSCAL project matures, instructions will be posted here for how to get the latest OSCAL files from the GitHub repository, set up your environment for OSCAL development/testing, etc. At this time, instructions are limited to README files in the repository that explain what’s on the repository, how the repository is organized, etc. diff --git a/OSCAL-dev.xpr b/OSCAL-dev.xpr index a76aab71cb..b393cc1d28 100644 --- a/OSCAL-dev.xpr +++ b/OSCAL-dev.xpr @@ -1,9 +1,9 @@ - + - + - + key.editor.document.checking.pane @@ -14,11 +14,11 @@ - examples/FedRAMP/FedRAMP-HIGH-edited.xml + examples/mini-testing/10_some-params-profile.xml - Profile: resolve and render (saving HTML) + Profile: resolve and render (show only) @@ -29,11 +29,11 @@ - schema/xml/XSD/oscal-core-interim.xsd + examples/mini-testing/dinosaur-testing.xml - Refresh schema module (run on interim XSD) + Profile: resolve and render (show only) @@ -44,11 +44,11 @@ - schema/xml/XSD/schema-production.xpl + working/lib/XSLT/OSCAL-finalize.xsl - Refresh schema module (run on interim XSD) + ISO 27002 to OSCAL XProc (convert and refine) @@ -59,11 +59,11 @@ - schema/xml/XSD/oscal-profile-interim.xsd + working/ISO-27002/Convert-ISO-epub-to-OSCAL.xsl - Refresh schema module (run on interim XSD) + ISO 27002 to OSCAL XProc (convert and refine) 
@@ -74,11 +74,11 @@ - examples/SP800-53/SP800-53-MODERATE-baseline.xml + working/ISO-27002/ISO-27002-extraction.xpl - Profile: resolve and render (saving HTML) + ISO 27002 to OSCAL XProc (convert and refine) @@ -89,11 +89,11 @@ - examples/SP800-53/SP800-53-LOW-baseline.xml + examples/mini-testing/dinosaur-profile.xml - Profile: resolve and render (saving HTML) + Profile: resolve and render (show only) @@ -104,11 +104,11 @@ - examples/SP800-53/SP800-53-HIGH-baseline.xml + examples/mini-testing/04_exclude1-profile.xml - Profile: resolve and render (saving HTML) + Profile: resolve and render (show only) @@ -119,11 +119,11 @@ - working/FedRAMP/FedRAMP-LOW-working.xml + working/JSON-mapping/docker-ee-opencontrol-oscal.json - Profile: resolve and render (saving HTML) + Run this JSON file through Acquisition @@ -134,11 +134,11 @@ - working/FedRAMP/FedRAMP-HIGH-working.xml + examples/mini-testing/mini-testing-catalog.xml - Profile: resolve and render (saving HTML) + SVG Sketch @@ -149,11 +149,11 @@ - working/FedRAMP/lib/excel-HIGH-extract.xml + examples/mini-testing/dinosaur-catalog.xml - Produce an editable profile from FedRAMP Excel XML export + SVG Sketch @@ -164,11 +164,11 @@ - working/FedRAMP/lib/excel-MODERATE-extract.xml + examples/mini-testing/99includeRAx3-profile.xml - Produce an editable profile from FedRAMP Excel XML export + SVG Sketch @@ -179,11 +179,11 @@ - working/FedRAMP/lib/excel-LOW-extract.xml + examples/mini-testing/99includeACx2-profile.xml - Produce an editable profile from FedRAMP Excel XML export + SVG Sketch @@ -194,11 +194,11 @@ - examples/mini-testing/11_more-params-profile.xml + examples/mini-testing/42_invoke-exceptions-profile.xml - Profile: resolve and render (saving HTML) + SVG Sketch @@ -209,11 +209,11 @@ - examples/mini-testing/30_patched-profile.xml + examples/mini-testing/41_exceptions-profile.xml - Profile: resolve and render (saving HTML) + SVG Sketch 
@@ -224,26 +224,26 @@ - working/SP800-53/rev5/SP800-53rev5-OSCAL.xml + examples/mini-testing/32_invalid-profile.xml - OSCAL simple PDF + SVG Sketch - XSL + XPROC - working/lib/XSLT/profile-resolver.xsl + examples/mini-testing/31_patched-messy-profile.xml - Profile: resolve and render (show only) + SVG Sketch @@ -254,11 +254,11 @@ - examples/mini-testing/99includeACx2-profile.xml + examples/mini-testing/30_patched-profile.xml - Profile: resolve and render (saving HTML) + SVG Sketch @@ -273,7 +273,7 @@ - Profile: resolve and render (saving HTML) + SVG Sketch @@ -284,11 +284,11 @@ - examples/mini-testing/01_identity-profile.xml + examples/mini-testing/11_more-params-profile.xml - Profile: resolve and render (saving HTML) + SVG Sketch @@ -299,11 +299,11 @@ - examples/mini-testing/10_some-params-profile.xml + examples/mini-testing/05_exclude2-profile.xml - Profile: resolve and render (saving HTML) + SVG Sketch @@ -314,11 +314,11 @@ - examples/mini-testing/mini-testing-catalog.xml + examples/mini-testing/03_all-with-enh-profile.xml - Profile: resolve and render (saving HTML) + SVG Sketch @@ -329,11 +329,11 @@ - examples/mini-testing/01a_param-only-profile.xml + examples/mini-testing/02_all-profile.xml - Profile: resolve and render (saving HTML) + SVG Sketch @@ -344,11 +344,11 @@ - examples/mini-testing/42_invoke-exceptions-profile.xml + examples/mini-testing/01a_param-only-profile.xml - Profile: resolve and render (saving HTML) + SVG Sketch @@ -359,11 +359,11 @@ - examples/mini-testing/41_exceptions-profile.xml + examples/mini-testing/01_identity-profile.xml - Profile: resolve and render (saving HTML) + SVG Sketch 
@@ -374,41 +374,41 @@ - examples/mini-testing/32_invalid-profile.xml + working/FedRAMP/FedRAMP-HIGH-working.xml - Profile: resolve and render (saving HTML) + Update profile to new model 20171219 - XPROC + XSL - examples/mini-testing/31_patched-messy-profile.xml + examples/FedRAMP/FedRAMP-MODERATE-crude.xml - Profile: resolve and render (saving HTML) + Resolve profile (debug) - XPROC + XSL - examples/mini-testing/05_exclude2-profile.xml + working/FedRAMP/lib/excel-MODERATE-extract.xml - Profile: resolve and render (saving HTML) + Produce an editable profile from FedRAMP Excel XML export @@ -419,11 +419,11 @@ - examples/mini-testing/04_exclude1-profile.xml + working/JSON-mapping/acquire-JSON.xpl - Profile: resolve and render (saving HTML) + Run sample JSON file through Acquisition @@ -434,11 +434,11 @@ - examples/mini-testing/03_all-with-enh-profile.xml + working/JSON-mapping/enhance.xsl - Profile: resolve and render (saving HTML) + Run sample JSON file through Acquisition @@ -449,11 +449,11 @@ - examples/mini-testing/02_all-profile.xml + working/JSON-mapping/docker-ee-opencontrol-moderate-ato-oscal.json - Profile: resolve and render (saving HTML) + Run this JSON file through Acquisition @@ -464,11 +464,11 @@ - working/FedRAMP/excel-LOW-extract.xml + working/JSON-mapping/param-insert.xsl - Produce an editable profile from FedRAMP Excel XML export + Run sample JSON file through Acquisition @@ -479,11 +479,11 @@ - working/FedRAMP/excel-MODERATE-extract.xml + working/JSON-mapping/index-to-catalog.xsl - Produce an editable profile from FedRAMP Excel XML export + Run sample JSON file through Acquisition 
@@ -494,116 +494,116 @@ - working/FedRAMP/excel-HIGH-extract.xml + examples/FedRAMP/FedRAMP-LOW-crude.xml - Produce an editable profile from FedRAMP Excel XML export + Update profile to new model 20171219 - XPROC + XSL - working/FedRAMP/profile-produce.xpl + examples/FedRAMP/FedRAMP-HIGH-crude.xml - Produce an editable profile from FedRAMP Excel XML export + Update profile to new model 20171219 - XPROC + XSL - working/CSF/produce-and-enhance-framework.xpl + examples/FedRAMP/FedRAMP-HIGH-edited.xml - Produce and enhance CSF framework + Update profile to new model 20171219 - XPROC + XSL - examples/SP800-53/SP800-53-rev4-catalog.xml + working/SP800-53/profile-with-filter.xsl - Profile: resolve and render (saving HTML) + Produce SP800-53 Profile with filter - XPROC + XSL - examples/mini-testing/99includeRAx3-profile.xml + working/SP800-53/rev4/SP800-53-OSCAL-refined.xml - Profile: resolve and render (saving HTML) + Produce SP800-53 Profile with filter - XPROC + XSL - examples/mini-testing/01a_param-only.xml + working/SP800-53/rev4/MODERATE-baseline-profile-oscal.xml - Profile: resolve and render (saving HTML) + Update profile to new model 20171219 - XPROC + XSL - working/lib/XSLT/HTML/oscal-with-nav-display.xsl + schema/xml/XSD/oscal-profile-interim.xsd - OSCAL simple PDF + Refresh schema module (run on interim XSD) - XSL + XPROC - working/lib/XSLT/HTML/oscal-fancy-display.xsl + docs/graphics/diagrams/mini-testing-catalog.svg - OSCAL simple PDF + SVG rasterize (PNG) @@ -614,11 +614,11 @@ - working/CSF/flat-csf.xml + new_examples/SP800-53/SP800-53-rev4-catalog.xml - Produce and enhance CSF framework + Profile: resolve and render (saving HTML) 
@@ -629,26 +629,26 @@ - examples/mini-testing/99includeAC-profile.xml + working/lib/XSLT/HTML/oscal-with-nav-display.xsl - Profile: resolve and render (saving HTML) + OSCAL simple PDF - XPROC + XSL - examples/mini-testing/04_exclude2-profile.xml + new_examples/mini-testing/mini-testing-catalog.xml - Profile: resolve and render (saving HTML) + SVG Sketch @@ -659,56 +659,56 @@ - examples/mini-testing/04_all-except-profile.xml + examples/SP800-53/SP800-53-MODERATE-baseline.xml - Profile: resolve and render (saving HTML) + Update profile to new model 20171219 - XPROC + XSL - examples/patch-profile.xml + examples/SP800-53/SP800-53-LOW-baseline.xml - Profile: resolve and render (saving HTML) + Update profile to new model 20171219 - XPROC + XSL - examples/mini-testing/01_all-with-enh-profile.xml + examples/SP800-53/SP800-53-HIGH-baseline.xml - Profile: resolve and render (saving HTML) + Update profile to new model 20171219 - XPROC + XSL - examples/mini-testing/all-profile.xml + new_examples/mini-testing/99includeRAx3-profile.xml - Profile: resolve and render (saving HTML) + SVG Sketch @@ -719,11 +719,11 @@ - examples/mini-testing/identity-profile.xml + new_examples/mini-testing/20_compound-profile.xml - Profile: resolve and render (saving HTML) + SVG Sketch @@ -734,11 +734,11 @@ - sources/800-53/rev5/sp800-53-controls-indented.xml + examples/mini-testing/20_compound-profile.json - SP800-53 to OSCAL (convert and refine) - rev5 + SVG Sketch @@ -749,41 +749,41 @@ - working/lib/XSLT/OSCAL-simple-fo.xsl + examples/SP800-53/SP800-53-rev4-catalog.xml - OSCAL simple PDF + Profile: resolve and render (saving HTML) - XSL + XPROC - working/lib/XSLT/OSCAL-finalize.xsl + working/JSON-mapping/json-abstract-map.xsl - ISO 27002 to OSCAL XProc (convert and refine) + Run XSLT 3.0 on itself - XPROC + XML - working/SP800-53/SP800-53-extraction.xpl + working/CSF/produce-and-enhance-framework.xpl - SP800-53 to OSCAL (convert and refine) - rev5 + Produce and enhance CSF framework 
@@ -794,11 +794,11 @@ - working/SP800-53/Tuneup-SP800-53-oscal.xsl + working/JSON-mapping/map-refine.xsl - SP800-53 to OSCAL (convert and refine) - rev5 + Run sample JSON file through Acquisition @@ -809,71 +809,71 @@ - working/SP800-53/Convert-SP800-53-to-oscal.xsl + vault/docker-ee-opencontrol-oscal.json - OSCAL simple XSLT (open) + Run this JSON file through Acquisition - XSL + XPROC - working/SP800-53/rev5/SP800-53-OSCAL-fresh.xml + working/JSON-mapping/element-report.xsl - Profile: resolve and render (saving HTML) + Run XSLT 3.0 on itself - XPROC + XML - working/FedRAMP/fedramp-annotated-wrt-MODERATEbaseline.xml + schema/xml/XSD/oscal-core-interim.xsd - Produce profile from linked worksheet + Refresh schema module (run on interim XSD) - XSL + XPROC - working/FedRAMP/fedramp-annotated-wrt-SP800-53catalog.xml + schema/xml/XSD/schema-production.xpl - Produce profile from linked worksheet + Refresh schema module (run on interim XSD) - XSL + XPROC - working/FedRAMP/fedramp-refined-profile.xml + working/FedRAMP/lib/excel-HIGH-extract.xml - Profile: resolve and render (saving HTML) + Produce an editable profile from FedRAMP Excel XML export @@ -884,41 +884,41 @@ - working/FedRAMP/fedramp-edited-miniframework.xml + working/FedRAMP/lib/excel-LOW-extract.xml - Produce profile from linked worksheet + Produce an editable profile from FedRAMP Excel XML export - XSL + XPROC - working/SP800-53/MODERATE-baseline-profile-oscal.xml + working/SP800-53/rev5/SP800-53rev5-OSCAL.xml - Profile: resolve and render (saving HTML) + OSCAL simple PDF - XPROC + XSL - working/SP800-53/testing2-profile.xml + working/FedRAMP/excel-LOW-extract.xml - Profile: resolve and render (saving HTML) + Produce an editable profile from FedRAMP Excel XML export @@ -929,11 +929,11 @@ - working/SP800-53/testing-profile.xml + working/FedRAMP/excel-MODERATE-extract.xml - Profile: resolve and render (saving HTML) + Produce an editable profile from FedRAMP Excel XML export 
@@ -944,11 +944,11 @@ - working/SP800-53/HIGH-baseline-profile-oscal.xml + working/FedRAMP/excel-HIGH-extract.xml - Profile: resolve and render (saving HTML) + Produce an editable profile from FedRAMP Excel XML export @@ -959,11 +959,11 @@ - working/SP800-53/LOW-baseline-profile-oscal.xml + working/FedRAMP/profile-produce.xpl - Profile: resolve and render (saving HTML) + Produce an editable profile from FedRAMP Excel XML export @@ -974,11 +974,11 @@ - working/lib/XSLT/html-finalize.xsl + examples/mini-testing/01a_param-only.xml - ISO 27002 to OSCAL XProc (convert and refine) + Profile: resolve and render (saving HTML) @@ -989,26 +989,26 @@ - working/ISO-27002/ISO-27002-extraction.xpl + working/lib/XSLT/HTML/oscal-fancy-display.xsl - ISO 27002 to OSCAL XProc (convert and refine) + OSCAL simple PDF - XPROC + XSL - working/ISO-27002/Enhance-ISO-27002-oscal.xsl + working/CSF/flat-csf.xml - ISO 27002 to OSCAL XProc (convert and refine) + Produce and enhance CSF framework @@ -1019,11 +1019,11 @@ - working/ISO-27002/ISO-27002-OSCAL-refined-save.xml + examples/mini-testing/99includeAC-profile.xml - ISO 27002 to OSCAL XProc (convert and refine) + Profile: resolve and render (saving HTML) @@ -1034,11 +1034,11 @@ - working/ISO-27002/Convert-ISO-epub-to-OSCAL.xsl + examples/mini-testing/04_exclude2-profile.xml - ISO 27002 to OSCAL XProc (convert and refine) + Profile: resolve and render (saving HTML) @@ -1049,41 +1049,41 @@ - working/lib/util/utility.xq + examples/mini-testing/04_all-except-profile.xml - Run XQuery + Profile: resolve and render (saving HTML) - XQUERY + XPROC - working/lib/XSD/oscal-oscal.xml + examples/patch-profile.xml - OSCAL simple XSLT (open) + Profile: resolve and render (saving HTML) - XSL + XPROC - working/lib/XSL/OSCAL-finalize.xsl + examples/mini-testing/01_all-with-enh-profile.xml - ISO 27002 to OSCAL XProc (convert and refine) + Profile: resolve and render (saving HTML) 
@@ -1094,194 +1094,453 @@ - working/lib/utility.xq + examples/mini-testing/all-profile.xml - Run XQuery + Profile: resolve and render (saving HTML) - XQUERY + XPROC - working/ISO-27002/iso-27002toOSCALmapping.xml + examples/mini-testing/identity-profile.xml - OSCAL simple XSLT (open) + Profile: resolve and render (saving HTML) - XSL + XPROC - working/SP800-53/SP800-53-handmade.xml + sources/800-53/rev5/sp800-53-controls-indented.xml - OSCAL simple XSLT (open) + SP800-53 to OSCAL (convert and refine) - rev5 - XSL + XPROC - working/lib/make-xslt.xq + working/lib/XSLT/OSCAL-simple-fo.xsl - Run XQuery + OSCAL simple PDF - XQUERY + XSL - working/SP800-53/SP800-53-enhanced.xml + working/SP800-53/SP800-53-extraction.xpl - OSCAL simple XSLT (open) + SP800-53 to OSCAL (convert and refine) - rev5 - XSL + XPROC - - - - scenarios - - - - - - - OSCAL simple PDF + + + working/SP800-53/Tuneup-SP800-53-oscal.xsl - - + + + SP800-53 to OSCAL (convert and refine) - rev5 + - - + + + XPROC + - - pdf + + + + working/SP800-53/Convert-SP800-53-to-oscal.xsl - - Apache FOP + + + OSCAL simple XSLT (open) + - - + + + XSL + - - ${pdu}/working/lib/XSLT/OSCAL-simple-fo.xsl + + + + working/SP800-53/rev5/SP800-53-OSCAL-fresh.xml - - ${currentFileURL} + + + Profile: resolve and render (saving HTML) + - - false + + + XPROC + - - true + + + + working/FedRAMP/fedramp-annotated-wrt-MODERATEbaseline.xml - - XSL + + + Produce profile from linked worksheet + - - true + + + XSL + - - true + + + + working/FedRAMP/fedramp-annotated-wrt-SP800-53catalog.xml - - ${cfn}-simple.pdf + + + Produce profile from linked worksheet + - - ${cfn}-simple.pdf + + + XSL + - - false + + + + working/FedRAMP/fedramp-refined-profile.xml - - + + + Profile: resolve and render (saving HTML) + - - false + + + XPROC + - - false + + + + working/FedRAMP/fedramp-edited-miniframework.xml - - false + + + Produce profile from linked worksheet + - - false + + + XSL + - - false + + + + working/SP800-53/MODERATE-baseline-profile-oscal.xml - - 
true + + + Profile: resolve and render (saving HTML) + - - + + + XPROC + - - + + + + working/SP800-53/testing2-profile.xml - - Saxon-EE + + + Profile: resolve and render (saving HTML) + - - + + + XPROC + - - - - + + + + working/SP800-53/testing-profile.xml - - OSCAL simple XSLT (open) + + + Profile: resolve and render (saving HTML) + - - + + + XPROC + - - + + + + working/SP800-53/HIGH-baseline-profile-oscal.xml - - pdf + + + Profile: resolve and render (saving HTML) + - - Apache FOP + + + XPROC + - - + + + + working/SP800-53/LOW-baseline-profile-oscal.xml + + + + Profile: resolve and render (saving HTML) + + + + + XPROC + + + + + + working/lib/XSLT/html-finalize.xsl + + + + ISO 27002 to OSCAL XProc (convert and refine) + + + + + XPROC + + + + + + working/ISO-27002/Enhance-ISO-27002-oscal.xsl + + + + ISO 27002 to OSCAL XProc (convert and refine) + + + + + XPROC + + + + + + working/ISO-27002/ISO-27002-OSCAL-refined-save.xml + + + + ISO 27002 to OSCAL XProc (convert and refine) + + + + + XPROC + + + + + + working/lib/util/utility.xq + + + + Run XQuery + + + + + XQUERY + + + + + + working/lib/XSD/oscal-oscal.xml + + + + OSCAL simple XSLT (open) + + + + + XSL + + + + + + working/lib/XSL/OSCAL-finalize.xsl + + + + ISO 27002 to OSCAL XProc (convert and refine) + + + + + XPROC + + + + + + working/lib/utility.xq + + + + Run XQuery + + + + + XQUERY + + + + + + working/ISO-27002/iso-27002toOSCALmapping.xml + + + + OSCAL simple XSLT (open) + + + + + XSL + + + + + + working/SP800-53/SP800-53-handmade.xml + + + + OSCAL simple XSLT (open) + + + + + XSL + + + + + + working/lib/make-xslt.xq + + + + Run XQuery + + + + + XQUERY + + + + + + working/SP800-53/SP800-53-enhanced.xml + + + + OSCAL simple XSLT (open) + + + + + XSL + + + + + + + scenarios + + + + + + + OSCAL simple PDF + + + + + + + + + pdf + + + Apache FOP + + + - ${pdu}/working/lib/XSLT/HTML/oscal-fancy-display.xsl + ${pdu}/working/lib/XSLT/OSCAL-simple-fo.xsl ${currentFileURL} 
@@ -1290,7 +1549,7 @@ false - false + true XSL @@ -1302,10 +1561,10 @@ true - ${cfn}.html + ${cfn}-simple.pdf - ${cfn}.html + ${cfn}-simple.pdf false @@ -1338,7 +1597,7 @@ - Saxon6.5.5 + Saxon-EE @@ -1349,7 +1608,7 @@ - Produce profile from linked worksheet + OSCAL simple XSLT (open) @@ -1367,7 +1626,7 @@ - ${pdu}/working/FedRAMP/profile-from-linked-worksheet.xsl + ${pdu}/working/lib/XSLT/HTML/oscal-fancy-display.xsl ${currentFileURL} @@ -1385,13 +1644,13 @@ true - false + true - + ${cfn}.html - + ${cfn}.html false @@ -1406,7 +1665,7 @@ false - true + false false @@ -1424,7 +1683,7 @@ - Saxon-PE + Saxon6.5.5 @@ -1435,7 +1694,7 @@ - Run XSLT on OSCAL docs (oscal) + Produce SP800-53 Profile with filter @@ -1453,10 +1712,10 @@ - ${currentFileURL} + ${pdu}/working/SP800-53/profile-with-filter.xsl - ${pdu}/working/doc/schema/oscal-oscal.xml + ${currentFileURL} false @@ -1465,10 +1724,10 @@ false - XML + XSL - false + true false @@ -1489,7 +1748,7 @@ false - true + false true @@ -1504,141 +1763,67 @@ true - + + + + + + value + + + + + + + + + + + ${ask('Baseline impact?', string, 'LOW')} + + + false + + + - Saxon6.5.5 + Saxon-PE - - - - - - source - - - - ${pdu}/vault/ISO/Untitled-43.html - - - - - - - - - - _A_converted - - - - - - true - - - - - _B_enhanced - - - - - - true - - - - - _C_tuned - - - - - - true - - - - - final - - - ${pdu}/working/ISO-27002/ISO-27002-OSCAL-refined.xml - - - true - - - - - _0_input - - - - - - true - - - - - - - - - - - - parameters - - - - - - - - * - - - - - - - + - ISO 27002 to OSCAL XProc (convert and refine) + Produce profile from linked worksheet - + - + - + pdf - + Apache FOP - + - ${pdu}/working/ISO-27002/ISO-27002-extraction.xpl + ${pdu}/working/FedRAMP/profile-from-linked-worksheet.xsl - + ${currentFileURL} false @@ -1647,10 +1832,10 @@ false - XPROC + XSL - false + true false @@ -1683,7 +1868,7 @@ false - false + true 
@@ -1692,168 +1877,39 @@ - Calabash XProc + Saxon-PE - - - - - - - source - - - - ${currentFileURL} - - - - - - - - - - _0_input - - - - - - true - - - - - _A_WORKSHEET - - - - - - true - - - - - _B_PROFILE_SIMPLE - - - - - - true - - - - - _C_PROFILE-ALLOCATED - - - - - - true - - - - - _D_PROFILE-ENHANCED - - - - - - true - - - - - final - - - - - - true - - - - - _C_PROFILE_ALLOCATED - - - - - - true - - - - - _D_PROFILE_ENHANCED - - - - - - true - - - - - - - - - - - - parameters - - - - - - - - * - - - - - - - + + - Produce an editable profile from FedRAMP Excel XML export + Resolve profile (debug) - + - + - + pdf - + Apache FOP - + - ${pdu}/working/FedRAMP/lib/profile-produce.xpl + ${pdu}/working/lib/XSLT/profile-resolver.xsl - + ${currentFileURL} false @@ -1862,10 +1918,10 @@ false - XPROC + XSL - false + true false @@ -1898,7 +1954,7 @@ false - false + true @@ -1907,145 +1963,60 @@ - Calabash XProc + Saxon-PE - - - - - - - source - - - - ${pdu}/working/CSF/flat-csf.xml - - - - - - - - - - _0_input - - - - - - true - - - - - _A_OSCALIZED - - - - - - true - - - - - _B_enhanced - - - - - - true - - - - - _C_csf-enhanced - - - - - - true - - - - - - - - - - - - parameters - - - - - - - - * - - - - - - - + + - Produce and enhance CSF framework + SVG rasterize (PNG) - + - + - + png - + Apache FOP - + - ${pdu}/working/CSF/produce-and-enhance-framework.xpl + ${pdu}/working/lib/XSLT/svg-rasterize-fo.xsl - + ${currentFileURL} false - false + true - XPROC + XSL - false + true - false + true - + ${cfn}.png - + ${cfn}.png false @@ -2060,7 +2031,7 @@ false - true + false false @@ -2069,7 +2040,7 @@ false - false + true 
@@ -2078,135 +2049,39 @@ - Calabash XProc + Saxon-PE - - - - - - - source - - - - ${currentFileURL} - - - - - - - - - - _0_input_profile - - - - - - true - - - - - _A_resolved - - - - - - true - - - - - _B_rendered - - - - - - true - - - - - final - - - pub/${cfn}-rendered.html - - - true - - - - - _0_input - - - - - - true - - - - - - - - - - - - * - - - - - - - - parameters - - - - - - - + + - Profile: resolve and render (saving HTML) + Update profile to new model 20171219 - + - + - + pdf - + Apache FOP - + - ${pdu}/working/lib/XProc/profile-resolve-and-display.xpl + ${pdu}/examples/migrate-profile.xsl - + ${currentFileURL} false @@ -2215,19 +2090,19 @@ false - XPROC + XSL - false + true false - + ${cfn}-newprofile.xml - + ${cfn}-newprofile.xml false @@ -2242,7 +2117,7 @@ false - true + false false @@ -2251,7 +2126,7 @@ false - false + true @@ -2260,124 +2135,182 @@ - Calabash XProc + Saxon-PE - - - - - - - source - - - - ${currentFileURL} - - - - + + + + + + Saxon-PE + + + true + + + true + + + false + + + false + + + false + + + false + + + false + + + + + + + + + true + + + true + + + saxon.recover.with.warning + + + saxon.strip.ws.none + + + 10 + + + false + + + + + + + + + + - - - - - _0_input - - - - - - true - - - - - _A_resolved - - - - - - true - - - - - _B_rendered - - - - - - true - - - - - final - - - - - - true - - - + + Run XSLT 3.0 on itself - - + + - - - - - * - - - - - - - - parameters - - - - - - + + + + + pdf + + + Apache FOP + + + + + + ${currentFileURL} + + + ${currentFileURL} + + + false + + + false + + + XML + + + true + + + false + + + + + + + + false + + + + + + false + + + false + + + true + + + false + + + false + + + true + + + + + + + + + Saxon-PE + + + + + + - Profile: resolve and render (show only) + Run XSLT on OSCAL docs (oscal) - + - + - + pdf - + Apache FOP - + - ${pdu}/working/lib/XProc/profile-resolve-and-display.xpl + ${currentFileURL} - + ${pdu}/working/doc/schema/oscal-oscal.xml false 
@@ -2386,7 +2319,7 @@ false - XPROC + XML false @@ -2410,7 +2343,7 @@ false - false + true true @@ -2422,7 +2355,7 @@ false - false + true @@ -2431,33 +2364,22 @@ - Calabash XProc + Saxon6.5.5 - + - source-xsds - - - - ${pdu}/schema/xml/XSD/oscal-core-interim.xsd - ${pdu}/schema/xml/XSD/oscal-profile-interim.xsd - - - - - - source-xsd + source - ${currentFileURL} + ${pdu}/vault/ISO/Untitled-43.html @@ -2467,18 +2389,7 @@ - _0_input - - - - - - true - - - - - _OSCAL_docs + _A_converted @@ -2489,7 +2400,7 @@ - _XSD_input + _B_enhanced @@ -2500,7 +2411,7 @@ - documented-xsd + _C_tuned @@ -2511,10 +2422,10 @@ - html-docs + final - + ${pdu}/working/ISO-27002/ISO-27002-OSCAL-refined.xml true @@ -2522,7 +2433,7 @@ - markdown-docs + _0_input @@ -2534,19 +2445,7 @@ - - - - - - - oscal-doc-file - - - - - - + @@ -2572,7 +2471,7 @@ - Refresh schema module (run on interim XSD) + ISO 27002 to OSCAL XProc (convert and refine) @@ -2590,7 +2489,7 @@ - ${pdu}/schema/xml/XSD/schema-production.xpl + ${pdu}/working/ISO-27002/ISO-27002-extraction.xpl @@ -2662,7 +2561,7 @@ - ${pdu}/sources/800-53/rev5/sp800-53-controls.xml + ${currentFileURL} @@ -2672,7 +2571,7 @@ - _A_converted + _0_input @@ -2683,7 +2582,7 @@ - _B_enhanced + _A_WORKSHEET @@ -2694,7 +2593,29 @@ - _C_tuned + _B_PROFILE_SIMPLE + + + + + + true + + + + + _C_PROFILE-ALLOCATED + + + + + + true + + + + + _D_PROFILE-ENHANCED @@ -2708,7 +2629,7 @@ final - ${pdu}/working/SP800-53/rev5/SP800-53rev5-OSCAL.xml + true @@ -2716,7 +2637,18 @@ - _0_input + _C_PROFILE_ALLOCATED + + + + + + true + + + + + _D_PROFILE_ENHANCED @@ -2754,7 +2686,7 @@ - SP800-53 to OSCAL (convert and refine) - rev5 + Produce an editable profile from FedRAMP Excel XML export @@ -2772,7 +2704,7 @@ - ${pdu}/working/SP800-53/SP800-53-extraction.xpl + ${pdu}/working/FedRAMP/lib/profile-produce.xpl 
@@ -2835,33 +2767,118 @@ - + + + + + + source + + + + ${pdu}/working/CSF/flat-csf.xml + + + + + + + + + + _0_input + + + + + + true + + + + + _A_OSCALIZED + + + + + + true + + + + + _B_enhanced + + + + + + true + + + + + _C_csf-enhanced + + + + + + true + + + + + + + + + + + + parameters + + + + + + + + * + + + + + + + - Run XQuery + Produce and enhance CSF framework - + - + - pdf + - Apache FOP + - + - ${currentFileURL} + ${pdu}/working/CSF/produce-and-enhance-framework.xpl - + false @@ -2870,10 +2887,10 @@ false - XQUERY + XPROC - true + false false 
@@ -2884,61 +2901,1898 @@ - - false + + false + + + + + + false + + + false + + + true + + + false + + + false + + + false + + + + + + + + + Calabash XProc + + + + + + + + + + + source + + + + ${currentFileURL} + + + + + + + + + + _0_input_profile + + + + + + true + + + + + _A_resolved + + + + + + true + + + + + _B_rendered + + + + + + true + + + + + final + + + pub/${cfn}-rendered.html + + + true + + + + + _0_input + + + + + + true + + + + + + + + + + + + * + + + + + + + + parameters + + + + + + + + + + + + Profile: resolve and render (saving HTML) + + + + + + + + + + + + + + + + + + ${pdu}/working/lib/XProc/profile-resolve-and-display.xpl + + + + + + false + + + false + + + XPROC + + + false + + + false + + + + + + + + + false + + + + + + false + + + false + + + true + + + false + + + false + + + false + + + + + + + + + Calabash XProc + + + + + + + + + + + source + + + + ${currentFileURL} + + + + + + + + + + _0_input + + + + + + true + + + + + _A_resolved + + + + + + true + + + + + _B_rendered + + + + + + true + + + + + final + + + + + + true + + + + + + + + + + + + * + + + + + + + + parameters + + + + + + + + + + + + Profile: resolve and render (show only) + + + + + + + + + + + + + + + + + + ${pdu}/working/lib/XProc/profile-resolve-and-display.xpl + + + + + + false + + + false + + + XPROC + + + false + + + false + + + + + + + + + false + + + + + + false + + + false + + + true + + + false + + + false + + + false + + + + + + + + + Calabash XProc + + + + + + + + + + + source-xsds + + + + ${pdu}/schema/xml/XSD/oscal-core-interim.xsd + ${pdu}/schema/xml/XSD/oscal-profile-interim.xsd + + + + + + source-xsd + + + + ${currentFileURL} + + + + + + + + + + _0_input + + + + + + true + + + + + _OSCAL_docs + + + + + + true + + + + + _XSD_input + + + + + + true + + + + + documented-xsd + + + + + + true + + + + + html-docs + + + + + + true + + + + + markdown-docs + + + + + + true + + + + + + + + + + + + oscal-doc-file + + + + + + + + + + + + parameters + + + + + + + + * + + + + 
+ + + + + + + + Refresh schema module (run on interim XSD) + + + + + + + + + + + + + + + + + + ${pdu}/schema/xml/XSD/schema-production.xpl + + + + + + false + + + false + + + XPROC + + + false + + + false + + + + + + + + + false + + + + + + false + + + false + + + true + + + false + + + false + + + false + + + + + + + + + Calabash XProc + + + + + + + + + + + + + + _0_input + + + + + + true + + + + + _100_exposed + + + + + + true + + + + + _200_mapped + + + + + + true + + + + + final + + + + + + true + + + + + _300_refined + + + + + + true + + + + + _400_enhanced + + + + + + true + + + + + _500_analyzed + + + + + + true + + + + + + + + + + + + json-file + + + file:/home/wendell/Documents/OSCAL/vault/docker-ee-opencontrol-oscal.json + + + + + + + + + parameters + + + + + + + + * + + + + + + + + + + + + Run sample JSON file through Acquisition + + + + + + + + + + + + + + + + + + ${pdu}/working/JSON-mapping/acquire-JSON.xpl + + + + + + false + + + false + + + XPROC + + + false + + + false + + + + + + + + + false + + + + + + false + + + false + + + true + + + false + + + false + + + false + + + + + + + + + Calabash XProc + + + + + + + + + + + + + + _0_input + + + + + + true + + + + + _100_exposed + + + + + + true + + + + + _200_mapped + + + + + + true + + + + + final + + + + + + true + + + + + _300_refined + + + + + + true + + + + + _400_enhanced + + + + + + true + + + + + _500_analyzed + + + + + + true + + + + + _000_resolved-resource + + + + + + true + + + + + _410_linked + + + + + + true + + + + + _420_amended + + + + + + true + + + + + + + + + + + + json-file + + + ${currentFileURL} + + + + + + + + resource-file + + + file:/home/wendell/Documents/OSCAL/examples/SP800-53/SP800-53-rev4-catalog.xml + + + + + + + + + parameters + + + + + + + + * + + + + + + + + + + + + Run this JSON file through Acquisition + + + + + + + + + + + + + + + + + + ${pdu}/working/JSON-mapping/acquire-JSON.xpl + + + + + + false + + + false + + + XPROC + + + false + + + false + + + + + + + + + 
false + + + + + + false + + + false + + + true + + + false + + + false + + + false + + + + + + + + + Calabash XProc + + + + + + + + + + + source + + + + ${pdu}/sources/800-53/rev5/sp800-53-controls.xml + + + + + + + + + + _A_converted + + + + + + true + + + + + _B_enhanced + + + + + + true + + + + + _C_tuned + + + + + + true + + + + + final + + + ${pdu}/working/SP800-53/rev5/SP800-53rev5-OSCAL.xml + + + true + + + + + _0_input + + + + + + true + + + + + + + + + + + + parameters + + + + + + + + * + + + + + + + + + + + + SP800-53 to OSCAL (convert and refine) - rev5 + + + + + + + + + + + + + + + + + + ${pdu}/working/SP800-53/SP800-53-extraction.xpl + + + + + + false + + + false + + + XPROC + + + false + + + false + + + + + + + + + false + + + + + + false + + + false + + + true + + + false + + + false + + + false + + + + + + + + + Calabash XProc + + + + + + + + + + + source + + + + ${currentFileURL} + + + + + + + + + + result + + + ${pdu}/docs/graphics/diagrams/${cfn}.svg + + + true + + + + + mapped + + + + + + true + + + + + + + + + + + + * + + + + + + + + parameters + + + + + + + + + + + + SVG Sketch + + + + + + + + + + + + + + + + + + ${pdu}/working/lib/sketch/docsketch-svg.xpl + + + + + + false + + + false + + + XPROC + + + false + + + false + + + + + + + + + false + + + + + + false + + + false + + + true + + + false + + + false + + + false + + + + + + + + + Calabash XProc + + + + + + + + + + + Run XQuery + + + + + + + + + pdf + + + Apache FOP + + + + + + ${currentFileURL} + + + + + + false + + + false + + + XQUERY + + + true + + + false + + + + + + + + + false + + + + + + false + + + false + + + true + + + false + + + false + + + true + + + + + + + + + Saxon-PE XQuery + + + + + + + + + validate.max.errors.number + 500 + + + validation.scenario.associations + + + + working/ISO-27002/ISO-27002-OSCAL-refined.xml + + + + OSCAL core RNC (standalone) + OSCAL against its declarations + + + + + Validation_scenario + Validation_scenario + + + + + + 
examples/mini-testing/dinosaur-testing.xml + + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/10_some-params-profile.xml + + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/dinosaur-profile.xml + + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/mini-testing-catalog.xml + + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/dinosaur-catalog.xml + + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/99includeRAx3-profile.xml + + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/99includeACx2-profile.xml + + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/42_invoke-exceptions-profile.xml + + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/41_exceptions-profile.xml + + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL 
profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/32_invalid-profile.xml + + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/30_patched-profile.xml + + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/20_compound-profile.xml + + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/11_more-params-profile.xml + + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/05_exclude2-profile.xml + + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/04_exclude1-profile.xml + + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/03_all-with-enh-profile.xml + + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/02_all-profile.xml - - + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + - - false + + + Validation_scenario + Validation_scenario + Validation_scenario + - - false + + + + 
examples/mini-testing/01a_param-only-profile.xml - - true + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + - - false + + + Validation_scenario + Validation_scenario + Validation_scenario + - - false + + + + examples/mini-testing/01_identity-profile.xml - - true + + + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) + - - + + + Validation_scenario + Validation_scenario + Validation_scenario + - - + + + + working/FedRAMP/FedRAMP-LOW-working.xml - - Saxon-PE XQuery + + + OSCAL profile (XSD) + OSCAL profile links (standalone) + OSCAL profile against its source(s) + - - + + + Validation_scenario + Validation_scenario + Validation_scenario + - - - - - validate.max.errors.number - 500 - - - validation.scenario.associations - + - examples/FedRAMP/FedRAMP-MODERATE-working.xml + working/FedRAMP/FedRAMP-LOW-working-newprofile.xml OSCAL profile (XSD) - OSCAL profile links (standalone) OSCAL profile against its source(s) + OSCAL profile links (standalone) @@ -2951,7 +4805,7 @@ - examples/FedRAMP/FedRAMP-LOW-working.xml + working/FedRAMP/FedRAMP-HIGH-working.xml @@ -2989,13 +4843,32 @@ - working/FedRAMP/FedRAMP-LOW-working.xml + working/FedRAMP/FedRAMP-MODERATE-working-newprofile.xml OSCAL profile (XSD) + OSCAL profile against its source(s) OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + examples/mini-testing/31_patched-messy-profile.xml + + + + OSCAL profile (XSD) OSCAL profile against its source(s) + OSCAL profile links (standalone) 
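Review bot: Two of the input URLs added in the `@@ -2884,61 +2901,1898 @@` hunk are absolute paths into a personal home directory, `file:/home/wendell/Documents/OSCAL/vault/docker-ee-opencontrol-oscal.json` and `file:/home/wendell/Documents/OSCAL/examples/SP800-53/SP800-53-rev4-catalog.xml`, whereas every other scenario in the hunk resolves its inputs through `${pdu}`; those two scenarios fail on any other checkout, and the path also records a contributor's account name in a public project file. The second one appears to be the repository copy and could be written as `${pdu}/examples/SP800-53/SP800-53-rev4-catalog.xml`; the first needs either a committed sample or a `${pdu}`-relative placeholder. In the same hunk, the new validation associations for `examples/mini-testing/mini-testing-catalog.xml` and `examples/mini-testing/dinosaur-catalog.xml` list the three profile scenarios (`OSCAL profile (XSD)`, `OSCAL profile against its source(s)`, `OSCAL profile links (standalone)`), while the association removed for `mini-testing-catalog.xml` later in this file used the catalog scenarios (`OSCAL against XSD`, `OSCAL links`, `OSCAL strict`, `OSCAL core RNC (standalone)`); this looks like a catalog/profile mix-up and is worth confirming, since validating a catalog against the profile schema would report spurious errors.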
@@ -3008,13 +4881,32 @@ - working/FedRAMP/FedRAMP-HIGH-working.xml + working/SP800-53/rev4/SP800-53-MODERATE-baseline.xml OSCAL profile (XSD) + OSCAL profile against its source(s) OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + Validation_scenario + + + + + + working/SP800-53/rev4/SP800-53-LOW-baseline.xml + + + + OSCAL profile (XSD) OSCAL profile against its source(s) + OSCAL profile links (standalone) @@ -3027,56 +4919,64 @@ - working/SP800-53/rev5/SP800-53rev5-OSCAL.xml + working/SP800-53/rev4/SP800-53-HIGH-baseline.xml - OSCAL core RNC (standalone) + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) Validation_scenario + Validation_scenario + Validation_scenario - working/SP800-53/rev4/SP800-53-OSCAL-refined.xml + working/SP800-53/rev4/MODERATE-baseline-profile-oscal.xml - OSCAL core RNC (standalone) - OSCAL against its declarations + OSCAL profile (XSD) + OSCAL profile links (standalone) + OSCAL profile against its source(s) Validation_scenario Validation_scenario + Validation_scenario - docs/schema/oscal-oscal.xml + working/SP800-53/rev4/MODERATE-baseline-profile-oscal-newprofile.xml - OSCAL core RNC (standalone) - OSCAL against its declarations + OSCAL profile (XSD) + OSCAL profile against its source(s) + OSCAL profile links (standalone) Validation_scenario Validation_scenario + Validation_scenario - working/ISO-27002/ISO-27002-OSCAL-refined.xml + working/SP800-53/rev4/SP800-53-OSCAL-refined.xml @@ -3093,12 +4993,12 @@ - working/COBIT5/cobit5-selection-oscal.xml + new_examples/mini-testing/working-testing.xml - OSCAL core RNC (standalone) - OSCAL against its declarations + OSCAL profile links (standalone) + OSCAL profile against its source(s) @@ -3110,16 +5010,18 @@ - examples/SP800-53/SP800-53-oscal-declarations.xml + docs/schema/oscal-oscal.xml OSCAL core RNC (standalone) + OSCAL against its declarations Validation_scenario + Validation_scenario 
@@ -3140,14 +5042,13 @@ - examples/mini-testing/mini-testing-catalog.xml + examples/FedRAMP/FedRAMP-MODERATE-working.xml - OSCAL against XSD - OSCAL links - OSCAL strict - OSCAL core RNC (standalone) + OSCAL profile (XSD) + OSCAL profile links (standalone) + OSCAL profile against its source(s) @@ -3155,13 +5056,12 @@ Validation_scenario Validation_scenario Validation_scenario - Validation_scenario - working/FedRAMP/profile-HIGH-edited.xml + examples/FedRAMP/FedRAMP-LOW-working.xml @@ -3180,28 +5080,54 @@ - examples/SP800-53/SP800-53-rev4-catalog.xml + working/SP800-53/rev5/SP800-53rev5-OSCAL.xml - OSCAL against its declarations - OSCAL links - OSCAL strict OSCAL core RNC (standalone) Validation_scenario + + + + + + working/COBIT5/cobit5-selection-oscal.xml + + + + OSCAL core RNC (standalone) + OSCAL against its declarations + + + + Validation_scenario Validation_scenario + + + + + + examples/SP800-53/SP800-53-oscal-declarations.xml + + + + OSCAL core RNC (standalone) + + + + Validation_scenario - working/FedRAMP/fedramp-high-edited.xml + working/FedRAMP/profile-HIGH-edited.xml @@ -3220,24 +5146,28 @@ - working/FedRAMP/profile-HIGH-rough.xml + examples/SP800-53/SP800-53-rev4-catalog.xml - OSCAL profile (XSD) - OSCAL profile links (standalone) + OSCAL against its declarations + OSCAL links + OSCAL strict + OSCAL core RNC (standalone) Validation_scenario Validation_scenario + Validation_scenario + Validation_scenario - working/SP800-53/rev4/MODERATE-baseline-profile-oscal.xml + working/FedRAMP/fedramp-high-edited.xml @@ -3254,6 +5184,23 @@ + + + working/FedRAMP/profile-HIGH-rough.xml + + + + OSCAL profile (XSD) + OSCAL profile links (standalone) + + + + + Validation_scenario + Validation_scenario + + + working/FedRAMP/worksheet-HIGH-oscal.xml diff --git a/README.md b/README.md index 401fe2d18c..4a21259ec6 100644 --- a/README.md +++ b/README.md 
@@ -4,8 +4,10 @@ NIST is proposing the development of the Open Security Controls Assessment Langu This repository consists of the following directories pertaining to the OSCAL project: * [docs](docs): Documentation graphics, prose, progress updates, and presentation slides - * [working](working): Development artifacts (e.g., XML, XSLT, CSS, script, Markdown, and sample files, plus supporting files); additional documentation is posted under [working/doc](working/doc): + * [examples](examples): OSCAL examples, including both demo (unit test) and "real world" examples + * [schema](schema): OSCAL schemas and validation tools * [sources](sources): Resources used to produce OSCAL artifacts that are not maintained by the OSCAL project (e.g., a copy of the NIST SP 800-53 control data feed schema) + * [working](working): Development artifacts (e.g., XML, XSLT, CSS, script, Markdown, and sample files, plus supporting files); additional documentation is posted under [working/doc](working/doc): See [docs/prose/OSCAL-Overview.md](docs/prose/OSCAL-Overview.md) for an introduction to OSCAL and [docs/schema/oscal-tag-library.md](docs/schema/oscal-tag-library.md) for detailed information on the OSCAL data models and XML schema compositions. diff --git a/USERS.md b/USERS.md new file mode 100644 index 0000000000..ac7e93a81d --- /dev/null +++ b/USERS.md 
@@ -0,0 +1,9 @@ +# Documentation for users of OSCAL tools and content + +The following types of users are most likely to benefit from consuming OSCAL tools and content when they are available: + * *Operations personnel*, who will be able to rapidly verify that systems comply with organizational security requirements + * *Security and privacy personnel*, who will be able to automatically identify problems and address them quickly before loss or damage occur; for example, a profile could be used to identify incorrect parameter values that are weakening security + * *Auditors/assessors*, who will be able to perform audits/assessments on demand with minimal effort + * *Policy personnel*, who will be able to better identify systemic problems that necessitate changes to organization security policy + +At this time, we do not have information available on using OSCAL tools and content because the initial components of OSCAL are still under development and are not yet ready for operational use. As OSCAL development continues, we will add pointers here to examples of OSCAL content so you can get an idea for what operational OSCAL content will look like. diff --git a/docs/graphics/diagrams/01_identity-profile.svg b/docs/graphics/diagrams/01_identity-profile.svg new file mode 100644 index 0000000000..e5f05c02f6 --- /dev/null +++ b/docs/graphics/diagrams/01_identity-profile.svg @@ -0,0 +1,41 @@ + + + + profile + + Identity profile (an entire catalog, implicitly) + + import mini-testing-catalog.xml + + diff --git a/docs/graphics/diagrams/01a_param-only-profile.svg b/docs/graphics/diagrams/01a_param-only-profile.svg new file mode 100644 index 0000000000..12e9c63cb1 --- /dev/null +++ b/docs/graphics/diagrams/01a_param-only-profile.svg @@ -0,0 +1,107 @@ + + + + profile + + Parameter This + + import mini-testing-catalog.xml + + include + + all + + modify + + set-param + + desc + + value + + 
diff --git a/docs/graphics/diagrams/02_all-profile.svg b/docs/graphics/diagrams/02_all-profile.svg new file mode 100644 index 0000000000..9e980889a2 --- /dev/null +++ b/docs/graphics/diagrams/02_all-profile.svg @@ -0,0 +1,63 @@ + + + + profile + + Calling All Controls + + import mini-testing-catalog.xml + + include + + all + + diff --git a/docs/graphics/diagrams/03_all-with-enh-profile.svg b/docs/graphics/diagrams/03_all-with-enh-profile.svg new file mode 100644 index 0000000000..2cecd040d6 --- /dev/null +++ b/docs/graphics/diagrams/03_all-with-enh-profile.svg @@ -0,0 +1,63 @@ + + + + profile + + Once Again, with Feeling + + import mini-testing-catalog.xml + + include + + all + + diff --git a/docs/graphics/diagrams/04_exclude1-profile.svg b/docs/graphics/diagrams/04_exclude1-profile.svg new file mode 100644 index 0000000000..170e82dcde --- /dev/null +++ b/docs/graphics/diagrams/04_exclude1-profile.svg @@ -0,0 +1,96 @@ + + + + profile + + Being Exclusive + + import mini-testing-catalog.xml + + include + + all + + exclude + + call ra.7 + + call ra.9 + + diff --git a/docs/graphics/diagrams/05_exclude2-profile.svg b/docs/graphics/diagrams/05_exclude2-profile.svg new file mode 100644 index 0000000000..946332c8c1 --- /dev/null +++ b/docs/graphics/diagrams/05_exclude2-profile.svg @@ -0,0 +1,107 @@ + + + + profile + + Being More Exclusive + + import mini-testing-catalog.xml + + include + + all + + exclude + + call ra.7 + + call ra.8 + + call ra.9 + + diff --git a/docs/graphics/diagrams/10_some-params-profile.svg b/docs/graphics/diagrams/10_some-params-profile.svg new file mode 100644 index 0000000000..bc4fb808ea --- /dev/null +++ b/docs/graphics/diagrams/10_some-params-profile.svg @@ -0,0 +1,129 @@ + + + + profile + + Some Parameters + + import mini-testing-catalog.xml + + include + + all + + exclude + + call ra.9 + + modify + + set-param + + desc + + value + + 
diff --git a/docs/graphics/diagrams/11_more-params-profile.svg b/docs/graphics/diagrams/11_more-params-profile.svg new file mode 100644 index 0000000000..4a500d8022 --- /dev/null +++ b/docs/graphics/diagrams/11_more-params-profile.svg @@ -0,0 +1,327 @@ + + + + profile + + More Paramters, More + + import mini-testing-catalog.xml + + include + + all + + exclude + + call ac.6.7 + + call ac.6.8 + + call ac.6.9 + + call ra.9 + + modify + + set-param + + desc + + value + + set-param + + desc + + value + + set-param + + desc + + value + + set-param + + desc + + value + + set-param + + desc + + value + + set-param + + desc + + value + + diff --git a/docs/graphics/diagrams/20_compound-profile.png b/docs/graphics/diagrams/20_compound-profile.png new file mode 100644 index 0000000000..3dc2111f05 Binary files /dev/null and b/docs/graphics/diagrams/20_compound-profile.png differ diff --git a/docs/graphics/diagrams/20_compound-profile.svg b/docs/graphics/diagrams/20_compound-profile.svg new file mode 100644 index 0000000000..26f408f4d4 --- /dev/null +++ b/docs/graphics/diagrams/20_compound-profile.svg @@ -0,0 +1,129 @@ + + + + profile + + A Compound Profile + + import mini-testing-catalog.xml + + include + + call ac.5 + + import 99includeRAx3-profile.xml + + merge + + modify + + set-param + + desc + + value + + diff --git a/docs/graphics/diagrams/30_patched-profile.svg b/docs/graphics/diagrams/30_patched-profile.svg new file mode 100644 index 0000000000..26dc3f5c2b --- /dev/null +++ b/docs/graphics/diagrams/30_patched-profile.svg @@ -0,0 +1,191 @@ + + + + profile + + Patching profile example + + import mini-testing-catalog.xml + + exclude + + call ra.9 + + modify + + set-param + + desc + + value + + alter + + remove + + augment + + part + 27 + prop + + part + 175 + diff --git a/docs/graphics/diagrams/31_patched-messy-profile.svg b/docs/graphics/diagrams/31_patched-messy-profile.svg new file mode 100644 index 0000000000..93cc93fd21 --- /dev/null 
+++ b/docs/graphics/diagrams/31_patched-messy-profile.svg @@ -0,0 +1,265 @@ + + + + profile + + Patching profile example + + import mini-testing-catalog.xml + + exclude + + call ra.9 + + modify + + set-param + + desc + + value + + alter + + remove + + augment + + part + 28 + prop + + part + 642211117292132 + part + 10 + diff --git a/docs/graphics/diagrams/32_invalid-profile.svg b/docs/graphics/diagrams/32_invalid-profile.svg new file mode 100644 index 0000000000..266dbc541a --- /dev/null +++ b/docs/graphics/diagrams/32_invalid-profile.svg @@ -0,0 +1,331 @@ + + + + profile + + Patching profile example + + import mini-testing-catalog.xml + + include + + all + + call ac.5 + + exclude + + call ra.10 + + modify + + set-param + + desc + + value + + set-param + + desc + + value + + alter + + remove + + augment + + part + 28 + prop + + part + 641261117292132 + part + 10 + diff --git a/docs/graphics/diagrams/41_exceptions-profile.svg b/docs/graphics/diagrams/41_exceptions-profile.svg new file mode 100644 index 0000000000..0e9ed7f6bc --- /dev/null +++ b/docs/graphics/diagrams/41_exceptions-profile.svg @@ -0,0 +1,246 @@ + + + + profile + + Exceptions profile example + + import mini-testing-catalog.xml + + include + + call ra.9 + + call ra.9 + + call controlX + + exclude + + call ra.9 + + import mini-testing-catalog.xml + + modify + + set-param + + desc + + value + + alter + + remove + + augment + + part + 27 + prop + + part + 175 + diff --git a/docs/graphics/diagrams/42_invoke-exceptions-profile.svg b/docs/graphics/diagrams/42_invoke-exceptions-profile.svg new file mode 100644 index 0000000000..c4ad972a2e --- /dev/null +++ b/docs/graphics/diagrams/42_invoke-exceptions-profile.svg @@ -0,0 +1,52 @@ + + + + profile + + More exceptions profile example + + import mini-testing-catalog.xml + + import 99includeRAx3-profile.xml + + 
diff --git a/docs/graphics/diagrams/99includeACx2-profile.svg b/docs/graphics/diagrams/99includeACx2-profile.svg new file mode 100644 index 0000000000..f4f052c1c1 --- /dev/null +++ b/docs/graphics/diagrams/99includeACx2-profile.svg @@ -0,0 +1,492 @@ + + + + profile + + Two controls from AC, with parameters on subcontrols + + import mini-testing-catalog.xml + + include + + call ac.5 + + call ac.6 + + call ac.6.1 + + call ac.6.2 + + call ac.6.3 + + call ac.6.4 + + call ac.6.5 + + call ac.6.6 + + call ac.6.7 + + call ac.6.8 + + call ac.6.9 + + call ac.6.10 + + modify + + set-param + + desc + + value + + set-param + + desc + + value + + set-param + + desc + + value + + set-param + + desc + + value + + set-param + + desc + + value + + set-param + + desc + + value + + set-param + + desc + + value + + set-param + + desc + + value + + set-param + + desc + + value + + diff --git a/docs/graphics/diagrams/99includeRAx3-profile.svg b/docs/graphics/diagrams/99includeRAx3-profile.svg new file mode 100644 index 0000000000..d9ca099ef4 --- /dev/null +++ b/docs/graphics/diagrams/99includeRAx3-profile.svg @@ -0,0 +1,162 @@ + + + + profile + + Three RA controls with parameters + + import mini-testing-catalog.xml + + include + + call ra.7 + + call ra.8 + + call ra.9 + + modify + + set-param + + desc + + value + + set-param + + desc + + value + + diff --git a/docs/graphics/diagrams/dinosaur-catalog.svg b/docs/graphics/diagrams/dinosaur-catalog.svg new file mode 100644 index 0000000000..1001e1f54c --- /dev/null +++ b/docs/graphics/diagrams/dinosaur-catalog.svg @@ -0,0 +1,230 @@ + + + + catalog + + Skeleton catalog + + section + + This catalog + 58 + group + + Dinosaurs + + group + + Predators + + control + + control + + subcontrol + + control + + group + + Herbivores + + control + + control + + group + + Proto-avians + + control + + diff --git a/docs/graphics/diagrams/dinosaur-profile.svg b/docs/graphics/diagrams/dinosaur-profile.svg new file mode 100644 index 0000000000..e45456120a 
--- /dev/null +++ b/docs/graphics/diagrams/dinosaur-profile.svg @@ -0,0 +1,74 @@ + + + + profile + + Dinosaur Profile + + import dinosaur-catalog.xml + + include + + call allosaur + + call triceratops + + diff --git a/docs/graphics/diagrams/dinosaur-testing.svg b/docs/graphics/diagrams/dinosaur-testing.svg new file mode 100644 index 0000000000..fbd0136f9d --- /dev/null +++ b/docs/graphics/diagrams/dinosaur-testing.svg @@ -0,0 +1,107 @@ + + + + profile + + A Compound Profile + + import dinosaur-profile.xml + + import dinosaur-catalog.xml + + include + + call triceratops + + call tyrannosaur + + call archeopteryx + + merge + + diff --git a/docs/graphics/diagrams/mini-testing-catalog.png b/docs/graphics/diagrams/mini-testing-catalog.png new file mode 100644 index 0000000000..93ec8f6b92 Binary files /dev/null and b/docs/graphics/diagrams/mini-testing-catalog.png differ diff --git a/docs/graphics/diagrams/mini-testing-catalog.svg b/docs/graphics/diagrams/mini-testing-catalog.svg new file mode 100644 index 0000000000..684cf7a6f9 --- /dev/null +++ b/docs/graphics/diagrams/mini-testing-catalog.svg 
@@ -0,0 +1,2269 @@ + + + + catalog + + MINI TESTING catalog + + section + + This catalog + 155 + group + + FAKE(S) + + control + + EVERYTHING ALL MIXED TOGETHER + + param + + desc + + value + + prop + + part + 69 + part + + prop + 34 + part + + prop + 166 + part + + prop + 431183017104 + part + 53 + part + 142 + part + + prop + + prop + + prop + + group + + ACCESS CONTROL + + control + + SEPARATION OF DUTIES + + param + + desc + + value + + prop + + part + + part + + prop + 10 + part + + prop + 49 + part + + prop + 92 + part + 859 + control + + LEAST PRIVILEGE + + prop + + part + 301 + part + 658 + subcontrol + + AUTHORIZE ACCESS TO SECURITY FUNCTIONS + + param + + desc + + value + + prop + + part + 32 + part + 834 + subcontrol + + NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS + + param + + desc + + value + + prop + + part + 189 + part + 624 + subcontrol + + NETWORK ACCESS TO PRIVILEGED COMMANDS + + param + + desc + + value + + param + + desc + + value + + prop + + part + 166 + part + 157 + subcontrol + + SEPARATE PROCESSING DOMAINS + + prop + + part + 114 + part + 515 + subcontrol + + PRIVILEGED ACCOUNTS + + param + + desc + + value + + prop + + part + 47 + part + 802 + subcontrol + + PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS + + prop + + part + 93 + part + 5 + subcontrol + + REVIEW OF USER PRIVILEGES + + param + + desc + + value + + param + + desc + + value + + prop + + part + + part + + prop + 137 + part + + prop + 136 + part + 526 + subcontrol + + PRIVILEGE LEVELS FOR CODE EXECUTION + + param + + desc + + value + + prop + + part + 133 + part + 499 + subcontrol + + AUDITING USE OF PRIVILEGED FUNCTIONS + + prop + + part + 44 + part + 552 + subcontrol + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS + + prop + + part + 89 + part + 687 + group + + RISK ASSESSMENT + + control + + RISK RESPONSE + + prop + + part + 102 + part + 1093 + references + + ref + + citation + + ref + + citation + + ref + + citation + + ref + + citation + + ref + + 
citation + + control + + PRIVACY IMPACT ASSESSMENTS + + prop + + part + 130 + part + + prop + 185 + part + + prop + 48 + part + + prop + 108 + part + + prop + 419 + part + 1171 + control + + CRITICALITY ANALYSIS + + param + + desc + + value + + param + + desc + + value + + prop + + part + 116 + part + 2448 + diff --git a/docs/prose/Merge-Diagrams-scratch.html b/docs/prose/Merge-Diagrams-scratch.html new file mode 100644 index 0000000000..b57f17cc94 --- /dev/null +++ b/docs/prose/Merge-Diagrams-scratch.html @@ -0,0 +1,112 @@ + + + + OSCAL Profile Invocation Merge Specification (Diagrams) + + + +
+
Example profile +
Invocation A +

Control A1

+

Subcontrol A1.1

+
+
Invocation B +

Control B3

+
+
+
+
+
CQ Controls Catalog +
Group CC +

Control CCA

+

Control CCB

+

Control CCC

+
+
Group QQ +

Control QQA

+

Control QQB

+

Control QQC

+
+
+
+
+
+ KK (CQ) Profile +
+ Invoke CQ controls catalog +

Control CCC

+

Control QQB

+

Control QQA

+
+
+
+
+
Resolution of KK (CQ) Profile +
Invoke CQ controls catalog +
+ Group CC +

Control CCC

+
+
+ Group QQ +

Control QQA

+

Control QQB

+
+
+
+
+
+
+ MM (CQ) Profile +
+ Invoke CQ controls catalog +

Control CCA

+

Control QQC

+

Control QQA

+
+
+
+
+
Resolution of MM (CQ) Profile +
Invoke CQ controls catalog +
+ Group CC +

Control CCA

+
+
+ Group QQ +

Control QQA

+

Control QQC

+
+
+
+
+ + + \ No newline at end of file diff --git a/docs/prose/Merge-Diagrams.html b/docs/prose/Merge-Diagrams.html new file mode 100644 index 0000000000..04af58dbae --- /dev/null +++ b/docs/prose/Merge-Diagrams.html @@ -0,0 +1,1277 @@ + + + + OSCAL Profile Import and Merge Specification (Diagrams) + + + + +
+

Catalog import and control selection

+
+

A profile may have more than one import.

+
+
+ OK Profile +
+ Import Catalog A +
+
+ Import Catalog B +
+
+
+ Resolution +
+ Import Catalog A +

(Results of import)

+
+
+ Import Catalog B +

(Results of import)

+
+
+
+
+

Each import calls a catalog or profile

+

An import is bound to a single catalog or profile, its resource, by URI. + If the resource is an OSCAL profile, it is implicitly resolved (with its own + imports and modification) according to these rules. Because profiles must be + bound to either catalogs or profiles, and because circular references are + inoperable (see below), all profiles resolve eventually to collections of + controls as represented in catalogs (including the empty collection, i.e. no + controls).

+

References to URI targets not identifiable as OSCAL (catalogs, profiles or + document types tbd with resolution rules of their own) must return nothing.

+

Note that the same catalog may appear at multiple leaf positions in the + import tree.

+
+
+ OK Profile +
+ Import Catalog A +
+
+ Import Profile B1 +
+
+
+ B1 Profile +
+ Import Catalog B +
+
+
+ OK Profile Resolution +
+ Import Catalog A +

(Results of import)

+
+
+ Import Profile B1 +
+ Import Catalog B +

(Results of import)

+
+
+
+
+
+ Also OK Profile +
+ Import Catalog A +
+
+ Import Profile A1 +
+
+
+ A1 Profile +
+ Import Catalog A +
+
+ Also OK Profile Resolution +
+ Import Catalog A +

(Results of import)

+
+
+ Import Profile A1 +
+ Import Catalog A +

(Results of import)

+
+
+
+
+
+
+

Circular references are inoperable

+

If an OSCAL profile includes, directly or indirectly, any imports of itself as a + resource, such imports are inoperable. Such circular reference is an error. A + processor may fall back by ignoring circular calls (i.e. imports of resources + that have already been imported higher in the stack).

+
+
+ Perplex Profile +
+ Import Plexper profile +
+
+
+ Plexper Profile +
+ Import Perplex profile +
+
+
+ Resolution of Perplex Profile +
+ Import Plexper profile +
+ Import Perplex profile +
+
+
+
+
+
+

Including controls from a resource (catalog or profile) by ID

+

An import can identify controls (as given in and by the resource) for inclusion + in either of two ways. The first method is by an explicit call using the + ID of the desired control or subcontrol.

+
+
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+
+ AAS Profile (with selection from AA Catalog) +
+ Import AA Catalog +

Control AA.1

+

Control AA.3

+
+
+
+ Resolution of AAS Profile +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.3

+
+
+
+
+
+
+
+

Including all controls from a resource

+

Alternatively, an import can indicate that all controls from the resource + (catalog or upstream profile) should be included.

+
+
+ AAA Profile selecting all controls from AA Catalog +
+ Import AA Catalog +

All

+
+
+
+ Resolution of AAA Profile (selecting all) +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+
+
+
+ AAA Profile, this time expressed using calls +
+ Import CQ Catalog +

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+

A profile that imports all controls from a single catalog, without modification, + would be an identity profile.

+
+
+

No inclusion statement implies include all

+

Note that if no explicit inclusion instruction is given (irrespective of + exclusions), a processor should include all as the fallback:

+
+
+ Implicit inclusion AAA Profile is effectively All +
+ Import AA Catalog +
+
+
+ Resolution of AAA Profile (selecting "all") +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+
+
+
+
+
+

Excluding a control by ID

+

It is more common to use "include/all" with an exclusion rule – or to use + exclusion rules with only an implicit call to "all" (which will be inferred when + no other inclusion is given):

+
+
+ "Almost All" profile of AA +
+ Import AA Catalog +

All

+

Control AA.2

+
+
+ "Almost All" profile of AA (implicit "all") +
+ Import CQ Catalog +

Control AA.2

+
+
+
+ Resolution of (either) "Almost All" Profile of Catalog AA +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.3

+
+
+
+
+

Note that the profile expressed here is the same as the AAS profile + above (except it selects controls by exclusion not inclusion).

+
+
+
+

Exception: a control is included more than once

+

Multiple inclusions of a single control within the same import, result in a + single copy of the control in the resolved profile.

+

An application may produce a warning when this occurs.

+
+
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+
+ AAZ Profile +
+ Import AA Catalog +

Control AA.3

+

Control AA.3

+
+
+
+ Resolution of AAZ Profile +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.3

+
+
+
+
+
+
+
+

Exception: including or excluding a control that is not found in its + catalog

+

An inclusion of a control that is not found in its catalog is inoperable. An + implementation may report a warning when unknown controls are included or + excluded.

+
+
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+
+ AAZ Profile +
+ Import AA Catalog +

Control ZZ.1

+

Control AA.3

+

Control ZZ.0

+
+
+
+ Resolution of AAZ Profile +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.3

+
+
+
+
+
+
+
+

Exception: a control is included more than once, then also excluded

+

A control identified for exclusion is excluded, no matter how many times it is + included.

+

An application may produce a warning when a control is both included (by ID) and + excluded. Ordinarily, exclusions of controls (not subcontrols) should not be + used unless include has all.

+
+
+ AAZ Profile +
+ Import AA Catalog +

Control AA.3

+

Control AA.3

+

Control AA.3

+
+
+
+ Resolution of AAZ Profile +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.3

+
+
+
+
+
+

Along the same lines, multiple exclusions all mean exclude, so more than a + single one is superfluous.

+
+
+
+

Selecting subcontrols

+

Because each subcontrol is dependent on a control and may not appear without it, + there are special features for the selection and exclusion of subcontrols.

+

Note that this dependency is strict and applies to subcontrols and controls as named + within the same import tree. That is, it is not possible for a profile to select + subcontrols without their controls, within a single import. When controls however, + are included, their subcontrols may also be included either by ID or other means as + described.

+
+

Selecting subcontrols by ID

+

Subcontrols are not included by default when their controls are included. + However, like controls they may be included by ID.

+
+ BBB Controls Catalog +
+

Control BBB.1

+

Subcontrol BBB.1a

+

Subcontrol BBB.1b

+

Subcontrol BBB.1c

+

Control BBB.2

+

Control BBB.3

+

Subcontrol BBB.3a

+

Subcontrol BBB.3b

+

Subcontrol BBB.3c

+
+
+
+ Profile of BBB Catalog +
+ Import BBB Catalog +

Control BBB.1

+

Control BBB.3

+

Subcontrol BBB.3b

+
+
+
+ Resolving the BBB Catalog profile +
+ Import BBB Catalog +
+ BBB Controls Catalog +
+

Control BBB.1

+

Control BBB.3

+

Subcontrol BBB.3b

+
+
+
+
+
+

Note that in this example, subcontrols of control BBB.1 are not included, because + none are designated.

+
+
+

Including subcontrols with their controls

+

Alternatively, an instruction with the control can indicate to include (all) its + subcontrols. (Subcontrols not associated with the control will not be + included.)

+
+
+ Profile of BBB Catalog +
+ Import BBB Catalog +

Control BBB.1

+

Control BBB.3

+
+
+
+ Resolving the BBB Catalog profile +
+ Import BBB Catalog +
+ BBB Controls Catalog +
+

Control BBB.1

+

Control BBB.3

+

Subcontrol BBB.3a

+

Subcontrol BBB.3b

+

Subcontrol BBB.3c

+
+
+
+
+
+

Again, subcontrols of control BBB.1 are not included.

+
+
+

Including subcontrols with all controls

+

Additionally, the all inclusion instruction may be configured to include + subcontrols.

+
+
+ Profile of BBB Catalog +
+ Import BBB Catalog +

All

+
+
+
+ Resolution of AAS Profile +
+ Import BBB Catalog +
+ BBB Controls Catalog +
+

Control BBB.1

+

Subcontrol BBB.1a

+

Subcontrol BBB.1b

+

Subcontrol BBB.1c

+

Control BBB.2

+

Control BBB.3

+

Subcontrol BBB.3a

+

Subcontrol BBB.3b

+

Subcontrol BBB.3c

+
+
+
+
+
+
+
+

Excluding subcontrols

+

Subcontrols may also be (explicitly) excluded.

+
+
+ Profile of BBB Catalog +
+ Import BBB Catalog +

All

+

Subcontrol BBB.3a

+
+
+
+ Resolution of BBB Profile +
+ Import BBB Catalog +
+ BBB Controls Catalog +
+

Control BBB.1

+

Subcontrol BBB.1a

+

Subcontrol BBB.1b

+

Subcontrol BBB.1c

+

Control BBB.2

+

Control BBB.3

+

Subcontrol BBB.3b

+

Subcontrol BBB.3c

+
+
+
+
+
+

The same logic applies when subcontrols are included by other means (such as + "Include all controls with subcontrols").

+
+
+

Exception: including or excluding a subcontrol without its control

+

XXX ISSUE - related to below (subcontrols must be imported with controls)

+

If a subcontrol is included, its control will be implicitly included if it is not + explicitly included. Such an implicit inclusion of a control should be taken to + have a @with-subcontrols "no", that is only subcontrols that are + actually called, come with such a control.

+

Was: An instruction to include a subcontrol without its control is inoperable. A + system may produce a warning when this occurs. In the resolved profile, the + included subcontrol will not appear.

+

Similarly, an instruction to exclude a subcontrol, whose control is not included + (by some means, if only by default), is inoperable; such exclusions might be + flagged with warnings – as might exclusions of subcontrols, that would not have + been included in any case (by virtue of settings or defaults).

+
+
+ Profile of BBB Catalog +
+ Import BBB Catalog +

Control BBB.1

+

Subcontrol BBB.3a

+
+
+
+ Resolution of BBB Profile +
+ Import BBB Catalog +
+ BBB Controls Catalog +
+

Control BBB.1

+

Control BBB.3

+

Subcontrol BBB.3a

+
+
+
+
+
+
+
+
+

Merging

+

Merging in OSCAL profile resolution is a simple process of aggregation of + controls from catalogs together in a structure reflecting (a) their original order + in their catalogs, arranged within (b) their order of import.

+

A more comprehensive merger operation to regroup controls (from a resolved profile) + may be offered by applications as a post-process, if and as appropriate to address + requirements.

+
+

A profile with more than one import resolves them separately

+
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+ BB Controls Catalog +
+

Control BB.1

+

Control BB.2

+

Control BB.3

+
+
+ AB Profile (selections from AA and BB) +
+ Import AA Catalog +

Control AA.1

+

Control AA.3

+
+
+ Import BB Catalog +

Control BB.1

+

Control BB.3

+
+
+ Resolution of AB Profile +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.3

+
+
+
+
+ Import BB Catalog +
+ BB Controls Catalog +
+

Control BB.1

+

Control BB.3

+
+
+
+
+
+
+

Recursive profile resolution is reflected in the import hierarchy

+
+ BB Controls Catalog +
+

Control BB.1

+

Control BB.2

+

Control BB.3

+
+
+ B-minus Profile selected from BB catalog +
+ Import BB Catalog +

Control BB.1

+

Control BB.3

+
+
+ A/B-minus Profile +
+ Import AA Catalog +

Control AA.1

+

Control AA.3

+
+
+ Import B-minus Profile +

Control BB.1

+
+
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+ Resolution of A/B-minus Profile +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.3

+
+
+
+
+ Import B-minus Profile +
+ Import BB Catalog +
+ BB Controls Catalog +
+

Control BB.1

+
+
+
+
+
+
+
+

The same catalog can appear at multiple terminals in an import hierarchy

+

There is no error here, nor any reason to consider this condition a problem + unless the multiple imports actually conflict.

+

A post-process or downstream transformation or rendering might opt to collapse, + regroup or rearrange hierachies – or to normalize controls against their + hierarchies thereby rendering the latter implicit.

+
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+ A-minus Profile selected from AA catalog +
+ Import AA Catalog +

Control AA.1

+

Control AA.3

+
+
+ A/A-minus Profile +
+ Import AA Catalog +

Control AA.2

+
+
+ Import A-minus Profile +

Control AA.3

+
+
+ Resolution of A/A-minus Profile +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.2

+
+
+
+
+ Import A-minus Profile +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.3

+
+
+
+
+
+

It is the business of a receiving application to collapse this if and as wanted + (for example, if no further conflicts or issues are detected).

+
+
+

Among controls selected in an import, a catalog's grouping organization is + retained

+

When controls from a catalog are included in resolution, a proxy of the catalog + structure is included, including any group in which selected controls appear. + This permits structured representation of contents of the catalog outside of the + groups containing selected controls.

+

Note that one consequence of this is that certain information from catalogs, + specifically titles and text at the top level and group levels, will be + represented in resolved profiles of those catalogs, but may decay as + their contents (controls) are selected and modified (in the sense that their + semantic relations and representations will be less and less applicable). Good + catalog design will help mitigate this.

+
+
+ CQZ Controls Catalog +
+ Group CC +

Control CCA

+

Control CCB

+

Control CCC

+
+
+ Group QQ +

Control QQA

+

Control QQB

+

Control QQC

+
+
+ Group ZZ +

Control ZZA

+

Control ZZB

+

Control ZZC

+
+
+
+ A profile CQ/Z "slim" +
+ Import CQZ controls catalog +

Control CCA

+

Control CCB

+

Control QQC

+
+
+
+ Resolution of CQ/Z "slim" profile +
+ Import CQZ controls catalog +
+ CQZ Controls Catalog +
+ Group CC +

Control CCA

+

Control CCB

+
+
+ Group QQ +

Control QQC

+
+
+
+
+
+

A warning might be produced for a second direct import of a resource from a + profile – simply because its calls could have been included along with the + others; but it does not produce an error unless multiple inclusions (of any + control or subcontrol) occur across the imports. Even in that case, a processor + should copy the controls in question, while flagging them as contested (see + below).

+
+
+ BTW Controls Catalog +
+ Group Alpha +
+ Alpha_I +

Control A_I_1

+

Control A_I_2

+

Control A_I_3

+
+
+ Alpha_II +

Control A_II_48

+

Control A_II_49

+

Control A_II_50

+
+
+
+ Group Beta +
+ Beta_I +

Control B_I_1

+

Control B_I_2

+

Control B_I_3

+
+
+ Beta_II +

Control B_II_48

+

Control B_II_49

+

Control B_II_50

+
+
+
+
+ A combining profile +
+ Import CQZ Catalog +

Control CCA

+

Control CCB

+

Control QQC

+
+
+ Import BTW Catalog +

Control A_I_1

+

Control A_II_48

+
+
+ Import BTW Catalog +

Control B_I_1

+

Control B_II_50

+

Control A_II_50

+
+
+ Resolution of combining profile +
+ Import CQZ Catalog +
+ CQZ Controls Catalog +
+ Group CC +

Control CCA

+

Control CCB

+
+
+ Group QQ +

Control QQC

+
+
+
+
+ Import BTW Catalog +
+ BTW Controls Catalog +
+ Group Alpha +
+ Alpha_I +

Control A_I_1

+
+
+ Alpha_II +

Control A_II_48

+
+
+
+
+
+ Import BTW Catalog +
+ BTW Controls Catalog +
+ Group Alpha +
+ Alpha_II +

Control A_II_50

+
+
+
+ Group Beta +
+ Beta_I +

Control B_I_1

+
+
+ Beta_II +

Control B_II_50

+
+
+
+
+
+ Better combination +
+ Import CQZ Catalog +

Control CCA

+

Control CCB

+

Control QQC

+
+
+ Import BTW Catalog +

Control A_I_1

+

Control A_II_48

+

Control B_I_1

+

Control B_II_50

+

Control A_II_50

+
+
+
+ Resolution of better combination +
+ Import CQZ Catalog +
+ CQZ Controls Catalog +
+ Group CC +

Control CCA

+

Control CCB

+
+
+ Group QQ +

Control QQC

+
+
+
+
+ Import BTW Catalog +
+ BTW Controls Catalog +
+ Group Alpha +
+ Alpha_I +

Control A_I_1

+
+
+ Alpha_II +

Control A_II_48

+

Control A_II_50

+
+
+
+ Group Beta +
+ Beta_I +

Control B_I_1

+
+
+ Beta_II +

Control B_II_50

+
+
+
+
+
+
+
+
+

Exception: competing calls

+

The first of the examples given shows no conflicts. The second shows control AA.2 + in doubt – competing – because it appears in two import hierarchies. If + either import is marked for modifications the other is not, they will be + (moreover) conflicting.

+

An OSCAL processor may fail to copy one or both, or may copy (and then modify) + both occurrences of a control, while also alerting consuming applications of + apparent or likely conflicts. (In a simple implementation this might be signaled + by an ID collision.)

+
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+ A-2 Profile +
+ Import AA Catalog +

All

+

AA.3

+
+
+ A2A Profile +
+ Import A-2 +

(All AA controls except AA.3)

+
+
+ Import AA Catalog +

Control AA.3

+
+
+ Resolution of A2A Profile +
+ Import A-2 Profile +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+
+
+
+
+
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.3

+
+
+
+
+
+ A2B Profile +
+ Import A-2 +

(All AA controls except AA.3)

+
+
+ Import AA Catalog +

Control AA.2

+
+
+ Resolution of A2B Profile +
+ Import A-2 Profile +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+
+
+
+
+
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.2

+
+
+
+
+

Processors should signal an error. (However, processing does not have to end, if + the processor has means or rules for dealing with the situation.)

+
+
+

Exception: subcontrols must go with controls in the same import

+

XXX ISSUE - we appear to have at least one real-world use case for a subcontrol + reference without a control reference, when a control has already been included + from another resource and only needs to be "amended" with additional + subcontrols. (e.g. in FedRAMP Moderate, when it includes subcontrols additional + to those in its primary resource) we need to revisit this XXX

+

+
Zelda Profile
+ Import AA Catalog +

Control AA.2

+
+ Import AA Catalog +

Control AA.1

+

Subcontrol AA.2

+
+ Resolution of Zelda +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.2

+
+
+
+
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.1

+
+
+
+
+
+
+

Modification

Modification permits further configuration of + profiles in two ways: parameters that are declared in catalogs, may be set (in + either or both values, and descriptions); or controls may be modified directly + (altered). Parameters are a mechanism used in SP800-53 (and possibly + other catalog types) for dynamic assignment of values to settings defined in + catalogs. A profile may (and is often expected to) provide values to parameters + stipulated in controls; additionally the profiling mechanism allows parameter + descriptions to be written over, a feature of particular use when + making profiles that are expected to be further profiled at higher "layers" (which + can then seen the emended or augmented description as well as any nominal default + value).

Parameters are a minimal intervention. Arbitrary modifications of control + and subcontrols contents can also be provided for using a more general-purpose + alterelements.
+

Parameters

+
+

Alterations

+
+ + diff --git a/docs/prose/New-Merge-Diagrams.html b/docs/prose/New-Merge-Diagrams.html new file mode 100644 index 0000000000..a2f9bb1851 --- /dev/null +++ b/docs/prose/New-Merge-Diagrams.html @@ -0,0 +1,1172 @@ + + + + OSCAL Profile Import and NEW (JANUARY) MODEL Merge Specification (Diagrams) + + + + +

Critical for understanding this document: "control identity" is established by formal ID + (@id) values, not against nominal "names", "codes", or "numbers" of controls in their + respective standards. Notations given here are fanciful and for illustration.

+
+

Resource (catalog or profile) import

+
+

A profile may have more than one import.

+
+
+ OK Profile +
+ Import Catalog A +
+
+ Import Catalog B +
+
+
+ Resolution +
+ Results of importing from Catalog A +
+
+ Results of importing from Catalog B +
+
+
+

One alternative would be to reduce even further from the start – complications being + that all the weight then falls on a 'modify/trace' option to expand on import + provenance … still it would simplify still further what appears here – and expose + things such as ID clashes earlier --

+
+

Each import calls a catalog or profile

+

An import is bound to a single catalog or profile, its resource, by URI. + If the resource is an OSCAL profile, it is implicitly resolved (with its own + imports and modification) according to these rules. Because profiles must be + bound to either catalogs or profiles, and because circular references are + inoperable (see below), all profiles resolve eventually to collections of + controls as represented in catalogs (including the empty collection, i.e. no + controls).

+

References to URI targets not identifiable as OSCAL (catalogs, profiles or + document types tbd with resolution rules of their own) must return nothing.

+

Note that the same catalog may appear at multiple leaf positions in the + import tree.

+
+
+ OK Profile +
+ Import Catalog A +
+
+ Import Profile B1 +
+
+
+ B1 Profile +
+ Import Catalog B +
+
+
+ OK Profile Resolution +
+ Import Catalog A +

(Results of import)

+
+
+ Import Profile B1 +
+ Import Catalog B +

(Results of import)

+
+
+
+
+
+ Also OK Profile +
+ Import Catalog A +
+
+ Import Profile A1 +
+
+
+ A1 Profile +
+ Import Catalog A +
+
+ Also OK Profile Resolution +
+ Import Catalog A +

(Results of import)

+
+
+ Import Profile A1 +
+ Import Catalog A +

(Results of import)

+
+
+
+
+
+
+

Circular references are inoperable

+

If an OSCAL profile includes, directly or indirectly, any imports of itself as a + resource, such imports are inoperable. Such circular reference is an error. A + processor may fall back by ignoring circular calls (i.e. imports of resources + that have already been imported higher in the stack).

+
+
+ Perplex Profile +
+ Import Plexper profile +
+
+
+ Plexper Profile +
+ Import Perplex profile +
+
+
+ Resolution of Perplex Profile +
+ Import Plexper profile +
+ Import Perplex profile +
+
+
+
+
+
+

Control and subcontrol selection

+
+
+

Including controls from a resource (catalog or profile) by ID

+

An import can identify controls (as given in and by the resource) for inclusion + in either of two ways. The first method is by an explicit call using the + ID of the desired control or subcontrol.

+
+
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+
+ AAS Profile (with selection from AA Catalog) +
+ Import AA Catalog +

Control AA.1

+

Control AA.3

+
+
+
+ Resolution of AAS Profile +
Control AA.1

Control AA.3

+
+
+
+
+

Including all controls from a resource

+

Alternatively, an import can indicate that all controls from the resource + (catalog or upstream profile) should be included.

+
+
+ AAA Profile selecting all controls from AA Catalog +
+ Import AA Catalog +

All

+
+
+
+ Resolution of AAA Profile (selecting all) +
+
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+
+
+ AAA Profile, this time expressed using calls +
+ Import CQ Catalog +

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+

A profile that imports all controls from a single catalog, without modification, + would be an identity profile.

+
+
+

No inclusion statement implies include all

+

Note that if no explicit inclusion instruction is given (irrespective of + exclusions), a processor should include all as the fallback:

+
+
+ Implicit inclusion AAA Profile is effectively All +
+ Import AA Catalog +
+
+
+ Resolution of AAA Profile (selecting "all") +
Control AA.1

Control AA.2

Control + AA.3

+
+
+
+
+

Excluding a control by ID

+

It is more common to use "include/all" with an exclusion rule – or to use + exclusion rules with only an implicit call to "all" (which will be inferred when + no other inclusion is given):

+
+
+ "Almost All" profile of AA +
+ Import AA Catalog +

All

+

Control AA.2

+
+
+ "Almost All" profile of AA (implicit "all") +
+ Import CQ Catalog +

Control AA.2

+
+
+
+ Resolution of (either) "Almost All" Profile of Catalog AA +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.3

+
+
+
+
+

Note that the profile expressed here is the same as the AAS profile + above (except it selects controls by exclusion not inclusion).

+
+
+
+

Exception: ID clash across imported resources

+

This is a compile-time-detectable error.

+

A modify/normalize/rewriteID step could defend against it, possibly.

+
+
+
+

Exception: a control is included more than once

+

Multiple inclusions of a single control within the same import, result in a + single copy of the control in the resolved profile.

+

An application may produce a warning when this occurs.

+
+
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+
+ AAZ Profile +
+ Import AA Catalog +

Control AA.3

+

Control AA.3

+
+
+
+ Resolution of AAZ Profile +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.3

+
+
+
+
+
+
+
+

Exception: including or excluding a control that is not found in its + catalog

+

An inclusion of a control that is not found in its catalog is inoperable. An + implementation may report a warning when unknown controls are included or + excluded.

+
+
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+
+ AAZ Profile +
+ Import AA Catalog +

Control ZZ.1

+

Control AA.3

+

Control ZZ.0

+
+
+
+ Resolution of AAZ Profile +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.3

+
+
+
+
+
+
+
+

Exception: a control is included, then also excluded

+

A control identified for exclusion is excluded, no matter how many times it is + included.

+

An application may produce a warning when a control is both included (by ID) and + excluded. Ordinarily, exclusions of controls (not subcontrols) should not be + used unless include has all.

+
+
+ AAZ Profile +
+ Import AA Catalog +

Control AA.3

+

Control AA.3

+

Control AA.3

+
+
+
+ Resolution of AAZ Profile +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.3

+
+
+
+
+
+

Along the same lines, multiple exclusions all mean exclude, so more than a + single one is superfluous.

+
+
+
+

Selecting subcontrols

+

Because each subcontrol is dependent on a control and may not appear without it, + there are special features for the selection and exclusion of subcontrols.

+

Note that this dependency is strict and applies to subcontrols and controls as named + within the same import tree. That is, it is not possible for a profile to select + subcontrols without their controls, within a single import. When controls however, + are included, their subcontrols may also be included either by ID or other means as + described.

+
+

Selecting subcontrols by ID

+

Subcontrols are not included by default when their controls are included. + However, like controls they may be included by ID.

+
+ BBB Controls Catalog +
+

Control BBB.1

+

Subcontrol BBB.1a

+

Subcontrol BBB.1b

+

Subcontrol BBB.1c

+

Control BBB.2

+

Control BBB.3

+

Subcontrol BBB.3a

+

Subcontrol BBB.3b

+

Subcontrol BBB.3c

+
+
+
+ Profile of BBB Catalog +
+ Import BBB Catalog +

Control BBB.1

+

Control BBB.3

+

Subcontrol BBB.3b

+
+
+
+ Resolving the BBB Catalog profile +
+ Import BBB Catalog +
+ BBB Controls Catalog +
+

Control BBB.1

+

Control BBB.3

+

Subcontrol BBB.3b

+
+
+
+
+
+

Note that in this example, subcontrols of control BBB.1 are not included, because + none are designated.

+
+
+

Including subcontrols with their controls

+

Alternatively, an instruction with the control can indicate to include (all) its + subcontrols. (Subcontrols not associated with the control will not be + included.)

+
+
+ Profile of BBB Catalog +
+ Import BBB Catalog +

Control BBB.1

+

Control BBB.3

+
+
+
+ Resolving the BBB Catalog profile +
+ Import BBB Catalog +
+ BBB Controls Catalog +
+

Control BBB.1

+

Control BBB.3

+

Subcontrol BBB.3a

+

Subcontrol BBB.3b

+

Subcontrol BBB.3c

+
+
+
+
+
+

Again, subcontrols of control BBB.1 are not included.

+
+
+

Including subcontrols with all controls

+

Additionally, the all inclusion instruction may be configured to include + subcontrols.

+
+
+ Profile of BBB Catalog +
+ Import BBB Catalog +

All

+
+
+
+ Resolution of AAS Profile +
+ Import BBB Catalog +
+ BBB Controls Catalog +
+

Control BBB.1

+

Subcontrol BBB.1a

+

Subcontrol BBB.1b

+

Subcontrol BBB.1c

+

Control BBB.2

+

Control BBB.3

+

Subcontrol BBB.3a

+

Subcontrol BBB.3b

+

Subcontrol BBB.3c

+
+
+
+
+
+
+
+

Excluding subcontrols

+

Subcontrols may also be (explicitly) excluded.

+
+
+ Profile of BBB Catalog +
+ Import BBB Catalog +

All

+

Subcontrol BBB.3a

+
+
+
+ Resolution of BBB Profile +
+ Import BBB Catalog +
+ BBB Controls Catalog +
+

Control BBB.1

+

Subcontrol BBB.1a

+

Subcontrol BBB.1b

+

Subcontrol BBB.1c

+

Control BBB.2

+

Control BBB.3

+

Subcontrol BBB.3b

+

Subcontrol BBB.3c

+
+
+
+
+
+

The same logic applies when subcontrols are included by other means (such as + "Include all controls with subcontrols").

+
+
+

Exception: competing calls

+

The first of the examples given shows no conflicts. The second shows control AA.2 + in doubt – competing – because it appears in two import hierarchies. If + either import is marked for modifications the other is not, they will be + (moreover) conflicting.

+

An OSCAL processor may fail to copy one or both, or may copy (and then modify) + both occurrences of a control, while also alerting consuming applications of + apparent or likely conflicts. (In a simple implementation this might be signaled + by an ID collision.)

+
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+ A-2 Profile +
+ Import AA Catalog +

All

+

AA.3

+
+
+ A2A Profile +
+ Import A-2 +

(All AA controls except AA.3)

+
+
+ Import AA Catalog +

Control AA.3

+
+
+ Resolution of A2A Profile +
+ Import A-2 Profile +
+ Import AA Catalog +
+

Control AA.1

+

Control AA.2

+
+
+
+
+ Import AA Catalog +
+

Control AA.3

+
+
+
+
+ A2B Profile +
+ Import A-2 +

(All AA controls except AA.3)

+
+
+ Import AA Catalog +

Control AA.2

+
+
+ Resolution of A2B Profile +
+ Import A-2 Profile +
+ Import AA Catalog +
+

Control AA.1

+

Control AA.2

+
+
+
+
+ Import AA Catalog +
+

Control AA.2

+
+
+
+

When this happens processors should signal an error with addresses. (However, + processing does not have to end, if the processor has means or rules for dealing + with the situation.)

+
+
+

Exception: including or excluding a subcontrol without its control

+

XXX ISSUE - related to below (subcontrols must be imported with controls)

+

If a subcontrol is included, its control will be implicitly included if it is not + explicitly included. Such an implicit inclusion of a control should be taken to + have a @with-subcontrols "no", that is only subcontrols that are + actually called, come with such a control.

+

XXX See "orphan subcontrols okay" below – when merged with parents from other + branches, their values must be available XXX

+

XXX This will require unit testing! XXX

+

Was: An instruction to include a subcontrol without its control is inoperable. A + system may produce a warning when this occurs. In the resolved profile, the + included subcontrol will not appear.

+

Similarly, an instruction to exclude a subcontrol, whose control is not included + (by some means, if only by default), is inoperable; such exclusions might be + flagged with warnings – as might exclusions of subcontrols, that would not have + been included in any case (by virtue of settings or defaults).

+
+
+ Profile of BBB Catalog +
+ Import BBB Catalog +

Control BBB.1

+

Subcontrol BBB.3a

+
+
+
+ Resolution of BBB Profile +
+ Import BBB Catalog +
+ BBB Controls Catalog +
+

Control BBB.1

+

Control BBB.3

+

Subcontrol BBB.3a

+
+
+
+
+
+
+
+
+

Results of resolution without merge

+

The merge step of resolution is optional; here we describe what a + resolution looks like with no merge (and no modification).

+

Note that modifications may be applied even if there is no merge.

+
+

A profile with more than one import resolves them separately

+
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+ BB Controls Catalog +
+

Control BB.1

+

Control BB.2

+

Control BB.3

+
+
+ AB Profile (selections from AA and BB) +
+ Import AA Catalog +

Control AA.1

+

Control AA.3

+
+
+ Import BB Catalog +

Control BB.1

+

Control BB.3

+
+
+ Resolution of AB Profile +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.3

+
+
+
+
+ Import BB Catalog +
+ BB Controls Catalog +
+

Control BB.1

+

Control BB.3

+
+
+
+
+
+
+

Recursive profile resolution is reflected in the import hierarchy

+
+ BB Controls Catalog +
+

Control BB.1

+

Control BB.2

+

Control BB.3

+
+
+ B-minus Profile selected from BB catalog +
+ Import BB Catalog +

Control BB.1

+

Control BB.3

+
+
+ A/B-minus Profile +
+ Import AA Catalog +

Control AA.1

+

Control AA.3

+
+
+ Import B-minus Profile +

Control BB.1

+
+
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+ Resolution of A/B-minus Profile +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.3

+
+
+
+
+ Import B-minus Profile +
+ Import BB Catalog +
+ BB Controls Catalog +
+

Control BB.1

+
+
+
+
+
+
+
+

The same catalog can appear at multiple terminals in an import hierarchy

+

There is no error here, nor any reason to consider this condition a problem + unless the multiple imports actually conflict.

+

A post-process or downstream transformation or rendering might opt to collapse, + regroup or rearrange hierachies – or to normalize controls against their + hierarchies thereby rendering the latter implicit.

+
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2

+

Control AA.3

+
+
+ A-minus Profile selected from AA catalog +
+ Import AA Catalog +

Control AA.1

+

Control AA.3

+
+
+ A/A-minus Profile +
+ Import AA Catalog +

Control AA.2

+
+
+ Import A-minus Profile +

Control AA.3

+
+
+ Resolution of A/A-minus Profile +
+

Control AA.2

+

Control AA.3

+
+
+

It is the business of a receiving application to collapse this if and as wanted + (for example, if no further conflicts or issues are detected).

+
+
+

Orphan subcontrols are permitted

+

We have at least one real-world use case for a subcontrol reference without a + control reference. This can happen when a profile wishes to reference a + canonical profile (such as, say, SP800-53 MODERATE), with additional subcontrols + declared in a separate (supplemental) import hierarchy.

+

This is not an error because the problem it produces can be mitigated in a merge + stage – so the outputs are not necessarily erroneous.

+
Zelda Profile
+ Import AA Catalog +

Control AA.2

+
+ Import AA Catalog +

Control AA.1

+

Subcontrol AA.2a

+
+ Resolution of Zelda +
+ Import AA Catalog +
+ AA Controls Catalog +
+

Control AA.2

+
+
+
+
+ Import AA Catalog +
+

Control AA.1

+

Control AA.2

+

Subcontrol AA.2a

+
+
+

NB the info for Control AA.2 must come through the first import branch + in case it has been modified along the way

+
+
+
+

Merging

+

Merging in OSCAL profile resolution is a process of (re)aggregation of + controls from catalogs together in a structure reflecting their original order in + their catalogs, rather than their order or arrangement of import.

+

A merge instruction may be enhanced with further specifications tbd. This draft + specification may suggest how a trace option might work; other + functionalities might include support for embedding controls in arbitrary and ad-hoc + structures (for example, to produce frameworks).

+

In its simplest default form, however, merge simply functions to reorganize controls + on the basis of their organizations within canonical "root" catalogs, called by a + fully resolved profile. It does not show a control set simply as such; instead it + maps it (in its organization) into the structure of the catalog(s) of origin.

+
+

Basic merge restores the structure of the resolved resource

+
+ BTW Controls Catalog +
+ Group Alpha +
+ Alpha_I +

Control A_I_1

+

Control A_I_2

+

Control A_I_3

+
+
+ Alpha_II +

Control A_II_48

+

Control A_II_49

+

Control A_II_50

+
+
+
+ Group Beta +
+ Beta_I +

Control B_I_1

+

Control B_I_2

+

Control B_I_3

+
+
+ Beta_II +

Control B_II_48

+

Control B_II_49

+

Control B_II_50

+
+
+
+
+ A combining profile +
+ Import CQZ Catalog +

Control CCA

+

Control CCB

+

Control QQC

+
+
+ Import BTW Catalog +

Control A_I_1

+

Control A_II_48

+
+
+ Import BTW Catalog +

Control B_I_1

+

Control B_II_50

+

Control A_II_50

+
+
+
+ Resolution of combining profile with 'merge' +
+ CQZ Controls Catalog +
+ Group CC +

Control CCA

+

Control CCB

+
+
+ Group QQ +

Control QQA

+

Control QQB

+

Control QQC

+
+
+
+ BTW Controls Catalog +
+ Group Alpha +
+ Alpha_I +

Control A_I_1

+
+
+ Alpha_II +

Control A_II_48

+

Control A_II_50

+
+
+
+ Group Beta +
+ Beta_I +

Control B_I_1

+
+
+ Beta_II +

Control B_II_50

+
+
+
+
+
+
+

Merge accepts an override for the resource referenced for structural resolution + ('root' override)

+

Maybe the controls coming back from the profile come without their structure; + instead, use merge/as to reference a resource in which to "restore" + (embed) the controls; maybe either "as root" (i.e. grouping controls by root + catalog) or "as" (any arbitrary offline or inline structural proxy)

+

NB this could be a method to tie into OSCAL frameworks albeit backwards ...

+
+
+

Merging orphan subcontrols

+

(XXX this is no longer an issue if we don't retain an explicit import + hierarchy)

+

We have at least one real-world use case for a subcontrol reference without a + control reference. This can happen when a profile wishes to reference a + canonical profile (such as, say, SP800-53 MODERATE), with additional subcontrols + declared in a separate (supplemental) import hierarchy.

+

This is not an error because the problem it produces can be mitigated in a merge + stage – so the outputs are not necessarily erroneous.

+
Zelda Profile
+ Import AA Catalog +

Control AA.2

+
+ Import AA Catalog +

Control AA.1

+

Subcontrol AA.2a

+
+ Resolution of Zelda +
+ AA Controls Catalog +
+

Control AA.1

+

Control AA.2 (via first import)

+

Subcontrol AA.2a (via second import)

+
+
+
+

Note that this requires that control AA.2 itself be accepted as modified in/by + the first import (if it imports not a catalog but a profile), while subcontrol + AA.2a is accepted as stipulated (and perhaps modified) via the second + import.

+

(XXX need illustration of this)

+
+
+

Modification

Modification permits further configuration of + profiles in two ways: parameters that are declared in catalogs, may be set (in + either or both values, and descriptions); or controls may be modified directly + (altered). Parameters are a mechanism used in SP800-53 (and possibly + other catalog types) for dynamic assignment of values to settings defined in + catalogs. A profile may (and is often expected to) provide values to parameters + stipulated in controls; additionally the profiling mechanism allows parameter + descriptions to be written over, a feature of particular use when + making profiles that are expected to be further profiled at higher "layers" (which + can then seen the emended or augmented description as well as any nominal default + value).

Parameters are a minimal intervention. Arbitrary modifications of control + and subcontrols contents can also be provided for using a more general-purpose + alterelements.
+

modify/trace option (or modify/normalize/trace)

+

The trace option (modify/trace would permit injection of a "trace" + property (prop element) into controls, subcontrols and parameters, + exposing their provenance (chain of profile imports), useful either separately + from or alongside a merge.

+

Adds property "(sub)control selected by X profile importing from Y catalog"

+

May also add flags where controls have been modified? marking deletions and + augmentations?

+
+

Parameters

+

Parameter setting (overrides) are bound to parameter IDs within their respective + (root) catalogs. Either or both of desc or value may + be overridden at any profile level; the intent is that value is + used to set the expressed (intended) value to be presented to (typically, + inserted into) the document, while desc is only a passive value + visible to any profiles that call this one (but not directly applied).

+

NB for now, parameters always travel with controls, but in principle they could + be anywhere in catalogs … so we have to determine how/whether they are + propagated up a profile calling chain … this might also be implicated in merge + i.e. merge could be a way of assuring parameters remain available even when they + are not associated with included controls.

+
+

Alterations

+
+ +
diff --git a/docs/prose/Profile-Semantics.md b/docs/prose/Profile-Semantics.md
new file mode 100644
index 0000000000..0d18d7b030
--- /dev/null
+++ b/docs/prose/Profile-Semantics.md
@@ -0,0 +1,141 @@
+# OSCAL PROFILING SEMANTICS SPECIFICATION
+
+## REQUIREMENTS for profile resolution / rendering / merge
+
+* Include controls from multiple sources
+* Allow multiple imports from same source (directly or indirectly)
+* Resulting (selected) control set has no duplicates or ambiguity ('duplicate' to be defined)
+* The order and organization of controls in profile resolution must be deterministic, i.e always the same, although not always reversible. The hierarchies either of controls within their original catalogs, or import hierarchies (from profiles calling profiles), need not be represented directly, except as stipulated by requirements to "preserve" as part of "merge" semantics
+* Errors are to be delivered as messages with no other outputs. Internally, an incorrect "provisionally resolved" profile may be produced, and may be made available to processors for diagnostics or other purposes, but a conforming implementation must (by default) deliver only an appropriate message.
+
+In OSCAL, "profiling semantics" refers to the way OSCAL profile instances make reference to catalogs from which their controls are derived. It is an "as if" sketch that describes the *basics* of any OSCAL system that processes profiles especially if and as those profiles integrate with each other and with catalogs (by further reference).
+
+## Implementation
+
+This document describes OSCAL profile semantics as a set of relations and operations between catalogs, controls, and the import or utilization of those controls that constitute OSCAL profiles. These operations are sometimes described here in terms that may imply a particular implementation or implementation strategy; to the extent that occurs, such description is not normative: any implementation that *delivers the same results* as the process described here, is conformant.
In particular, although the process here occurs in three stages, these are conceptual steps: an implementation may work otherwise (as long as the outputs are the same).
+
+We have an implementation of these specifications in XSLT, which serves as a point of reference and testbed for viability. Similarly, validation of (XML OSCAL) against many of the constraints described here can be achieved with Schematron we make available in the public library. In all cases where those tools fail to deliver the results described here, they should be regarded as in error (i.e. this specification takes precedence).
+
+## Terms of art
+
+A **control** is a structured data object. Controls have arbitrary contents, which must be passed through unchanged except where these semantics depict modifications to them. A **subcontrol** is a special kind of control, in a fixed relation to another control (which it "extends"), but like controls in all other respects. While a control may have any number of subcontrols associated (or none), a subcontrol is associated directly (extends) only a single control. In these specifications, controls and subcontrols are together described as *components* (of a catalog or of a profile invoking a catalog). Generally speaking, controls and subcontrols are interchangeable in these specifications (and work the same way in implementation) with the proviso that a subcontrol will never appear in a catalog or profile without its control also appearing.
+
+Controls and subcontrols are addressable within their catalogs by means of unique identifiers. Note in particular that often, catalogs will present controls with a range of controlled values, any number of which may be validated as unique to that control. Only one of these will be the ID in the model. (In XML, the `@id` is used. For interchange with XML systems it is recommended that these values conform to the 'name' production rules, i.e. alphanumerics, no spaces, not beginning with digits.)
+
+A **catalog** is an authoritative, canonical organization of controls and possibly subcontrols. Within a catalog, controls may be collected in **groups**, and groups may be collected into groups. Information described in the catalog as the group level (i.e., associated with the group) may be inherited (implicitly and sometimes explicitly) within controls in that group; to support this, profile resolution as described here sees to it that when controls are invoked (included), the information that comes with them by virtue of group membership, also comes with them.
+
+A **profile** is an OSCAL data object ("document") that cites (by reference) controls while also specifying (declaring) conditions and modifications for those controls. These modifications may take the form of either assignment of values to **parameters** (which can be done independently of the controls that may use the parameters) and/or of specific modifications ("patches") made to components (controls or subcontrols). Usually such modifications will be simply augmentation or supplementation but in general any modification may be possible.
+
+As a document or data instance, a profile thus represents a "delta" between controls in a catalog, and the same controls in a putative or "virtual" **resolved profile**.
+
+However, a profile may not only cite controls from catalogs; it may also do the same from other profiles. When it does so, its selection is limited to controls as invoked -- and modified -- by those upstream profiles. Thus a resolved profile will represent selections and settings (including changes and alterations) made by *all* the profiles that it cites, in a chain. If profile B modifies controls from catalog A, profile C that modifies profile B, will include its controls *as modified*.
+
+Moreover, a profile may combine controls from multiple catalog sources into a single "collective" control set.
This enables profiles to refer to multiple authorities (other profiles, or catalogs) to achieve a synthesis-with-modification of their controls. For example, a common way of extending a community-standard profile is to include controls from that profile's own source catalog (going back to "the beginning") along with the (modified) controls in the "base" profile being extended..
+
+## Exceptions in profiles (summary)
+
+* broken references (to controls, subcontrols or parameters that do not exist)
+* the same catalog or profile is called (directly) more than once
+* the same parameter (in the same catalog) is assigned more than once
+* a subcontrol is included, without its control also being included
+* any control (after resolution) is called more than once
+* any circular reference (a profile calling a profile that calls back again)
+
+Expected/okay:
+
+* Controls from the same groups (in the same catalogs) coming in via different import pathways
+
+## Profile Resolution
+
+Described here:
+
+* Import (of sources or resources) and selection (of controls and subcontrols)
+* Merging - how these control sets are organized in the resolved profile
+* Modification - how parameters are set, their values inserted, and patches applied
+
+### Invocation and selection
+
+A profile may combine more than one import.
+
+An import is bound to a single catalog or profile, its "resource". If bound to a profile, it is *implicitly* resolved according to these same rules. Because profiles must be bound to either catalogs, or profiles, this means that (ipso facto) all profiles capable of finite resolution, resolve eventually to catalogs.
+
+If an OSCAL profile includes, directly or indirectly, any imports of itself as a resource, such imports are inoperable. Such circular reference is an error. *(Sch.? Fallback behavior: ignore circular calls.)* Because circular references are defined as inoperable, in the real world all profiles will be finite.
+
+An import can identify controls (as given in and by the resource) for inclusion in either of two ways. The first method is by an explicit "call" using the ID of the desired control or subcontrol. (See on IDs below.)
+
+Alternatively, an import can stipulate that all controls from the catalog (or upstream profile) should be included, except as modified by exclusion.
+
+An import can also designate controls or subcontrols to be excluded. Ordinarily this will only be done when all controls (or all subcontrols, as applicable) have been included.
+
+An explicit selection or "call" (to be included or excluded) is made by ID value on a target control or subcontrol object (in XML, the element's @id).
+
+It is not an error if the same resource (catalog or profile) is called by more than one import. *(This is Schematronable. Fallback: process anyway. Complementary call sets will resolve; duplicate calls or multiple settings will result in duplicative or contradictory outputs.)*
+
+Invocations can select controls by inclusion or by exclusion. If an import does not indicate an inclusion, then all controls from the invoked resource are implicitly included. (In the XML, no `/invoke/include` is the same as having `/invoke/include/all`. Accordingly, solo `/invoke/exclude` with no "include" stated, is meaningful: include everything but what is excluded.)
+
+Subcontrols are regarded as dependent on their controls. If a control is not selected, it is an error if any of its subcontrols are selected. *(Fallback: drop the subcontrol silently.)* When selecting a subcontrol, see to it that its control is also selected, or select the subcontrols implicitly with a setting ("with subcontrols") setting at a higher level.
+
+It is an error if an import includes a control or subcontrol more than once. *(Sch. Fallback: include a single copy of the control.)*
+
+Similarly, it is an error if an import declares more than one modification (patch) for a given control. *(Sch.
Fallback: apply all patches in order defined by processor.)*
+
+Likewise, it is an error if an import declares parameter settings for the same parameter, more than once. *(Sch. Fallback: use only one, tbd by processor.)*
+
+It is not an error if the same control is both included explicitly, and then excluded (by definition, to no effective purpose), but an implementation may warn if this occurs. *(Sch.)* A working assumption is that only imports with "all" controls included (implicitly or explicitly) will have use for exclusions.
+
+It is also not an error if a resolved import selects the same control set as a much more parsimonious import would (for example, instead of including 249 of 250 controls in a catalog, simply include all and exclude one.) Again, an implementation may detect this situation and offer warnings. *(Sch.)*
+
+#### IDs
+
+IDs are expected to be unique within document scope, so no control or subcontrol will have the same ID as another in the same catalog. Control catalogs whose controls are not tagged with distinct IDs can be excluded from resolution as invalid, although conforming processors have the option of continuing to process while offering some means of addressing and resolving the ID clash.
+
+Moreover, for purposes of these specifications, ID values are expected to be unique *across* catalogs. If local (document-level) ID collision occurs between catalogs, a system is expected to resolve them such that all controls from all catalogs can be addressed distinctly, each call resolving relative to its import. Catalogs, however, must also be valid to relevant OSCAL schemas and Schematrons demonstrating their structural integrity. This specification does not define what happens with non-OSCAL inputs to profile resolution.
+
+Note also that it is an expectation that every time a given profile or catalog is invoked, the *same resource* (catalog or resolved profile) is returned, enabling systems to cache. (Cf XPath doc() function.)
Along with this is the assumption that resolution of a profile against its sources (profiles and catalogs) will be side-effect free; for example, it cannot have the effect of rewriting catalogs or upstream profiles (by calling some magical URI) or creating new resources to be exploited elsewhere.
+
+We do not yet support selection of controls by other criteria such as context/organization ("all of AC") or controlled property values ("controls that have X=Y").
+
+### Merge (Combination)
+
+XXX NB THIS ENTIRE SECTION MAY ALTER RADICALLY XXX
+cf New-Merge-Diagrams.html
+
+In profile resolution, a "view" is provided of *each* resource (profile or catalog) invoked by a profile, which preserves information regarding the import including the structural relations (groupings) among controls selected by it. Because multiple imports may trace back through several import steps, to the same catalog (such as, for example, NIST SP800-53), this means that the resolved profile will contain more than one "copy" (partial or complete) of the organization (groups) within which controls are organized.
+
+Note that since profiles can invoke profiles, the views of imports may be nested, as many layers deep as it takes to get back to a catalog. Also, because profiles may invoke controls from more than a single upstream resource (catalog or profile), views will contain multiple views, in a branching structure. Occasionally, views within views will point to the same source catalogs as other views (within views); this will happen both in error, and as a feature. In any case it will sometimes be valuable or useful information, to know not only that a control was included but *how* it was included -- its provenance of import.
+
+Within each view, at the deepest layer, a profile will invoke not another profile (making for another view), but a catalog.
At that point, the resolved profile will present a partial (filtered) "snapshot" of the catalog in question, showing the controls that are (finally) selected (by the views in combination).
+
+This snapshot will show a *copy* of the catalog with the following modifications:
+
+* A group that does not contain any control, selected by the profile, is discarded.
+
+* A group that contains a selected control (either directly or by virtue of subgroups) is copied, with its properties and contents (statements, parts, paragraphs etc), as well as any selected controls or groups that contain (at any level) selected controls.
+
+* Only controls that are selected by the profile, are kept.
+
+* Within controls, only subcontrols that are selected by the profile, are kept. (Note that the means of selection of subcontrols is different from that of the controls on which they depend.)
+
+* Parameter descriptions and values are *unchanged*. (They will be changed in the subsequent "Modify" step.)
+
+More info here: [Profile Invocation Merge Diagrams](Merge-Diagrams.html)
+
+It is noteworthy that this organization, while it has the advantage of low information loss, will not be ideal for many purposes. Accordingly, an additional **merge** step may be performed.
+
+In this context, to "merge" means to collapse a "multiply refracted" combination of views on a single catalog (made by assembling disparate profiles into a profile), into a single integrated view.
+
+This operation is provided as an *optional* step.
+
+* A profile with more than one import, resolves them separately. Invocations are resolved separately within a profile.
+* Recursive profile resolution is reflected in the import hierarchy
+* The same catalog can appear at multiple terminals in an import hierarchy
+* Among controls selected in an import, a catalog's grouping organization is retained
+* Because selection can occur at any level of profiling, distinct import pathways (each subsetting controls and/or adding branches of their own) will result in very different representations of "fragmented groupings" of control catalogs. Unless these actually select the same controls, this is not necessarily an error. Where they do, they expose issues to be resolved. This occurrence above all should be exposed while being flagged as an error.
+
+### Modification
+
+The matching/selection logic of patches described in this spec is in DRAFT form, inasmuch as we expect (hope) to define more flexible and powerful mechanism in a future sprint.
+
+Currently, two distinct types of modification are supported: setting parameters (values, default values, descriptions); and direct modification ("patching") of controls and subcontrols. A small set of element types are provided to support the latter, including directives for deleting contents and adding new contents to the control or subcontrol.
+
+See the Tag Library for more on elements `alter`, `remove` and `augment` when used inside `modify`. See the Mini Testing samples for examples.
\ No newline at end of file
diff --git a/docs/prose/Resolution-Regroup.html b/docs/prose/Resolution-Regroup.html
new file mode 100644
index 0000000000..1f660089e6
--- /dev/null
+++ b/docs/prose/Resolution-Regroup.html
@@ -0,0 +1,346 @@
+ + + + OSCAL Profile Invocation Merge Specification (Diagrams) + + + + +
+

An optimized collapsed or regrouped profile view

+

Given the profile resolution described in, a more comprehensive merge can also be + offered as a post process. It entails re-expressing the controls set returned by + profile resolution, in a restored (single) organization

+
+

All controls sourced from a given catalog are re) grouped within a single + representation of that catalog, as modified and amended by the profile

+
+
+ CQZ Controls Catalog +
+ Group CC +

Control CCA

+

Control CCB

+

Control CCC

+
+
+ Group QQ +

Control QQA

+

Control QQB

+

Control QQC

+
+
+ Group ZZ +

Control ZZA

+

Control ZZB

+

Control ZZC

+
+
+
+ BTW Controls Catalog +
+ Group Alpha +
+ Alpha_I +

Control A_I_1

+

Control A_I_2

+

Control A_I_3

+
+
+ Alpha_II +

Control A_II_48

+

Control A_II_49

+

Control A_II_50

+
+
+
+ Group Beta +
+ Beta_I +

Control B_I_1

+

Control B_I_2

+

Control B_I_3

+
+
+ Beta_II +

Control B_II_48

+

Control B_II_49

+

Control B_II_50

+
+
+
+
+ AlphaBeta profile of BTW +
+ Invoke BTW Catalog +

Control A_I_1

+

Control A_II_48

+

Control B_I_1

+

Control B_II_50

+

Control A_II_50

+
+
+ A combining profile +
+ Invoke CQZ Catalog +

Control CCA

+

Control CCB

+

Control QQC

+
+
+ Invoke BTW Catalog +

Control A_I_1

+

Control A_I_2

+

Control A_I_3

+
+
+ Invoke AlphaBeta Profile (BTW controls) +

Control B_I_1

+

Control A_II_50

+
+
+ Resolution of combining profile +
+ Invoke CQZ Catalog +
+ CQZ Controls Catalog +
+ Group CC +

Control CCA

+

Control CCB

+
+
+ Group QQ +

Control QQC

+
+
+
+
+ Invoke BTW Catalog +
+ BTW Controls Catalog +
+ Group Alpha +
+ Alpha_I +

Control A_I_1

+

Control A_I_2

+

Control A_I_3

+
+
+
+
+
+ Invoke AlphaBeta Profile (BTW controls) +
+ Invoke BTW Catalog +
+ BTW Controls Catalog +
+ Group Alpha +
+ Alpha_II +

Control A_II_50

+
+
+
+ Group Beta +
+ Beta_I +

Control B_I_1

+
+
+
+
+
+
+
+ Resolution, now regrouped +
+ Invoke CQZ Catalog +
+ CQZ Controls Catalog +
+ Group CC +

Control CCA

+

Control CCB

+
+
+ Group QQ +

Control QQC

+
+
+
+
+ Invoke BTW Catalog +
+ BTW Controls Catalog +
+ Group Alpha +
+ Alpha_I +

Control A_I_1

+

Control A_I_2

+

Control A_I_3

+
+
+ Alpha_II +

Control A_II_50 invoked via AlphaBeta + Profile

+
+
+
+ Group Beta +
+ Beta_I +

Control B_I_1 invoked via AlphaBeta + Profile

+
+
+
+
+
+

An application may mark or annotate controls with their invocation + provenance, as suggested in the diagram (and see below).

+
+
+

What to do about clashing controls (duplicated IDs)

+

Copy them both? In XML, the results will presumably be schema-invalid to a schema + that enforced ID uniqueness. In any case, subsequent processes can detect + duplication and conflict and flag things accordingly.

+
+
+

Propagating group values / normalization / flattening

+

We could outline how controls might be marked / decorated with their + invocation provenance (insertion of properties or links back?), + which would otherwise be lost here.

+

We could also provide the option to flatten groups? Either removing or copying + downward (to controls) any group properties.

+
+
+ + diff --git a/docs/schema/oscal-oscal.xml b/docs/schema/oscal-oscal.xml index 138aa93994..f39fdb3ce6 100644 --- a/docs/schema/oscal-oscal.xml +++ b/docs/schema/oscal-oscal.xml @@ -799,23 +799,23 @@ profile Profile -

In reference to a catalog (or other authority such as profile or framework), a selection +

In reference to a catalog (or other resource such as profile or framework), a selection and configuration of controls, maintained separately

- invoke - Authority invocation + import + Import resource -

For invocation of controls and subcontrols from a catalog or other authority

+

Designating a catalog, profile or other resource for controls

include Include controls -

The element's contents indicate which controls and subcontrols to include from the - authority (source catalog)

+

Which controls and subcontrols to include from the resource (source catalog) being + imported

To be schema-valid, this element must contain either (but not both) a single @@ -829,8 +829,8 @@ exclude Exclude controls -

Which controls and subcontrols to exclude from the authority (source catalog) being - invoked

+

Which controls and subcontrols to exclude from the resource (source catalog) being + imported

Within exclude, all is not an option since it makes no sense. @@ -844,30 +844,29 @@ all Include all -

Include all controls from the invoked authority (catalog)

+

Include all controls from the imported resource (catalog)

This element provides an alternative to calling controls and subcontrols individually from a catalog. But this is also the default behavior when no include element - is given in an invoke; so ordinarily one might not see this element unless it + is given in an import; so ordinarily one might not see this element unless it is for purposes of including its @with-subcontrols='yes'

-

An invocation of a catalog with all controls included:

-
<invoke href="canonical-catalog-oscal.xml">
+        

Importing a catalog with all controls included:

+
<import href="canonical-catalog-oscal.xml">
   <include>
     <all/>
   </include>
-</include>
-

has the same outcome as

-
<invoke href="canonical-catalog-oscal.xml"/>
-
-

but is not the same as

-
<invoke href="canonical-catalog-oscal.xml">
+</import>
+

can also be done implicitly (with the same outcome):

+
<import href="canonical-catalog-oscal.xml"/>
+

However these are not the same as

+
<import href="canonical-catalog-oscal.xml">
   <include>
     <all with-subcontrols="yes"/>
   </include>
-</invoke>
+</import>

(Since with-subcontrols is assumed to be no unless stated to be yes.)

@@ -898,7 +897,7 @@

@param-id indicates the parameter (within the scope of the referenced - catalog or authority). The value element is used to provide a value for + catalog or resource). The value element is used to provide a value for insertion of a value for the parameter when the catalog is resolved and rendered. A desc element can be presented (made available) to a calling profile – that is, it is a parameter description helping to set the parameter in higher layers, not this diff --git a/docs/schema/oscal-tag-library.html b/docs/schema/oscal-tag-library.html index 2d27cb4235..26f72a76d2 100644 --- a/docs/schema/oscal-tag-library.html +++ b/docs/schema/oscal-tag-library.html @@ -219,7 +219,7 @@

<profile> Profile

<include> Include controls

@@ -1750,7 +1750,7 @@

profile -

In reference to a catalog (or other authority such as profile or framework), a selection +

In reference to a catalog (or other resource such as profile or framework), a selection and configuration of controls, maintained separately

@@ -1759,14 +1759,14 @@

profile
-

invoke Authority invocation +

import Import resource

-

For invocation of controls and subcontrols from a catalog or other authority

+

Designating a catalog, profile or other resource for controls

@@ -1780,8 +1780,8 @@

include -

The element's contents indicate which controls and subcontrols to include from the - authority (source catalog) +

Which controls and subcontrols to include from the resource (source catalog) being + imported

@@ -1809,8 +1809,8 @@

exclude -

Which controls and subcontrols to exclude from the authority (source catalog) being - invoked +

Which controls and subcontrols to exclude from the resource (source catalog) being + imported

@@ -1836,7 +1836,7 @@

all -

Include all controls from the invoked authority (catalog)

+

Include all controls from the imported resource (catalog)

@@ -1844,28 +1844,27 @@

all This element provides an alternative to calling controls and subcontrols individually from a catalog. But this is also the default behavior when no include element - is given in an invoke; so ordinarily one might not see this element unless it + is given in an import; so ordinarily one might not see this element unless it is for purposes of including its @with-subcontrols='yes'

-

An invocation of a catalog with all controls included:

-
<invoke href="canonical-catalog-oscal.xml">
+                  

Importing a catalog with all controls included:

+
<import href="canonical-catalog-oscal.xml">
   <include>
     <all/>
   </include>
-</include>
-

has the same outcome as

-
<invoke href="canonical-catalog-oscal.xml"/>
-
-

but is not the same as

-
<invoke href="canonical-catalog-oscal.xml">
+</import>
+

can also be done implicitly (with the same outcome):

+
<import href="canonical-catalog-oscal.xml"/>
+

However these are not the same as

+
<import href="canonical-catalog-oscal.xml">
   <include>
     <all with-subcontrols="yes"/>
   </include>
-</invoke>
+</import>

(Since with-subcontrols is assumed to be no unless stated to be yes.)

@@ -1921,7 +1920,7 @@

set-param

@param-id indicates the parameter (within the scope of the referenced - catalog or authority). The value element is used to provide a value for + catalog or resource). The value element is used to provide a value for insertion of a value for the parameter when the catalog is resolved and rendered. A desc element can be presented (made available) to a calling profile – that diff --git a/docs/schema/oscal-tag-library.md b/docs/schema/oscal-tag-library.md index 0dec84c1cc..6ea9353c1c 100644 --- a/docs/schema/oscal-tag-library.md +++ b/docs/schema/oscal-tag-library.md @@ -58,7 +58,7 @@ > * [<span> Span](#span-span) > * [Profiling](#profiling) > * [<profile> Profile](#profile-profile) -> * [<invoke> Authority invocation](#invoke-authority-invocation) +> * [<import> Import resource](#import-import-resource) > * [<include> Include controls](#include-include-controls) > * [<exclude> Exclude controls](#exclude-exclude-controls) > * [<all> Include all](#all-include-all) @@ -459,15 +459,15 @@ Roughly speaking, a profile document is a specification of a *selection* of cont #### <profile> Profile -In reference to a catalog (or other authority such as profile or framework), a selection and configuration of controls, maintained separately +In reference to a catalog (or other resource such as profile or framework), a selection and configuration of controls, maintained separately -#### <invoke> Authority invocation +#### <import> Import resource -For invocation of controls and subcontrols from a catalog or other authority +Designating a catalog, profile or other resource for controls #### <include> Include controls -The element's contents indicate which controls and subcontrols to include from the authority (source catalog) +Which controls and subcontrols to include from the resource (source catalog) being imported To be schema-valid, this element must contain either (but not both) a single all element, or a sequence of call elements. 
@@ -475,37 +475,36 @@ If this element is not given, it is assumed to be present with contents all (qv) #### <exclude> Exclude controls -Which controls and subcontrols to exclude from the authority (source catalog) being invoked +Which controls and subcontrols to exclude from the resource (source catalog) being imported Within exclude, all is not an option since it makes no sense. However, it also makes no sense (think about it) to use `exclude/call` except with `include/all` (it makes no sense to call in by ID only to exclude by ID). The only error condition reported, however, is when the same control is both included (explicitly, by ID) and excluded. #### <all> Include all -Include all controls from the invoked authority (catalog) +Include all controls from the imported resource (catalog) -This element provides an alternative to calling controls and subcontrols individually from a catalog. But this is also the default behavior when no include element is given in an invoke; so ordinarily one might not see this element unless it is for purposes of including its `@with-subcontrols='yes'` +This element provides an alternative to calling controls and subcontrols individually from a catalog. But this is also the default behavior when no include element is given in an import; so ordinarily one might not see this element unless it is for purposes of including its `@with-subcontrols='yes'` -An invocation of a catalog with all controls included: ``` - +Importing a catalog with all controls included: ``` + - + ``` -has the same outcome as ``` - - +can also be done implicitly (with the same outcome): ``` + ``` -but is not the same as ``` - +However these are not the same as ``` + - + ``` 
@@ -523,7 +522,7 @@ If `@with-subcontrols` is "yes" on the call to a control, no sibling callelement Set a parameter's value and even override its description -`@param-id` indicates the parameter (within the scope of the referenced catalog or authority). The value element is used to provide a value for insertion of a value for the parameter when the catalog is resolved and rendered. A desc element can be presented (made available) to a calling profile – that is, it is a parameter description helping to set the parameter in higher layers, not this one (when profiles are expected to provide baselines, for example). +`@param-id` indicates the parameter (within the scope of the referenced catalog or resource). The value element is used to provide a value for insertion of a value for the parameter when the catalog is resolved and rendered. A desc element can be presented (made available) to a calling profile – that is, it is a parameter description helping to set the parameter in higher layers, not this one (when profiles are expected to provide baselines, for example). #### <alter> Alteration diff --git a/docs/schema/oxygen-docs/docHtml.css b/docs/schema/oxygen-docs/docHtml.css new file mode 100644 index 0000000000..969603e6e7 --- /dev/null +++ b/docs/schema/oxygen-docs/docHtml.css 
@@ -0,0 +1,605 @@ +/*---------------------------------------- + Global +-----------------------------------------*/ + +body{ +} +body, table { + font-family:arial, helvetica, sans-serif; + font-size:12px; +} + +@media print{ + body, table { + font-size:10px; + } +} + +/*-------------------------------------------- + Source code in the instance, source or + annotations. +--------------------------------------------*/ +span.tEl { + color: #000096; + background-color:inherit; +} +span.tXSLEl { + color: #0064C8; + background-color:inherit; +} +span.tAN { + color: #F5844C; + background-color:inherit; +} +span.tAV { + color: #993300; + background-color:inherit; +} +span.tI { + color: #000000; + background-color:inherit; +} +span.tT { + color: #000000; + background-color:inherit; +} +span.tC { + color: #006400; + background-color:inherit; +} +span.tCD { + color: #008C00; + background-color:inherit; +} +span.tPI { + color: #8B26C9; + background-color:inherit; +} +span.tEn { + color: #969600; + background-color:inherit; +} +span.qname{ + color:#000096; + background-color:inherit; +} + +/*----------------------------------------- + Documentation sections. +------------------------------------------*/ + +div.componentTitle, p.sHierarchyTitle { + font-size:1.4em; + font-weight:bold; + text-align:left; + margin-top:1.4em; + margin-bottom:0.7em; +} +div.componentTitle{ +/* color:rgb(255, 160, 100);*/ + color:#333333; + background-color:inherit; +} + + +/* Tables. 
*/ + +td, th { + padding:2px 2px 2px 5px; + text-align:left; + vertical-align:top; +} + +tr > th { + background-color:#C4DAF4; + color:inherit; +} + +/* Contrast for the titles*/ +table.component { + width:100%; + border-spacing:1px; +} + +@media print{ + table.component{ + border:1px solid gray; + border-collapse:collapse; + } + + table.component td{ + border:1px solid gray; + } +} + + + +table.component td.firstColumn{ +/* pink */ + /*background-color:#FFC0C0;*/ +/*green */ + /* background-color:#C0F0A0;*/ +/*bleu*/ + /*background-color:#89C6E2;*/ +/*orange*/ + /*background-color:#FFD697;*/ +/*brown*/ + /*background-color:#D5BC8E;*/ +/*lilla*/ + /*background-color:#DDDDFF;*/ +/*gray-bleu*/ + /*background-color:#CAD0DD;*/ +/*brown-light*/ + /*background-color:#DECFB8;*/ +/*gray-green*/ + /*background-color:#C6D0CD;*/ +/*bleu-2*/ + /*background-color:#B5D5FF;*/ +/*gray*/ + /*background-color:#CCCCCC;*/ + + +/*bleu */ +background-color:#C4DAF4; + + + + color:black; + width:12%; +} + +table.component table td.firstColumn{ + border:none; + background-color:#EAF1FB; + color: inherit; +} + +td.firstColumn b{ + font-weight:normal; +} + + +/* The Name and Expand/Collapse control are on the same line + but at different ends.*/ +td.firstColumn div.floatLeft{ + float:left; +} +td.firstColumn div.floatRight{ + float:right; +} + +/* Subtables */ +table.component table{ + width:100%; +} +table.component table, +table.component table td, +table.component table th{ + border:0; +} + + +/* Properties table */ +table.propertiesTable { + border-spacing:1px; +} +table.propertiesTable td.firstColumn{ + width:140px; + text-transform:capitalize; +} +/* Used by table */ +table.usedByTable { + border-spacing:1px; +} +table.usedByTable td.firstColumn{ + width:140px; + text-transform:capitalize; +} + +/* Facets table*/ +table.facetsTable { + border-spacing:1px; +} +table.facetsTable td.firstColumn{ + width:140px; + text-transform:capitalize; +} + +/* Attributes table */ 
+table.attributesTable { + border-spacing:1px; +} +table.attributesTable th{ + font-weight:normal; +} +table.attributesTable tr:hover{ + color:inherit; + background-color:#EAF1FB; +} + + +/* Identity constraints table */ +table.identityConstraintsTable { + border-spacing:1px; +} +table.identityConstraintsTable th{ + font-weight:normal; +} +table.identityConstraintsTable tr:hover{ + color:inherit; + background-color:#EAF1FB; +} + + + +/*--------------------------------------- + The diagram. +----------------------------------------*/ + +table.component td.diagram { + background-color:white; + color:inherit; +} + + +/* This table is a workaround for an IE bug regarding pre-wrap */ +table.preWrapContainer, +table.preWrapContainer td{ + border:0; + margin:0; + padding:0; +} + + +/* Annotations. */ +div.annotation{ +} +div.annotation pre{ + font-family:arial, helvetica, sans-serif; + margin:0; +} +div.annotation, +div.annotation table, +div.annotation table td{ + margin:0; + padding:0; +} + +/* Hierarchy */ +ul > li.internal, ul > li.schemaHierarchy { + list-style:none; +} + +ul.internal { + margin:2px; + padding:0; +} + +ul ul li.internal { + padding-left:10px; + + list-style-image:url('img/hierarchy_arrow.gif'); + list-style-position:inside; +} + +ul ul li.schemaHierarchy { + padding-left:20px; + + list-style-image:none; + list-style-position:inside; +} + +ul.schemaHierarchy { + margin:2px; + padding-left:20px; +} + +/*------------------------------------- + Rounded tables. 
+---------------------------------------*/ + +table.rt, +table.rt_with_bg{ + border-collapse:collapse; + border-spacing:0; + width:100%; +} +table.rt_with_bg{ + /*background-color:#C0F0A0;*/ + background-color:white; + color:inherit; +} + + +.rt_cornerTopLeft{ + background-color:transparent; + background-repeat:no-repeat; + background-position:right; + width:8px; + height:8px; + margin:0; + padding:0; +} +.rt_cornerTopLeft{ + background-image:url('img/cTL.gif'); +} + + +.rt_cornerBottomLeft{ + background-color:transparent; + background-repeat:no-repeat; + background-position:right; + width:8px; + height:8px; + margin:0; + padding:0; +} +.rt_cornerBottomLeft{ + background-image:url('img/cBL.gif'); +} + + +.rt_cornerTopRight{ + background-color:transparent; + background-repeat:no-repeat; + width:8px; + height:8px; + margin:0; + padding:0; + +} +.rt_cornerTopRight{ + background-image:url('img/cTR.gif'); +} + + +.rt_cornerBottomRight{ + background-color:transparent; + background-repeat:no-repeat; + width:8px; + height:8px; + margin:0; + padding:0; + +} +.rt_cornerBottomRight{ + background-image:url('img/cBR.gif'); +} + + +.rt_content{ + background-color:white; + color:inherit; + width:auto; + margin:0; + padding:0; +} + + +.rt_lineLeft{ + background-color:transparent; + background-repeat:repeat-y; + background-position:right; + width:8px; + margin:0; + padding:0; + +} +.rt_lineLeft{ + background-image:url('img/lL.gif'); +} + + +.rt_lineRight{ + background-repeat:repeat-y; + width:8px; + margin:0; + padding:0; +} +.rt_lineRight{ + background-image:url('img/lR.gif'); +} + + +.rt_lineTop{ + background-color:transparent; + background-repeat:repeat-x; + height:8px; + width:auto; + margin:0; + padding:0; +} +.rt_lineTop{ + background-image:url('img/lT.gif'); +} + +.rt_lineBottom{ + background-color:transparent; + background-repeat:repeat-x; + height:8px; + width:auto; + margin:0; + padding:0; +} +.rt_lineBottom{ + background-image:url('img/lB.gif'); +} + + +/* 
-------------------------------------- + Controls for bulk showing/hidding sections + from the documentation. +----------------------------------------*/ + +.globalControls h3{ + margin:0.1em; + font-size:1.2em; +} + +.globalControls table td{ + padding:0; + margin:0; +} + +.globalControls{ + position:fixed; + right:0; + background-color:transparent; + padding-left:0.5em; + padding-right:0.5em; + padding-bottom:0.5em; + width:190px; +} + +@media print{ + .globalControls{ + display:none; + } +} + +/* Expand/collapse of a single section. */ +input.control { + text-align:center; + vertical-align:middle; + padding:0; + padding-right:3px; + padding-bottom:2px; + +} + + +/* close button */ +td.rt_content div span input{ + font-size:0.8em; +} + +@media print{ + input.control{ + display:none; + } +} + + + + +/*----------------------------------------- + Navigation. +------------------------------------------*/ +a, a:visited { + color:rgb(0, 0, 150); + background-color:inherit; +} + +a:link, a:visited { + text-decoration:none; +} +a:hover { + text-decoration:underline; +} + +div.toTop{ + text-align:right; +} +div.toTop a{ + font-weight:normal; +} + + + + +/*------------------------------------------ + The second level of index. Floating DIVs +-------------------------------------------*/ +.toc { +} +.toc div.verticalLayout, div.horizontalLayout{ + float:left; + display:block; + + background-color:white; + color:inherit; + + min-width:130px; + min-height:50px; + + padding:0.5em; +} +/* This is not used. */ +.toc div.verticalLayout { + clear:left; +} + +/* Hack for the IE - acts like a minimum height.*/ +* html .toc div.horizontalLayout, +* html .toc div.verticalLayout { + width:120px; + height:60px; +} + +/* Namespacces or system ids in the TOC. 
*/ +.toc .indexGroupTitle { + font-weight:bold; + margin-bottom:0.5em; +} + +/* Components group*/ + +div.componentGroupTitle { + font-weight: bold; + color: black; + background-color: inherit; +} + +div.componentGroup { + padding-top: 4px; +} + +table.componentGroup { + border-spacing: 1px; +} + +td.componentGroup { + padding: 0px 0px 0px 0px; +} + + + +/*---------------- + The footer. +-----------------*/ +.footer{ + margin-top:3em; +} +.redX{ + color:red; + background-color:inherit; + font-size:1.2em; +} +.oXygenLogo{ + color:#1166DD; + background-color:inherit; + font-weight:bold; + font-size:1.2em; +} + + +/* List item from documentation format */ +ul > li.doc{ + list-style:disc; + margin-left:10px; +} + +/* No margin for pre from the table.*/ +td > pre { + margin:0px; +} + +/* Wrap the long lines in the 'pre' section. */ +pre { + white-space: pre-wrap; /* css-3 */ + white-space: -moz-pre-wrap; /* Mozilla, since 1999 */ + white-space: -pre-wrap; /* Opera 4-6 */ + white-space: -o-pre-wrap; /* Opera 7 */ + word-wrap: break-word; /* Internet Explorer 5.5+ */ + _white-space: pre; /* IE only hack to re-specify in addition to word-wrap */ +} \ No newline at end of file diff --git a/docs/schema/oxygen-docs/img/Cycle12.png b/docs/schema/oxygen-docs/img/Cycle12.png new file mode 100644 index 0000000000..58743202ac Binary files /dev/null and b/docs/schema/oxygen-docs/img/Cycle12.png differ diff --git a/docs/schema/oxygen-docs/img/HierarchyArrow12.jpg b/docs/schema/oxygen-docs/img/HierarchyArrow12.jpg new file mode 100644 index 0000000000..2d3cda4d75 Binary files /dev/null and b/docs/schema/oxygen-docs/img/HierarchyArrow12.jpg differ diff --git a/docs/schema/oxygen-docs/img/Import12.gif b/docs/schema/oxygen-docs/img/Import12.gif new file mode 100644 index 0000000000..32950ba502 Binary files /dev/null and b/docs/schema/oxygen-docs/img/Import12.gif differ 
diff --git a/docs/schema/oxygen-docs/img/Include12.gif b/docs/schema/oxygen-docs/img/Include12.gif
new file mode 100644
index 0000000000..ed5961ae1a
Binary files /dev/null and b/docs/schema/oxygen-docs/img/Include12.gif differ
diff --git a/docs/schema/oxygen-docs/img/Override12.gif b/docs/schema/oxygen-docs/img/Override12.gif
new file mode 100644
index 0000000000..f2c116b0f9
Binary files /dev/null and b/docs/schema/oxygen-docs/img/Override12.gif differ
diff --git a/docs/schema/oxygen-docs/img/Redefine12.gif b/docs/schema/oxygen-docs/img/Redefine12.gif
new file mode 100644
index 0000000000..0377abedc1
Binary files /dev/null and b/docs/schema/oxygen-docs/img/Redefine12.gif differ
diff --git a/docs/schema/oxygen-docs/img/btM.gif b/docs/schema/oxygen-docs/img/btM.gif
new file mode 100644
index 0000000000..78d309a0e5
Binary files /dev/null and b/docs/schema/oxygen-docs/img/btM.gif differ
diff --git a/docs/schema/oxygen-docs/img/btP.gif b/docs/schema/oxygen-docs/img/btP.gif
new file mode 100644
index 0000000000..63e253532e
Binary files /dev/null and b/docs/schema/oxygen-docs/img/btP.gif differ
diff --git a/docs/schema/oxygen-docs/img/cBL.gif b/docs/schema/oxygen-docs/img/cBL.gif
new file mode 100644
index 0000000000..aacb1da416
Binary files /dev/null and b/docs/schema/oxygen-docs/img/cBL.gif differ
diff --git a/docs/schema/oxygen-docs/img/cBR.gif b/docs/schema/oxygen-docs/img/cBR.gif
new file mode 100644
index 0000000000..48879ca267
Binary files /dev/null and b/docs/schema/oxygen-docs/img/cBR.gif differ
diff --git a/docs/schema/oxygen-docs/img/cTL.gif b/docs/schema/oxygen-docs/img/cTL.gif
new file mode 100644
index 0000000000..b52ae5496a
Binary files /dev/null and b/docs/schema/oxygen-docs/img/cTL.gif differ
diff --git a/docs/schema/oxygen-docs/img/cTR.gif b/docs/schema/oxygen-docs/img/cTR.gif
new file mode 100644
index 0000000000..136df091ac
Binary files /dev/null and b/docs/schema/oxygen-docs/img/cTR.gif differ
diff --git a/docs/schema/oxygen-docs/img/hierarchy_arrow.gif b/docs/schema/oxygen-docs/img/hierarchy_arrow.gif
new file mode 100644
index 0000000000..739bb6512f
Binary files /dev/null and b/docs/schema/oxygen-docs/img/hierarchy_arrow.gif differ
diff --git a/docs/schema/oxygen-docs/img/lB.gif b/docs/schema/oxygen-docs/img/lB.gif
new file mode 100644
index 0000000000..c0b44c6fbd
Binary files /dev/null and b/docs/schema/oxygen-docs/img/lB.gif differ
diff --git a/docs/schema/oxygen-docs/img/lL.gif b/docs/schema/oxygen-docs/img/lL.gif
new file mode 100644
index 0000000000..bfbef22682
Binary files /dev/null and b/docs/schema/oxygen-docs/img/lL.gif differ
diff --git a/docs/schema/oxygen-docs/img/lR.gif b/docs/schema/oxygen-docs/img/lR.gif
new file mode 100644
index 0000000000..cd75fdc268
Binary files /dev/null and b/docs/schema/oxygen-docs/img/lR.gif differ
diff --git a/docs/schema/oxygen-docs/img/lT.gif b/docs/schema/oxygen-docs/img/lT.gif
new file mode 100644
index 0000000000..c67c57666a
Binary files /dev/null and b/docs/schema/oxygen-docs/img/lT.gif differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_contextAttr.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_contextAttr.jpeg
new file mode 100644
index 0000000000..26944310e0
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_contextAttr.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_hrefAttr.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_hrefAttr.jpeg
new file mode 100644
index 0000000000..ceb2d6862a
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_hrefAttr.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_idAttr.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_idAttr.jpeg
new file mode 100644
index 0000000000..f4e797b3bc
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_idAttr.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_optionalClass.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_optionalClass.jpeg
new file mode 100644
index 0000000000..6ae67e4dc4
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_optionalClass.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_relAttr.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_relAttr.jpeg
new file mode 100644
index 0000000000..65477c7225
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_relAttr.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_requiredClass.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_requiredClass.jpeg
new file mode 100644
index 0000000000..0b7ac86d44
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Attribute_Group_oscal_requiredClass.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Complex_Type_oscal_catalog-contents.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Complex_Type_oscal_catalog-contents.jpeg
new file mode 100644
index 0000000000..e978d98d37
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Complex_Type_oscal_catalog-contents.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Complex_Type_oscal_decls.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Complex_Type_oscal_decls.jpeg
new file mode 100644
index 0000000000..dd485e257c
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Complex_Type_oscal_decls.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Complex_Type_oscal_framework-contents.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Complex_Type_oscal_framework-contents.jpeg
new file mode 100644
index 0000000000..e8cdca53ef
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Complex_Type_oscal_framework-contents.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Complex_Type_oscal_worksheet-contents.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Complex_Type_oscal_worksheet-contents.jpeg
new file mode 100644
index 0000000000..af0178ba8a
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Complex_Type_oscal_worksheet-contents.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_anyKindofPart.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_anyKindofPart.jpeg
new file mode 100644
index 0000000000..c086ac9bf6
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_anyKindofPart.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_category.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_category.jpeg
new file mode 100644
index 0000000000..ba0469ea86
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_category.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_control-components.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_control-components.jpeg
new file mode 100644
index 0000000000..6b7df1b433
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_control-components.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_group.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_group.jpeg
new file mode 100644
index 0000000000..5b897c1856
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_group.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_inlines.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_inlines.jpeg
new file mode 100644
index 0000000000..79925bb349
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_inlines.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_mix.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_mix.jpeg
new file mode 100644
index 0000000000..eca16b04ab
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_mix.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_prose.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_prose.jpeg
new file mode 100644
index 0000000000..db1b701a5c
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_prose.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_semantical.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_semantical.jpeg
new file mode 100644
index 0000000000..e03184f7cb
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_semantical.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_whatnot.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_whatnot.jpeg
new file mode 100644
index 0000000000..7ad8fca7af
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_Group_oscal_whatnot.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_a.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_a.jpeg
new file mode 100644
index 0000000000..ecc0e14dd1
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_a.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_autonum.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_autonum.jpeg
new file mode 100644
index 0000000000..e24a48f1cd
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_autonum.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_b.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_b.jpeg
new file mode 100644
index 0000000000..c3eca9aabd
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_b.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_calc.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_calc.jpeg
new file mode 100644
index 0000000000..c2db7efc2d
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_calc.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_catalog.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_catalog.jpeg
new file mode 100644
index 0000000000..3eb6a555da
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_catalog.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_citation.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_citation.jpeg
new file mode 100644
index 0000000000..c03ece24c6
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_citation.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_code.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_code.jpeg
new file mode 100644
index 0000000000..152d7a2af2
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_code.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_component.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_component.jpeg
new file mode 100644
index 0000000000..dbfa623803
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_component.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_control.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_control.jpeg
new file mode 100644
index 0000000000..b8abe64522
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_control.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_declarations.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_declarations.jpeg
new file mode 100644
index 0000000000..49b76acd98
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_declarations.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_declare-link.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_declare-link.jpeg
new file mode 100644
index 0000000000..e8d8a4285c
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_declare-link.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_declare-p.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_declare-p.jpeg
new file mode 100644
index 0000000000..d162440be1
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_declare-p.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_declare-part.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_declare-part.jpeg
new file mode 100644
index 0000000000..8c01a7b07f
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_declare-part.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_declare-prop.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_declare-prop.jpeg
new file mode 100644
index 0000000000..c7a5291830
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_declare-prop.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_desc.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_desc.jpeg
new file mode 100644
index 0000000000..5657b42dc3
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_desc.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_em.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_em.jpeg
new file mode 100644
index 0000000000..a97237e663
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_em.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_em_1.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_em_1.jpeg
new file mode 100644
index 0000000000..7492db7a36
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_em_1.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_framework.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_framework.jpeg
new file mode 100644
index 0000000000..0a7e066c0e
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_framework.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_group.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_group.jpeg
new file mode 100644
index 0000000000..4ac76894ca
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_group.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_group_1.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_group_1.jpeg
new file mode 100644
index 0000000000..74de4d423f
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_group_1.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_i.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_i.jpeg
new file mode 100644
index 0000000000..9beb45f4b1
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_i.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_identifier.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_identifier.jpeg
new file mode 100644
index 0000000000..f6c10115e5
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_identifier.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_inherit.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_inherit.jpeg
new file mode 100644
index 0000000000..3fb80a1853
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_inherit.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_insert.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_insert.jpeg
new file mode 100644
index 0000000000..b5d642c820
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_insert.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_li.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_li.jpeg
new file mode 100644
index 0000000000..06cd90db30
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_li.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_link.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_link.jpeg
new file mode 100644
index 0000000000..29c9ff2360
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_link.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_ol.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_ol.jpeg
new file mode 100644
index 0000000000..e1dffd9453
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_ol.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_p.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_p.jpeg
new file mode 100644
index 0000000000..0071c29e5b
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_p.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_param.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_param.jpeg
new file mode 100644
index 0000000000..fb3b0d5fa6
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_param.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_part.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_part.jpeg
new file mode 100644
index 0000000000..a187c1e0e6
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_part.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_pre.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_pre.jpeg
new file mode 100644
index 0000000000..7f6016ada1
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_pre.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_prop.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_prop.jpeg
new file mode 100644
index 0000000000..d3bcc32cff
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_prop.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_q.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_q.jpeg
new file mode 100644
index 0000000000..c264696700
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_q.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_ref.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_ref.jpeg
new file mode 100644
index 0000000000..35429a2fc3
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_ref.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_references.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_references.jpeg
new file mode 100644
index 0000000000..adf3b709ec
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_references.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_regex.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_regex.jpeg
new file mode 100644
index 0000000000..07e9682f15
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_regex.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_required.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_required.jpeg
new file mode 100644
index 0000000000..85881555dc
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_required.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_section.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_section.jpeg
new file mode 100644
index 0000000000..ba8fe042cd
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_section.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_singleton.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_singleton.jpeg
new file mode 100644
index 0000000000..ef1b4abb72
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_singleton.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_span.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_span.jpeg
new file mode 100644
index 0000000000..ed41005329
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_span.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_std.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_std.jpeg
new file mode 100644
index 0000000000..af76e45ced
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_std.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_sub.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_sub.jpeg
new file mode 100644
index 0000000000..7c60e71d04
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_sub.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_subcontrol.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_subcontrol.jpeg
new file mode 100644
index 0000000000..b6e33cb8ed
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_subcontrol.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_sup.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_sup.jpeg
new file mode 100644
index 0000000000..d55bdaef8d
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_sup.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_title.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_title.jpeg
new file mode 100644
index 0000000000..be2eb4d6f8
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_title.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_ul.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_ul.jpeg
new file mode 100644
index 0000000000..eb84248f95
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_ul.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_value.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_value.jpeg
new file mode 100644
index 0000000000..b4c249f225
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_value.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_withdrawn.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_withdrawn.jpeg
new file mode 100644
index 0000000000..cbfb8954fd
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_withdrawn.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_worksheet.jpeg b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_worksheet.jpeg
new file mode 100644
index 0000000000..721997bac7
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-core_xsd_Element_oscal_worksheet.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-profile_xsd_Attribute_Group_oscal_withSubContrlsAttr.jpeg b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Attribute_Group_oscal_withSubContrlsAttr.jpeg
new file mode 100644
index 0000000000..fbfd3693bb
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Attribute_Group_oscal_withSubContrlsAttr.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_all.jpeg b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_all.jpeg
new file mode 100644
index 0000000000..e9a1c8ae20
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_all.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_alter.jpeg b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_alter.jpeg
new file mode 100644
index 0000000000..1492822703
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_alter.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_augment.jpeg b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_augment.jpeg
new file mode 100644
index 0000000000..92da29486d
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_augment.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_call.jpeg b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_call.jpeg
new file mode 100644
index 0000000000..2d5e0ac909
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_call.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_call_1.jpeg b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_call_1.jpeg
new file mode 100644
index 0000000000..86edc45f46
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_call_1.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_exclude.jpeg b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_exclude.jpeg
new file mode 100644
index 0000000000..8dea1510ba
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_exclude.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_include.jpeg b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_include.jpeg
new file mode 100644
index 0000000000..fd2bb9011c
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_include.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_invoke.jpeg b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_invoke.jpeg
new file mode 100644
index 0000000000..0396b9ed57
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_invoke.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_profile.jpeg b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_profile.jpeg
new file mode 100644
index 0000000000..a443b74113
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_profile.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_remove.jpeg b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_remove.jpeg
new file mode 100644
index 0000000000..f50ce4884f
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_remove.jpeg differ
diff --git a/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_set-param.jpeg b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_set-param.jpeg
new file mode 100644
index 0000000000..218a947075
Binary files /dev/null and b/docs/schema/oxygen-docs/img/oscal-profile_xsd_Element_oscal_set-param.jpeg differ
diff --git a/docs/schema/oxygen-docs/oscal-core-o2docs.html b/docs/schema/oxygen-docs/oscal-core-o2docs.html
new file mode 100644
index 0000000000..e2e6976b01
--- /dev/null
+++ b/docs/schema/oxygen-docs/oscal-core-o2docs.html
@@ -0,0 +1,4 @@
+ + +Schema documentation for oscal-core.xsd
\ No newline at end of file
diff --git a/docs/schema/oxygen-docs/oscal-core-o2docs.indexList.html b/docs/schema/oxygen-docs/oscal-core-o2docs.indexList.html
new file mode 100644
index 0000000000..649628d5e6
--- /dev/null
+++ b/docs/schema/oxygen-docs/oscal-core-o2docs.indexList.html
@@ -0,0 +1,628 @@
+ + + + + Schema documentation for + + +

Table of Contents

+
+
+
Group by:
+
+
+
+
+

oscal-core.xsd

+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
s
+
+ +
+
+
+ +
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Complex Types
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Element Groups
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Attribute Groups
+
+ +
+
+
+
+
+
+
+

xml.xsd

+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
s
+
+
+ +
+
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Attributes
+
+ +
+
+
+
+
+
+
+
+
+ +
\ No newline at end of file
diff --git a/docs/schema/oxygen-docs/oscal-core-o2docs.indexListcomp.html b/docs/schema/oxygen-docs/oscal-core-o2docs.indexListcomp.html
new file mode 100644
index 0000000000..8ea133302d
--- /dev/null
+++ b/docs/schema/oxygen-docs/oscal-core-o2docs.indexListcomp.html
@@ -0,0 +1,589 @@
+ + + + + Schema documentation for + + +

Table of Contents

+
+
+
Group by:
+
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
s
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
s
+
+
+ +
+
+
+
+ +
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Complex Types
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Attributes
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Element Groups
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Attribute Groups
+
+ +
+
+
+
+
+
+
+ + +
\ No newline at end of file
diff --git a/docs/schema/oxygen-docs/oscal-core-o2docs.indexListns.html b/docs/schema/oxygen-docs/oscal-core-o2docs.indexListns.html
new file mode 100644
index 0000000000..4b3870b66c
--- /dev/null
+++ b/docs/schema/oxygen-docs/oscal-core-o2docs.indexListns.html
@@ -0,0 +1,600 @@
+ + + + + Schema documentation for + + +

Table of Contents

+
+
+
Group by:
+
+
+
+
+

http://csrc.nist.gov/ns/oscal/1.0

+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
s
+
+ +
+
+
+ +
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Complex Types
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Element Groups
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Attribute Groups
+
+ +
+
+
+
+
+
+
+

http://www.w3.org/XML/1998/namespace

+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
s
+
+
+ +
+
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Attributes
+
+ +
+
+
+
+
+
+
+
+
+ + +
\ No newline at end of file
diff --git a/docs/schema/oxygen-docs/oscal-core_xsd.html b/docs/schema/oxygen-docs/oscal-core_xsd.html
new file mode 100644
index 0000000000..6326b0edeb
--- /dev/null
+++ b/docs/schema/oxygen-docs/oscal-core_xsd.html
@@ -0,0 +1,12915 @@
+ + + + + Schema documentation for oscal-core.xsd + + +
+ + + + + + + + + + + + + + + + +
+

Showing:

+ + + + + + + + + + + + + + + + + + + + + + + + + +
Annotations
Attributes
Diagrams
Instances
Model
Properties
Source
Used by
+
+
+
Main schema oscal-core.xsd
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Properties
+
+
+
+ + + + + + + + + +
attribute form defaultunqualified
element form defaultqualified
+
+
+
Element oscal:title
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Title</b>A fallback for display and navigation, exclusive of more specific properties
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#q
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+ +
Model
+
+ +
Childrenoscal:q
+
Instance
+
+
+
+ + + + +
<oscal:title xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:q>{0,unbounded}</oscal:q>
+</oscal:title>
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="title">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Title</b>A fallback for display and navigation, exclusive of more specific properties</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:sequence>
+      <xs:element minOccurs="0" maxOccurs="unbounded" ref="oscal:q"/>
+    </xs:sequence>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:q
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Quoted text</b>An inline segment to appear within quotation marks
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + + + + + +
Element Group oscal:inlines
Elements oscal:a, oscal:title
+
+
Model
+
+ +
Childrenoscal:b, oscal:i, oscal:sub, oscal:sup
+
Instance
+
+
+
+ + + + +
<oscal:q xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:i class="">{1,1}</oscal:i>
+  <oscal:b class="">{1,1}</oscal:b>
+  <oscal:sub class="">{1,1}</oscal:sub>
+  <oscal:sup class="">{1,1}</oscal:sup>
+</oscal:q>
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="q">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Quoted text</b>An inline segment to appear within quotation marks</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:element ref="oscal:i"/>
+      <xs:element ref="oscal:b"/>
+      <xs:element ref="oscal:sub"/>
+      <xs:element ref="oscal:sup"/>
+    </xs:choice>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:i
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Italics</b>Typographical shift to italics
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + + + + + +
Element Group oscal:inlines
Element oscal:q
+
+
Model
+
+ +
Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
+
Instance
+
+
+
+ + + + +
<oscal:i class="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:q>{1,1}</oscal:q>
+  <oscal:code class="">{1,1}</oscal:code>
+  <oscal:em class="">{1,1}</oscal:em>
+  <oscal:i class="">{1,1}</oscal:i>
+  <oscal:b class="">{1,1}</oscal:b>
+  <oscal:sub class="">{1,1}</oscal:sub>
+  <oscal:sup class="">{1,1}</oscal:sup>
+  <oscal:span class="">{1,1}</oscal:span>
+  <oscal:a href="">{1,1}</oscal:a>
+</oscal:i>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="i">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Italics</b>Typographical shift to italics</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:group ref="oscal:mix"/>
+      <xs:element ref="oscal:a"/>
+    </xs:choice>
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:code
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Code</b>Inline code
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + + + + + +
Element Group oscal:inlines
Element oscal:a
+
+
Model
+
+ +
Childrenoscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
+
Instance
+
+
+
+ + + + +
<oscal:code class="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:q>{1,1}</oscal:q>
+  <oscal:code class="">{1,1}</oscal:code>
+  <oscal:em class="">{1,1}</oscal:em>
+  <oscal:i class="">{1,1}</oscal:i>
+  <oscal:b class="">{1,1}</oscal:b>
+  <oscal:sub class="">{1,1}</oscal:sub>
+  <oscal:sup class="">{1,1}</oscal:sup>
+  <oscal:span class="">{1,1}</oscal:span>
+</oscal:code>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="code">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Code</b>Inline code</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:group ref="oscal:mix"/>
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:em
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Emphasis</b>Rhetorical emphasis as typically indicated by a font shift
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + +
Element Group oscal:inlines
+
+
Model
+
+ +
Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
+
Instance
+
+
+
+ + + + +
<oscal:em class="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:q>{1,1}</oscal:q>
+  <oscal:code class="">{1,1}</oscal:code>
+  <oscal:em class="">{1,1}</oscal:em>
+  <oscal:i class="">{1,1}</oscal:i>
+  <oscal:b class="">{1,1}</oscal:b>
+  <oscal:sub class="">{1,1}</oscal:sub>
+  <oscal:sup class="">{1,1}</oscal:sup>
+  <oscal:span class="">{1,1}</oscal:span>
+  <oscal:a href="">{1,1}</oscal:a>
+</oscal:em>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="em">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Emphasis</b>Rhetorical emphasis as typically indicated by a font shift</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:group ref="oscal:mix"/>
+      <xs:element ref="oscal:a"/>
+    </xs:choice>
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:a
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Anchor</b>An HTML-style anchor (inline linking element)
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#a_href + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#a_em
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + + + + + +
Elements oscal:b, oscal:citation, oscal:em, oscal:i, oscal:pre, oscal:span, oscal:std
Element Group oscal:whatnot
+
+
Model
+
+ +
Childrenoscal:code, oscal:em, oscal:q
+
Instance
+
+
+
+ + + + +
<oscal:a href="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:q>{1,1}</oscal:q>
+  <oscal:code class="">{1,1}</oscal:code>
+  <oscal:em class="">{1,1}</oscal:em>
+</oscal:a>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
hrefoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="a">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Anchor</b>An HTML-style anchor (inline linking element)</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:element ref="oscal:q"/>
+      <xs:element ref="oscal:code"/>
+      <xs:element name="em">
+        <xs:annotation>
+          <xs:documentation>
+            <b>Emphasis</b>Rhetorical emphasis as typically indicated by a font shift</xs:documentation>
+        </xs:annotation>
+        <xs:complexType mixed="true">
+          <xs:attributeGroup ref="oscal:optionalClass"/>
+        </xs:complexType>
+      </xs:element>
+    </xs:choice>
+    <xs:attribute name="href"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:a / oscal:em
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Emphasis</b>Rhetorical emphasis as typically indicated by a font shift
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#optionalClass
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
Model
+
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="em">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Emphasis</b>Rhetorical emphasis as typically indicated by a font shift</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:b
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Bold</b>Typographical shift to bold
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + + + + + +
Element Group oscal:inlines
Element oscal:q
+
+
Model
+
+ +
Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
+
Instance
+
+
+
+ + + + +
<oscal:b class="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:q>{1,1}</oscal:q>
+  <oscal:code class="">{1,1}</oscal:code>
+  <oscal:em class="">{1,1}</oscal:em>
+  <oscal:i class="">{1,1}</oscal:i>
+  <oscal:b class="">{1,1}</oscal:b>
+  <oscal:sub class="">{1,1}</oscal:sub>
+  <oscal:sup class="">{1,1}</oscal:sup>
+  <oscal:span class="">{1,1}</oscal:span>
+  <oscal:a href="">{1,1}</oscal:a>
+</oscal:b>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="b">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Bold</b>Typographical shift to bold</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:group ref="oscal:mix"/>
+      <xs:element ref="oscal:a"/>
+    </xs:choice>
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:sub
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Subscript</b>Subscripted text
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#optionalClass
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + + + + + +
Element Group oscal:inlines
Element oscal:q
+
+
Model
+
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="sub">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Subscript</b>Subscripted text</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:sup
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Superscript</b>Superscripted text
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#optionalClass
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + + + + + +
Element Group oscal:inlines
Element oscal:q
+
+
Model
+
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="sup">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Superscript</b>Superscripted text</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:span
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Span</b>Generic inline container
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + +
Element Group oscal:inlines
+
+
Model
+
+ +
Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
+
Instance
+
+
+
+ + + + +
<oscal:span class="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:q>{1,1}</oscal:q>
+  <oscal:code class="">{1,1}</oscal:code>
+  <oscal:em class="">{1,1}</oscal:em>
+  <oscal:i class="">{1,1}</oscal:i>
+  <oscal:b class="">{1,1}</oscal:b>
+  <oscal:sub class="">{1,1}</oscal:sub>
+  <oscal:sup class="">{1,1}</oscal:sup>
+  <oscal:span class="">{1,1}</oscal:span>
+  <oscal:a href="">{1,1}</oscal:a>
+</oscal:span>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="span">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Span</b>Generic inline container</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:group ref="oscal:mix"/>
+      <xs:element ref="oscal:a"/>
+    </xs:choice>
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:declarations
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Declarations</b>For extra-schema validation of data given within controls or framework components
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#declare-prop + oscal-core_xsd.tmp#declare-part + oscal-core_xsd.tmp#declare-p + oscal-core_xsd.tmp#declare-link + oscal-core_xsd.tmp#decls + oscal-core_xsd.tmp#hrefAttr
+
Typeextension of oscal:decls
Type hierarchy + +
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+ +
Model
+
+ +
Childrenoscal:declare-link, oscal:declare-p, oscal:declare-part, oscal:declare-prop
+
Instance
+
+
+
+ + + + +
<oscal:declarations href="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:declare-prop class="" context="">{1,1}</oscal:declare-prop>
+  <oscal:declare-part class="" context="">{1,1}</oscal:declare-part>
+  <oscal:declare-p class="" context="">{1,1}</oscal:declare-p>
+  <oscal:declare-link context="" rel="">{1,1}</oscal:declare-link>
+</oscal:declarations>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
hrefoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="declarations">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Declarations</b>For extra-schema validation of data given within controls or framework components</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:complexContent>
+      <xs:extension base="oscal:decls">
+        <xs:attributeGroup ref="oscal:hrefAttr"/>
+      </xs:extension>
+    </xs:complexContent>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:declare-prop
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Property declaration</b>Constraints applicable to a class or classes of<code xmlns="http://csrc.nist.gov/ns/oscal/1.0">prop</code>elements (properties) in
+context
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#requiredClass + oscal-core_xsd.tmp#contextAttr + oscal-core_xsd.tmp#singleton + oscal-core_xsd.tmp#required + oscal-core_xsd.tmp#identifier + oscal-core_xsd.tmp#regex + oscal-core_xsd.tmp#calc + oscal-core_xsd.tmp#value
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + + + + + +
Complex Type oscal:decls
Element oscal:declarations
+
+
Model
+
+ +
Childrenoscal:calc, oscal:identifier, oscal:regex, oscal:required, oscal:singleton, oscal:value
+
Instance
+
+
+
+ + + + +
<oscal:declare-prop class="" context="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:singleton>{0,1}</oscal:singleton>
+  <oscal:required>{0,1}</oscal:required>
+  <oscal:identifier>{0,1}</oscal:identifier>
+  <oscal:regex>{1,1}</oscal:regex>
+  <oscal:calc xml:space="">{0,unbounded}</oscal:calc>
+  <oscal:value>{0,unbounded}</oscal:value>
+</oscal:declare-prop>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
classrequired +
+
contextrequired +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="declare-prop">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Property declaration</b>Constraints applicable to a class or classes of
+      <code xmlns="http://csrc.nist.gov/ns/oscal/1.0">prop</code>elements (properties) in context</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element minOccurs="0" ref="oscal:singleton"/>
+      <xs:element minOccurs="0" ref="oscal:required"/>
+      <xs:element minOccurs="0" ref="oscal:identifier"/>
+      <xs:choice>
+        <xs:element ref="oscal:regex"/>
+        <xs:element minOccurs="0" maxOccurs="unbounded" ref="oscal:calc"/>
+        <xs:element minOccurs="0" maxOccurs="unbounded" ref="oscal:value"/>
+      </xs:choice>
+    </xs:sequence>
+    <xs:attributeGroup ref="oscal:requiredClass"/>
+    <xs:attributeGroup ref="oscal:contextAttr"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:singleton
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Singleton constraint</b>The declared component may occur only once in its context
+
+
+
+
Diagram
+
+
+
Diagram
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+ +
+
Source
+
+
+
+ + + + +
<xs:element name="singleton">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Singleton constraint</b>The declared component may occur only once in its context</xs:documentation>
+  </xs:annotation>
+  <xs:complexType/>
+</xs:element>
+
+
+
Element oscal:required
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Requirement constraint</b>The declared component is required in its context
+
+
+
+
Diagram
+
+
+
Diagram
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+ +
+
Source
+
+
+
+ + + + +
<xs:element name="required">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Requirement constraint</b>The declared component is required in its context</xs:documentation>
+  </xs:annotation>
+  <xs:complexType/>
+</xs:element>
+
+
+
Element oscal:identifier
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Identifier constraint</b>The declared component has a value unique within the document, among properties
+(<code xmlns="http://csrc.nist.gov/ns/oscal/1.0">prop</code>) with the same class
+
+
+
+
Diagram
+
+
+
Diagram
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:declare-prop
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="identifier">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Identifier constraint</b>The declared component has a value unique within the document, among properties (
+      <code xmlns="http://csrc.nist.gov/ns/oscal/1.0">prop</code>) with the same class</xs:documentation>
+  </xs:annotation>
+  <xs:complexType/>
+</xs:element>
+
+
+
Element oscal:regex
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Regular expression constraint</b>Indicates that the value of a property (<code xmlns="http://csrc.nist.gov/ns/oscal/1.0">prop</code>) or parameter
+(<code xmlns="http://csrc.nist.gov/ns/oscal/1.0">param</code>) must match the given regular expression
+
+
+
+
Diagram
+
+
+
Diagram
+
Typexs:string
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:declare-prop
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="regex" type="xs:string">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Regular expression constraint</b>Indicates that the value of a property (
+      <code xmlns="http://csrc.nist.gov/ns/oscal/1.0">prop</code>) or parameter (
+      <code xmlns="http://csrc.nist.gov/ns/oscal/1.0">param</code>) must match the given regular expression</xs:documentation>
+  </xs:annotation>
+</xs:element>
+
+
+
Element oscal:calc
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Calculated value constraint</b>Indicates a permissible value for a parameter or property, calculated dynamically
+
+
+
+
Diagram
+
+
+
Diagram + xml_xsd.tmp#space + oscal-core_xsd.tmp#inherit + oscal-core_xsd.tmp#autonum
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:declare-prop
+
+
Model
+
+ +
Childrenoscal:autonum, oscal:inherit
+
Instance
+
+
+
+ + + + +
<oscal:calc xml:space="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:inherit from="">{1,1}</oscal:inherit>
+  <oscal:autonum>{1,1}</oscal:autonum>
+</oscal:calc>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
xml:spacerestriction of xs:tokenoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="calc">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Calculated value constraint</b>Indicates a permissible value for a parameter or property, calculated dynamically</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:element ref="oscal:inherit"/>
+      <xs:element ref="oscal:autonum"/>
+    </xs:choice>
+    <xs:attribute ref="xml:space"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:inherit
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Inherited value</b>Indicates that a value or text within a value should be inherited from a property on a
+containing control object
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#inherit_from
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:calc
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
fromoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="inherit">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Inherited value</b>Indicates that a value or text within a value should be inherited from a property on a containing control object</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:attribute name="from"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:autonum
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Autonumbered (generated) value</b>Generates a formatted numeric value based on the position of a control object among its
+siblings, the text contents providing a template for the numbering format (arabic,
+alphabetic, roman, etc.)
+
+
+
+
Diagram
+
+
+
Diagram
+
Typexs:string
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:calc
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="autonum" type="xs:string">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Autonumbered (generated) value</b>Generates a formatted numeric value based on the position of a control object among its siblings, the text contents providing a template for the numbering format (arabic, alphabetic, roman, etc.)</xs:documentation>
+  </xs:annotation>
+</xs:element>
+
+
+
Element oscal:value
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Value constraint</b>Indicates a permissible value for a parameter or property
+
+
+
+
Diagram
+
+
+
Diagram
+
Typexs:string
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Elements oscal:declare-prop, oscal:param
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="value" type="xs:string">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Value constraint</b>Indicates a permissible value for a parameter or property</xs:documentation>
+  </xs:annotation>
+</xs:element>
+
+
+
Element oscal:declare-part
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Part declaration</b>Indicates constraints to be imposed on parts in context
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#requiredClass + oscal-core_xsd.tmp#contextAttr + oscal-core_xsd.tmp#singleton + oscal-core_xsd.tmp#required
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + + + + + +
Complex Type oscal:decls
Element oscal:declarations
+
+
Model
+
+ +
Childrenoscal:required, oscal:singleton
+
Instance
+
+
+
+ + + + +
<oscal:declare-part class="" context="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:singleton>{0,1}</oscal:singleton>
+  <oscal:required>{0,1}</oscal:required>
+</oscal:declare-part>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
classrequired +
+
contextrequired +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="declare-part">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Part declaration</b>Indicates constraints to be imposed on parts in context</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element minOccurs="0" ref="oscal:singleton"/>
+      <xs:element minOccurs="0" ref="oscal:required"/>
+    </xs:sequence>
+    <xs:attributeGroup ref="oscal:requiredClass"/>
+    <xs:attributeGroup ref="oscal:contextAttr"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:declare-p
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Paragraph declaration</b>Indicates constraints to be enforced on paragraphs in context
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#requiredClass + oscal-core_xsd.tmp#contextAttr + oscal-core_xsd.tmp#singleton + oscal-core_xsd.tmp#required
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + + + + + +
Complex Type oscal:decls
Element oscal:declarations
+
+
Model
+
+ +
Childrenoscal:required, oscal:singleton
+
Instance
+
+
+
+ + + + +
<oscal:declare-p class="" context="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:singleton>{0,1}</oscal:singleton>
+  <oscal:required>{0,1}</oscal:required>
+</oscal:declare-p>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
classrequired +
+
contextrequired +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="declare-p">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Paragraph declaration</b>Indicates constraints to be enforced on paragraphs in context</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element minOccurs="0" ref="oscal:singleton"/>
+      <xs:element minOccurs="0" ref="oscal:required"/>
+    </xs:sequence>
+    <xs:attributeGroup ref="oscal:requiredClass"/>
+    <xs:attributeGroup ref="oscal:contextAttr"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:declare-link
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+ +
+
Diagram
+
+
+ +
+
Properties
+
+
+ +
+
Used by
+
+
+ +
Model
+
+ +
Childrenoscal:required, oscal:singleton
+
Instance
+
+
+ +
+
Attributes
+
+
+ +
+
Source
+
+
+ +
+
Element oscal:section
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Section</b>For partitioning a catalog, collection, or section therein
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#section_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#ul + oscal-core_xsd.tmp#ol + oscal-core_xsd.tmp#p + oscal-core_xsd.tmp#pre + oscal-core_xsd.tmp#prose + oscal-core_xsd.tmp#section + oscal-core_xsd.tmp#group_group + oscal-core_xsd.tmp#group + oscal-core_xsd.tmp#references
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+ +
Model
+
+ +
Childrenoscal:group, oscal:ol, oscal:p, oscal:pre, oscal:references, oscal:section, oscal:title, oscal:ul
+
Instance
+
+
+
+ + + + +
<oscal:section class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:title>{1,1}</oscal:title>
+  <oscal:ul>{1,1}</oscal:ul>
+  <oscal:ol>{1,1}</oscal:ol>
+  <oscal:p class="" id="">{1,1}</oscal:p>
+  <oscal:pre id="">{1,1}</oscal:pre>
+  <oscal:section class="" id="">{1,1}</oscal:section>
+  <oscal:group class="" id="">{1,1}</oscal:group>
+  <oscal:references>{0,1}</oscal:references>
+</oscal:section>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
idxs:IDoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="section">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Section</b>For partitioning a catalog, collection, or section therein</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element ref="oscal:title"/>
+      <xs:group ref="oscal:prose"/>
+      <xs:choice minOccurs="0" maxOccurs="unbounded">
+        <xs:element ref="oscal:section"/>
+        <xs:group ref="oscal:group"/>
+      </xs:choice>
+      <xs:element minOccurs="0" ref="oscal:references"/>
+    </xs:sequence>
+    <xs:attribute name="id" type="xs:ID"/>
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:ul
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Unordered list</b>A series of items kept in order but without indicators of sequence; likely bulleted
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#li
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + + + + + +
Element oscal:li
Element Group oscal:prose
+
+
Model
+
+ +
Childrenoscal:li
+
Instance
+
+
+
+ + + + +
<oscal:ul xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:li class="" id="">{1,unbounded}</oscal:li>
+</oscal:ul>
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="ul">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Unordered list</b>A series of items kept in order but without indicators of sequence; likely bulleted</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element maxOccurs="unbounded" ref="oscal:li"/>
+    </xs:sequence>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:li
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>List item</b>An item demarcated with a bullet or numerator
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#li_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#withdrawn + oscal-core_xsd.tmp#insert + oscal-core_xsd.tmp#semantical + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a + oscal-core_xsd.tmp#whatnot + oscal-core_xsd.tmp#ol + oscal-core_xsd.tmp#ul
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + +
Elements oscal:ol, oscal:ul
+
+
Model
+
+ +
Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:insert, oscal:ol, oscal:q, oscal:span, oscal:sub, oscal:sup, oscal:ul, oscal:withdrawn
+
Instance
+
+
+
+ + + + +
<oscal:li class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:withdrawn>{1,1}</oscal:withdrawn>
+  <oscal:insert id="" param-id="">{1,1}</oscal:insert>
+  <oscal:q>{1,1}</oscal:q>
+  <oscal:code class="">{1,1}</oscal:code>
+  <oscal:em class="">{1,1}</oscal:em>
+  <oscal:i class="">{1,1}</oscal:i>
+  <oscal:b class="">{1,1}</oscal:b>
+  <oscal:sub class="">{1,1}</oscal:sub>
+  <oscal:sup class="">{1,1}</oscal:sup>
+  <oscal:span class="">{1,1}</oscal:span>
+  <oscal:a href="">{1,1}</oscal:a>
+  <oscal:ol>{1,1}</oscal:ol>
+  <oscal:ul>{1,1}</oscal:ul>
+</oscal:li>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
idxs:IDoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="li">
+  <xs:annotation>
+    <xs:documentation>
+      <b>List item</b>An item demarcated with a bullet or numerator</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:group ref="oscal:whatnot"/>
+      <xs:element ref="oscal:ol"/>
+      <xs:element ref="oscal:ul"/>
+    </xs:choice>
+    <xs:attribute name="id" type="xs:ID"/>
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:withdrawn
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Withdrawn</b>Indicates that a containing control or subcontrol is no longer applicable
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + +
Element Group oscal:semantical
+
+
Model
+
+ +
Childrenoscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
+
Instance
+
+
+
+ + + + +
<oscal:withdrawn xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:q>{1,1}</oscal:q>
+  <oscal:code class="">{1,1}</oscal:code>
+  <oscal:em class="">{1,1}</oscal:em>
+  <oscal:i class="">{1,1}</oscal:i>
+  <oscal:b class="">{1,1}</oscal:b>
+  <oscal:sub class="">{1,1}</oscal:sub>
+  <oscal:sup class="">{1,1}</oscal:sup>
+  <oscal:span class="">{1,1}</oscal:span>
+</oscal:withdrawn>
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="withdrawn">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Withdrawn</b>Indicates that a containing control or subcontrol is no longer applicable</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:group minOccurs="0" maxOccurs="unbounded" ref="oscal:inlines"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:insert
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Parameter insertion</b>A<q xmlns="http://csrc.nist.gov/ns/oscal/1.0">call</q>(reference) to a parameter for dynamic content transclusion
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#insert_id + oscal-core_xsd.tmp#insert_param-id
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + +
Element Group oscal:semantical
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
idxs:IDoptional +
+
param-idxs:IDREFrequired +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="insert">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Parameter insertion</b>A
+      <q xmlns="http://csrc.nist.gov/ns/oscal/1.0">call</q>(reference) to a parameter for dynamic content transclusion</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:attribute name="id" type="xs:ID"/>
+    <xs:attribute name="param-id" use="required" type="xs:IDREF"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:ol
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Ordered List</b>Appears with numbering in ordinal position
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#li
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + + + + + +
Element oscal:li
Element Group oscal:prose
+
+
Model
+
+ +
Childrenoscal:li
+
Instance
+
+
+
+ + + + +
<oscal:ol xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:li class="" id="">{1,unbounded}</oscal:li>
+</oscal:ol>
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="ol">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Ordered List</b>Appears with numbering in ordinal position</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element maxOccurs="unbounded" ref="oscal:li"/>
+    </xs:sequence>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:p
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Paragraph</b>Running text: a paragraph or paragraph fragment
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#p_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#withdrawn + oscal-core_xsd.tmp#insert + oscal-core_xsd.tmp#semantical + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a + oscal-core_xsd.tmp#whatnot
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + +
Element Group oscal:prose
+
+
Model
+
+ +
Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:insert, oscal:q, oscal:span, oscal:sub, oscal:sup, oscal:withdrawn
+
Instance
+
+
+
+ + + + +
<oscal:p class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:withdrawn>{1,1}</oscal:withdrawn>
+  <oscal:insert id="" param-id="">{1,1}</oscal:insert>
+  <oscal:q>{1,1}</oscal:q>
+  <oscal:code class="">{1,1}</oscal:code>
+  <oscal:em class="">{1,1}</oscal:em>
+  <oscal:i class="">{1,1}</oscal:i>
+  <oscal:b class="">{1,1}</oscal:b>
+  <oscal:sub class="">{1,1}</oscal:sub>
+  <oscal:sup class="">{1,1}</oscal:sup>
+  <oscal:span class="">{1,1}</oscal:span>
+  <oscal:a href="">{1,1}</oscal:a>
+</oscal:p>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
idxs:IDoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="p">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Paragraph</b>Running text: a paragraph or paragraph fragment</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:group ref="oscal:whatnot"/>
+    <xs:attribute name="id" type="xs:ID"/>
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:pre
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Preformatted text</b>Retains whitespace in display
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#pre_id + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + +
Element Group oscal:prose
+
+
Model
+
+ +
Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
+
Instance
+
+
+
+ + + + +
<oscal:pre id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:q>{1,1}</oscal:q>
+  <oscal:code class="">{1,1}</oscal:code>
+  <oscal:em class="">{1,1}</oscal:em>
+  <oscal:i class="">{1,1}</oscal:i>
+  <oscal:b class="">{1,1}</oscal:b>
+  <oscal:sub class="">{1,1}</oscal:sub>
+  <oscal:sup class="">{1,1}</oscal:sup>
+  <oscal:span class="">{1,1}</oscal:span>
+  <oscal:a href="">{1,1}</oscal:a>
+</oscal:pre>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
idxs:IDoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="pre">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Preformatted text</b>Retains whitespace in display</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:group ref="oscal:mix"/>
+      <xs:element ref="oscal:a"/>
+    </xs:choice>
+    <xs:attribute name="id" type="xs:ID"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:group / oscal:group
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Group</b>Related controls or groups (of controls or groups)
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#group_group_group_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#prop + oscal-core_xsd.tmp#part + oscal-core_xsd.tmp#anyKindofPart + oscal-core_xsd.tmp#link + oscal-core_xsd.tmp#param + oscal-core_xsd.tmp#control-components + oscal-core_xsd.tmp#group_group + oscal-core_xsd.tmp#group + oscal-core_xsd.tmp#control + oscal-core_xsd.tmp#references
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
Model
+
+ +
Childrenoscal:control, oscal:group, oscal:link, oscal:param, oscal:part, oscal:prop, oscal:references, oscal:title
+
Instance
+
+
+
+ + + + +
<oscal:group class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:title>{0,1}</oscal:title>
+  <oscal:prop class="">{1,1}</oscal:prop>
+  <oscal:part class="" id="">{0,unbounded}</oscal:part>
+  <oscal:link href="" rel="">{1,1}</oscal:link>
+  <oscal:param class="" id="">{1,1}</oscal:param>
+  <oscal:group class="" id="">{1,1}</oscal:group>
+  <oscal:control class="" id="">{1,1}</oscal:control>
+  <oscal:references>{0,1}</oscal:references>
+</oscal:group>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
idxs:IDoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="group">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Group</b>Related controls or groups (of controls or groups)</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element minOccurs="0" ref="oscal:title"/>
+      <xs:group ref="oscal:control-components"/>
+      <xs:choice maxOccurs="unbounded">
+        <xs:group ref="oscal:group"/>
+        <xs:element ref="oscal:control"/>
+      </xs:choice>
+      <xs:element minOccurs="0" ref="oscal:references"/>
+    </xs:sequence>
+    <xs:attribute name="id" type="xs:ID"/>
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:prop
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Property</b>A value with a name, attributed to the containing control, subcontrol, component, part,
+or group
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#requiredClass
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + + + + + +
Element Group oscal:control-components
Elements oscal:category/oscal:group, oscal:component
+
+
Model
+
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
classrequired +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="prop">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Property</b>A value with a name, attributed to the containing control, subcontrol, component, part, or group</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:attributeGroup ref="oscal:requiredClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:part
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Part</b>A partition,<q xmlns="http://csrc.nist.gov/ns/oscal/1.0">piece</q>or section of a control, subcontrol, component or part
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#part_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#ul + oscal-core_xsd.tmp#ol + oscal-core_xsd.tmp#p + oscal-core_xsd.tmp#pre + oscal-core_xsd.tmp#prose + oscal-core_xsd.tmp#prop + oscal-core_xsd.tmp#part + oscal-core_xsd.tmp#anyKindofPart + oscal-core_xsd.tmp#link + oscal-core_xsd.tmp#param + oscal-core_xsd.tmp#control-components
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + + + + + +
Element Group oscal:anyKindofPart
Element oscal:component
+
+
Model
+
+ +
Childrenoscal:link, oscal:ol, oscal:p, oscal:param, oscal:part, oscal:pre, oscal:prop, oscal:title, oscal:ul
+
Instance
+
+
+
+ + + + +
<oscal:part class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:title>{0,1}</oscal:title>
+  <oscal:ul>{1,1}</oscal:ul>
+  <oscal:ol>{1,1}</oscal:ol>
+  <oscal:p class="" id="">{1,1}</oscal:p>
+  <oscal:pre id="">{1,1}</oscal:pre>
+  <oscal:prop class="">{1,1}</oscal:prop>
+  <oscal:part class="" id="">{0,unbounded}</oscal:part>
+  <oscal:link href="" rel="">{1,1}</oscal:link>
+  <oscal:param class="" id="">{1,1}</oscal:param>
+</oscal:part>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
idxs:IDoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="part">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Part</b>A partition,
+      <q xmlns="http://csrc.nist.gov/ns/oscal/1.0">piece</q>or section of a control, subcontrol, component or part</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element minOccurs="0" ref="oscal:title"/>
+      <xs:choice minOccurs="0" maxOccurs="unbounded">
+        <xs:group ref="oscal:prose"/>
+        <xs:group ref="oscal:control-components"/>
+      </xs:choice>
+    </xs:sequence>
+    <xs:attribute name="id" type="xs:ID"/>
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:link
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+ +
+
Diagram
+
+
+ +
+
Properties
+
+
+ +
+
Used by
+
+
+ +
Model
+
+ +
Childrenoscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
+
Instance
+
+
+ +
+
Attributes
+
+
+ +
+
Source
+
+
+ +
+
Element oscal:param
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Parameter</b>A parameter setting, to be propagated to points of insertion
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#param_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#desc + oscal-core_xsd.tmp#value
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + + + + + +
Element Group oscal:control-components
Element oscal:component
+
+
Model
+
+ +
Childrenoscal:desc, oscal:value
+
Instance
+
+
+
+ + + + +
<oscal:param class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:desc>{1,1}</oscal:desc>
+  <oscal:value>{1,1}</oscal:value>
+</oscal:param>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
idxs:IDoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="param">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Parameter</b>A parameter setting, to be propagated to points of insertion</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element ref="oscal:desc"/>
+      <xs:element ref="oscal:value"/>
+    </xs:sequence>
+    <xs:attribute name="id" type="xs:ID"/>
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:desc
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Parameter description</b>Indicates and explains the purpose and use of a parameter
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:param
+
+
Model
+
+ +
Childrenoscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
+
Instance
+
+
+
+ + + + +
<oscal:desc xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:q>{1,1}</oscal:q>
+  <oscal:code class="">{1,1}</oscal:code>
+  <oscal:em class="">{1,1}</oscal:em>
+  <oscal:i class="">{1,1}</oscal:i>
+  <oscal:b class="">{1,1}</oscal:b>
+  <oscal:sub class="">{1,1}</oscal:sub>
+  <oscal:sup class="">{1,1}</oscal:sup>
+  <oscal:span class="">{1,1}</oscal:span>
+</oscal:desc>
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="desc">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Parameter description</b>Indicates and explains the purpose and use of a parameter</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:group ref="oscal:mix"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:control
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Control</b>A structured information object representing a security control
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#control_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#prop + oscal-core_xsd.tmp#part + oscal-core_xsd.tmp#anyKindofPart + oscal-core_xsd.tmp#link + oscal-core_xsd.tmp#param + oscal-core_xsd.tmp#control-components + oscal-core_xsd.tmp#subcontrol + oscal-core_xsd.tmp#references
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + + + + + +
Element oscal:group/oscal:group
Complex Type oscal:catalog-contents
+
+
Model
+
+ +
Childrenoscal:link, oscal:param, oscal:part, oscal:prop, oscal:references, oscal:subcontrol, oscal:title
+
Instance
+
+
+
+ + + + +
<oscal:control class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:title>{0,1}</oscal:title>
+  <oscal:prop class="">{1,1}</oscal:prop>
+  <oscal:part class="" id="">{0,unbounded}</oscal:part>
+  <oscal:link href="" rel="">{1,1}</oscal:link>
+  <oscal:param class="" id="">{1,1}</oscal:param>
+  <oscal:subcontrol class="" id="">{1,1}</oscal:subcontrol>
+  <oscal:references>{0,1}</oscal:references>
+</oscal:control>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
idxs:IDoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="control">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Control</b>A structured information object representing a security control</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element minOccurs="0" ref="oscal:title"/>
+      <xs:choice minOccurs="0" maxOccurs="unbounded">
+        <xs:group ref="oscal:control-components"/>
+        <xs:element ref="oscal:subcontrol"/>
+      </xs:choice>
+      <xs:element minOccurs="0" ref="oscal:references"/>
+    </xs:sequence>
+    <xs:attribute name="id" type="xs:ID"/>
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:subcontrol
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Control extension</b>An associated or dependent control object; an enhancement to a control
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#subcontrol_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#prop + oscal-core_xsd.tmp#part + oscal-core_xsd.tmp#anyKindofPart + oscal-core_xsd.tmp#link + oscal-core_xsd.tmp#param + oscal-core_xsd.tmp#control-components + oscal-core_xsd.tmp#references
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:control
+
+
Model
+
+ +
Childrenoscal:link, oscal:param, oscal:part, oscal:prop, oscal:references, oscal:title
+
Instance
+
+
+
+ + + + +
<oscal:subcontrol class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:title>{0,1}</oscal:title>
+  <oscal:prop class="">{1,1}</oscal:prop>
+  <oscal:part class="" id="">{0,unbounded}</oscal:part>
+  <oscal:link href="" rel="">{1,1}</oscal:link>
+  <oscal:param class="" id="">{1,1}</oscal:param>
+  <oscal:references>{0,1}</oscal:references>
+</oscal:subcontrol>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
idxs:IDoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="subcontrol">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Control extension</b>An associated or dependent control object; an enhancement to a control</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element minOccurs="0" ref="oscal:title"/>
+      <xs:group ref="oscal:control-components"/>
+      <xs:element minOccurs="0" ref="oscal:references"/>
+    </xs:sequence>
+    <xs:attribute name="id" type="xs:ID"/>
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:references
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>References</b>A group of reference descriptions
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#ref
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+ +
Model
+
+ +
Childrenoscal:ref
+
Instance
+
+
+
+ + + + +
<oscal:references xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:ref id="">{1,unbounded}</oscal:ref>
+</oscal:references>
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="references">
+  <xs:annotation>
+    <xs:documentation>
+      <b>References</b>A group of reference descriptions</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element maxOccurs="unbounded" ref="oscal:ref"/>
+    </xs:sequence>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:ref
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Reference</b>A reference, with one or more citations to standards, related documents, or other
+resources
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#ref_id + oscal-core_xsd.tmp#std + oscal-core_xsd.tmp#citation + oscal-core_xsd.tmp#ul + oscal-core_xsd.tmp#ol + oscal-core_xsd.tmp#p + oscal-core_xsd.tmp#pre + oscal-core_xsd.tmp#prose
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:references
+
+
Model
+
+ +
Childrenoscal:citation, oscal:ol, oscal:p, oscal:pre, oscal:std, oscal:ul
+
Instance
+
+
+
+ + + + +
<oscal:ref id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:std href="">{1,1}</oscal:std>
+  <oscal:citation href="">{1,1}</oscal:citation>
+  <oscal:ul>{1,1}</oscal:ul>
+  <oscal:ol>{1,1}</oscal:ol>
+  <oscal:p class="" id="">{1,1}</oscal:p>
+  <oscal:pre id="">{1,1}</oscal:pre>
+</oscal:ref>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
idxs:IDoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="ref">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Reference</b>A reference, with one or more citations to standards, related documents, or other resources</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:element ref="oscal:std"/>
+      <xs:element ref="oscal:citation"/>
+      <xs:group ref="oscal:prose"/>
+    </xs:choice>
+    <xs:attribute name="id" type="xs:ID"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:std
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Standard</b>Citation of a formal published standard
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#std_href + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:ref
+
+
Model
+
+ +
Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
+
Instance
+
+
+
+ + + + +
<oscal:std href="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:q>{1,1}</oscal:q>
+  <oscal:code class="">{1,1}</oscal:code>
+  <oscal:em class="">{1,1}</oscal:em>
+  <oscal:i class="">{1,1}</oscal:i>
+  <oscal:b class="">{1,1}</oscal:b>
+  <oscal:sub class="">{1,1}</oscal:sub>
+  <oscal:sup class="">{1,1}</oscal:sup>
+  <oscal:span class="">{1,1}</oscal:span>
+  <oscal:a href="">{1,1}</oscal:a>
+</oscal:std>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
hrefxs:anyURIoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="std">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Standard</b>Citation of a formal published standard</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:group ref="oscal:mix"/>
+      <xs:element ref="oscal:a"/>
+    </xs:choice>
+    <xs:attribute name="href" type="xs:anyURI"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:citation
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Citation</b>Citation of a resource
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#citation_href + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
mixedtrue
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:ref
+
+
Model
+
+ +
Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
+
Instance
+
+
+
+ + + + +
<oscal:citation href="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:q>{1,1}</oscal:q>
+  <oscal:code class="">{1,1}</oscal:code>
+  <oscal:em class="">{1,1}</oscal:em>
+  <oscal:i class="">{1,1}</oscal:i>
+  <oscal:b class="">{1,1}</oscal:b>
+  <oscal:sub class="">{1,1}</oscal:sub>
+  <oscal:sup class="">{1,1}</oscal:sup>
+  <oscal:span class="">{1,1}</oscal:span>
+  <oscal:a href="">{1,1}</oscal:a>
+</oscal:citation>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
hrefxs:anyURIoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="citation">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Citation</b>Citation of a resource</xs:documentation>
+  </xs:annotation>
+  <xs:complexType mixed="true">
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:group ref="oscal:mix"/>
+      <xs:element ref="oscal:a"/>
+    </xs:choice>
+    <xs:attribute name="href" type="xs:anyURI"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:category / oscal:group
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Group</b>Related controls or groups (of controls or groups)
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#category_category_group_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#prop + oscal-core_xsd.tmp#link + oscal-core_xsd.tmp#ul + oscal-core_xsd.tmp#ol + oscal-core_xsd.tmp#p + oscal-core_xsd.tmp#pre + oscal-core_xsd.tmp#prose + oscal-core_xsd.tmp#category_group + oscal-core_xsd.tmp#category + oscal-core_xsd.tmp#component
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
Model
+
+ +
Childrenoscal:component, oscal:group, oscal:link, oscal:ol, oscal:p, oscal:pre, oscal:prop, oscal:title, oscal:ul
+
Instance
+
+
+
+ + + + +
<oscal:group class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:title>{0,1}</oscal:title>
+  <oscal:prop class="">{1,1}</oscal:prop>
+  <oscal:link href="" rel="">{1,1}</oscal:link>
+  <oscal:ul>{1,1}</oscal:ul>
+  <oscal:ol>{1,1}</oscal:ol>
+  <oscal:p class="" id="">{1,1}</oscal:p>
+  <oscal:pre id="">{1,1}</oscal:pre>
+  <oscal:group class="" id="">{1,1}</oscal:group>
+  <oscal:component class="" id="">{1,unbounded}</oscal:component>
+</oscal:group>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
idxs:IDoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="group">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Group</b>Related controls or groups (of controls or groups)</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element minOccurs="0" ref="oscal:title"/>
+      <xs:choice minOccurs="0" maxOccurs="unbounded">
+        <xs:element ref="oscal:prop"/>
+        <xs:element ref="oscal:link"/>
+        <xs:group ref="oscal:prose"/>
+      </xs:choice>
+      <xs:choice>
+        <xs:group maxOccurs="unbounded" ref="oscal:category"/>
+        <xs:element maxOccurs="unbounded" ref="oscal:component"/>
+      </xs:choice>
+    </xs:sequence>
+    <xs:attribute name="id" type="xs:ID"/>
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:component
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Framework component</b>Within a framework, a structured information object typically referencing one or more
+security controls
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#component_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#param + oscal-core_xsd.tmp#prop + oscal-core_xsd.tmp#link + oscal-core_xsd.tmp#ul + oscal-core_xsd.tmp#ol + oscal-core_xsd.tmp#p + oscal-core_xsd.tmp#pre + oscal-core_xsd.tmp#prose + oscal-core_xsd.tmp#part + oscal-core_xsd.tmp#component
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+ +
Model
+
+ +
Childrenoscal:component, oscal:link, oscal:ol, oscal:p, oscal:param, oscal:part, oscal:pre, oscal:prop, oscal:title, oscal:ul
+
Instance
+
+
+
+ + + + +
<oscal:component class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:title>{0,1}</oscal:title>
+  <oscal:param class="" id="">{1,1}</oscal:param>
+  <oscal:prop class="">{1,1}</oscal:prop>
+  <oscal:link href="" rel="">{1,1}</oscal:link>
+  <oscal:ul>{1,1}</oscal:ul>
+  <oscal:ol>{1,1}</oscal:ol>
+  <oscal:p class="" id="">{1,1}</oscal:p>
+  <oscal:pre id="">{1,1}</oscal:pre>
+  <oscal:part class="" id="">{1,1}</oscal:part>
+  <oscal:component class="" id="">{0,unbounded}</oscal:component>
+</oscal:component>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
idxs:IDoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="component">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Framework component</b>Within a framework, a structured information object typically referencing one or more security controls</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element minOccurs="0" ref="oscal:title"/>
+      <xs:choice minOccurs="0" maxOccurs="unbounded">
+        <xs:element ref="oscal:param"/>
+        <xs:element ref="oscal:prop"/>
+        <xs:element ref="oscal:link"/>
+        <xs:group ref="oscal:prose"/>
+        <xs:element ref="oscal:part"/>
+      </xs:choice>
+      <xs:element minOccurs="0" maxOccurs="unbounded" ref="oscal:component"/>
+    </xs:sequence>
+    <xs:attribute name="id" type="xs:ID"/>
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:catalog
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Catalog</b>A (canonical) control catalog: a structured set of security controls
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#declarations + oscal-core_xsd.tmp#section + oscal-core_xsd.tmp#group_group + oscal-core_xsd.tmp#group + oscal-core_xsd.tmp#control + oscal-core_xsd.tmp#references + oscal-core_xsd.tmp#catalog-contents
+
Typeoscal:catalog-contents
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
Model
+
+ +
Childrenoscal:control, oscal:declarations, oscal:group, oscal:references, oscal:section, oscal:title
+
Instance
+
+
+
+ + + + +
<oscal:catalog xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:title>{1,1}</oscal:title>
+  <oscal:declarations href="">{0,1}</oscal:declarations>
+  <oscal:section class="" id="">{1,1}</oscal:section>
+  <oscal:group class="" id="">{1,1}</oscal:group>
+  <oscal:control class="" id="">{1,1}</oscal:control>
+  <oscal:references>{0,1}</oscal:references>
+</oscal:catalog>
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="catalog" type="oscal:catalog-contents">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Catalog</b>A (canonical) control catalog: a structured set of security controls</xs:documentation>
+  </xs:annotation>
+</xs:element>
+
+
+
Element oscal:framework
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Framework</b>A collection of components for formal reference into and among control catalogs
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#declarations + oscal-core_xsd.tmp#section + oscal-core_xsd.tmp#category_group + oscal-core_xsd.tmp#category + oscal-core_xsd.tmp#component + oscal-core_xsd.tmp#references + oscal-core_xsd.tmp#framework-contents + oscal-core_xsd.tmp#framework_id + oscal-core_xsd.tmp#optionalClass
+
Typeextension of oscal:framework-contents
Type hierarchy + +
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
Model
+
+ +
Childrenoscal:component, oscal:declarations, oscal:group, oscal:references, oscal:section, oscal:title
+
Instance
+
+
+
+ + + + +
<oscal:framework class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:title>{1,1}</oscal:title>
+  <oscal:declarations href="">{0,1}</oscal:declarations>
+  <oscal:section class="" id="">{1,1}</oscal:section>
+  <oscal:group class="" id="">{1,1}</oscal:group>
+  <oscal:component class="" id="">{1,1}</oscal:component>
+  <oscal:references>{0,1}</oscal:references>
+</oscal:framework>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
idxs:IDoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="framework">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Framework</b>A collection of components for formal reference into and among control catalogs</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:complexContent>
+      <xs:extension base="oscal:framework-contents">
+        <xs:attribute name="id" type="xs:ID"/>
+        <xs:attributeGroup ref="oscal:optionalClass"/>
+      </xs:extension>
+    </xs:complexContent>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:worksheet
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Worksheet</b>An arbitrary, working collection of components
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#declarations + oscal-core_xsd.tmp#section + oscal-core_xsd.tmp#category_group + oscal-core_xsd.tmp#category + oscal-core_xsd.tmp#component + oscal-core_xsd.tmp#references + oscal-core_xsd.tmp#worksheet-contents + oscal-core_xsd.tmp#worksheet_id + oscal-core_xsd.tmp#optionalClass
+
Typeextension of oscal:worksheet-contents
Type hierarchy + +
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
Model
+
+ +
Childrenoscal:component, oscal:declarations, oscal:group, oscal:references, oscal:section, oscal:title
+
Instance
+
+
+
+ + + + +
<oscal:worksheet class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:title>{1,1}</oscal:title>
+  <oscal:declarations href="">{0,1}</oscal:declarations>
+  <oscal:section class="" id="">{1,1}</oscal:section>
+  <oscal:group class="" id="">{1,1}</oscal:group>
+  <oscal:component class="" id="">{1,1}</oscal:component>
+  <oscal:references>{0,1}</oscal:references>
+</oscal:worksheet>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
idxs:IDoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="worksheet">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Worksheet</b>An arbitrary, working collection of components</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:complexContent>
+      <xs:extension base="oscal:worksheet-contents">
+        <xs:attribute name="id" type="xs:ID"/>
+        <xs:attributeGroup ref="oscal:optionalClass"/>
+      </xs:extension>
+    </xs:complexContent>
+  </xs:complexType>
+</xs:element>
+
+
+
Complex Type oscal:catalog-contents
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#declarations + oscal-core_xsd.tmp#section + oscal-core_xsd.tmp#group_group + oscal-core_xsd.tmp#group + oscal-core_xsd.tmp#control + oscal-core_xsd.tmp#references
+
+
Used by
+
+
+
+ + + + + +
Element oscal:catalog
+
+
Model
+
+ +
Childrenoscal:control, oscal:declarations, oscal:group, oscal:references, oscal:section, oscal:title
+
Source
+
+
+
+ + + + +
<xs:complexType name="catalog-contents">
+  <xs:sequence>
+    <xs:element ref="oscal:title"/>
+    <xs:element minOccurs="0" ref="oscal:declarations"/>
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:element ref="oscal:section"/>
+      <xs:group ref="oscal:group"/>
+      <xs:element ref="oscal:control"/>
+    </xs:choice>
+    <xs:element minOccurs="0" ref="oscal:references"/>
+  </xs:sequence>
+</xs:complexType>
+
+
+
Complex Type oscal:decls
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#declare-prop + oscal-core_xsd.tmp#declare-part + oscal-core_xsd.tmp#declare-p + oscal-core_xsd.tmp#declare-link
+
+
Used by
+
+
+
+ + + + + +
Element oscal:declarations
+
+
Model
+
+ +
Childrenoscal:declare-link, oscal:declare-p, oscal:declare-part, oscal:declare-prop
+
Source
+
+
+
+ + + + +
<xs:complexType name="decls">
+  <xs:choice minOccurs="0" maxOccurs="unbounded">
+    <xs:element ref="oscal:declare-prop"/>
+    <xs:element ref="oscal:declare-part"/>
+    <xs:element ref="oscal:declare-p"/>
+    <xs:element ref="oscal:declare-link"/>
+  </xs:choice>
+</xs:complexType>
+
+
+
Complex Type oscal:framework-contents
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#declarations + oscal-core_xsd.tmp#section + oscal-core_xsd.tmp#category_group + oscal-core_xsd.tmp#category + oscal-core_xsd.tmp#component + oscal-core_xsd.tmp#references
+
+
Used by
+
+
+
+ + + + + +
Element oscal:framework
+
+
Model
+
+ +
Childrenoscal:component, oscal:declarations, oscal:group, oscal:references, oscal:section, oscal:title
+
Source
+
+
+
+ + + + +
<xs:complexType name="framework-contents">
+  <xs:sequence>
+    <xs:element ref="oscal:title"/>
+    <xs:element minOccurs="0" ref="oscal:declarations"/>
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:element ref="oscal:section"/>
+      <xs:group ref="oscal:category"/>
+      <xs:element ref="oscal:component"/>
+    </xs:choice>
+    <xs:element minOccurs="0" ref="oscal:references"/>
+  </xs:sequence>
+</xs:complexType>
+
+
+
Complex Type oscal:worksheet-contents
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#declarations + oscal-core_xsd.tmp#section + oscal-core_xsd.tmp#category_group + oscal-core_xsd.tmp#category + oscal-core_xsd.tmp#component + oscal-core_xsd.tmp#references
+
+
Used by
+
+
+
+ + + + + +
Element oscal:worksheet
+
+
Model
+
+ +
Childrenoscal:component, oscal:declarations, oscal:group, oscal:references, oscal:section, oscal:title
+
Source
+
+
+
+ + + + +
<xs:complexType name="worksheet-contents">
+  <xs:sequence>
+    <xs:element ref="oscal:title"/>
+    <xs:element minOccurs="0" ref="oscal:declarations"/>
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:element ref="oscal:section"/>
+      <xs:group ref="oscal:category"/>
+      <xs:element ref="oscal:component"/>
+    </xs:choice>
+    <xs:element minOccurs="0" ref="oscal:references"/>
+  </xs:sequence>
+</xs:complexType>
+
+
+
Attribute oscal:optionalClass / @class
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + +
NamespaceNo namespace
+
Used by
+
+
+
+ + + + + +
Attribute Group oscal:optionalClass
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="class"/>
+
+
+
Attribute oscal:a / @href
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + +
NamespaceNo namespace
+
Used by
+
+
+
+ + + + + +
Element oscal:a
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="href"/>
+
+
+
Attribute oscal:inherit / @from
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + +
NamespaceNo namespace
+
Used by
+
+
+
+ + + + + +
Element oscal:inherit
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="from"/>
+
+
+
Attribute oscal:requiredClass / @class
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
+
Properties
+
+
+
+ + + + + +
userequired
+
+
+
Used by
+
+
+
+ + + + + +
Attribute Group oscal:requiredClass
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="class" use="required"/>
+
+
+
Attribute oscal:contextAttr / @context
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
+
Properties
+
+
+
+ + + + + +
userequired
+
+
+
Used by
+
+
+
+ + + + + +
Attribute Group oscal:contextAttr
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="context" use="required"/>
+
+
+
Attribute oscal:relAttr / @rel
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + +
NamespaceNo namespace
+
Used by
+
+
+
+ + + + + +
Attribute Group oscal:relAttr
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="rel"/>
+
+
+
Attribute oscal:hrefAttr / @href
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + +
NamespaceNo namespace
+
Used by
+
+
+
+ + + + + +
Attribute Group oscal:hrefAttr
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="href"/>
+
+
+
Attribute oscal:insert / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:insert
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" type="xs:ID"/>
+
+
+
Attribute oscal:insert / @param-id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:IDREF
+
Properties
+
+
+
+ + + + + +
userequired
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:insert
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="param-id" use="required" type="xs:IDREF"/>
+
+
+
Attribute oscal:li / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:li
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" type="xs:ID"/>
+
+
+
Attribute oscal:whatnot / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:p
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" type="xs:ID"/>
+
+
+
Attribute oscal:p / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" type="xs:ID"/>
+
+
+
Attribute oscal:pre / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:pre
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" type="xs:ID"/>
+
+
+
Attribute oscal:part / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:part
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" type="xs:ID"/>
+
+
+
Attribute oscal:param / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:param
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" type="xs:ID"/>
+
+
+
Attribute oscal:std / @href
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:anyURI
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:std
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="href" type="xs:anyURI"/>
+
+
+
Attribute oscal:citation / @href
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:anyURI
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:citation
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="href" type="xs:anyURI"/>
+
+
+
Attribute oscal:ref / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:ref
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" type="xs:ID"/>
+
+
+
Attribute oscal:subcontrol / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:subcontrol
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" type="xs:ID"/>
+
+
+
Attribute oscal:control / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:control
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" type="xs:ID"/>
+
+
+
Attribute oscal:group / oscal:group / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:group/oscal:group
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" type="xs:ID"/>
+
+
+
Attribute oscal:section / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:section
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" type="xs:ID"/>
+
+
+
Attribute oscal:component / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:component
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" type="xs:ID"/>
+
+
+
Attribute oscal:category / oscal:group / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:category/oscal:group
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" type="xs:ID"/>
+
+
+
Attribute oscal:framework / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:framework
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" type="xs:ID"/>
+
+
+
Attribute oscal:worksheet / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:worksheet
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" type="xs:ID"/>
+
+
+
Attribute oscal:idAttr / @id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:ID
+
Properties
+
+
+
+ + + + + +
userequired
+
+
+
Used by
+
+
+
+ + + + + +
Attribute Group oscal:idAttr
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="id" use="required" type="xs:ID"/>
+
+
+
Element Group oscal:mix
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines
+
+
Used by
+
+
+ +
Model
+
+ +
Childrenoscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
+
Source
+
+
+
+ + + + +
<xs:group name="mix">
+  <xs:sequence>
+    <xs:group minOccurs="0" maxOccurs="unbounded" ref="oscal:inlines"/>
+  </xs:sequence>
+</xs:group>
+
+
+
Element Group oscal:inlines
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span
+
+
Used by
+
+
+
+ + + + + + + + + +
Element Group oscal:mix
Element oscal:withdrawn
+
+
Model
+
+ +
Childrenoscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
+
Source
+
+
+
+ + + + +
<xs:group name="inlines">
+  <xs:sequence>
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:element ref="oscal:q"/>
+      <xs:element ref="oscal:code"/>
+      <xs:element ref="oscal:em"/>
+      <xs:element ref="oscal:i"/>
+      <xs:element ref="oscal:b"/>
+      <xs:element ref="oscal:sub"/>
+      <xs:element ref="oscal:sup"/>
+      <xs:element ref="oscal:span"/>
+    </xs:choice>
+  </xs:sequence>
+</xs:group>
+
+
+
Element Group oscal:prose
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#ul + oscal-core_xsd.tmp#ol + oscal-core_xsd.tmp#p + oscal-core_xsd.tmp#pre
+
+
Used by
+
+
+ +
Model
+
+ +
Childrenoscal:ol, oscal:p, oscal:pre, oscal:ul
+
Source
+
+
+
+ + + + +
<xs:group name="prose">
+  <xs:sequence>
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:element ref="oscal:ul"/>
+      <xs:element ref="oscal:ol"/>
+      <xs:element ref="oscal:p"/>
+      <xs:element ref="oscal:pre"/>
+    </xs:choice>
+  </xs:sequence>
+</xs:group>
+
+
+
Element Group oscal:whatnot
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#withdrawn + oscal-core_xsd.tmp#insert + oscal-core_xsd.tmp#semantical + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a
+
+
Used by
+
+
+
+ + + + + +
Elements oscal:li, oscal:p
+
+
Model
+
+ +
Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:insert, oscal:q, oscal:span, oscal:sub, oscal:sup, oscal:withdrawn
+
Source
+
+
+
+ + + + +
<xs:group name="whatnot">
+  <xs:sequence>
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:group ref="oscal:semantical"/>
+      <xs:group ref="oscal:mix"/>
+      <xs:element ref="oscal:a"/>
+    </xs:choice>
+  </xs:sequence>
+</xs:group>
+
+
+
Element Group oscal:semantical
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#withdrawn + oscal-core_xsd.tmp#insert
+
+
Used by
+
+
+
+ + + + + +
Element Group oscal:whatnot
+
+
Model
+
+ +
Childrenoscal:insert, oscal:withdrawn
+
Source
+
+
+
+ + + + +
<xs:group name="semantical">
+  <xs:sequence>
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:element ref="oscal:withdrawn"/>
+      <xs:element ref="oscal:insert"/>
+    </xs:choice>
+  </xs:sequence>
+</xs:group>
+
+
+
Element Group oscal:group
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#group_group
+
+
Used by
+
+
+
+ + + + + + + + + +
Elements oscal:group/oscal:group, oscal:section
Complex Type oscal:catalog-contents
+
+
Model
+
+ +
Childrenoscal:group
+
Source
+
+
+
+ + + + +
<xs:group name="group">
+  <xs:sequence>
+    <xs:element name="group">
+      <xs:annotation>
+        <xs:documentation>
+          <b>Group</b>Related controls or groups (of controls or groups)</xs:documentation>
+      </xs:annotation>
+      <xs:complexType>
+        <xs:sequence>
+          <xs:element minOccurs="0" ref="oscal:title"/>
+          <xs:group ref="oscal:control-components"/>
+          <xs:choice maxOccurs="unbounded">
+            <xs:group ref="oscal:group"/>
+            <xs:element ref="oscal:control"/>
+          </xs:choice>
+          <xs:element minOccurs="0" ref="oscal:references"/>
+        </xs:sequence>
+        <xs:attribute name="id" type="xs:ID"/>
+        <xs:attributeGroup ref="oscal:optionalClass"/>
+      </xs:complexType>
+    </xs:element>
+  </xs:sequence>
+</xs:group>
+
+
+
Element Group oscal:control-components
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#prop + oscal-core_xsd.tmp#part + oscal-core_xsd.tmp#anyKindofPart + oscal-core_xsd.tmp#link + oscal-core_xsd.tmp#param
+
+
Used by
+
+
+ +
Model
+
+ +
Childrenoscal:link, oscal:param, oscal:part, oscal:prop
+
Source
+
+
+
+ + + + +
<xs:group name="control-components">
+  <xs:sequence>
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:element ref="oscal:prop"/>
+      <xs:group ref="oscal:anyKindofPart"/>
+      <xs:element ref="oscal:link"/>
+      <xs:element ref="oscal:param"/>
+    </xs:choice>
+  </xs:sequence>
+</xs:group>
+
+
+
Element Group oscal:anyKindofPart
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#part
+
+
Used by
+
+
+
+ + + + + +
Element Group oscal:control-components
+
+
Model
+
+ +
Childrenoscal:part
+
Source
+
+
+
+ + + + +
<xs:group name="anyKindofPart">
+  <xs:sequence>
+    <xs:element minOccurs="0" maxOccurs="unbounded" ref="oscal:part"/>
+  </xs:sequence>
+</xs:group>
+
+
+
Element Group oscal:category
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#category_group
+
+
Used by
+
+
+ +
Model
+
+ +
Childrenoscal:group
+
Source
+
+
+
+ + + + +
<xs:group name="category">
+  <xs:sequence>
+    <xs:element name="group">
+      <xs:annotation>
+        <xs:documentation>
+          <b>Group</b>Related controls or groups (of controls or groups)</xs:documentation>
+      </xs:annotation>
+      <xs:complexType>
+        <xs:sequence>
+          <xs:element minOccurs="0" ref="oscal:title"/>
+          <xs:choice minOccurs="0" maxOccurs="unbounded">
+            <xs:element ref="oscal:prop"/>
+            <xs:element ref="oscal:link"/>
+            <xs:group ref="oscal:prose"/>
+          </xs:choice>
+          <xs:choice>
+            <xs:group maxOccurs="unbounded" ref="oscal:category"/>
+            <xs:element maxOccurs="unbounded" ref="oscal:component"/>
+          </xs:choice>
+        </xs:sequence>
+        <xs:attribute name="id" type="xs:ID"/>
+        <xs:attributeGroup ref="oscal:optionalClass"/>
+      </xs:complexType>
+    </xs:element>
+  </xs:sequence>
+</xs:group>
+
+
+
Attribute Group oscal:optionalClass
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#optionalClass_class
+
+
Used by
+
+
+ +
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:attributeGroup name="optionalClass">
+  <xs:attribute name="class"/>
+</xs:attributeGroup>
+
+
+
Attribute Group oscal:requiredClass
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#requiredClass_class
+
+
Used by
+
+
+ +
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
classrequired +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:attributeGroup name="requiredClass">
+  <xs:attribute name="class" use="required"/>
+</xs:attributeGroup>
+
+
+
Attribute Group oscal:contextAttr
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#contextAttr_context
+
+
Used by
+
+
+ +
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
contextrequired +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:attributeGroup name="contextAttr">
+  <xs:attribute name="context" use="required"/>
+</xs:attributeGroup>
+
+
+
Attribute Group oscal:relAttr
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#relAttr_rel
+
+
Used by
+
+
+
+ + + + + +
Elements oscal:declare-link, oscal:link
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
reloptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:attributeGroup name="relAttr">
+  <xs:attribute name="rel"/>
+</xs:attributeGroup>
+
+
+
Attribute Group oscal:hrefAttr
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#hrefAttr_href
+
+
Used by
+
+
+
+ + + + + +
Elements oscal:declarations, oscal:link
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
hrefoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:attributeGroup name="hrefAttr">
+  <xs:attribute name="href"/>
+</xs:attributeGroup>
+
+
+
Attribute Group oscal:idAttr
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#idAttr_id
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
idxs:IDrequired +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:attributeGroup name="idAttr">
+  <xs:attribute name="id" use="required" type="xs:ID"/>
+</xs:attributeGroup>
+
+
+
+ +
\ No newline at end of file
diff --git a/docs/schema/oxygen-docs/oscal-profile-o2docs.html b/docs/schema/oxygen-docs/oscal-profile-o2docs.html
new file mode 100644
index 0000000000..fbdf88a163
--- /dev/null
+++ b/docs/schema/oxygen-docs/oscal-profile-o2docs.html
@@ -0,0 +1,4 @@
+ + +Schema documentation for oscal-profile.xsd
\ No newline at end of file
diff --git a/docs/schema/oxygen-docs/oscal-profile-o2docs.indexList.html b/docs/schema/oxygen-docs/oscal-profile-o2docs.indexList.html
new file mode 100644
index 0000000000..796349f6d0
--- /dev/null
+++ b/docs/schema/oxygen-docs/oscal-profile-o2docs.indexList.html
@@ -0,0 +1,757 @@
+ + + + + Schema documentation for + + +

Table of Contents

+
+
+
Group by:
+
+
+
+
+

oscal-profile.xsd

+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
s
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Elements
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Attribute Groups
+
+ +
+
+
+
+
+
+
+

oscal-core.xsd

+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
s
+
+ +
+
+
+ +
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Complex Types
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Element Groups
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Attribute Groups
+
+ +
+
+
+
+
+
+
+

xml.xsd

+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
s
+
+
+ +
+
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Attributes
+
+ +
+
+
+
+
+
+
+
+
+ +
\ No newline at end of file
diff --git a/docs/schema/oxygen-docs/oscal-profile-o2docs.indexListcomp.html b/docs/schema/oxygen-docs/oscal-profile-o2docs.indexListcomp.html
new file mode 100644
index 0000000000..b4dff704c1
--- /dev/null
+++ b/docs/schema/oxygen-docs/oscal-profile-o2docs.indexListcomp.html
@@ -0,0 +1,638 @@
+ + + + + Schema documentation for + + +

Table of Contents

+
+
+
Group by:
+
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
s
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
s
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
s
+
+
+ +
+
+
+
+ +
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Complex Types
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Attributes
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Element Groups
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Attribute Groups
+
+ +
+
+
+
+
+
+
+ + +
\ No newline at end of file
diff --git a/docs/schema/oxygen-docs/oscal-profile-o2docs.indexListns.html b/docs/schema/oxygen-docs/oscal-profile-o2docs.indexListns.html
new file mode 100644
index 0000000000..01d5bd1df4
--- /dev/null
+++ b/docs/schema/oxygen-docs/oscal-profile-o2docs.indexListns.html
@@ -0,0 +1,649 @@
+ + + + + Schema documentation for + + +

Table of Contents

+
+
+
Group by:
+
+
+
+
+

http://csrc.nist.gov/ns/oscal/1.0

+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
s
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
s
+
+ +
+
+
+ +
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Complex Types
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Element Groups
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Attribute Groups
+
+ +
+
+
+
+
+
+
+

http://www.w3.org/XML/1998/namespace

+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
s
+
+
+ +
+
+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
+
Attributes
+
+ +
+
+
+
+
+
+
+
+
+ + +
\ No newline at end of file
diff --git a/docs/schema/oxygen-docs/oscal-profile_xsd.html b/docs/schema/oxygen-docs/oscal-profile_xsd.html
new file mode 100644
index 0000000000..79f34b170f
--- /dev/null
+++ b/docs/schema/oxygen-docs/oscal-profile_xsd.html
@@ -0,0 +1,2884 @@
+ + + + + Schema documentation for oscal-profile.xsd + + +
+ + + + + + + + + + + + + + + + +
+

Showing:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Annotations
Attributes
Diagrams
Facets
Instances
Model
Properties
Source
Used by
+
+
+
Main schema oscal-profile.xsd
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Properties
+
+
+
+ + + + + + + + + +
attribute form defaultunqualified
element form defaultqualified
+
+
+
Element oscal:profile
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Profile</b>In reference to a catalog (or other authority such as profile or framework), a selection
+and configuration of controls, maintained separately
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#idAttr + oscal-core_xsd.tmp#title + oscal-profile_xsd.tmp#invoke + oscal-core_xsd.tmp#framework
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
Model
+
+ +
Childrenoscal:framework, oscal:invoke, oscal:title
+
Instance
+
+
+
+ + + + +
<oscal:profile id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:title>{1,1}</oscal:title>
+  <oscal:invoke href="">{1,unbounded}</oscal:invoke>
+  <oscal:framework class="" id="">{0,1}</oscal:framework>
+</oscal:profile>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
idxs:IDrequired +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="profile">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Profile</b>In reference to a catalog (or other authority such as profile or framework), a selection and configuration of controls, maintained separately</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element ref="oscal:title"/>
+      <xs:element maxOccurs="unbounded" ref="oscal:invoke"/>
+      <xs:element minOccurs="0" ref="oscal:framework"/>
+    </xs:sequence>
+    <xs:attributeGroup ref="oscal:idAttr"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:invoke
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Authority invocation</b>For invocation of controls and subcontrols from a catalog or other authority
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#hrefAttr + oscal-profile_xsd.tmp#include + oscal-profile_xsd.tmp#exclude + oscal-profile_xsd.tmp#set-param + oscal-profile_xsd.tmp#alter
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:profile
+
+
Model
+
+ +
Childrenoscal:alter, oscal:exclude, oscal:include, oscal:set-param
+
Instance
+
+
+
+ + + + +
<oscal:invoke href="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:include>{0,1}</oscal:include>
+  <oscal:exclude>{0,1}</oscal:exclude>
+  <oscal:set-param class="" param-id="">{1,1}</oscal:set-param>
+  <oscal:alter control-id="" subcontrol-id="">{1,1}</oscal:alter>
+</oscal:invoke>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
hrefoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="invoke">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Authority invocation</b>For invocation of controls and subcontrols from a catalog or other authority</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:sequence>
+        <xs:element minOccurs="0" ref="oscal:include"/>
+        <xs:element minOccurs="0" ref="oscal:exclude"/>
+      </xs:sequence>
+      <xs:choice minOccurs="0" maxOccurs="unbounded">
+        <xs:element ref="oscal:set-param"/>
+        <xs:element ref="oscal:alter"/>
+      </xs:choice>
+    </xs:sequence>
+    <xs:attributeGroup ref="oscal:hrefAttr"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:include
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Include controls</b>The element's contents indicate which controls and subcontrols to include from the
+authority (source catalog)
+
+
+
+
Diagram
+
+
+
Diagram + oscal-profile_xsd.tmp#all + oscal-profile_xsd.tmp#call
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:invoke
+
+
Model
+
+ +
Childrenoscal:all, oscal:call
+
Instance
+
+
+
+ + + + +
<oscal:include xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:all with-subcontrols="">{1,1}</oscal:all>
+  <oscal:call control-id="" subcontrol-id="" with-subcontrols="">{1,unbounded}</oscal:call>
+</oscal:include>
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="include">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Include controls</b>The element's contents indicate which controls and subcontrols to include from the authority (source catalog)</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:choice>
+      <xs:element ref="oscal:all"/>
+      <xs:element maxOccurs="unbounded" ref="oscal:call"/>
+    </xs:choice>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:all
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Include all</b>Include all controls from the invoked authority (catalog)
+
+
+
+
Diagram
+
+
+
Diagram + oscal-profile_xsd.tmp#withSubContrlsAttr
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:include
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
with-subcontrolsrestriction of xs:tokenoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="all">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Include all</b>Include all controls from the invoked authority (catalog)</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:attributeGroup ref="oscal:withSubContrlsAttr"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:call
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Call (control or subcontrol)</b>Call a control or subcontrol by its ID
+
+
+
+
Diagram
+
+
+
Diagram + oscal-profile_xsd.tmp#withSubContrlsAttr + oscal-profile_xsd.tmp#call_control-id + oscal-profile_xsd.tmp#call_subcontrol-id
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:include
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
control-idoptional +
+
subcontrol-idoptional +
+
with-subcontrolsrestriction of xs:tokenoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="call">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Call (control or subcontrol)</b>Call a control or subcontrol by its ID</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:attributeGroup ref="oscal:withSubContrlsAttr"/>
+    <xs:attribute name="control-id"/>
+    <xs:attribute name="subcontrol-id"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:exclude
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Exclude controls</b>Which controls and subcontrols to exclude from the authority (source catalog) being
+invoked
+
+
+
+
Diagram
+
+
+
Diagram + oscal-profile_xsd.tmp#exclude_call
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:invoke
+
+
Model
+
+ +
Childrenoscal:call
+
Instance
+
+
+
+ + + + +
<oscal:exclude xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:call control-id="" subcontrol-id="">{1,unbounded}</oscal:call>
+</oscal:exclude>
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="exclude">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Exclude controls</b>Which controls and subcontrols to exclude from the authority (source catalog) being invoked</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element maxOccurs="unbounded" name="call">
+        <xs:annotation>
+          <xs:documentation>
+            <b>Call (control or subcontrol)</b>Call a control or subcontrol by its ID</xs:documentation>
+        </xs:annotation>
+        <xs:complexType>
+          <xs:attribute name="control-id"/>
+          <xs:attribute name="subcontrol-id"/>
+        </xs:complexType>
+      </xs:element>
+    </xs:sequence>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:exclude / oscal:call
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Call (control or subcontrol)</b>Call a control or subcontrol by its ID
+
+
+
+
Diagram
+
+
+
Diagram + oscal-profile_xsd.tmp#exclude_exclude_call_control-id + oscal-profile_xsd.tmp#exclude_exclude_call_subcontrol-id
+
+
Properties
+
+
+
+ + + + + + + + + +
contentcomplex
maxOccursunbounded
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
control-idoptional +
+
subcontrol-idoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element maxOccurs="unbounded" name="call">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Call (control or subcontrol)</b>Call a control or subcontrol by its ID</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:attribute name="control-id"/>
+    <xs:attribute name="subcontrol-id"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:set-param
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Parameter setting</b>Set a parameter's value and even override its description
+
+
+
+
Diagram
+
+
+
Diagram + oscal-profile_xsd.tmp#set-param_param-id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#desc + oscal-core_xsd.tmp#value
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:invoke
+
+
Model
+
+ +
Childrenoscal:desc, oscal:value
+
Instance
+
+
+
+ + + + +
<oscal:set-param class="" param-id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:desc>{1,1}</oscal:desc>
+  <oscal:value>{1,1}</oscal:value>
+</oscal:set-param>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
classoptional +
+
param-idxs:NMTOKENrequired +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="set-param">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Parameter setting</b>Set a parameter's value and even override its description</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element ref="oscal:desc"/>
+      <xs:element ref="oscal:value"/>
+    </xs:sequence>
+    <xs:attribute name="param-id" use="required" type="xs:NMTOKEN"/>
+    <xs:attributeGroup ref="oscal:optionalClass"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:alter
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Alteration</b>Specifies changes to be made to an included control or subcontrol when a profile is
+resolved
+
+
+
+
Diagram
+
+
+
Diagram + oscal-profile_xsd.tmp#alter_control-id + oscal-profile_xsd.tmp#alter_subcontrol-id + oscal-profile_xsd.tmp#remove + oscal-profile_xsd.tmp#augment
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:invoke
+
+
Model
+
+ +
Childrenoscal:augment, oscal:remove
+
Instance
+
+
+
+ + + + +
<oscal:alter control-id="" subcontrol-id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:remove targets="">{0,1}</oscal:remove>
+  <oscal:augment>{0,1}</oscal:augment>
+</oscal:alter>
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +
QNameTypeUse
control-idoptional +
+
subcontrol-idoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="alter">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Alteration</b>Specifies changes to be made to an included control or subcontrol when a profile is resolved</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:sequence>
+      <xs:element minOccurs="0" ref="oscal:remove"/>
+      <xs:element minOccurs="0" ref="oscal:augment"/>
+    </xs:sequence>
+    <xs:attribute name="control-id"/>
+    <xs:attribute name="subcontrol-id"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:remove
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Removal</b>Elements to be removed from a control or subcontrol, in resolution
+
+
+
+
Diagram
+
+
+
Diagram + oscal-profile_xsd.tmp#remove_targets
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:alter
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
targetsxs:NMTOKENSrequired +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="remove">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Removal</b>Elements to be removed from a control or subcontrol, in resolution</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:attribute name="targets" use="required" type="xs:NMTOKENS"/>
+  </xs:complexType>
+</xs:element>
+
+
+
Element oscal:augment
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Annotations
+
+
+
+
+ + + + +
<b>Augmentation</b>Element contents to be added to a control or subcontrols, in resolution
+
+
+
+
Diagram
+
+
+
Diagram + oscal-core_xsd.tmp#prop + oscal-core_xsd.tmp#part + oscal-core_xsd.tmp#anyKindofPart
+
+
Properties
+
+
+
+ + + + + +
contentcomplex
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:alter
+
+
Model
+
+ +
Childrenoscal:part, oscal:prop
+
Instance
+
+
+
+ + + + +
<oscal:augment xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
+  <oscal:prop class="">{1,1}</oscal:prop>
+  <oscal:part class="" id="">{0,unbounded}</oscal:part>
+</oscal:augment>
+
+
+
Source
+
+
+
+ + + + +
<xs:element name="augment">
+  <xs:annotation>
+    <xs:documentation>
+      <b>Augmentation</b>Element contents to be added to a control or subcontrols, in resolution</xs:documentation>
+  </xs:annotation>
+  <xs:complexType>
+    <xs:choice minOccurs="0" maxOccurs="unbounded">
+      <xs:element ref="oscal:prop"/>
+      <xs:group ref="oscal:anyKindofPart"/>
+    </xs:choice>
+  </xs:complexType>
+</xs:element>
+
+
+
Attribute oscal:withSubContrlsAttr / @with-subcontrols
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typerestriction of xs:token
+
Properties
+
+
+
+ + + + + +
contentsimple
+
+
+
Facets
+
+
+
+ + + + + + + + + + + +
enumerationyes +
+
enumerationno +
+
+
+
+
Used by
+
+
+
+ + + + + +
Attribute Group oscal:withSubContrlsAttr
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="with-subcontrols">
+  <xs:simpleType>
+    <xs:restriction base="xs:token">
+      <xs:enumeration value="yes"/>
+      <xs:enumeration value="no"/>
+    </xs:restriction>
+  </xs:simpleType>
+</xs:attribute>
+
+
+
Attribute oscal:call / @control-id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + +
NamespaceNo namespace
+
Used by
+
+
+
+ + + + + +
Element oscal:call
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="control-id"/>
+
+
+
Attribute oscal:call / @subcontrol-id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + +
NamespaceNo namespace
+
Used by
+
+
+
+ + + + + +
Element oscal:call
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="subcontrol-id"/>
+
+
+
Attribute oscal:exclude / oscal:call / @control-id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + +
NamespaceNo namespace
+
Used by
+
+
+
+ + + + + +
Element oscal:exclude/oscal:call
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="control-id"/>
+
+
+
Attribute oscal:exclude / oscal:call / @subcontrol-id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + +
NamespaceNo namespace
+
Used by
+
+
+
+ + + + + +
Element oscal:exclude/oscal:call
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="subcontrol-id"/>
+
+
+
Attribute oscal:set-param / @param-id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:NMTOKEN
+
Properties
+
+
+
+ + + + + +
userequired
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:set-param
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="param-id" use="required" type="xs:NMTOKEN"/>
+
+
+
Attribute oscal:remove / @targets
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
NamespaceNo namespace
Typexs:NMTOKENS
+
Properties
+
+
+
+ + + + + +
userequired
+
+
+
Used by
+
+
+
+ + + + + +
Element oscal:remove
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="targets" use="required" type="xs:NMTOKENS"/>
+
+
+
Attribute oscal:alter / @control-id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + +
NamespaceNo namespace
+
Used by
+
+
+
+ + + + + +
Element oscal:alter
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="control-id"/>
+
+
+
Attribute oscal:alter / @subcontrol-id
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + +
NamespaceNo namespace
+
Used by
+
+
+
+ + + + + +
Element oscal:alter
+
+
+
Source
+
+
+
+ + + + +
<xs:attribute name="subcontrol-id"/>
+
+
+
Attribute Group oscal:withSubContrlsAttr
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + +
Namespacehttp://csrc.nist.gov/ns/oscal/1.0
+
Diagram
+
+
+
Diagram + oscal-profile_xsd.tmp#withSubContrlsAttr_with-subcontrols
+
+
Used by
+
+
+
+ + + + + +
Elements oscal:all, oscal:call
+
+
+
Attributes
+
+
+
+ + + + + + + + + + + + + + + +
QNameTypeUse
with-subcontrolsrestriction of xs:tokenoptional +
+
+
+
+
Source
+
+
+
+ + + + +
<xs:attributeGroup name="withSubContrlsAttr">
+  <xs:attribute name="with-subcontrols">
+    <xs:simpleType>
+      <xs:restriction base="xs:token">
+        <xs:enumeration value="yes"/>
+        <xs:enumeration value="no"/>
+      </xs:restriction>
+    </xs:simpleType>
+  </xs:attribute>
+</xs:attributeGroup>
+
+
+
+ + \ No newline at end of file diff --git a/examples/FedRAMP/FedRAMP-HIGH-crude.xml b/examples/FedRAMP/FedRAMP-HIGH-crude.xml index a645c76492..34d7089ba0 100644 --- a/examples/FedRAMP/FedRAMP-HIGH-crude.xml +++ b/examples/FedRAMP/FedRAMP-HIGH-crude.xml @@ -1,11 +1,11 @@ + - + FedRAMP HIGH Baseline PROFILE (extracted and aligned, no edits) - + @@ -350,7 +350,91 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + organization-defined personnel or roles @@ -5175,88 +5259,7 @@ NAME/ADDRESS RESOLUTION SERVICE - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + organization-defined actions @@ -6316,5 +6319,4 @@ ASYMMETRIC KEYS - - + \ No newline at end of file diff --git a/examples/FedRAMP/FedRAMP-HIGH-edited.xml b/examples/FedRAMP/FedRAMP-HIGH-edited.xml index 7c33d146c6..b6df53d561 100644 --- a/examples/FedRAMP/FedRAMP-HIGH-edited.xml +++ b/examples/FedRAMP/FedRAMP-HIGH-edited.xml @@ -1,12 +1,12 @@ + - + FedRAMP HIGH Baseline PROFILE (extracted and aligned, no edits) - + @@ -351,7 +351,91 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + organization-defined personnel or roles @@ -5090,88 +5174,7 @@ NAME/ADDRESS RESOLUTION SERVICE - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + organization-defined actions @@ -6231,5 +6234,4 @@ ASYMMETRIC KEYS - - + \ No newline at end of file diff --git a/examples/FedRAMP/FedRAMP-LOW-crude.xml b/examples/FedRAMP/FedRAMP-LOW-crude.xml index bbcd7ee115..fc37914e33 100644 --- a/examples/FedRAMP/FedRAMP-LOW-crude.xml +++ b/examples/FedRAMP/FedRAMP-LOW-crude.xml 
@@ -1,10 +1,10 @@ + - + FedRAMP LOW Baseline PROFILE (extracted and aligned, no edits) - + @@ -129,7 +129,15 @@ - + + + + + + + + + organization-defined personnel or roles @@ -1794,12 +1802,7 @@ - - - - - - + organization-defined level of independence @@ -1821,5 +1824,4 @@ - - + \ No newline at end of file diff --git a/examples/FedRAMP/FedRAMP-MODERATE-crude.xml b/examples/FedRAMP/FedRAMP-MODERATE-crude.xml index 652ef9e387..ae4ec4602f 100644 --- a/examples/FedRAMP/FedRAMP-MODERATE-crude.xml +++ b/examples/FedRAMP/FedRAMP-MODERATE-crude.xml @@ -1,10 +1,10 @@ - + + - + FedRAMP MODERATE Baseline PROFILE (extracted and aligned, no edits) - + @@ -265,7 +265,82 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + organization-defined personnel or roles @@ -3044,30 +3119,7 @@ NAME/ADDRESS RESOLUTION SERVICE - - - - - - - - - - - - - - - - - - - - - - - - + organization-defined time-period of expected inactivity or description of when to log out @@ -3303,56 +3355,7 @@ NAME/ADDRESS RESOLUTION SERVICE - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + organization-defined actions @@ -3775,5 +3778,4 @@ ASYMMETRIC KEYS - - + \ No newline at end of file diff --git a/examples/FedRAMP/pub/FedRAMP-HIGH-edited-rendered.html b/examples/FedRAMP/pub/FedRAMP-HIGH-edited-rendered.html deleted file mode 100644 index 32f2c8b612..0000000000 --- a/examples/FedRAMP/pub/FedRAMP-HIGH-edited-rendered.html +++ /dev/null @@ -1,81850 +0,0 @@ - - - - - - FedRAMP HIGH Baseline PROFILE (extracted and aligned, no edits) - - - - -
-
-

- NIST SP800-53 rev 4 -

-
-

- ACCESS CONTROL -

- - - - - - - - - - - - - - - - - - -
- - - -
-

- CONFIGURATION MANAGEMENT -

- - - - - - - - - - - -
-
-

- CONTINGENCY PLANNING -

- - - - - - - - - -
- - - - - - - - - -
-

- SYSTEM AND COMMUNICATIONS PROTECTION -

- - - - - - - - - - - - - - - - - - - - - -
- -
- -
-
-
-

FedRAMP HIGH Baseline PROFILE (extracted and aligned, no edits)

-
-
-

../SP800-53/SP800-53-HIGH-baseline.xml ➭ Included: - - Control ac.1 - - Control ac.2 - - Subcontrol ac.2.1. - - Subcontrol ac.2.2. - - Subcontrol ac.2.3. - - Subcontrol ac.2.4. - - Subcontrol ac.2.5. - - Subcontrol ac.2.11. - - Subcontrol ac.2.12. - - Subcontrol ac.2.13. - - Control ac.3 - - Control ac.4 - - Control ac.5 - - Control ac.6 - - Subcontrol ac.6.1. - - Subcontrol ac.6.2. - - Subcontrol ac.6.3. - - Subcontrol ac.6.5. - - Subcontrol ac.6.9. - - Subcontrol ac.6.10. - - Control ac.7 - - Control ac.8 - - Control ac.10 - - Control ac.11 - - Subcontrol ac.11.1. - - Control ac.12 - - Control ac.14 - - Control ac.17 - - Subcontrol ac.17.1. - - Subcontrol ac.17.2. - - Subcontrol ac.17.3. - - Subcontrol ac.17.4. - - Control ac.18 - - Subcontrol ac.18.1. - - Subcontrol ac.18.4. - - Subcontrol ac.18.5. - - Control ac.19 - - Subcontrol ac.19.5. - - Control ac.20 - - Subcontrol ac.20.1. - - Subcontrol ac.20.2. - - Control ac.21 - - Control ac.22 - - Control at.1 - - Control at.2 - - Subcontrol at.2.2. - - Control at.3 - - Control at.4 - - Control au.1 - - Control au.2 - - Subcontrol au.2.3. - - Control au.3 - - Subcontrol au.3.1. - - Subcontrol au.3.2. - - Control au.4 - - Control au.5 - - Subcontrol au.5.1. - - Subcontrol au.5.2. - - Control au.6 - - Subcontrol au.6.1. - - Subcontrol au.6.3. - - Subcontrol au.6.5. - - Subcontrol au.6.6. - - Control au.7 - - Subcontrol au.7.1. - - Control au.8 - - Subcontrol au.8.1. - - Control au.9 - - Subcontrol au.9.2. - - Subcontrol au.9.3. - - Subcontrol au.9.4. - - Control au.10 - - Control au.11 - - Control au.12 - - Subcontrol au.12.1. - - Subcontrol au.12.3. - - Control ca.1 - - Control ca.2 - - Subcontrol ca.2.1. - - Subcontrol ca.2.2. - - Control ca.3 - - Subcontrol ca.3.5. - - Control ca.5 - - Control ca.6 - - Control ca.7 - - Subcontrol ca.7.1. - - Control ca.8 - - Control ca.9 - - Control cm.1 - - Control cm.2 - - Subcontrol cm.2.1. - - Subcontrol cm.2.2. - - Subcontrol cm.2.3. - - Subcontrol cm.2.7. 
- - Control cm.3 - - Subcontrol cm.3.1. - - Subcontrol cm.3.2. - - Control cm.4 - - Subcontrol cm.4.1. - - Control cm.5 - - Subcontrol cm.5.1. - - Subcontrol cm.5.2. - - Subcontrol cm.5.3. - - Control cm.6 - - Subcontrol cm.6.1. - - Subcontrol cm.6.2. - - Control cm.7 - - Subcontrol cm.7.1. - - Subcontrol cm.7.2. - - Subcontrol cm.7.5. - - Control cm.8 - - Subcontrol cm.8.1. - - Subcontrol cm.8.2. - - Subcontrol cm.8.3. - - Subcontrol cm.8.4. - - Subcontrol cm.8.5. - - Control cm.9 - - Control cm.10 - - Control cm.11 - - Control cp.1 - - Control cp.2 - - Subcontrol cp.2.1. - - Subcontrol cp.2.2. - - Subcontrol cp.2.3. - - Subcontrol cp.2.4. - - Subcontrol cp.2.5. - - Subcontrol cp.2.8. - - Control cp.3 - - Subcontrol cp.3.1. - - Control cp.4 - - Subcontrol cp.4.1. - - Subcontrol cp.4.2. - - Control cp.6 - - Subcontrol cp.6.1. - - Subcontrol cp.6.2. - - Subcontrol cp.6.3. - - Control cp.7 - - Subcontrol cp.7.1. - - Subcontrol cp.7.2. - - Subcontrol cp.7.3. - - Subcontrol cp.7.4. - - Control cp.8 - - Subcontrol cp.8.1. - - Subcontrol cp.8.2. - - Subcontrol cp.8.3. - - Subcontrol cp.8.4. - - Control cp.9 - - Subcontrol cp.9.1. - - Subcontrol cp.9.2. - - Subcontrol cp.9.3. - - Subcontrol cp.9.5. - - Control cp.10 - - Subcontrol cp.10.2. - - Subcontrol cp.10.4. - - Control ia.1 - - Control ia.2 - - Subcontrol ia.2.1. - - Subcontrol ia.2.2. - - Subcontrol ia.2.3. - - Subcontrol ia.2.4. - - Subcontrol ia.2.8. - - Subcontrol ia.2.9. - - Subcontrol ia.2.11. - - Subcontrol ia.2.12. - - Control ia.3 - - Control ia.4 - - Control ia.5 - - Subcontrol ia.5.1. - - Subcontrol ia.5.2. - - Subcontrol ia.5.3. - - Subcontrol ia.5.11. - - Control ia.6 - - Control ia.7 - - Control ia.8 - - Subcontrol ia.8.1. - - Subcontrol ia.8.2. - - Subcontrol ia.8.3. - - Subcontrol ia.8.4. - - Control ir.1 - - Control ir.2 - - Subcontrol ir.2.1. - - Subcontrol ir.2.2. - - Control ir.3 - - Subcontrol ir.3.2. - - Control ir.4 - - Subcontrol ir.4.1. - - Subcontrol ir.4.4. 
- - Control ir.5 - - Subcontrol ir.5.1. - - Control ir.6 - - Subcontrol ir.6.1. - - Control ir.7 - - Subcontrol ir.7.1. - - Control ir.8 - - Control ma.1 - - Control ma.2 - - Subcontrol ma.2.2. - - Control ma.3 - - Subcontrol ma.3.1. - - Subcontrol ma.3.2. - - Subcontrol ma.3.3. - - Control ma.4 - - Subcontrol ma.4.2. - - Subcontrol ma.4.3. - - Control ma.5 - - Subcontrol ma.5.1. - - Control ma.6 - - Control mp.1 - - Control mp.2 - - Control mp.3 - - Control mp.4 - - Control mp.5 - - Subcontrol mp.5.4. - - Control mp.6 - - Subcontrol mp.6.1. - - Subcontrol mp.6.2. - - Subcontrol mp.6.3. - - Control mp.7 - - Subcontrol mp.7.1. - - Control pe.1 - - Control pe.2 - - Control pe.3 - - Subcontrol pe.3.1. - - Control pe.4 - - Control pe.5 - - Control pe.6 - - Subcontrol pe.6.1. - - Subcontrol pe.6.4. - - Control pe.8 - - Subcontrol pe.8.1. - - Control pe.9 - - Control pe.10 - - Control pe.11 - - Subcontrol pe.11.1. - - Control pe.12 - - Control pe.13 - - Subcontrol pe.13.1. - - Subcontrol pe.13.2. - - Subcontrol pe.13.3. - - Control pe.14 - - Control pe.15 - - Subcontrol pe.15.1. - - Control pe.16 - - Control pe.17 - - Control pe.18 - - Control pl.1 - - Control pl.2 - - Subcontrol pl.2.3. - - Control pl.4 - - Subcontrol pl.4.1. - - Control pl.8 - - Control ps.1 - - Control ps.2 - - Control ps.3 - - Control ps.4 - - Subcontrol ps.4.2. - - Control ps.5 - - Control ps.6 - - Control ps.7 - - Control ps.8 - - Control ra.1 - - Control ra.2 - - Control ra.3 - - Control ra.5 - - Subcontrol ra.5.1. - - Subcontrol ra.5.2. - - Subcontrol ra.5.4. - - Subcontrol ra.5.5. - - Control sa.1 - - Control sa.2 - - Control sa.3 - - Control sa.4 - - Subcontrol sa.4.1. - - Subcontrol sa.4.2. - - Subcontrol sa.4.9. - - Subcontrol sa.4.10. - - Control sa.5 - - Control sa.8 - - Control sa.9 - - Subcontrol sa.9.2. 
- - Control sa.10 - - Control sa.11 - - Control sa.12 - - Control sa.15 - - Control sa.16 - - Control sa.17 - - Control sc.1 - - Control sc.2 - - Control sc.3 - - Control sc.4 - - Control sc.5 - - Control sc.7 - - Subcontrol sc.7.3. - - Subcontrol sc.7.4. - - Subcontrol sc.7.5. - - Subcontrol sc.7.7. - - Subcontrol sc.7.8. - - Subcontrol sc.7.18. - - Subcontrol sc.7.21. - - Control sc.8 - - Subcontrol sc.8.1. - - Control sc.10 - - Control sc.12 - - Subcontrol sc.12.1. - - Control sc.13 - - Control sc.15 - - Control sc.17 - - Control sc.18 - - Control sc.19 - - Control sc.20 - - Control sc.21 - - Control sc.22 - - Control sc.23 - - Control sc.24 - - Control sc.28 - - Control sc.39 - - Control si.1 - - Control si.2 - - Subcontrol si.2.1. - - Subcontrol si.2.2. - - Control si.3 - - Subcontrol si.3.1. - - Subcontrol si.3.2. - - Control si.4 - - Subcontrol si.4.2. - - Subcontrol si.4.4. - - Subcontrol si.4.5. - - Control si.5 - - Subcontrol si.5.1. - - Control si.6 - - Control si.7 - - Subcontrol si.7.1. - - Subcontrol si.7.2. - - Subcontrol si.7.5. - - Subcontrol si.7.7. - - Subcontrol si.7.14. - - Control si.8 - - Subcontrol si.8.1. - - Subcontrol si.8.2. 
- - Control si.10 - - Control si.11 - - Control si.12 - - Control si.16 - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): at least annually - - Parameter (organization-defined frequency): at least annually or whenever a significant change occurs - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined information system account types): organization-defined information system account types - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined procedures or conditions): organization-defined procedures or conditions - - Parameter (organization-defined frequency): monthly for privileged accessed, every six (6) months for non-privileged access - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined time period for each type of account): 24 hours from last use - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined time period): 35 days for user accounts - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - AC-2 (3) Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available. 
- - - Parameter (organization-defined personnel or roles): organization and/or service provider system owner - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined time-period of expected inactivity or description of when to log out): inactivity is anticipated to exceed Fifteen (15) minutes - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - AC-2 (5) Guidance: Should use a shorter timeframe than AC-12. - - - Parameter (organization-defined circumstances and/or usage conditions): organization-defined circumstances and/or usage conditions - - Parameter (organization-defined information system accounts): organization-defined information system accounts - - NIST added this control to the NIST High Baseline during the 1/15/2015 - - - Parameter (organization-defined atypical usage): organization-defined atypical usage - - Parameter (organization-defined personnel or roles): at a minimum, the ISSO and/or similar role within the organization - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - AC-2 (12)(a) Guidance: Required for privileged accounts. -AC-2 (12)(b) Guidance: Required for privileged accounts. - - - - Parameter (organization-defined time period): one (1) hour - - Included in NIST High Baseline, Rev 4 - - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined information flow control policies): organization-defined information flow control policies - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined duties of individuals): organization-defined duties of individuals - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - AC-5 Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP. 
- - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information): all functions not publicly accessible and all security-relevant information not publicly available - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined security functions or security-relevant information): all security functions - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - AC-6 (2) Guidance: Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions. - - - Parameter (organization-defined privileged commands): all privileged commands - - Parameter (organization-defined compelling operational needs): organization-defined compelling operational needs - - Included in NIST High Baseline, Rev 4 - - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined number): not more than three (3) - - Parameter (organization-defined time period): fifteen (15) minutes - - Parameter (organization-defined time period): organization-defined time period - - Parameter (organization-defined delay algorithm): locks the account/node for a minimum of three (3) hours or until unlocked by an administrator - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter 
(organization-defined system use notification message or banner): [see additional Requirements and Guidance] - - Parameter (organization-defined conditions): [see additional Requirements and Guidance] - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - AC-8 Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO. Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided. Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO. 
- - - Parameter (organization-defined account and/or account type): organization-defined account and/or account type - - Parameter (organization-defined number): three (3) sessions for privileged access and two (2) sessions for non-privileged access - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined time period): fifteen (15) minutes - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined conditions or trigger events requiring session disconnect): organization-defined conditions or trigger events requiring session disconnect - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined user actions): organization-defined user actions - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined number): organization-defined number - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined needs): organization-defined needs - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined mobile devices): organization-defined mobile devices - - Included in NIST 
High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined information sharing circumstances where user discretion is required): organization-defined information sharing circumstances where user discretion is required - - Parameter (organization-defined automated mechanisms or manual processes): organization-defined automated mechanisms or manual processes - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined frequency): at least quarterly - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): at least annually or whenever a significant change occurs - - Parameter (organization-defined frequency): at least annually or whenever a significant change occurs - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined frequency): at least annually - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined frequency): at least annually - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined time period): five (5) years or 5 years after completion of a specific training program - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined 
frequency): at least annually - - Parameter (organization-defined frequency): at least annually or whenever a significant change occurs - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined auditable events): successful and unsuccessful account logon events, account management events, object - access, policy change, privilege functions, process tracking, and system events. For Web - applications: all administrator activity, authentication checks, authorization checks, - data deletions, data access, data changes, and permission changes - - Parameter (organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event): organization-defined subset of the auditable events defined in AU-2a to be audited - continually for each identified event - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - AU-2 Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. - - - Parameter (organization-defined frequency): annually or whenever there is a change in the threat environment - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - AU-2 (3) Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO. 
- - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined additional, more detailed information): session, connection, transaction, or activity duration; for client-server - transactions, the number of bytes received and bytes sent; additional informational - messages to diagnose or identify the event; characteristics that describe or identify - the object or resource being acted upon; individual identities of group account users; - full-text of privileged commands - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - AU-3 (1) Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry. - - - Parameter (organization-defined information system components): all network, data storage, and computing devices - - Included in NIST High Baseline, Rev 4 - - - - Parameter (organization-defined audit record storage requirements): organization-defined audit record storage requirements - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)): organization-defined actions to be taken (overwrite oldest record) - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined personnel, roles, and/or locations): organization-defined personnel, roles, and/or locations - - Parameter (organization-defined time period): organization-defined time period - - Parameter (organization-defined percentage): organization-defined percentage - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined real-time period): real-time - - Parameter 
(organization-defined personnel, roles, and/or locations): service provider personnel with authority to address failed audit events - - Parameter (organization-defined audit failure events requiring real-time alerts): audit failure events requiring real-time alerts, as defined by organization audit - policy - - Included in NIST High Baseline, Rev 4 - - - - - Parameter (organization-defined frequency): at least weekly - - Parameter (organization-defined inappropriate or unusual activity): organization-defined inappropriate or unusual activity - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - AU-6 Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented. - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined data/information collected from other sources): Selection (one or more): vulnerability scanning information; performance data; - information system monitoring information; penetration test data - - Included in NIST High Baseline, Rev 4 - - - - - - Included in NIST High Baseline, Rev 4 - AU-6 (6) Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. 
- - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined audit fields within audit records): organization-defined audit fields within audit records - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined granularity of time measurement): one second granularity of time measurement - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined authoritative time source): http://tf.nist.gov/tf-cgi/servers.cgi - - Parameter (organization-defined time period): At least hourly - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - AU-8 (1) Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server. AU-8 (1) Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server. AU-8 (1) Guidance: Synchronization of system clocks improves the accuracy of log analysis. 
- - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined frequency): at least weekly - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined subset of privileged users): organization-defined subset of privileged users - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined actions to be covered by non-repudiation): minimum actions including the addition, modification, deletion, approval, sending, - or receiving of data - - Included in NIST High Baseline, Rev 4 - - - - Parameter (organization-defined time period consistent with records retention policy): at least one (1) year - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - AU-11 Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements. 
- - - Parameter (organization-defined information system components): organization-defined information system components - - Parameter (organization-defined personnel or roles): all information system and network components where audit capability is - deployed/available - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined information system components): all network, data storage, and computing devices - - Parameter (organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail): organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail - - Non-repudiation - - - - Parameter (organization-defined individuals or roles): service provider-defined individuals or roles with audit configuration - responsibilities - - Parameter (organization-defined information system components): all network, data storage, and computing devices - - Parameter (organization-defined selectable event criteria): organization-defined selectable event criteria - - Parameter (organization-defined time thresholds): organization-defined time thresholds - - Non-repudiation - - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): at least annually - - Parameter (organization-defined frequency): at least annually or whenever a significant change occurs - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined frequency): at least annually - - Parameter (organization-defined individuals or roles): individuals or roles to include FedRAMP PMO - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined level of independence): organization-defined level of independence - - Included in NIST High Baseline, Rev 4 
and FedRAMP Moderate Baseline, Rev 4 - CA-2 (1) Requirement: For JAB Authorization, must use an accredited 3PAO. - - - Parameter (organization-defined frequency): at least annually - - Parameter (organization-defined other forms of security assessment): organization-defined other forms of security assessment - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - CA-2 (2) Requirement: To include 'announced', 'vulnerability scanning' - - - Parameter (organization-defined frequency): At least annually and on input from FedRAMP - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined information systems): any systems - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - CA-3 (5) Guidance: For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing - - - Parameter (organization-defined frequency): at least monthly - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - CA-5 Guidance: Requirement: POA&Ms must be provided at least monthly. - - - Parameter (organization-defined frequency): at least every three (3) years or when a significant change occurs - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - CA-6 (c) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO. 
- - - Parameter (organization-defined metrics): organization-defined metrics - - Parameter (organization-defined frequencies): organization-defined frequencies - - Parameter (organization-defined frequencies): organization-defined frequencies - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - CA-7 Requirement: Operating System Scans: at least monthlyDatabase and Web Application Scans: at least monthlyAll scans performed by Independent Assessor: at least annuallyCA-7 Guidance: CSPs must provide evidence of closure and remediation of high - vulnerabilities within the timeframe for standard POA&M updates.Operating System Scans: at least monthlyDatabase and Web Application Scans: at least monthlyAll scans performed by Independent Assessor: at least annually - - - Parameter (organization-defined level of independence): organization-defined level of independence - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined frequency): at least annually - - Parameter (organization-defined information systems or system components): organization-defined information systems or system components - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined information system components or classes of components): organization-defined information system components or classes of components - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): at least annually - - Parameter (organization-defined frequency): at least annually or whenever a significant change occurs - - Included in NIST High 
Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined frequency): at least annually or when a significant change occurs - - Parameter (Assignment organization-defined circumstances): to include when directed by the JAB - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - CM-2 (1) (a) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7. - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined previous versions of baseline configurations of the information system): organization-defined previous versions of baseline configurations of the previously - approved baseline configuration of IS components - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined information systems, system components, or devices): organization-defined information systems, system components, or devices - - Parameter (organization-defined configurations): organization-defined configurations - - Parameter (organization-defined security safeguards): organization-defined security safeguards - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined time period): organization-defined time period - - Parameter (organization-defined configuration change control element (e.g., committee, board)): organization-defined configuration change control element (e.g., committee, board) - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined configuration change conditions): organization-defined configuration change conditions - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - CM-3 Requirement: The service provider establishes a central 
means of - communicating major changes to or developments in the information system or - environment of operations that may affect its services to the federal government - and associated service consumers (e.g., electronic bulletin board, web status - page). The means of communication are approved and accepted by the JAB/AO.CM-3 (e) Guidance: In accordance with record retention policies and - procedures. - - - Parameter (organized-defined approval authorities): organized-defined approval authorities - - Parameter (organization-defined time period): organization agreed upon time period - - Parameter (organization-defined personnel): organization defined configuration management approval authorities - - Included in NIST High Baseline, Rev 4 - - - - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined frequency): at least every thirty (30) days - - Parameter (organization-defined circumstances): organization-defined circumstances - - Included in NIST High Baseline, Rev 4 - - - - Parameter (organization-defined software and firmware components): organization-defined software and firmware components - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - CM-5 (3) Guidance: If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized. 
- - - Parameter (organization-defined security configuration checklists): United States Government Configuration Baseline (USGCB) - - Parameter (organization-defined information system components): organization-defined information system components - - Parameter (organization-defined operational requirements): organization-defined operational requirements - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - CM-6 (a)-1 Requirement 1: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. CM-6 (a)-2 Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available). CM-6 (a) Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc - - - Parameter (organization-defined information system components): organization-defined information system components - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined security safeguards): organization-defined security safeguards - - Parameter (organization-defined configuration settings): organization-defined configuration settings - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined prohibited or restricted functions, ports, protocols, and/or services): [United States Government Configuration Baseline (USGCB)] - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - CM-7 (b) Requirement: The service provider shall use the Center for Internet - Security guidelines (Level 1) to establish list of prohibited or restricted - functions, ports, protocols, and/or services or establishes its own list of - prohibited or restricted functions, ports, 
protocols, and/or services if USGCB is - not available.CM-7 Guidance: Information on the USGCB checklists can be found at: - http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc. (Partially derived from - AC-17(8). - - - Parameter (organization-defined frequency): at least monthly - - Parameter (organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure): organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined policies regarding software program usage and restrictions): organization-defined policies regarding software program usage and restrictions - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - CM-7 (2) Guidance: This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run. 
- - - Parameter (organization-defined software programs authorized to execute on the information system): organization-defined software programs authorized to execute on the information system - - Parameter (organization-defined frequency): at least quarterly or when there is a change - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined information deemed necessary to achieve effective information system component accountability): organization-defined information deemed necessary to achieve effective information system component accountability - - Parameter (organization-defined frequency): at least monthly - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - CM-8 Requirement: must be provided at least monthly or when there is a change. - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined frequency): Continuously, using automated mechanisms with a maximum five-minute delay in - detection. 
- - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - - Included in NIST High Baseline, Rev 4 - - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined policies): organization-defined policies - - Parameter (organization-defined methods): organization-defined methods - - Parameter (organization-defined frequency): Continuously (via CM-7 (5)) - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): at least annually - - Parameter (organization-defined frequency): at least annually or whenever a significant change occurs - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined key contingency personnel (identified by name and/or by role) and organizational elements): organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - - Parameter (organization-defined frequency): at least annually - - Parameter (organization-defined key contingency personnel (identified by name and/or by role) and organizational elements): organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - CP-2 Requirement: For JAB authorizations the contingency lists include designated FedRAMP personnel. 
- - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined time period): organization-defined time period - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined time period): time period defined in service provider and organization SLA - - Included in NIST High Baseline, Rev 4 - - - - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined time period): ten (10) days - - Parameter (organization-defined frequency): at least annually - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined frequency): at least annually - - Parameter (organization-defined tests): functional exercises - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - CP-4 (a) Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing. 
- - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined information system operations): organization-defined information system operations - - Parameter (organization-defined time period consistent with recovery time and recovery point objectives): organization-defined time period consistent with recovery time and recovery point objectives - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - CP-7 (a) Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis. - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - CP-7 (1) Guidance: The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant. 
- - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined information system operations): organization-defined information system operations - - Parameter (organization-defined time period): organization-defined time period - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - CP-8 Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis. - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 - CP-8 (4) (c) [annually] - - - Parameter (organization-defined frequency consistent with recovery time and recovery point objectives): organization-defined frequency consistent with recovery time and recovery point objectives - - Parameter (organization-defined frequency consistent with recovery time and recovery point objectives): organization-defined frequency consistent with recovery time and recovery point objectives - - Parameter (organization-defined frequency consistent with recovery time and recovery point objectives): organization-defined frequency consistent with recovery time and recovery point objectives - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - CP-9 (a) [daily incremental; weekly full] CP-9 (b) [daily incremental; weekly full] CP-9 (c) [daily incremental; weekly full] - CP-9 Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control. 
The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check. CP-9 (a) Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative. CP-9 (b) Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative. CP-9 (c) Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative. - - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - CP-9 (1). [at least monthly] - - - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined critical information system software and other security-related information): organization-defined critical information system software and other security-related information - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives): organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives - - Included in NIST High Baseline, Rev 4 - CP-9 (5) [time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA]. 
- - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined restoration time-periods): organization-defined restoration time-periods - - Included in NIST High Baseline, Rev 4 - CP-10 (4) [time period consistent with the restoration time-periods defined in the service provider and organization SLA] - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - IA-1 (b) (1) [at least annually] IA-1 (b) (2) [at least annually or whenever a significant change occurs] - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined strength of mechanism requirements): organization-defined strength of mechanism requirements - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - IA-2 (11) [FIPS 140-2, NIAP Certification, or NSA approval] - IA-2 (11) Guidance: PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials. 
- - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - IA-2 (12) Guidance: Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12. - - - Parameter (organization-defined specific and/or types of devices): organization-defined specific and/or types of devices - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined time period): organization-defined time period - - Parameter (organization-defined time period of inactivity): organization-defined time period of inactivity - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - IA-4(a) [at a minimum, the ISSO (or similar role within the organization)] IA-4 (d) [at least two (2) years] IA-4 (e) [thirty-five (35) days] (See additional requirements and guidance.) - IA-4 (e) Requirement: The service provider defines the time period of inactivity for device identifiers. Guidance: For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx. 
- - - Parameter (organization-defined time period by authenticator type): organization-defined time period by authenticator type - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - IA-5 (g) [to include sixty (60) days for passwords] - IA-5 Requirement: Authenticators must be compliant with NIST SP 800-63-2 Electronic Authentication Guideline assurance Level 4 (Link http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf) - - - Parameter (organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type): organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type - - Parameter (organization-defined number): organization-defined number - - Parameter (organization-defined numbers for lifetime minimum, lifetime maximum): organization-defined numbers for lifetime minimum, lifetime maximum - - Parameter (organization-defined number): organization-defined number - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - IA-5 (1) (a) [case sensitive, minimum of fourteen (14) characters, and at least one (1) each of upper-case letters, lower-case letters, numbers, and special characters] IA-5 (1) (b) [at least fifty percent (50%)] IA-5 (1) (d) [one (1) day minimum, sixty (60) day maximum] IA-5 (1) (e) [twenty four (24)] - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined types of and/or specific authenticators): organization-defined types of and/or specific authenticators - - Parameter (organization-defined registration authority): organization-defined registration authority - - Parameter (organization-defined personnel or roles): organization-defined personnel 
or roles - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - IA-5 (3)-1 [All hardware/biometric (multifactor authenticators] IA-5 (3)-2 [in person] - - - Parameter (organization-defined token quality requirements): organization-defined token quality requirements - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - IDENTIFICATION AND AUTHENTICATION (NON- ORGANIZATIONAL USERS) - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined information systems): organization-defined information systems - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - IR-1 (b) (1) [at least annually] IR-1 (b) (2) [at least annually or whenever a significant change occurs] - - - Parameter (organization-defined time period): organization-defined time period - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - IR-2 (a) [within ten (10) days] IR-2 (c) [at least annually] - - - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined 
frequency): organization-defined frequency - - Parameter (organization-defined tests): organization-defined tests - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - IR-3-1 [at least every six (6) months] - IR-3-2 Requirement: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing. - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - IR-4 Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system. - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined time period): organization-defined time period - - Parameter (organization-defined authorities): organization-defined authorities - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - IR-6 (a) [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)] - IR-6 Requirement: Reports security incident information according to FedRAMP Incident Communications Procedure. 
- - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined incident response personnel (identified by name and/or by role) and organizational elements): organization-defined incident response personnel (identified by name and/or by role) and organizational elements - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined incident response personnel (identified by name and/or by role) and organizational elements): organization-defined incident response personnel (identified by name and/or by role) and organizational elements - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - IR-8 (b) [see additional FedRAMP Requirements and Guidance] IR-8 (c) [at least annually] IR-8 (e) [see additional FedRAMP Requirements and Guidance] - IR-8 (b) Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel. IR-8 (e) Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel. 
- - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - MA-1 (b) (1) [at least annually] MA-1 (b) (2) [at least annually or whenever a significant change occurs] - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined maintenance-related information): organization-defined maintenance-related information - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - MA-3 (3) (d). 
[the information owner explicitly authorizing removal of the equipment from the facility] - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined information system components): organization-defined information system components - - Parameter (organization-defined time period): organization-defined time period - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - MP-1 (b) (1) [at least annually] MP-1 (b) (2) [at least annually or whenever a significant change occurs] - - - Parameter (organization-defined types of digital and/or non-digital media): organization-defined types of digital and/or non-digital media - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - MP-2-1 [any digital and non-digital media deemed sensitive] - - - Parameter (organization-defined types of information system media): organization-defined types of information system media - - Parameter (organization-defined controlled areas): organization-defined controlled areas - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - MP-3 (b)-1 [no removable media types] MP-3 (b)-2 [organization-defined security safeguards not applicable] - MP-3 (b) 
Guidance: Second parameter not-applicable - - - Parameter (organization-defined types of digital and/or non-digital media): organization-defined types of digital and/or non-digital media - - Parameter (organization-defined controlled areas): organization-defined controlled areas - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - MP-4 (a)-1 [all types of digital and non-digital media with sensitive information] MP-4 (a)-2 [see additional FedRAMP requirements and guidance] - MP-4 (a) Requirement: The service provider defines controlled areas within facilities where the information and information system reside. - - - Parameter (organization-defined types of information system media): organization-defined types of information system media - - Parameter (organization-defined security safeguards): organization-defined security safeguards - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - MP-5 (a) [all media with sensitive information] [prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container] - MP-5 (a) Requirement: The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB. 
- - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined information system media): organization-defined information system media - - Parameter (organization-defined sanitization techniques and procedures): organization-defined sanitization techniques and procedures - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - MP-6(a)-2 [techniques and procedures IAW NIST SP 800-88 and Section 5.9: Reuse and Disposal of Storage Media and Hardware] - - - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - MP-6 (2) [at least every six (6) months] - MP-6 (2) Guidance: Equipment and procedures may be tested or validated for effectiveness - - - Parameter (organization-defined circumstances requiring sanitization of portable storage devices): organization-defined circumstances requiring sanitization of portable storage devices - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined types of information system media): organization-defined types of information system media - - Parameter (organization-defined information systems or system components): organization-defined information systems or system components - - Parameter (organization-defined security safeguards): organization-defined security safeguards - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PE-1 (b) (1) [at least 
annually] PE-1 (b) (2) [at least annually or whenever a significant change occurs] - - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PE-2 (c) [at least every ninety (90) days] - - - Parameter (organization-defined entry/exit points to the facility where the information system resides): organization-defined entry/exit points to the facility where the information system resides - - Parameter (organization-defined physical access control systems/devices): organization-defined physical access control systems/devices - - Parameter (organization-defined entry/exit points): organization-defined entry/exit points - - Parameter (organization-defined security safeguards): organization-defined security safeguards - - Parameter (organization-defined circumstances requiring visitor escorts and monitoring): organization-defined circumstances requiring visitor escorts and monitoring - - Parameter (organization-defined physical access devices): organization-defined physical access devices - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PE-3 (a) (2) [CSP defined physical access control systems/devices AND guards] PE-3 (d) [in all circumstances within restricted access area where the information system resides] PE-3 (f) [at least annually] PE-3 (g) [at least annually] - - - Parameter (organization-defined physical spaces containing one or more components of the information system): organization-defined physical spaces containing one or more components of the information system - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined information system distribution and transmission lines): organization-defined information system distribution and transmission lines 
- - Parameter (organization-defined security safeguards): organization-defined security safeguards - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined events or potential indications of events): organization-defined events or potential indications of events - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PE-6 (b) [at least monthly] - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined physical spaces containing one or more components of the information system): organization-defined physical spaces containing one or more components of the information system - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined time period): organization-defined time period - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PE-8 (a) [for a minimum of one (1) year] PE-8 (b) [at least monthly] - - - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined location by information system or system component): organization-defined location by information system or system component - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined personnel or roles): organization-defined 
personnel or roles - - Parameter (organization-defined emergency responders): organization-defined emergency responders - - Included in NIST High Baseline, Rev 4 - PE-13 (1) -1 [service provider building maintenance/physical security personnel] PE-13 (1) -2 [service provider emergency responders with incident response responsibilities] - - - Parameter (organization-defined emergency responders): organization-defined emergency responders - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined acceptable levels): organization-defined acceptable levels - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PE-14 (a) [consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments] PE-14 (b) [continuously] - PE-14 (a) Requirements: The service provider measures temperature at server inlets and humidity levels by dew point. 
- - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Included in NIST High Baseline, Rev 4 - PE-15 (1) [service provider building maintenance/physical security personnel] - - - Parameter (organization-defined types of information system components): organization-defined types of information system components - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PE-16 [all information system components] - - - Parameter (organization-defined security controls): organization-defined security controls - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined physical and environmental hazards): organization-defined physical and environmental hazards - - Included in NIST High Baseline, Rev 4 - PE-18 [physical and environmental hazards identified during threat assessment] - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PL-1 (b) (1) [at least annually] PL-1 (b) (2) [at least annually or whenever a significant change occurs] - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PL-2 (c) [at least annually] - - - Parameter (organization-defined individuals or groups): organization-defined individuals or groups - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined frequency): organization-defined frequency - - 
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PL-4 (c) [annually] - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PL-8 (b) [at least annually or when a significant change occurs] - PL-8 (b) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7. - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PS-1 (b) (1) [at least annually] PS-1 (b) (2) [at least annually or whenever a significant change occurs] - - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PS-2 (c) [at least annually] - - - Parameter (organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening): organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PS-3 (b) [for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. 
There is no reinvestigation for other moderate risk positions or any low risk positions] - - - Parameter (organization-defined time period): organization-defined time period - - Parameter (organization-defined information security topics): organization-defined information security topics - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined time period): organization-defined time period - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PS-4 (a) [eight (8) hours] - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Included in NIST High Baseline, Rev 4 - PS-4 (2) [access control personnel responsible for disabling access to the system] - - - Parameter (organization-defined transfer or reassignment actions): organization-defined transfer or reassignment actions - - Parameter (organization-defined time period following the formal transfer action): organization-defined time period following the formal transfer action - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined time period): organization-defined time period - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PS-5 (b)-2 [twenty-four (24) hours] PS-5 (d)-2 [twenty-four (24) hours] - - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PS-6 (b) [at least annually] PS-6 (c) (2) [at least annually and any time there is a change to the user's level of access] - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined time period): organization-defined time period - - Included in NIST High 
Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PS-7 (d)-2 [terminations: immediately; transfers: within twenty-four (24) hours] - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined time period): organization-defined time period - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - PS-8(b)-1 [at a minimum, the ISSO and/or similar role within the organization] - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - RA-1 (b) (1) [at least annually] RA-1 (b) (2) [at least annually or whenever a significant change occurs] - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined document): organization-defined document - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - RA-3 (b) [security assessment report]RA-3 (c) [at least annually or whenever a significant change occurs]RA-3 (e) [annually] - RA-3 Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. RA-3 (d) Requirement: Include all Authoring Officials and FedRAMP ISSOs. 
- - - Parameter (organization-defined frequency and/or randomly in accordance with organization-defined process): organization-defined frequency and/or randomly in accordance with organization-defined process - - Parameter (organization-defined response times): organization-defined response times - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - RA-5 (a) [monthly operating system/infrastructure; monthly web applications and databases] RA-5 (d) [high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery] - RA-5 (a) Requirement: an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually. RA-5 (e) Requirement: to include the Risk Executive; for JAB authorizations to include FedRAMP - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - RA-5 (2) [prior to a new scan] - - - Parameter (organization-defined corrective actions): organization-defined corrective actions - - Included in NIST High Baseline, Rev 4 - RA-5 (4) [notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions] - - - Parameter (organization-identified information system components): organization-identified information system components - - Parameter (organization-defined vulnerability scanning activities): organization-defined vulnerability scanning activities - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - RA-5 (5)-1 [operating systems / web applications / databases] RA-5 (5)-2 [all scans] - - - Parameter 
(organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SA-1 (b) (1) [at least annually] SA-1 (b) (2) [at least annually or whenever a significant change occurs] - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined system development life cycle): organization-defined system development life cycle - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SA-4 Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html. - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined design/implementation information): organization-defined design/implementation information - - Parameter (organization-defined level of detail): organization-defined level of detail - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SA-4 (2)-1 [at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram; [organization-defined design/implementation information]] - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined actions): organization-defined actions - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate 
Baseline, Rev 4 - SA-5E [at a minimum, the ISSO (or similar role within the organization)] - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined security controls): organization-defined security controls - - Parameter (organization-defined processes, methods, and techniques): organization-defined processes, methods, and techniques - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SA-9 (a) [FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system] SA-9 (c) [Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored] - - - Parameter (organization-defined external information system services): organization-defined external information system services - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SA-9 (2) [all external systems where Federal information is processed or stored] - - - Parameter (organization-defined configuration items under configuration management): organization-defined configuration items under configuration management - - Parameter (organization-defined personnel): organization-defined personnel - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SA-10 (a) [development, implementation, AND operation] - SA-10 (e) Requirement: for JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP. 
- - - Parameter (organization-defined depth and coverage): organization-defined depth and coverage - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined security safeguards): organization-defined security safeguards - - Included in NIST High Baseline, Rev 4 - SA-12 [organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures] - - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined security requirements): organization-defined security requirements - - Included in NIST High Baseline, Rev 4 - SA-15 (b)-1 [as needed and as dictated by the current threat posture] SA-15 (b)-2 [organization and service provider- defined security requirements] - - - Parameter (organization-defined training): organization-defined training - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SC-1 (b) (1) [at least annually] SC-1 (b) (2) [at least annually or whenever a significant change occurs] - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined types of denial of service attacks or references to sources for such information): organization-defined types of denial of service attacks or references to sources for such information - - Parameter (organization-defined security safeguards): organization-defined security safeguards - - 
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SC-7 (4) (e) [at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions] - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined internal communications traffic): organization-defined internal communications traffic - - Parameter (organization-defined external networks): organization-defined external networks - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined information system components): organization-defined information system components - - Parameter (organization-defined missions and/or business functions): organization-defined missions and/or business functions - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SC-8 [confidentiality AND integrity] - - - Parameter (organization-defined alternative physical safeguards): organization-defined alternative physical safeguards - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SC-8 (1)-1 [prevent unauthorized disclosure of information AND detect changes to information] SC-8 (1)-1 [a hardened or alarmed carrier Protective Distribution System (PDS)] - - - Parameter (organization-defined time period): organization-defined time period - - Included in NIST High 
Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SC-10 [no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions] - - - Parameter (organization-defined requirements for key generation, distribution, storage, access, and destruction): organization-defined requirements for key generation, distribution, storage, access, and destruction - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SC-12 Guidance: Federally approved cryptography - - - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined cryptographic uses and type of cryptography required for each use): organization-defined cryptographic uses and type of cryptography required for each use - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SC-13 [FIPS-validated or NSA-approved cryptography] - - - Parameter (organization-defined exceptions where remote activation is to be allowed): organization-defined exceptions where remote activation is to be allowed - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SC-15 (a) [no exceptions] - SC-15 Requirement: The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use. 
- - - Parameter (organization-defined certificate policy): organization-defined certificate policy - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - SECURE NAME /ADDRESS RESOLUTION SERVICE -(AUTHORITATIVE SOURCE) - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - SECURE NAME /ADDRESS RESOLUTION SERVICE -(RECURSIVE OR CACHING RESOLVER) - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - ARCHITECTURE AND PROVISIONING FOR -NAME/ADDRESS RESOLUTION SERVICE - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined known-state): organization-defined known-state - - Parameter (organization-defined types of failures): organization-defined types of failures - - Parameter (organization-defined system state information): organization-defined system state information - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined information at rest): organization-defined information at rest - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SC-28 [confidentiality AND integrity] - SC-28 Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest. 
- - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SI-1 (b) (1) [at least annually] SI-1 (b) (2) [at least annually or whenever a significant change occurs] - - - Parameter (organization-defined time period): organization-defined time period - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SI-2 (c) [thirty (30) days of release of updates] - - - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SI-2 (2) [at least monthly] - - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined action): organization-defined action - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SI-3 (c) (1)-1 [at least weekly] SI-3 (c) (1)-2 [to include endpoints] SI-3 (c) (2) [to include blocking and quarantining malicious code and alerting administrator or defined security personnel near-realtime] - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined monitoring objectives): organization-defined monitoring objectives - - Parameter (organization-defined techniques and methods): organization-defined techniques and methods - - Parameter (organization-defined information system monitoring information): organization-defined information system monitoring information - - Parameter (organization-defined personnel or roles): 
organization-defined personnel or roles - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SI-4 Guidance: See US-CERT Incident Response Reporting Guidelines. - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SI-4 (4) [continuously] - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined compromise indicators): organization-defined compromise indicators - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SI-4 (5) Guidance: In accordance with the incident response plan. - - - Parameter (organization-defined external organizations): organization-defined external organizations - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined elements within the organization): organization-defined elements within the organization - - Parameter (organization-defined external organizations): organization-defined external organizations - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SI-5 (a) [to include US-CERT] SI-5 (c) [to include system security personnel and administrators with configuration/patch-management responsibilities] - - - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined security functions): organization-defined security functions - - Parameter (organization-defined system transitional states): organization-defined system transitional states - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter 
(organization-defined alternative action(s)): organization-defined alternative action(s) - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SI-6 (b) [to include upon system startup and/or restart and at least monthly] SI-6 (c) [to include system administrators and security personnel] SI-6 (d) [to include notification of system administrators and security personnel] - - - Parameter (organization-defined software, firmware, and information): organization-defined software, firmware, and information - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined software, firmware, and information): organization-defined software, firmware, and information - - Parameter (organization-defined transitional states or security-relevant events): organization-defined transitional states or security-relevant events - - Parameter (organization-defined frequency): organization-defined frequency - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - SI-7(1)-1 [selection to include security relevant events] SI-7(1)-2 [at least monthly] - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined security safeguards): organization-defined security safeguards - - Included in NIST High Baseline, Rev 4 - - - Parameter (organization-defined security-relevant changes to the information system): organization-defined security-relevant changes to the information system - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter 
(organization-defined information inputs): organization-defined information inputs - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined security safeguards): organization-defined security safeguards - - Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 - -

-

SP800-53-rev4-catalog.xml ➭ Included: - - Control ac.1 - - Control ac.2 - - Subcontrol ac.2.1. - - Subcontrol ac.2.2. - - Subcontrol ac.2.3. - - Subcontrol ac.2.4. - - Subcontrol ac.2.5. - - Subcontrol ac.2.11. - - Subcontrol ac.2.12. - - Subcontrol ac.2.13. - - Control ac.3 - - Control ac.4 - - Control ac.5 - - Control ac.6 - - Subcontrol ac.6.1. - - Subcontrol ac.6.2. - - Subcontrol ac.6.3. - - Subcontrol ac.6.5. - - Subcontrol ac.6.9. - - Subcontrol ac.6.10. - - Control ac.7 - - Control ac.8 - - Control ac.10 - - Control ac.11 - - Subcontrol ac.11.1. - - Control ac.12 - - Control ac.14 - - Control ac.17 - - Subcontrol ac.17.1. - - Subcontrol ac.17.2. - - Subcontrol ac.17.3. - - Subcontrol ac.17.4. - - Control ac.18 - - Subcontrol ac.18.1. - - Subcontrol ac.18.4. - - Subcontrol ac.18.5. - - Control ac.19 - - Subcontrol ac.19.5. - - Control ac.20 - - Subcontrol ac.20.1. - - Subcontrol ac.20.2. - - Control ac.21 - - Control ac.22 - - Control at.1 - - Control at.2 - - Subcontrol at.2.2. - - Control at.3 - - Control at.4 - - Control au.1 - - Control au.2 - - Subcontrol au.2.3. - - Control au.3 - - Subcontrol au.3.1. - - Subcontrol au.3.2. - - Control au.4 - - Control au.5 - - Subcontrol au.5.1. - - Subcontrol au.5.2. - - Control au.6 - - Subcontrol au.6.1. - - Subcontrol au.6.3. - - Subcontrol au.6.5. - - Subcontrol au.6.6. - - Control au.7 - - Subcontrol au.7.1. - - Control au.8 - - Subcontrol au.8.1. - - Control au.9 - - Subcontrol au.9.2. - - Subcontrol au.9.3. - - Subcontrol au.9.4. - - Control au.10 - - Control au.11 - - Control au.12 - - Subcontrol au.12.1. - - Subcontrol au.12.3. - - Control ca.1 - - Control ca.2 - - Subcontrol ca.2.1. - - Subcontrol ca.2.2. - - Control ca.3 - - Subcontrol ca.3.5. - - Control ca.5 - - Control ca.6 - - Control ca.7 - - Subcontrol ca.7.1. - - Control ca.8 - - Control ca.9 - - Control cm.1 - - Control cm.2 - - Subcontrol cm.2.1. - - Subcontrol cm.2.2. - - Subcontrol cm.2.3. - - Subcontrol cm.2.7. 
- - Control cm.3 - - Subcontrol cm.3.1. - - Subcontrol cm.3.2. - - Control cm.4 - - Subcontrol cm.4.1. - - Control cm.5 - - Subcontrol cm.5.1. - - Subcontrol cm.5.2. - - Subcontrol cm.5.3. - - Control cm.6 - - Subcontrol cm.6.1. - - Subcontrol cm.6.2. - - Control cm.7 - - Subcontrol cm.7.1. - - Subcontrol cm.7.2. - - Subcontrol cm.7.5. - - Control cm.8 - - Subcontrol cm.8.1. - - Subcontrol cm.8.2. - - Subcontrol cm.8.3. - - Subcontrol cm.8.4. - - Subcontrol cm.8.5. - - Control cm.9 - - Control cm.10 - - Control cm.11 - - Control cp.1 - - Control cp.2 - - Subcontrol cp.2.1. - - Subcontrol cp.2.2. - - Subcontrol cp.2.3. - - Subcontrol cp.2.4. - - Subcontrol cp.2.5. - - Subcontrol cp.2.8. - - Control cp.3 - - Subcontrol cp.3.1. - - Control cp.4 - - Subcontrol cp.4.1. - - Subcontrol cp.4.2. - - Control cp.6 - - Subcontrol cp.6.1. - - Subcontrol cp.6.2. - - Subcontrol cp.6.3. - - Control cp.7 - - Subcontrol cp.7.1. - - Subcontrol cp.7.2. - - Subcontrol cp.7.3. - - Subcontrol cp.7.4. - - Control cp.8 - - Subcontrol cp.8.1. - - Subcontrol cp.8.2. - - Subcontrol cp.8.3. - - Subcontrol cp.8.4. - - Control cp.9 - - Subcontrol cp.9.1. - - Subcontrol cp.9.2. - - Subcontrol cp.9.3. - - Subcontrol cp.9.5. - - Control cp.10 - - Subcontrol cp.10.2. - - Subcontrol cp.10.4. - - Control ia.1 - - Control ia.2 - - Subcontrol ia.2.1. - - Subcontrol ia.2.2. - - Subcontrol ia.2.3. - - Subcontrol ia.2.4. - - Subcontrol ia.2.8. - - Subcontrol ia.2.9. - - Subcontrol ia.2.11. - - Subcontrol ia.2.12. - - Control ia.3 - - Control ia.4 - - Control ia.5 - - Subcontrol ia.5.1. - - Subcontrol ia.5.2. - - Subcontrol ia.5.3. - - Subcontrol ia.5.11. - - Control ia.6 - - Control ia.7 - - Control ia.8 - - Subcontrol ia.8.1. - - Subcontrol ia.8.2. - - Subcontrol ia.8.3. - - Subcontrol ia.8.4. - - Control ir.1 - - Control ir.2 - - Subcontrol ir.2.1. - - Subcontrol ir.2.2. - - Control ir.3 - - Subcontrol ir.3.2. - - Control ir.4 - - Subcontrol ir.4.1. - - Subcontrol ir.4.4. 
- - Control ir.5 - - Subcontrol ir.5.1. - - Control ir.6 - - Subcontrol ir.6.1. - - Control ir.7 - - Subcontrol ir.7.1. - - Control ir.8 - - Control ma.1 - - Control ma.2 - - Subcontrol ma.2.2. - - Control ma.3 - - Subcontrol ma.3.1. - - Subcontrol ma.3.2. - - Subcontrol ma.3.3. - - Control ma.4 - - Subcontrol ma.4.2. - - Subcontrol ma.4.3. - - Control ma.5 - - Subcontrol ma.5.1. - - Control ma.6 - - Control mp.1 - - Control mp.2 - - Control mp.3 - - Control mp.4 - - Control mp.5 - - Subcontrol mp.5.4. - - Control mp.6 - - Subcontrol mp.6.1. - - Subcontrol mp.6.2. - - Subcontrol mp.6.3. - - Control mp.7 - - Subcontrol mp.7.1. - - Control pe.1 - - Control pe.2 - - Control pe.3 - - Subcontrol pe.3.1. - - Control pe.4 - - Control pe.5 - - Control pe.6 - - Subcontrol pe.6.1. - - Subcontrol pe.6.4. - - Control pe.8 - - Subcontrol pe.8.1. - - Control pe.9 - - Control pe.10 - - Control pe.11 - - Subcontrol pe.11.1. - - Control pe.12 - - Control pe.13 - - Subcontrol pe.13.1. - - Subcontrol pe.13.2. - - Subcontrol pe.13.3. - - Control pe.14 - - Control pe.15 - - Subcontrol pe.15.1. - - Control pe.16 - - Control pe.17 - - Control pe.18 - - Control pl.1 - - Control pl.2 - - Subcontrol pl.2.3. - - Control pl.4 - - Subcontrol pl.4.1. - - Control pl.8 - - Control ps.1 - - Control ps.2 - - Control ps.3 - - Control ps.4 - - Subcontrol ps.4.2. - - Control ps.5 - - Control ps.6 - - Control ps.7 - - Control ps.8 - - Control ra.1 - - Control ra.2 - - Control ra.3 - - Control ra.5 - - Subcontrol ra.5.1. - - Subcontrol ra.5.2. - - Subcontrol ra.5.4. - - Subcontrol ra.5.5. - - Control sa.1 - - Control sa.2 - - Control sa.3 - - Control sa.4 - - Subcontrol sa.4.1. - - Subcontrol sa.4.2. - - Subcontrol sa.4.9. - - Subcontrol sa.4.10. - - Control sa.5 - - Control sa.8 - - Control sa.9 - - Subcontrol sa.9.2. 
- - Control sa.10 - - Control sa.11 - - Control sa.12 - - Control sa.15 - - Control sa.16 - - Control sa.17 - - Control sc.1 - - Control sc.2 - - Control sc.3 - - Control sc.4 - - Control sc.5 - - Control sc.7 - - Subcontrol sc.7.3. - - Subcontrol sc.7.4. - - Subcontrol sc.7.5. - - Subcontrol sc.7.7. - - Subcontrol sc.7.8. - - Subcontrol sc.7.18. - - Subcontrol sc.7.21. - - Control sc.8 - - Subcontrol sc.8.1. - - Control sc.10 - - Control sc.12 - - Subcontrol sc.12.1. - - Control sc.13 - - Control sc.15 - - Control sc.17 - - Control sc.18 - - Control sc.19 - - Control sc.20 - - Control sc.21 - - Control sc.22 - - Control sc.23 - - Control sc.24 - - Control sc.28 - - Control sc.39 - - Control si.1 - - Control si.2 - - Subcontrol si.2.1. - - Subcontrol si.2.2. - - Control si.3 - - Subcontrol si.3.1. - - Subcontrol si.3.2. - - Control si.4 - - Subcontrol si.4.2. - - Subcontrol si.4.4. - - Subcontrol si.4.5. - - Control si.5 - - Subcontrol si.5.1. - - Control si.6 - - Control si.7 - - Subcontrol si.7.1. - - Subcontrol si.7.2. - - Subcontrol si.7.5. - - Subcontrol si.7.7. - - Subcontrol si.7.14. - - Control si.8 - - Subcontrol si.8.1. - - Subcontrol si.8.2. - - Control si.10 - - Control si.11 - - Control si.12 - - Control si.16 -

-
-

-
-
-
-

SP800-53-rev4-catalog.xml ➭ Included: - - Control ac.1 - - Control ac.2 - - Subcontrol ac.2.1. - - Subcontrol ac.2.2. - - Subcontrol ac.2.3. - - Subcontrol ac.2.4. - - Subcontrol ac.2.5. - - Subcontrol ac.2.11. - - Subcontrol ac.2.12. - - Subcontrol ac.2.13. - - Control ac.3 - - Control ac.4 - - Control ac.5 - - Control ac.6 - - Subcontrol ac.6.1. - - Subcontrol ac.6.2. - - Subcontrol ac.6.3. - - Subcontrol ac.6.5. - - Subcontrol ac.6.9. - - Subcontrol ac.6.10. - - Control ac.7 - - Control ac.8 - - Control ac.10 - - Control ac.11 - - Subcontrol ac.11.1. - - Control ac.12 - - Control ac.14 - - Control ac.17 - - Subcontrol ac.17.1. - - Subcontrol ac.17.2. - - Subcontrol ac.17.3. - - Subcontrol ac.17.4. - - Control ac.18 - - Subcontrol ac.18.1. - - Subcontrol ac.18.4. - - Subcontrol ac.18.5. - - Control ac.19 - - Subcontrol ac.19.5. - - Control ac.20 - - Subcontrol ac.20.1. - - Subcontrol ac.20.2. - - Control ac.21 - - Control ac.22 - - Control at.1 - - Control at.2 - - Subcontrol at.2.2. - - Control at.3 - - Control at.4 - - Control au.1 - - Control au.2 - - Subcontrol au.2.3. - - Control au.3 - - Subcontrol au.3.1. - - Subcontrol au.3.2. - - Control au.4 - - Control au.5 - - Subcontrol au.5.1. - - Subcontrol au.5.2. - - Control au.6 - - Subcontrol au.6.1. - - Subcontrol au.6.3. - - Subcontrol au.6.5. - - Subcontrol au.6.6. - - Control au.7 - - Subcontrol au.7.1. - - Control au.8 - - Subcontrol au.8.1. - - Control au.9 - - Subcontrol au.9.2. - - Subcontrol au.9.3. - - Subcontrol au.9.4. - - Control au.10 - - Control au.11 - - Control au.12 - - Subcontrol au.12.1. - - Subcontrol au.12.3. - - Control ca.1 - - Control ca.2 - - Subcontrol ca.2.1. - - Subcontrol ca.2.2. - - Control ca.3 - - Subcontrol ca.3.5. - - Control ca.5 - - Control ca.6 - - Control ca.7 - - Subcontrol ca.7.1. - - Control ca.8 - - Control ca.9 - - Control cm.1 - - Control cm.2 - - Subcontrol cm.2.1. - - Subcontrol cm.2.2. - - Subcontrol cm.2.3. - - Subcontrol cm.2.7. 
- - Control cm.3 - - Subcontrol cm.3.1. - - Subcontrol cm.3.2. - - Control cm.4 - - Subcontrol cm.4.1. - - Control cm.5 - - Subcontrol cm.5.1. - - Subcontrol cm.5.2. - - Subcontrol cm.5.3. - - Control cm.6 - - Subcontrol cm.6.1. - - Subcontrol cm.6.2. - - Control cm.7 - - Subcontrol cm.7.1. - - Subcontrol cm.7.2. - - Subcontrol cm.7.5. - - Control cm.8 - - Subcontrol cm.8.1. - - Subcontrol cm.8.2. - - Subcontrol cm.8.3. - - Subcontrol cm.8.4. - - Subcontrol cm.8.5. - - Control cm.9 - - Control cm.10 - - Control cm.11 - - Control cp.1 - - Control cp.2 - - Subcontrol cp.2.1. - - Subcontrol cp.2.2. - - Subcontrol cp.2.3. - - Subcontrol cp.2.4. - - Subcontrol cp.2.5. - - Subcontrol cp.2.8. - - Control cp.3 - - Subcontrol cp.3.1. - - Control cp.4 - - Subcontrol cp.4.1. - - Subcontrol cp.4.2. - - Control cp.6 - - Subcontrol cp.6.1. - - Subcontrol cp.6.2. - - Subcontrol cp.6.3. - - Control cp.7 - - Subcontrol cp.7.1. - - Subcontrol cp.7.2. - - Subcontrol cp.7.3. - - Subcontrol cp.7.4. - - Control cp.8 - - Subcontrol cp.8.1. - - Subcontrol cp.8.2. - - Subcontrol cp.8.3. - - Subcontrol cp.8.4. - - Control cp.9 - - Subcontrol cp.9.1. - - Subcontrol cp.9.2. - - Subcontrol cp.9.3. - - Subcontrol cp.9.5. - - Control cp.10 - - Subcontrol cp.10.2. - - Subcontrol cp.10.4. - - Control ia.1 - - Control ia.2 - - Subcontrol ia.2.1. - - Subcontrol ia.2.2. - - Subcontrol ia.2.3. - - Subcontrol ia.2.4. - - Subcontrol ia.2.8. - - Subcontrol ia.2.9. - - Subcontrol ia.2.11. - - Subcontrol ia.2.12. - - Control ia.3 - - Control ia.4 - - Control ia.5 - - Subcontrol ia.5.1. - - Subcontrol ia.5.2. - - Subcontrol ia.5.3. - - Subcontrol ia.5.11. - - Control ia.6 - - Control ia.7 - - Control ia.8 - - Subcontrol ia.8.1. - - Subcontrol ia.8.2. - - Subcontrol ia.8.3. - - Subcontrol ia.8.4. - - Control ir.1 - - Control ir.2 - - Subcontrol ir.2.1. - - Subcontrol ir.2.2. - - Control ir.3 - - Subcontrol ir.3.2. - - Control ir.4 - - Subcontrol ir.4.1. - - Subcontrol ir.4.4. 
- - Control ir.5 - - Subcontrol ir.5.1. - - Control ir.6 - - Subcontrol ir.6.1. - - Control ir.7 - - Subcontrol ir.7.1. - - Control ir.8 - - Control ma.1 - - Control ma.2 - - Subcontrol ma.2.2. - - Control ma.3 - - Subcontrol ma.3.1. - - Subcontrol ma.3.2. - - Subcontrol ma.3.3. - - Control ma.4 - - Subcontrol ma.4.2. - - Subcontrol ma.4.3. - - Control ma.5 - - Subcontrol ma.5.1. - - Control ma.6 - - Control mp.1 - - Control mp.2 - - Control mp.3 - - Control mp.4 - - Control mp.5 - - Subcontrol mp.5.4. - - Control mp.6 - - Subcontrol mp.6.1. - - Subcontrol mp.6.2. - - Subcontrol mp.6.3. - - Control mp.7 - - Subcontrol mp.7.1. - - Control pe.1 - - Control pe.2 - - Control pe.3 - - Subcontrol pe.3.1. - - Control pe.4 - - Control pe.5 - - Control pe.6 - - Subcontrol pe.6.1. - - Subcontrol pe.6.4. - - Control pe.8 - - Subcontrol pe.8.1. - - Control pe.9 - - Control pe.10 - - Control pe.11 - - Subcontrol pe.11.1. - - Control pe.12 - - Control pe.13 - - Subcontrol pe.13.1. - - Subcontrol pe.13.2. - - Subcontrol pe.13.3. - - Control pe.14 - - Control pe.15 - - Subcontrol pe.15.1. - - Control pe.16 - - Control pe.17 - - Control pe.18 - - Control pl.1 - - Control pl.2 - - Subcontrol pl.2.3. - - Control pl.4 - - Subcontrol pl.4.1. - - Control pl.8 - - Control ps.1 - - Control ps.2 - - Control ps.3 - - Control ps.4 - - Subcontrol ps.4.2. - - Control ps.5 - - Control ps.6 - - Control ps.7 - - Control ps.8 - - Control ra.1 - - Control ra.2 - - Control ra.3 - - Control ra.5 - - Subcontrol ra.5.1. - - Subcontrol ra.5.2. - - Subcontrol ra.5.4. - - Subcontrol ra.5.5. - - Control sa.1 - - Control sa.2 - - Control sa.3 - - Control sa.4 - - Subcontrol sa.4.1. - - Subcontrol sa.4.2. - - Subcontrol sa.4.9. - - Subcontrol sa.4.10. - - Control sa.5 - - Control sa.8 - - Control sa.9 - - Subcontrol sa.9.2. 
- - Control sa.10 - - Control sa.11 - - Control sa.12 - - Control sa.15 - - Control sa.16 - - Control sa.17 - - Control sc.1 - - Control sc.2 - - Control sc.3 - - Control sc.4 - - Control sc.5 - - Control sc.7 - - Subcontrol sc.7.3. - - Subcontrol sc.7.4. - - Subcontrol sc.7.5. - - Subcontrol sc.7.7. - - Subcontrol sc.7.8. - - Subcontrol sc.7.18. - - Subcontrol sc.7.21. - - Control sc.8 - - Subcontrol sc.8.1. - - Control sc.10 - - Control sc.12 - - Subcontrol sc.12.1. - - Control sc.13 - - Control sc.15 - - Control sc.17 - - Control sc.18 - - Control sc.19 - - Control sc.20 - - Control sc.21 - - Control sc.22 - - Control sc.23 - - Control sc.24 - - Control sc.28 - - Control sc.39 - - Control si.1 - - Control si.2 - - Subcontrol si.2.1. - - Subcontrol si.2.2. - - Control si.3 - - Subcontrol si.3.1. - - Subcontrol si.3.2. - - Control si.4 - - Subcontrol si.4.2. - - Subcontrol si.4.4. - - Subcontrol si.4.5. - - Control si.5 - - Subcontrol si.5.1. - - Control si.6 - - Control si.7 - - Subcontrol si.7.1. - - Subcontrol si.7.2. - - Subcontrol si.7.5. - - Subcontrol si.7.7. - - Subcontrol si.7.14. - - Control si.8 - - Subcontrol si.8.1. - - Subcontrol si.8.2. - - Control si.10 - - Control si.11 - - Control si.12 - - Control si.16 -

-
-
-

NIST SP800-53 rev 4

-
-

ACCESS CONTROL

-
-

- AC-1 ACCESS CONTROL POLICY AND PROCEDURES

-
-

- Parameter: - ac-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ac-1_b organization-defined frequency

-

- Value: at least annually

-
-
-

- Parameter: - ac-1_c organization-defined frequency

-

- Value: at least annually or whenever a significant change occurs

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ac-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the access control policy and associated access controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Access control policy - - ac-1_b - - organization-defined frequency - at least annually - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Access control procedures - - ac-1_c - - organization-defined frequency - at least annually or whenever a significant change occurs - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an access control policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the access control policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the access control policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the access control policy and associated access controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current access control policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current access control policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current access control procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current access control procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- AC-2 ACCOUNT MANAGEMENT

-
-

- Parameter: - ac-2_a organization-defined information system account types

-

- Value: organization-defined information system account types

-
-
-

- Parameter: - ac-2_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ac-2_c organization-defined procedures or conditions

-

- Value: organization-defined procedures or conditions

-
-
-

- Parameter: - ac-2_d organization-defined frequency

-

- Value: monthly for privileged access, every six (6) months for non-privileged access

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Identifies and selects the following types of information system accounts to support organizational missions/business functions: - - ac-2_a - - organization-defined information system account types - organization-defined information system account types - ;

-
-
-
- - - - - - - -
-

b.

-
-

Assigns account managers for information system accounts;

-
-
-
- - - - - - - -
-

c.

-
-

Establishes conditions for group and role membership;

-
-
-
- - - - - - - -
-

d.

-
-

Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

-
-
-
- - - - - - - -
-

e.

-
-

Requires approvals by - - ac-2_b - - organization-defined personnel or roles - organization-defined personnel or roles - for requests to create information system accounts;

-
-
-
- - - - - - - -
-

f.

-
-

Creates, enables, modifies, disables, and removes information system accounts in accordance with - - ac-2_c - - organization-defined procedures or conditions - organization-defined procedures or conditions - ;

-
-
-
- - - - - - - -
-

g.

-
-

Monitors the use of information system accounts;

-
-
-
- - - - - - - -
-

h.

-
-

Notifies account managers:

-
- - - - - - - -
-

1.

-
-

When accounts are no longer required;

-
-
-
- - - - - - - -
-

2.

-
-

When users are terminated or transferred; and

-
-
-
- - - - - - - -
-

3.

-
-

When individual information system usage or need-to-know changes;

-
-
-
-
-
- - - - - - - -
-

i.

-
-

Authorizes access to the information system based on:

-
- - - - - - - -
-

1.

-
-

A valid access authorization;

-
-
-
- - - - - - - -
-

2.

-
-

Intended system usage; and

-
-
-
- - - - - - - -
-

3.

-
-

Other attributes as required by the organization or associated missions/business functions;

-
-
-
-
-
- - - - - - - -
-

j.

-
-

Reviews accounts for compliance with account management requirements - - ac-2_d - - organization-defined frequency - monthly for privileged access, every six (6) months for non-privileged access - ; and

-
-
-
- - - - - - - -
-

k.

-
-

Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

-
-
-
-
-
-

Supplemental guidance

-

Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflect the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. 
Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training.

- - - - - - - - - - - - - - - - - - - - - -
-
-

- AC-2 (1) AUTOMATED SYSTEM ACCOUNT MANAGEMENT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to support the management of information system accounts.

-
-
-
-

Supplemental guidance

-

The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using telephonic notification to report atypical system account usage.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to support the management of information system accounts.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-2 (2) REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS

-
-

- Parameter: - ac-2_e organization-defined time period for each type of account

-

- Value: 24 hours from last use

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically [Selection: removes; disables] temporary and emergency accounts after - - ac-2_e - - organization-defined time period for each type of account - 24 hours from last use - .

-
-
-
-

Supplemental guidance

-

This control enhancement requires that both temporary and emergency accounts be removed or disabled automatically (per the selection made in the control statement) after a predefined period of time has elapsed, rather than at the convenience of the systems administrator. The period defined in this profile is 24 hours from last use.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines the time period after which the information system automatically removes or disables temporary and emergency accounts; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system automatically removes or disables temporary and emergency accounts after the organization-defined time period for each type of account.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system-generated list of temporary accounts removed and/or disabled

-

- information system-generated list of emergency accounts removed and/or disabled

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-2 (3) DISABLE INACTIVE ACCOUNTS

-
-

- Parameter: - ac-2_f organization-defined time period

-

- Value: 35 days for user accounts

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically disables inactive accounts after - - ac-2_f - - organization-defined time period - 35 days for user accounts - .

-
-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines the time period after which the information system automatically disables inactive accounts; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system automatically disables inactive accounts after the organization-defined time period.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system-generated list of temporary accounts removed and/or disabled

-

- information system-generated list of emergency accounts removed and/or disabled

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

AC-2 (3) Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

-
-

References: None -

-
-
-

- AC-2 (4) AUTOMATED AUDIT ACTIONS

-
-

- Parameter: - ac-2_g organization-defined personnel or roles

-

- Value: organization and/or service provider system owner

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies - - ac-2_g - - organization-defined personnel or roles - organization and/or service provider system owner - .

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the information system automatically audits the following account actions:

-
- - - - - - - -
-

[a]

-
-

creation;

-
-
-
- - - - - - - -
-

[b]

-
-

modification;

-
-
-
- - - - - - - -
-

[c]

-
-

enabling;

-
-
-
- - - - - - - -
-

[d]

-
-

disabling;

-
-
-
- - - - - - - -
-

[e]

-
-

removal;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines personnel or roles to be notified of the following account actions:

-
- - - - - - - -
-

[a]

-
-

creation;

-
-
-
- - - - - - - -
-

[b]

-
-

modification;

-
-
-
- - - - - - - -
-

[c]

-
-

enabling;

-
-
-
- - - - - - - -
-

[d]

-
-

disabling;

-
-
-
- - - - - - - -
-

[e]

-
-

removal;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

the information system notifies organization-defined personnel or roles of the following account actions:

-
- - - - - - - -
-

[a]

-
-

creation;

-
-
-
- - - - - - - -
-

[b]

-
-

modification;

-
-
-
- - - - - - - -
-

[c]

-
-

enabling;

-
-
-
- - - - - - - -
-

[d]

-
-

disabling; and

-
-
-
- - - - - - - -
-

[e]

-
-

removal.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- notifications/alerts of account creation, modification, enabling, disabling, and removal actions

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-2 (5) INACTIVITY LOGOUT

-
-

- Parameter: - ac-2_h organization-defined time-period of expected inactivity or description of when to log out

-

- Value: inactivity is anticipated to exceed fifteen (15) minutes

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires that users log out when - - ac-2_h - - organization-defined time-period of expected inactivity or description of when to log out - inactivity is anticipated to exceed fifteen (15) minutes - .

-
-
-
-

Supplemental guidance

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines either the time period of expected inactivity that requires users to log out or the description of when users are required to log out; and

-
-
-
- - - - - - - -
-

[2]

-
-

requires that users log out when the organization-defined time period of inactivity is reached or in accordance with the organization-defined description of when to log out.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security violation reports

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- users that must comply with inactivity logout policy

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

AC-2 (5) Guidance: Should use a shorter timeframe than AC-12.

-
-

References: None -

-
-
-

- AC-2 (11) USAGE CONDITIONS

-
-

- Parameter: - ac-2_m organization-defined circumstances and/or usage conditions

-

- Value: organization-defined circumstances and/or usage conditions

-
-
-

- Parameter: - ac-2_n organization-defined information system accounts

-

- Value: organization-defined information system accounts

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system enforces - - ac-2_m - - organization-defined circumstances and/or usage conditions - organization-defined circumstances and/or usage conditions - for - - ac-2_n - - organization-defined information system accounts - organization-defined information system accounts - .

-
-
-
-

Supplemental guidance

-

Organizations can describe the specific conditions or circumstances under which information system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines circumstances and/or usage conditions to be enforced for information system accounts;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines information system accounts for which organization-defined circumstances and/or usage conditions are to be enforced; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- system-generated list of information system accounts and associated assignments of usage circumstances and/or usage conditions

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-
- justification -

NIST added this control to the NIST High Baseline during the 1/15/2015

-
-

References: None -

-
-
-

- AC-2 (12) ACCOUNT MONITORING / ATYPICAL USAGE

-
-

- Parameter: - ac-2_o organization-defined atypical usage

-

- Value: organization-defined atypical usage

-
-
-

- Parameter: - ac-2_p organization-defined personnel or roles

-

- Value: at a minimum, the ISSO and/or similar role within the organization

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Monitors information system accounts for - - ac-2_o - - organization-defined atypical usage - organization-defined atypical usage - ; and

-
-
-
- - - - - - - -
-

(b)

-
-

Reports atypical usage of information system accounts to - - ac-2_p - - organization-defined personnel or roles - at a minimum, the ISSO and/or similar role within the organization - .

-
-
-
-
-
-

Supplemental guidance

-

Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines atypical usage to be monitored for information system accounts;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors information system accounts for organization-defined atypical usage;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom atypical usage of information system accounts are to be reported; and

-
-
-
- - - - - - - -
-

[2]

-
-

reports atypical usage of information system accounts to organization-defined personnel or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system monitoring records

-

- information system audit records

-

- audit tracking and monitoring reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

AC-2 (12)(a) Guidance: Required for privileged accounts. -AC-2 (12)(b) Guidance: Required for privileged accounts. -

-
-

References: None -

-
-
-

- AC-2 (13) DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS

-
-

- Parameter: - ac-2_q organization-defined time period

-

- Value: one (1) hour

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization disables accounts of users posing a significant risk within - - ac-2_q - - organization-defined time period - one (1) hour - of discovery of the risk.

-
-
-
-

Supplemental guidance

-

Users posing a significant risk to organizations include individuals for whom reliable evidence or intelligence indicates either the intention to use authorized access to information systems to cause harm or through whom adversaries will cause harm. Harm includes potential adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation. Close coordination between authorizing officials, information system administrators, and human resource managers is essential in order for timely execution of this control enhancement.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the time period within which accounts are disabled upon discovery of a significant risk posed by users of such accounts; and

-
-
-
- - - - - - - -
-

[2]

-
-

disables accounts of users posing a significant risk within the organization-defined time period of discovery of the risk.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- system-generated list of disabled accounts

-

- list of user activities posing significant organizational risk

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information system account types to be identified and selected to support organizational missions/business functions;

-
-
-
- - - - - - - -
-

[2]

-
-

identifies and selects organization-defined information system account types to support organizational missions/business functions;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

assigns account managers for information system accounts;

-
-
-
- - - - - - - -
-

(c)

-
-

establishes conditions for group and role membership;

-
-
-
- - - - - - - -
-

(d)

-
-

specifies for each account (as required):

-
- - - - - - - -
-

[1]

-
-

authorized users of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

group and role membership;

-
-
-
- - - - - - - -
-

[3]

-
-

access authorizations (i.e., privileges);

-
-
-
- - - - - - - -
-

[4]

-
-

other attributes;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles required to approve requests to create information system accounts;

-
-
-
- - - - - - - -
-

[2]

-
-

requires approvals by organization-defined personnel or roles for requests to create information system accounts;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines procedures or conditions to:

-
- - - - - - - -
-

[a]

-
-

create information system accounts;

-
-
-
- - - - - - - -
-

[b]

-
-

enable information system accounts;

-
-
-
- - - - - - - -
-

[c]

-
-

modify information system accounts;

-
-
-
- - - - - - - -
-

[d]

-
-

disable information system accounts;

-
-
-
- - - - - - - -
-

[e]

-
-

remove information system accounts;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

in accordance with organization-defined procedures or conditions:

-
- - - - - - - -
-

[a]

-
-

creates information system accounts;

-
-
-
- - - - - - - -
-

[b]

-
-

enables information system accounts;

-
-
-
- - - - - - - -
-

[c]

-
-

modifies information system accounts;

-
-
-
- - - - - - - -
-

[d]

-
-

disables information system accounts;

-
-
-
- - - - - - - -
-

[e]

-
-

removes information system accounts;

-
-
-
-
-
-
-
- - - - - - - -
-

(g)

-
-

monitors the use of information system accounts;

-
-
-
- - - - - - - -
-

(h)

-
-

notifies account managers:

-
- - - - - - - -
-

(1)

-
-

when accounts are no longer required;

-
-
-
- - - - - - - -
-

(2)

-
-

when users are terminated or transferred;

-
-
-
- - - - - - - -
-

(3)

-
-

when individual information system usage or need to know changes;

-
-
-
-
-
- - - - - - - -
-

(i)

-
-

authorizes access to the information system based on;

-
- - - - - - - -
-

(1)

-
-

a valid access authorization;

-
-
-
- - - - - - - -
-

(2)

-
-

intended system usage;

-
-
-
- - - - - - - -
-

(3)

-
-

other attributes as required by the organization or associated missions/business functions;

-
-
-
-
-
- - - - - - - -
-

(j)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review accounts for compliance with account management requirements;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews accounts for compliance with account management requirements with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(k)

-
-

establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of active system accounts along with the name of the individual associated with each account

-

- list of conditions for group and role membership

-

- notifications or records of recently transferred, separated, or terminated employees

-

- list of recently disabled information system accounts along with the name of the individual associated with each account

-

- access authorization records

-

- account management compliance reviews

-

- information system monitoring records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes account management on the information system

-

- automated mechanisms for implementing account management

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-3 ACCESS ENFORCEMENT

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

-
-
-
-

Supplemental guidance

-

Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.

- - - - - - - - - - - - - - - - - - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing access enforcement

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of approved authorizations (user privileges)

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with access enforcement responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing access control policy

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-4 INFORMATION FLOW ENFORCEMENT

-
-

- Parameter: - ac-4_a organization-defined information flow control policies

-

- Value: organization-defined information flow control policies

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on - - ac-4_a - - organization-defined information flow control policies - organization-defined information flow control policies - .

-
-
-
-

Supplemental guidance

-

Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. -Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. 
Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products.

- - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines information flow control policies to control the flow of information within the system and between interconnected systems; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- information flow control policies

-

- procedures addressing information flow enforcement

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system baseline configuration

-

- list of information flow authorizations

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing information flow enforcement policy

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-5 SEPARATION OF DUTIES

-
-

- Parameter: - ac-5_a organization-defined duties of individuals

-

- Value: organization-defined duties of individuals

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Separates - - ac-5_a - - organization-defined duties of individuals - organization-defined duties of individuals - ;

-
-
-
- - - - - - - -
-

b.

-
-

Documents separation of duties of individuals; and

-
-
-
- - - - - - - -
-

c.

-
-

Defines information system access authorizations to support separation of duties.

-
-
-
-
-
-

Supplemental guidance

-

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines duties of individuals to be separated;

-
-
-
- - - - - - - -
-

[2]

-
-

separates organization-defined duties of individuals;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

documents separation of duties; and

-
-
-
- - - - - - - -
-

(c)

-
-

defines information system access authorizations to support separation of duties.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing divisions of responsibility and separation of duties

-

- information system configuration settings and associated documentation

-

- list of divisions of responsibility and separation of duties

-

- information system access authorizations

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing separation of duties policy

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

AC-5 Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

-
-

References: None -

-
-
-

- AC-6 LEAST PRIVILEGE

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

-
-
-
-

Supplemental guidance

-

Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems.

- - - - - - -
-
-

- AC-6 (1) AUTHORIZE ACCESS TO SECURITY FUNCTIONS

-
-

- Parameter: - ac-6_a organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information

-

- Value: all functions not publicly accessible and all security-relevant information not publicly available

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization explicitly authorizes access to - - ac-6_a - - organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information - all functions not publicly accessible and all security-relevant information not publicly available - .

-
-
-
-

Supplemental guidance

-

Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines security-relevant information for which access must be explicitly authorized;

-
-
-
- - - - - - - -
-

[2]

-
-

defines security functions deployed in:

-
- - - - - - - -
-

[a]

-
-

hardware;

-
-
-
- - - - - - - -
-

[b]

-
-

software;

-
-
-
- - - - - - - -
-

[c]

-
-

firmware;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

explicitly authorizes access to:

-
- - - - - - - -
-

[a]

-
-

organization-defined security functions; and

-
-
-
- - - - - - - -
-

[b]

-
-

security-relevant information.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-6 (2) NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS

-
-

- Parameter: - ac-6_b organization-defined security functions or security-relevant information

-

- Value: all security functions

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires that users of information system accounts, or roles, with access to - - ac-6_b - - organization-defined security functions or security-relevant information - all security functions - , use non-privileged accounts or roles, when accessing nonsecurity functions.

-
-
-
-

Supplemental guidance

-

This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines security functions or security-relevant information to which users of information system accounts, or roles, have access; and

-
-
-
- - - - - - - -
-

[2]

-
-

requires that users of information system accounts, or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- list of system-generated security functions or security-relevant information assigned to information system accounts or roles

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

AC-6 (2) Guidance: Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

-
-

References: None -

-
-
-

- AC-6 (3) NETWORK ACCESS TO PRIVILEGED COMMANDS

-
-

- Parameter: - ac-6_c organization-defined privileged commands

-

- Value: all privileged commands

-
-
-

- Parameter: - ac-6_d organization-defined compelling operational needs

-

- Value: organization-defined compelling operational needs

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization authorizes network access to - - ac-6_c - - organization-defined privileged commands - all privileged commands - only for - - ac-6_d - - organization-defined compelling operational needs - organization-defined compelling operational needs - and documents the rationale for such access in the security plan for the information system.

-
-
-
-

Supplemental guidance

-

Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines privileged commands to which network access is to be authorized only for compelling operational needs;

-
-
-
- - - - - - - -
-

[2]

-
-

defines compelling operational needs for which network access to organization-defined privileged commands are to be solely authorized;

-
-
-
- - - - - - - -
-

[3]

-
-

authorizes network access to organization-defined privileged commands only for organization-defined compelling operational needs; and

-
-
-
- - - - - - - -
-

[4]

-
-

documents the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- security plan

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of operational needs for authorizing network access to privileged commands

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-6 (5) PRIVILEGED ACCOUNTS

-
-

- Parameter: - ac-6_e organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization restricts privileged accounts on the information system to - - ac-6_e - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-

Supplemental guidance

-

Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines personnel or roles for which privileged accounts on the information system are to be restricted; and

-
-
-
- - - - - - - -
-

[2]

-
-

restricts privileged accounts on the information system to organization-defined personnel or roles.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- list of system-generated privileged accounts

-

- list of system administration personnel

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-6 (9) AUDITING USE OF PRIVILEGED FUNCTIONS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system audits the execution of privileged functions.

-
-
-
-

Supplemental guidance

-

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT).

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system audits the execution of privileged functions.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of privileged functions to be audited

-

- list of audited events

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms auditing the execution of least privilege functions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-6 (10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

-
-
-
-

Supplemental guidance

-

Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system prevents non-privileged users from executing privileged functions to include:

-
- - - - - - - -
-

[1]

-
-

disabling implemented security safeguards/countermeasures;

-
-
-
- - - - - - - -
-

[2]

-
-

circumventing security safeguards/countermeasures; or

-
-
-
- - - - - - - -
-

[3]

-
-

altering implemented security safeguards/countermeasures.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of privileged functions and associated user account assignments

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions for non-privileged users

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs the principle of least privilege, allowing only authorized access for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- list of assigned access authorizations (user privileges)

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-7 UNSUCCESSFUL LOGON ATTEMPTS

-
-

- Parameter: - ac-7_a organization-defined number

-

- Value: not more than three (3)

-
-
-

- Parameter: - ac-7_b organization-defined time period

-

- Value: fifteen (15) minutes

-
-
-

- Parameter: - ac-7_c organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ac-7_d organization-defined delay algorithm

-

- Value: locks the account/node for a minimum of three (3) hours or until unlocked by an administrator

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Enforces a limit of - - ac-7_a - - organization-defined number - not more than three (3) - consecutive invalid logon attempts by a user during a - - ac-7_b - - organization-defined time period - fifteen (15) minutes - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Automatically [Selection: locks the account/node for an - - ac-7_c - - organization-defined time period - organization-defined time period - ; locks the account/node until released by an administrator; delays next logon prompt according to - - ac-7_d - - organization-defined delay algorithm - locks the account/node for a minimum of three (3) hours or until unlocked by an administrator - ] when the maximum number of unsuccessful attempts is exceeded.

-
-
-
-
-
-

Supplemental guidance

-

This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the number of consecutive invalid logon attempts allowed to the information system by a user during an organization-defined time period;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the time period allowed by a user of the information system for an organization-defined number of consecutive invalid logon attempts;

-
-
-
- - - - - - - -
-

[3]

-
-

the information system enforces a limit of organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines account/node lockout time period or logon delay algorithm to be automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically:

-
- - - - - - - -
-

[a]

-
-

locks the account/node for the organization-defined time period;

-
-
-
- - - - - - - -
-

[b]

-
-

locks the account/node until released by an administrator; or

-
-
-
- - - - - - - -
-

[c]

-
-

delays next logon prompt according to the organization-defined delay algorithm.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing unsuccessful logon attempts

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system developers

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing access control policy for unsuccessful logon attempts

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-8 SYSTEM USE NOTIFICATION

-
-

- Parameter: - ac-8_a organization-defined system use notification message or banner

-

- Value: [see additional Requirements and Guidance]

-
-
-

- Parameter: - ac-8_b organization-defined conditions

-

- Value: [see additional Requirements and Guidance]

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Displays to users - - ac-8_a - - organization-defined system use notification message or banner - [see additional Requirements and Guidance] - before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:

-
- - - - - - - -
-

1.

-
-

Users are accessing a U.S. Government information system;

-
-
-
- - - - - - - -
-

2.

-
-

Information system usage may be monitored, recorded, and subject to audit;

-
-
-
- - - - - - - -
-

3.

-
-

Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and

-
-
-
- - - - - - - -
-

4.

-
-

Use of the information system indicates consent to monitoring and recording;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and

-
-
-
- - - - - - - -
-

c.

-
-

For publicly accessible systems:

-
- - - - - - - -
-

1.

-
-

Displays system use information - - ac-8_b - - organization-defined conditions - [see additional Requirements and Guidance] - , before granting further access;

-
-
-
- - - - - - - -
-

2.

-
-

Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

-
-
-
- - - - - - - -
-

3.

-
-

Includes a description of the authorized uses of the system.

-
-
-
-
-
-
-
-

Supplemental guidance

-

System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines a system use notification message or banner to be displayed by the information system to users before granting access to the system;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system displays to users the organization-defined system use notification message or banner before granting access to the information system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that:

-
- - - - - - - -
-

(1)

-
-

users are accessing a U.S. Government information system;

-
-
-
- - - - - - - -
-

(2)

-
-

information system usage may be monitored, recorded, and subject to audit;

-
-
-
- - - - - - - -
-

(3)

-
-

unauthorized use of the information system is prohibited and subject to criminal and civil penalties;

-
-
-
- - - - - - - -
-

(4)

-
-

use of the information system indicates consent to monitoring and recording;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

the information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system;

-
-
-
- - - - - - - -
-

(c)

-
-

for publicly accessible systems:

-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines conditions for system use to be displayed by the information system before granting further access;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system displays organization-defined conditions before granting further access;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-

the information system displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

-
-
-
- - - - - - - -
-

(3)

-
-

the information system includes a description of the authorized uses of the system.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- privacy and security policies, procedures addressing system use notification

-

- documented approval of information system use notification messages or banners

-

- information system audit records

-

- user acknowledgements of notification message or banner

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system use notification messages

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibility for providing legal advice

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing system use notification

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

AC-8 Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO. Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided. Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

-
-

References: None -

-
-
-

- AC-10 CONCURRENT SESSION CONTROL

-
-

- Parameter: - ac-10_a organization-defined account and/or account type

-

- Value: organization-defined account and/or account type

-
-
-

- Parameter: - ac-10_b organization-defined number

-

- Value: three (3) sessions for privileged access and two (2) sessions for non-privileged access

-
-

- priority: P3

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system limits the number of concurrent sessions for each - - ac-10_a - - organization-defined account and/or account type - organization-defined account and/or account type - to - - ac-10_b - - organization-defined number - three (3) sessions for privileged access and two (2) sessions for non-privileged access - .

-
-
-
-

Supplemental guidance

-

Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines account and/or account types for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the number of concurrent sessions to be allowed for each organization-defined account and/or account type; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system limits the number of concurrent sessions for each organization-defined account and/or account type to the organization-defined number of concurrent sessions allowed.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing concurrent session control

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing access control policy for concurrent session control

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-11 SESSION LOCK

-
-

- Parameter: - ac-11_a organization-defined time period

-

- Value: fifteen (15) minutes

-
-

- priority: P3

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Prevents further access to the system by initiating a session lock after - - ac-11_a - - organization-defined time period - fifteen (15) minutes - of inactivity or upon receiving a request from a user; and

-
-
-
- - - - - - - -
-

b.

-
-

Retains the session lock until the user reestablishes access using established identification and authentication procedures.

-
-
-
-
-
-

Supplemental guidance

-

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.

- -
-
-

- AC-11 (1) PATTERN-HIDING DISPLAYS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

-
-
-
-

Supplemental guidance

-

Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information.

-
-
-

Objective

- - - - - - -
- -

Determine if the information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing session lock

-

- display screen with session lock activated

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Information system session lock mechanisms

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the time period of user inactivity after which the information system initiates a session lock;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system prevents further access to the system by initiating a session lock after organization-defined time period of user inactivity or upon receiving a request from a user; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

the information system retains the session lock until the user reestablishes access using established identification and authentication procedures.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing session lock

-

- procedures addressing identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing access control policy for session lock

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

OMB Memorandum 06-16

-
-
-
-
-

- AC-12 SESSION TERMINATION

-
-

- Parameter: - ac-12_a organization-defined conditions or trigger events requiring session disconnect

-

- Value: organization-defined conditions or trigger events requiring session disconnect

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically terminates a user session after - - ac-12_a - - organization-defined conditions or trigger events requiring session disconnect - organization-defined conditions or trigger events requiring session disconnect - .

-
-
-
-

Supplemental guidance

-

This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user�s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines conditions or trigger events requiring session disconnect; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect occurs.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing session termination

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of conditions or trigger events requiring session disconnect

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing user session termination

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION

-
-

- Parameter: - ac-14_a organization-defined user actions

-

- Value: organization-defined user actions

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Identifies - - ac-14_a - - organization-defined user actions - organization-defined user actions - that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and

-
-
-
- - - - - - - -
-

b.

-
-

Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

-
-
-
-
-
-

Supplemental guidance

-

This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions;

-
-
-
- - - - - - - -
-

[2]

-
-

identifies organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing permitted actions without identification or authentication

-

- information system configuration settings and associated documentation

-

- security plan

-

- list of user actions that can be performed without identification or authentication

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-17 REMOTE ACCESS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

-
-
-
- - - - - - - -
-

b.

-
-

Authorizes remote access to the information system prior to allowing such connections.

-
-
-
-
-
-

Supplemental guidance

-

Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.

- - - - - - - - - - - - - - - - -
-
-

- AC-17 (1) AUTOMATED MONITORING / CONTROL

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system monitors and controls remote access methods.

-
-
-
-

Supplemental guidance

-

Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).

- - -
-
-

Objective

- - - - - - -
- -

Determine if the information system monitors and controls remote access methods.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing remote access to the information system

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- information system monitoring records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms monitoring and controlling remote access methods

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-17 (2) PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

-
-
-
-

Supplemental guidance

-

The encryption strength of mechanism is selected based on the security categorization of the information.

- - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing remote access to the information system

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- cryptographic mechanisms and associated configuration documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-17 (3) MANAGED ACCESS CONTROL POINTS

-
-

- Parameter: - ac-17_a organization-defined number

-

- Value: organization-defined number

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system routes all remote accesses through - - ac-17_a - - organization-defined number - organization-defined number - managed network access control points.

-
-
-
-

Supplemental guidance

-

Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines the number of managed network access control points through which all remote accesses are to be routed; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system routes all remote accesses through the organization-defined number of managed network access control points.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing remote access to the information system

-

- information system design documentation

-

- list of all managed network access control points

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms routing all remote accesses through managed network access control points

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-17 (4) PRIVILEGED COMMANDS / ACCESS

-
-

- Parameter: - ac-17_b organization-defined needs

-

- Value: organization-defined needs

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Authorizes the execution of privileged commands and access to security-relevant information via remote access only for - - ac-17_b - - organization-defined needs - organization-defined needs - ; and

-
-
-
- - - - - - - -
-

(b)

-
-

Documents the rationale for such access in the security plan for the information system.

-
-
-
-
-
-

Supplemental guidance

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines needs to authorize the execution of privileged commands and access to security-relevant information via remote access;

-
-
-
- - - - - - - -
-

[2]

-
-

authorizes the execution of privileged commands and access to security-relevant information via remote access only for organization-defined needs; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

documents the rationale for such access in the information system security plan.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing remote access to the information system

-

- information system configuration settings and associated documentation

-

- security plan

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing remote access management

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

identifies the types of remote access allowed to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

establishes for each type of remote access allowed:

-
- - - - - - - -
-

[a]

-
-

usage restrictions;

-
-
-
- - - - - - - -
-

[b]

-
-

configuration/connection requirements;

-
-
-
- - - - - - - -
-

[c]

-
-

implementation guidance;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

documents for each type of remote access allowed:

-
- - - - - - - -
-

[a]

-
-

usage restrictions;

-
-
-
- - - - - - - -
-

[b]

-
-

configuration/connection requirements;

-
-
-
- - - - - - - -
-

[c]

-
-

implementation guidance; and

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

authorizes remote access to the information system prior to allowing such connections.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing remote access implementation and usage (including restrictions)

-

- configuration management plan

-

- security plan

-

- information system configuration settings and associated documentation

-

- remote access authorizations

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing remote access connections

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Remote access management capability for the information system

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-46

-
-
-

NIST Special Publication 800-77

-
-
-

NIST Special Publication 800-113

-
-
-

NIST Special Publication 800-114

-
-
-

NIST Special Publication 800-121

-
-
-
-
-

- AC-18 WIRELESS ACCESS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and

-
-
-
- - - - - - - -
-

b.

-
-

Authorizes wireless access to the information system prior to allowing such connections.

-
-
-
-
-
-

Supplemental guidance

-

Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication.

- - - - - - - - - - - - -
-
-

- AC-18 (1) AUTHENTICATION AND ENCRYPTION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system protects wireless access to the system using encryption and one or more of the following:

-
- - - - - - - -
-

[1]

-
-

authentication of users; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

authentication of devices.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing wireless implementation and usage (including restrictions)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing wireless access protections to the information system

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-18 (4) RESTRICT CONFIGURATIONS BY USERS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.

-
-
-
-

Supplemental guidance

-

Organizational authorizations to allow selected users to configure wireless networking capability are enforced in part, by the access enforcement mechanisms employed within organizational information systems.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

identifies users allowed to independently configure wireless networking capabilities; and

-
-
-
- - - - - - - -
-

[2]

-
-

explicitly authorizes the identified users allowed to independently configure wireless networking capabilities.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing wireless implementation and usage (including restrictions)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms authorizing independent user configuration of wireless networking capabilities

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-18 (5) ANTENNAS / TRANSMISSION POWER LEVELS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.

-
-
-
-

Supplemental guidance

-

Actions that may be taken by organizations to limit unauthorized use of wireless communications outside of organization-controlled boundaries include, for example: (i) reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be used by adversaries outside of the physical perimeters of organizations; (ii) employing measures such as TEMPEST to control wireless emanations; and (iii) using directional/beam forming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational information systems as well as other systems that may be operating in the area.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

selects radio antennas to reduce the probability that usable signals can be received outside of organization-controlled boundaries; and

-
-
-
- - - - - - - -
-

[2]

-
-

calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing wireless implementation and usage (including restrictions)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Wireless access capability protecting usable signals from unauthorized access outside organization-controlled boundaries

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

establishes for wireless access:

-
- - - - - - - -
-

[1]

-
-

usage restrictions;

-
-
-
- - - - - - - -
-

[2]

-
-

configuration/connection requirement;

-
-
-
- - - - - - - -
-

[3]

-
-

implementation guidance; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

authorizes wireless access to the information system prior to allowing such connections.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing wireless access implementation and usage (including restrictions)

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- wireless access authorizations

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing wireless access connections

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Wireless access management capability for the information system

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-48

-
-
-

NIST Special Publication 800-94

-
-
-

NIST Special Publication 800-97

-
-
-
-
-

- AC-19 ACCESS CONTROL FOR MOBILE DEVICES

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and

-
-
-
- - - - - - - -
-

b.

-
-

Authorizes the connection of mobile devices to organizational information systems.

-
-
-
-
-
-

Supplemental guidance

-

A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. 
Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.

- - - - - - - - - - - - - - - - -
-
-

- AC-19 (5) FULL DEVICE / CONTAINER-BASED ENCRYPTION

-
-

- Parameter: - ac-19_c organization-defined mobile devices

-

- Value: organization-defined mobile devices

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on - - ac-19_c - - organization-defined mobile devices - organization-defined mobile devices - .

-
-
-
-

Supplemental guidance

-

Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines mobile devices for which full-device encryption or container encryption is required to protect the confidentiality and integrity of information on such devices; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs full-device encryption or container encryption to protect the confidentiality and integrity of information on organization-defined mobile devices.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing access control for mobile devices

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- encryption mechanism s and associated configuration documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with access control responsibilities for mobile devices

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Encryption mechanisms protecting confidentiality and integrity of information on mobile devices

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

establishes for organization-controlled mobile devices:

-
- - - - - - - -
-

[1]

-
-

usage restrictions;

-
-
-
- - - - - - - -
-

[2]

-
-

configuration/connection requirement;

-
-
-
- - - - - - - -
-

[3]

-
-

implementation guidance; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

authorizes the connection of mobile devices to organizational information systems.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing access control for mobile device usage (including restrictions)

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- authorizations for mobile device connections to organizational information systems

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel using mobile devices to access organizational information systems

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Access control capability authorizing mobile device connections to organizational information systems

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

OMB Memorandum 06-16

-
-
-

NIST Special Publication 800-114

-
-
-

NIST Special Publication 800-124

-
-
-

NIST Special Publication 800-164

-
-
-
-
-

- AC-20 USE OF EXTERNAL INFORMATION SYSTEMS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

-
- - - - - - - -
-

a.

-
-

Access the information system from external information systems; and

-
-
-
- - - - - - - -
-

b.

-
-

Process, store, or transmit organization-controlled information using external information systems.

-
-
-
-
-
-

Supplemental guidance

-

External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. -For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. 
Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. -This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

- - - - - - -
-
-

- AC-20 (1) LIMITS ON AUTHORIZED USE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:

-
- - - - - - - -
-

(a)

-
-

Verifies the implementation of required security controls on the external system as specified in the organization�s information security policy and security plan; or

-
-
-
- - - - - - - -
-

(b)

-
-

Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:

-
- - - - - - - -
-

(a)

-
-

verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or

-
-
-
- - - - - - - -
-

(b)

-
-

retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing the use of external information systems

-

- security plan

-

- information system connection or processing agreements

-

- account management documents

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing limits on use of external information systems

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-20 (2) PORTABLE STORAGE DEVICES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.

-
-
-
-

Supplemental guidance

-

Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing the use of external information systems

-

- security plan

-

- information system configuration settings and associated documentation

-

- information system connection or processing agreements

-

- account management documents

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for restricting or prohibiting use of organization-controlled storage devices on external information systems

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing restrictions on use of portable storage devices

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

-
- - - - - - - -
-

(a)

-
-

access the information system from the external information systems; and

-
-
-
- - - - - - - -
-

(b)

-
-

process, store, or transmit organization-controlled information using external information systems.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing the use of external information systems

-

- external information systems terms and conditions

-

- list of types of applications accessible from external information systems

-

- maximum security categorization for information processed, stored, or transmitted on external information systems

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing terms and conditions on use of external information systems

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

FIPS Publication 199

-
-
-
-
-

- AC-21 INFORMATION SHARING

-
-

- Parameter: - ac-21_a organization-defined information sharing circumstances where user discretion is required

-

- Value: organization-defined information sharing circumstances where user discretion is required

-
-
-

- Parameter: - ac-21_b organization-defined automated mechanisms or manual processes

-

- Value: organization-defined automated mechanisms or manual processes

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for - - ac-21_a - - organization-defined information sharing circumstances where user discretion is required - organization-defined information sharing circumstances where user discretion is required - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Employs - - ac-21_b - - organization-defined automated mechanisms or manual processes - organization-defined automated mechanisms or manual processes - to assist users in making information sharing/collaboration decisions.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information sharing circumstances where user discretion is required;

-
-
-
- - - - - - - -
-

[2]

-
-

facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information sharing circumstances;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines automated mechanisms or manual processes to be employed to assist users in making information sharing/collaboration decisions; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs organization-defined automated mechanisms or manual processes to assist users in making information sharing/collaboration decisions.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing user-based collaboration and information sharing (including restrictions)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of users authorized to make information sharing/collaboration decisions

-

- list of information sharing circumstances requiring user discretion

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel responsible for making information sharing/collaboration decisions

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms or manual process implementing access authorizations supporting information sharing/user collaboration decisions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AC-22 PUBLICLY ACCESSIBLE CONTENT

-
-

- Parameter: - ac-22_a organization-defined frequency

-

- Value: at least quarterly

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Designates individuals authorized to post information onto a publicly accessible information system;

-
-
-
- - - - - - - -
-

b.

-
-

Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and

-
-
-
- - - - - - - -
-

d.

-
-

Reviews the content on the publicly accessible information system for nonpublic information - - ac-22_a - - organization-defined frequency - at least quarterly - and removes such information, if discovered.

-
-
-
-
-
-

Supplemental guidance

-

In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

designates individuals authorized to post information onto a publicly accessible information system;

-
-
-
- - - - - - - -
-

(b)

-
-

trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

-
-
-
- - - - - - - -
-

(c)

-
-

reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the content on the publicly accessible information system for nonpublic information;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the content on the publicly accessible information system for nonpublic information with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[3]

-
-

removes nonpublic information from the publicly accessible information system, if discovered.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing publicly accessible content

-

- list of users authorized to post publicly accessible content on organizational information systems

-

- training materials and/or records

-

- records of publicly accessible information reviews

-

- records of response to nonpublic information on public websites

-

- system audit logs

-

- security awareness training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing management of publicly accessible content

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-
-

AWARENESS AND TRAINING

-
-

- AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES

-
-

- Parameter: - at-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - at-1_b organization-defined frequency

-

- Value: at least annually or whenever a significant change occurs

-
-
-

- Parameter: - at-1_c organization-defined frequency

-

- Value: at least annually or whenever a significant change occurs

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - at-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Security awareness and training policy - - at-1_b - - organization-defined frequency - at least annually or whenever a significant change occurs - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Security awareness and training procedures - - at-1_c - - organization-defined frequency - at least annually or whenever a significant change occurs - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an security awareness and training policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the security awareness and training policy are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the security awareness and training policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated awareness and training controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current security awareness and training policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current security awareness and training policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current security awareness and training procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current security awareness and training procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security awareness and training responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-16

-
-
-

NIST Special Publication 800-50

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- AT-2 SECURITY AWARENESS TRAINING

-
-

- Parameter: - at-2_a organization-defined frequency

-

- Value: at least annually

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):

-
- - - - - - - -
-

a.

-
-

As part of initial training for new users;

-
-
-
- - - - - - - -
-

b.

-
-

When required by information system changes; and

-
-
-
- - - - - - - -
-

c.

-
-

- - - at-2_a - - organization-defined frequency - at least annually - thereafter.

-
-
-
-
-
-

Supplemental guidance

-

Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.

- - - -
-
-

- AT-2 (2) INSIDER THREAT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

-
-
-
-

Supplemental guidance

-

Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures.

- - - - -
-
-

Objective

- - - - - - -
- -

Determine if the organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy

-

- procedures addressing security awareness training implementation

-

- security awareness training curriculum

-

- security awareness training materials

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel that participate in security awareness training

-

- organizational personnel with responsibilities for basic security awareness training

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users;

-
-
-
- - - - - - - -
-

(b)

-
-

provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes; and

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to provide refresher security awareness training thereafter to information system users (including managers, senior executives, and contractors); and

-
-
-
- - - - - - - -
-

[2]

-
-

provides refresher security awareness training to information users (including managers, senior executives, and contractors) with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy

-

- procedures addressing security awareness training implementation

-

- appropriate codes of federal regulations

-

- security awareness training curriculum

-

- security awareness training materials

-

- security plan

-

- training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for security awareness training

-

- organizational personnel with information security responsibilities

-

- organizational personnel comprising the general information system user community

-
-
-

Assessment: TEST

-

- Automated mechanisms managing security awareness training

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)

-
-
-

Executive Order 13587

-
-
-

NIST Special Publication 800-50

-
-
-
-
-

- AT-3 ROLE-BASED SECURITY TRAINING

-
-

- Parameter: - at-3_a organization-defined frequency

-

- Value: at least annually

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides role-based security training to personnel with assigned security roles and responsibilities:

-
- - - - - - - -
-

a.

-
-

Before authorizing access to the information system or performing assigned duties;

-
-
-
- - - - - - - -
-

b.

-
-

When required by information system changes; and

-
-
-
- - - - - - - -
-

c.

-
-

- - - at-3_a - - organization-defined frequency - at least annually - thereafter.

-
-
-
-
-
-

Supplemental guidance

-

Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties;

-
-
-
- - - - - - - -
-

(b)

-
-

provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes; and

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to provide refresher role-based security training thereafter to personnel with assigned security roles and responsibilities; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides refresher role-based security training to personnel with assigned security roles and responsibilities with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy

-

- procedures addressing security training implementation

-

- codes of federal regulations

-

- security training curriculum

-

- security training materials

-

- security plan

-

- training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for role-based security training

-

- organizational personnel with assigned information system security roles and responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms managing role-based security training

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)

-
-
-

NIST Special Publication 800-16

-
-
-

NIST Special Publication 800-50

-
-
-
-
-

- AT-4 SECURITY TRAINING RECORDS

-
-

- Parameter: - at-4_a organization-defined time period

-

- Value: five (5) years or 5 years after completion of a specific training program

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and

-
-
-
- - - - - - - -
-

b.

-
-

Retains individual training records for - - at-4_a - - organization-defined time period - five (5) years or 5 years after completion of a specific training program - .

-
-
-
-
-
-

Supplemental guidance

-

Documentation for specialized training may be maintained by individual supervisors at the option of the organization.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

documents individual information system security training activities including:

-
- - - - - - - -
-

[a]

-
-

basic security awareness training;

-
-
-
- - - - - - - -
-

[b]

-
-

specific role-based information system security training;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

monitors individual information system security training activities including:

-
- - - - - - - -
-

[a]

-
-

basic security awareness training;

-
-
-
- - - - - - - -
-

[b]

-
-

specific role-based information system security training;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period to retain individual training records; and

-
-
-
- - - - - - - -
-

[2]

-
-

retains individual training records for the organization-defined time period.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy

-

- procedures addressing security training records

-

- security awareness and training records

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security training record retention responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting management of security training records

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-
-

AUDIT AND ACCOUNTABILITY

-
-

- AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES

-
-

- Parameter: - au-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - au-1_b organization-defined frequency

-

- Value: at least annually

-
-
-

- Parameter: - au-1_c organization-defined frequency

-

- Value: at least annually or whenever a significant change occurs

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - au-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Audit and accountability policy - - au-1_b - - organization-defined frequency - at least annually - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Audit and accountability procedures - - au-1_c - - organization-defined frequency - at least annually or whenever a significant change occurs - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an audit and accountability policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the audit and accountability policy are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the audit and accountability policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current audit and accountability policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current audit and accountability policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current audit and accountability procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current audit and accountability procedures in accordance with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- AU-2 AUDIT EVENTS

-
-

- Parameter: - au-2_a organization-defined auditable events

-

- Value: successful and unsuccessful account logon events, account management events, object - access, policy change, privilege functions, process tracking, and system events. For Web - applications: all administrator activity, authentication checks, authorization checks, - data deletions, data access, data changes, and permission changes

-
-
-

- Parameter: - au-2_b organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event

-

- Value: organization-defined subset of the auditable events defined in AU-2a to be audited - continually for each identified event

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Determines that the information system is capable of auditing the following events: - - au-2_a - - organization-defined auditable events - successful and unsuccessful account logon events, account management events, object - access, policy change, privilege functions, process tracking, and system events. For Web - applications: all administrator activity, authentication checks, authorization checks, - data deletions, data access, data changes, and permission changes - ;

-
-
-
- - - - - - - -
-

b.

-
-

Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

-
-
-
- - - - - - - -
-

c.

-
-

Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and

-
-
-
- - - - - - - -
-

d.

-
-

Determines that the following events are to be audited within the information system: - - au-2_b - - organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event - organization-defined subset of the auditable events defined in AU-2a to be audited - continually for each identified event - .

-
-
-
-
-
-

Supplemental guidance

-

An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.

- - - - - - - - -
-
-

- AU-2 (3) REVIEWS AND UPDATES

-
-

- Parameter: - au-2_c organization-defined frequency

-

- Value: annually or whenever there is a change in the threat environment

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization reviews and updates the audited events [au-2_c: organization-defined frequency = annually or whenever there is a change in the threat environment].

-
-
-
-

Supplemental guidance

-

Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the audited events; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the auditable events with organization-defined frequency.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing auditable events

-

- security plan

-

- list of organization-defined auditable events

-

- auditable events review and update records

-

- information system audit records

-

- information system incident reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting review and update of auditable events

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

AU-2 (3) Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the auditable events that the information system must be capable of auditing;

-
-
-
- - - - - - - -
-

[2]

-
-

determines that the information system is capable of auditing organization-defined auditable events;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

-
-
-
- - - - - - - -
-

(c)

-
-

provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines the subset of auditable events defined in AU-2a that are to be audited within the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

determines that the subset of auditable events defined in AU-2a is to be audited within the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

determines the frequency of (or situation requiring) auditing for each identified event.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing auditable events

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- information system auditable events

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing information system auditing

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

AU-2 Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

-
-
-

References

-
-

NIST Special Publication 800-92

-
-
-

http://idmanagement.gov

-
-
-
-
-

- AU-3 CONTENT OF AUDIT RECORDS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

-
-
-
-

Supplemental guidance

-

Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).

- - - - -
-
-

- AU-3 (1) ADDITIONAL AUDIT INFORMATION

-
-

- Parameter: - au-3_a organization-defined additional, more detailed information

-

- Value: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system generates audit records containing the following additional information: [au-3_a: organization-defined additional, more detailed information = session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands].

-
-
-
-

Supplemental guidance

-

Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines additional, more detailed information to be contained in audit records that the information system generates; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system generates audit records containing the organization-defined additional, more detailed information.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing content of audit records

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of organization-defined auditable events

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Information system audit capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

AU-3 (1) Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

-
-

References: None -

-
-
-

- AU-3 (2) CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT

-
-

- Parameter: - au-3_b organization-defined information system components

-

- Value: all network, data storage, and computing devices

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system provides centralized management and configuration of the content to be captured in audit records generated by [au-3_b: organization-defined information system components = all network, data storage, and computing devices].

-
-
-
-

Supplemental guidance

-

This control enhancement requires that the content to be captured in audit records be configured from a central location (necessitating automation). Organizations coordinate the selection of required audit content to support the centralized management and configuration capability provided by the information system.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines information system components that generate audit records whose content is to be centrally managed and configured by the information system; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system provides centralized management and configuration of the content to be captured in audit records generated by the organization-defined information system components.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing content of audit records

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of organization-defined auditable events

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Information system capability implementing centralized management and configuration of audit record content

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system generates audit records containing information that establishes:

-
- - - - - - - -
-

[1]

-
-

what type of event occurred;

-
-
-
- - - - - - - -
-

[2]

-
-

when the event occurred;

-
-
-
- - - - - - - -
-

[3]

-
-

where the event occurred;

-
-
-
- - - - - - - -
-

[4]

-
-

the source of the event;

-
-
-
- - - - - - - -
-

[5]

-
-

the outcome of the event; and

-
-
-
- - - - - - - -
-

[6]

-
-

the identity of any individuals or subjects associated with the event.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing content of audit records

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of organization-defined auditable events

-

- information system audit records

-

- information system incident reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing information system auditing of auditable events

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AU-4 AUDIT STORAGE CAPACITY

-
-

- Parameter: - au-4_a organization-defined audit record storage requirements

-

- Value: organization-defined audit record storage requirements

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization allocates audit record storage capacity in accordance with [au-4_a: organization-defined audit record storage requirements].

-
-
-
-

Supplemental guidance

-

Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines audit record storage requirements; and

-
-
-
- - - - - - - -
-

[2]

-
-

allocates audit record storage capacity in accordance with the organization-defined audit record storage requirements.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit storage capacity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit record storage requirements

-

- audit record storage capability for information system components

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Audit record storage capacity and related configuration settings

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AU-5 RESPONSE TO AUDIT PROCESSING FAILURES

-
-

- Parameter: - au-5_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - au-5_b organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)

-

- Value: organization-defined actions to be taken (overwrite oldest record)

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Alerts [au-5_a: organization-defined personnel or roles] in the event of an audit processing failure; and

-
-
-
- - - - - - - -
-

b.

-
-

Takes the following additional actions: [au-5_b: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) = overwrite oldest record].

-
-
-
-
-
-

Supplemental guidance

-

Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Note that when the selected action is to overwrite the oldest audit records, as in the value given above for au-5_b, the overwritten records are lost; the storage allocation required by AU-4 and the alerting required by this control should give the designated personnel time to act before that point is reached.

- - -
-
-

- AU-5 (1) AUDIT STORAGE CAPACITY

-
-

- Parameter: - au-5_c organization-defined personnel, roles, and/or locations

-

- Value: organization-defined personnel, roles, and/or locations

-
-
-

- Parameter: - au-5_d organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - au-5_e organization-defined percentage

-

- Value: organization-defined percentage

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system provides a warning to [au-5_c: organization-defined personnel, roles, and/or locations] within [au-5_d: organization-defined time period] when allocated audit record storage volume reaches [au-5_e: organization-defined percentage] of repository maximum audit record storage capacity.

-
-
-
-

Supplemental guidance

-

Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines:

-
- - - - - - - -
-

[a]

-
-

personnel to be warned when allocated audit record storage volume reaches organization-defined percentage of repository maximum audit record storage capacity;

-
-
-
- - - - - - - -
-

[b]

-
-

roles to be warned when allocated audit record storage volume reaches organization-defined percentage of repository maximum audit record storage capacity; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

locations to be warned when allocated audit record storage volume reaches organization-defined percentage of repository maximum audit record storage capacity;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the time period within which the information system is to provide a warning to the organization-defined personnel, roles, and/or locations when allocated audit record storage volume reaches the organization-defined percentage of repository maximum audit record storage capacity;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines the percentage of repository maximum audit record storage capacity that, if reached, requires a warning to be provided; and

-
-
-
- - - - - - - -
-

[4]

-
-

the information system provides a warning to the organization-defined personnel, roles, and/or locations within the organization-defined time period when allocated audit record storage volume reaches the organization-defined percentage of repository maximum audit record storage capacity.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing response to audit processing failures

-

- information system design documentation

-

- security plan

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing audit storage limit warnings

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- AU-5 (2) REAL-TIME ALERTS

-
-

- Parameter: - au-5_f organization-defined real-time period

-

- Value: real-time

-
-
-

- Parameter: - au-5_g organization-defined personnel, roles, and/or locations

-

- Value: service provider personnel with authority to address failed audit events

-
-
-

- Parameter: - au-5_h organization-defined audit failure events requiring real-time alerts

-

- Value: audit failure events requiring real-time alerts, as defined by organization audit policy

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system provides an alert in [au-5_f: organization-defined real-time period = real-time] to [au-5_g: organization-defined personnel, roles, and/or locations = service provider personnel with authority to address failed audit events] when the following audit failure events occur: [au-5_h: organization-defined audit failure events requiring real-time alerts = audit failure events requiring real-time alerts, as defined by organization audit policy].

-
-
-
-

Supplemental guidance

-

Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines audit failure events requiring real-time alerts;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines:

-
- - - - - - - -
-

[a]

-
-

personnel to be alerted when organization-defined audit failure events requiring real-time alerts occur;

-
-
-
- - - - - - - -
-

[b]

-
-

roles to be alerted when organization-defined audit failure events requiring real-time alerts occur; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

locations to be alerted when organization-defined audit failure events requiring real-time alerts occur;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines the real-time period within which the information system is to provide an alert to the organization-defined personnel, roles, and/or locations when the organization-defined audit failure events requiring real-time alerts occur; and

-
-
-
- - - - - - - -
-

[4]

-
-

the information system provides an alert within the organization-defined real-time period to the organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing response to audit processing failures

-

- information system design documentation

-

- security plan

-

- information system configuration settings and associated documentation

-

- records of notifications or real-time alerts when audit processing failures occur

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing real-time audit alerts when organization-defined audit failure events occur

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the personnel or roles to be alerted in the event of an audit processing failure;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system alerts the organization-defined personnel or roles in the event of an audit processing failure;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines additional actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) in the event of an audit processing failure; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system takes the additional organization-defined actions in the event of an audit processing failure.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing response to audit processing failures

-

- information system design documentation

-

- security plan

-

- information system configuration settings and associated documentation

-

- list of personnel to be notified in case of an audit processing failure

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing information system response to audit processing failures

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING

-
-

- Parameter: - au-6_a organization-defined frequency

-

- Value: at least weekly

-
-
-

- Parameter: - au-6_b organization-defined inappropriate or unusual activity

-

- Value: organization-defined inappropriate or unusual activity

-
-
-

- Parameter: - au-6_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Reviews and analyzes information system audit records [au-6_a: organization-defined frequency = at least weekly] for indications of [au-6_b: organization-defined inappropriate or unusual activity]; and

-
-
-
- - - - - - - -
-

b.

-
-

Reports findings to [au-6_c: organization-defined personnel or roles].

-
-
-
-
-
-

Supplemental guidance

-

Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-

- AU-6 (1) PROCESS INTEGRATION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

-
-
-
-

Supplemental guidance

-

Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

employs automated mechanisms to integrate:

-
- - - - - - - -
-

[a]

-
-

audit review;

-
-
-
- - - - - - - -
-

[b]

-
-

analysis;

-
-
-
- - - - - - - -
-

[c]

-
-

reporting processes;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

uses integrated audit review, analysis and reporting processes to support organizational processes for:

-
- - - - - - - -
-

[a]

-
-

investigation of suspicious activities; and

-
-
-
- - - - - - - -
-

[b]

-
-

response to suspicious activities.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit review, analysis, and reporting

-

- procedures addressing investigation and response to suspicious activities

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit review, analysis, and reporting responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms integrating audit review, analysis, and reporting processes

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AU-6 (3) CORRELATE AUDIT REPOSITORIES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

-
-
-
-

Supplemental guidance

-

Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission/business process, and information system) and supports cross-organization awareness.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit review, analysis, and reporting

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records across different repositories

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit review, analysis, and reporting responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting analysis and correlation of audit records

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AU-6 (5) INTEGRATION / SCANNING AND MONITORING CAPABILITIES

-
-

- Parameter: - au-6_d organization-defined data/information collected from other sources

-

- Value: Selection (one or more): vulnerability scanning information; performance data; - information system monitoring information; penetration test data

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; - - au-6_d - - organization-defined data/information collected from other sources - Selection (one or more): vulnerability scanning information; performance data; - information system monitoring information; penetration test data - ] to further enhance the ability to identify inappropriate or unusual activity.

-
-
-
-

Supplemental guidance

-

This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines data/information to be collected from other sources;

-
-
-
- - - - - - - -
-

[2]

-
-

selects sources of data/information to be analyzed and integrated with the analysis of audit records from one or more of the following:

-
- - - - - - - -
-

[a]

-
-

vulnerability scanning information;

-
-
-
- - - - - - - -
-

[b]

-
-

performance data;

-
-
-
- - - - - - - -
-

[c]

-
-

information system monitoring information; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

organization-defined data/information collected from other sources; and

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

integrates the analysis of audit records with the analysis of selected data/information to further enhance the ability to identify inappropriate or unusual activity.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit review, analysis, and reporting

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- integrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit review, analysis, and reporting responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing capability to integrate analysis of audit records with analysis of data/information sources

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- AU-6 (6) CORRELATION WITH PHYSICAL MONITORING

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

-
-
-
-

Supplemental guidance

-

The correlation of physical audit information and audit logs from information systems may assist organizations in identifying examples of suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual�s identity for logical access to certain information systems with the additional physical security information that the individual was actually present at the facility when the logical access occurred, may prove to be useful in investigations.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization correlates information from audit records with information obtained from monitoring physical access to enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit review, analysis, and reporting

-

- procedures addressing physical access monitoring

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- documentation providing evidence of correlated information obtained from audit records and physical access monitoring records

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit review, analysis, and reporting responsibilities

-

- organizational personnel with physical access monitoring responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing capability to correlate information from audit records with information from monitoring physical access

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-
- additional -

AU-6 (6) Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity;

-
-
-
- - - - - - - -
-

[3]

-
-

reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported; and

-
-
-
- - - - - - - -
-

[2]

-
-

reports findings to organization-defined personnel or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit review, analysis, and reporting

-

- reports of audit findings

-

- records of actions taken in response to reviews/analyses of audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit review, analysis, and reporting responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

AU-6 Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

-
-

References: None -

-
-
-

- AU-7 AUDIT REDUCTION AND REPORT GENERATION

-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system provides an audit reduction and report generation capability that:

-
- - - - - - - -
-

a.

-
-

Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and

-
-
-
- - - - - - - -
-

b.

-
-

Does not alter the original content or time ordering of audit records.

-
-
-
-
-
-

Supplemental guidance

-

Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient.

- -
-
-

- AU-7 (1) AUTOMATIC PROCESSING

-
-

- Parameter: - au-7_a organization-defined audit fields within audit records

-

- Value: organization-defined audit fields within audit records

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system provides the capability to process audit records for events of interest based on - - au-7_a - - organization-defined audit fields within audit records - organization-defined audit fields within audit records - .

-
-
-
-

Supplemental guidance

-

Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines audit fields within audit records in order to process audit records for events of interest; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system provides the capability to process audit records for events of interest based on the organization-defined audit fields within audit records.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit reduction and report generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit reduction, review, analysis, and reporting tools

-

- audit record criteria (fields) establishing events of interest

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit reduction and report generation responsibilities

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Audit reduction and report generation capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system provides an audit reduction and report generation capability that supports:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

on-demand audit review;

-
-
-
- - - - - - - -
-

[2]

-
-

analysis;

-
-
-
- - - - - - - -
-

[3]

-
-

reporting requirements;

-
-
-
- - - - - - - -
-

[4]

-
-

after-the-fact investigations of security incidents; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

does not alter the original content or time ordering of audit records.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit reduction and report generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit reduction, review, analysis, and reporting tools

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit reduction and report generation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Audit reduction and report generation capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AU-8 TIME STAMPS

-
-

- Parameter: - au-8_a organization-defined granularity of time measurement

-

- Value: one second granularity of time measurement

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Uses internal system clocks to generate time stamps for audit records; and

-
-
-
- - - - - - - -
-

b.

-
-

Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets - - au-8_a - - organization-defined granularity of time measurement - one second granularity of time measurement - .

-
-
-
-
-
-

Supplemental guidance

-

Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.

- - -
-
-

- AU-8 (1) SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE

-
-

- Parameter: - au-8_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - au-8_c organization-defined authoritative time source

-

- Value: http://tf.nist.gov/tf-cgi/servers.cgi

-
-
-

- Parameter: - au-8_d organization-defined time period

-

- Value: At least hourly

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

(a)

-
-

Compares the internal information system clocks - - au-8_b - - organization-defined frequency - organization-defined frequency - with - - au-8_c - - organization-defined authoritative time source - http://tf.nist.gov/tf-cgi/servers.cgi - ; and

-
-
-
- - - - - - - -
-

(b)

-
-

Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than - - au-8_d - - organization-defined time period - At least hourly - .

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the authoritative time source to which internal information system clocks are to be compared;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the frequency to compare the internal information system clocks with the organization-defined authoritative time source; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system compares the internal information system clocks with the organization-defined authoritative time source with organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the time period that, if exceeded by the time difference between the internal system clocks and the authoritative time source, will result in the internal system clocks being synchronized to the authoritative time source; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system synchronizes the internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing time stamp generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing internal information system clock synchronization

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

AU-8 (1) Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server. AU-8 (1) Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server. AU-8 (1) Guidance: Synchronization of system clocks improves the accuracy of log analysis.

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-

the information system uses internal system clocks to generate time stamps for audit records;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the granularity of time measurement to be met when recording time stamps for audit records; and

-
-
-
- - - - - - - -
-

[3]

-
-

the organization records time stamps for audit records that meet the organization-defined granularity of time measurement.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing time stamp generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing time stamp generation

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AU-9 PROTECTION OF AUDIT INFORMATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

-
-
-
-

Supplemental guidance

-

Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.

- - - - - - - -
-
-

- AU-9 (2) AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS

-
-

- Parameter: - au-9_a organization-defined frequency

-

- Value: at least weekly

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system backs up audit records - - au-9_a - - organization-defined frequency - at least weekly - onto a physically different system or system component than the system or component being audited.

-
-
-
-

Supplemental guidance

-

This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines the frequency to back up audit records onto a physically different system or system component than the system or component being audited; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system backs up audit records with the organization-defined frequency, onto a physically different system or system component than the system or component being audited.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing protection of audit information

-

- information system design documentation

-

- information system configuration settings and associated documentation, system or media storing backups of information system audit records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing the backing up of audit records

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AU-9 (3) CRYPTOGRAPHIC PROTECTION

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.

-
-
-
-

Supplemental guidance

-

Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

[1]

-
-

uses cryptographic mechanisms to protect the integrity of audit information; and

-
-
-
- - - - - - - -
-

[2]

-
-

uses cryptographic mechanisms to protect the integrity of audit tools.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- access control policy and procedures

-

- procedures addressing protection of audit information

-

- information system design documentation

-

- information system hardware settings

-

- information system configuration settings and associated documentation, information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Cryptographic mechanisms protecting integrity of audit information and tools

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- AU-9 (4) ACCESS BY SUBSET OF PRIVILEGED USERS

-
-

- Parameter: - au-9_b organization-defined subset of privileged users

-

- Value: organization-defined subset of privileged users

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization authorizes access to management of audit functionality to only - - au-9_b - - organization-defined subset of privileged users - organization-defined subset of privileged users - .

-
-
-
-

Supplemental guidance

-

Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a subset of privileged users to be authorized access to management of audit functionality; and

-
-
-
- - - - - - - -
-

[2]

-
-

authorizes access to management of audit functionality to only the organization-defined subset of privileged users.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- access control policy and procedures

-

- procedures addressing protection of audit information

-

- information system design documentation

-

- information system configuration settings and associated documentation, system-generated list of privileged users with access to management of audit functionality

-

- access authorizations

-

- access control list

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms managing access to audit functionality

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the information system protects audit information from unauthorized:

-
- - - - - - - -
-

[a]

-
-

access;

-
-
-
- - - - - - - -
-

[b]

-
-

modification;

-
-
-
- - - - - - - -
-

[c]

-
-

deletion;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the information system protects audit tools from unauthorized:

-
- - - - - - - -
-

[a]

-
-

access;

-
-
-
- - - - - - - -
-

[b]

-
-

modification; and

-
-
-
- - - - - - - -
-

[c]

-
-

deletion.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- access control policy and procedures

-

- procedures addressing protection of audit information

-

- information system design documentation

-

- information system configuration settings and associated documentation, information system audit records

-

- audit tools

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing audit information protection

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- AU-10 NON-REPUDIATION

-
-

- Parameter: - au-10_a organization-defined actions to be covered by non-repudiation

-

- Value: minimum actions including the addition, modification, deletion, approval, sending, - or receiving of data

-
-

- priority: P2

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed - - au-10_a - - organization-defined actions to be covered by non-repudiation - minimum actions including the addition, modification, deletion, approval, sending, - or receiving of data - .

-
-
-
-

Supplemental guidance

-

Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts).

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines actions to be covered by non-repudiation; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing non-repudiation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing non-repudiation capability

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- AU-11 AUDIT RECORD RETENTION

-
-

- Parameter: - au-11_a organization-defined time period consistent with records retention policy

-

- Value: at least one (1) year

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization retains audit records for - - au-11_a - - organization-defined time period consistent with records retention policy - at least one (1) year - to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

-
-
-
-

Supplemental guidance

-

Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a time period to retain audit records that is consistent with records retention policy;

-
-
-
- - - - - - - -
-

[2]

-
-

retains audit records for the organization-defined time period consistent with records retention policy to:

-
- - - - - - - -
-

[a]

-
-

provide support for after-the-fact investigations of security incidents; and

-
-
-
- - - - - - - -
-

[b]

-
-

meet regulatory and organizational information retention requirements.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- audit record retention policy and procedures

-

- security plan

-

- organization-defined retention period for audit records

-

- audit record archives

-

- audit logs

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit record retention responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

AU-11 Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

-
-

References: None -

-
-
-

- AU-12 AUDIT GENERATION

-
-

- Parameter: - au-12_a organization-defined information system components

-

- Value: organization-defined information system components

-
-
-

- Parameter: - au-12_b organization-defined personnel or roles

-

- Value: all information system and network components where audit capability is - deployed/available

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Provides audit record generation capability for the auditable events defined in AU-2 a. at - - au-12_a - - organization-defined information system components - organization-defined information system components - ;

-
-
-
- - - - - - - -
-

b.

-
-

Allows - - au-12_b - - organization-defined personnel or roles - all information system and network components where audit capability is - deployed/available - to select which auditable events are to be audited by specific components of the information system; and

-
-
-
- - - - - - - -
-

c.

-
-

Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

-
-
-
-
-
-

Supplemental guidance

-

Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records.

- - - - - -
-
-

- AU-12 (1) SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL

-
-

- Parameter: - au-12_c organization-defined information system components

-

- Value: all network, data storage, and computing devices

-
-
-

- Parameter: - au-12_d organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail

-

- Value: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system compiles audit records from - - au-12_c - - organization-defined information system components - all network, data storage, and computing devices - into a system-wide (logical or physical) audit trail that is time-correlated to within - - au-12_d - - organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail - organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail - .

-
-
-
-

Supplemental guidance

-

Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines the information system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the level of tolerance for the relationship between time stamps of individual records in the audit trail; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within the organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit record generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- system-wide audit trail (logical or physical)

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit record generation responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing audit record generation capability

-
-
- justification -

Non-repudiation

-
-

References: None -

-
-
-

- AU-12 (3) CHANGES BY AUTHORIZED INDIVIDUALS

-
-

- Parameter: - au-12_e organization-defined individuals or roles

-

- Value: service provider-defined individuals or roles with audit configuration - responsibilities

-
-
-

- Parameter: - au-12_f organization-defined information system components

-

- Value: all network, data storage, and computing devices

-
-
-

- Parameter: - au-12_g organization-defined selectable event criteria

-

- Value: organization-defined selectable event criteria

-
-
-

- Parameter: - au-12_h organization-defined time thresholds

-

- Value: organization-defined time thresholds

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system provides the capability for - - au-12_e - - organization-defined individuals or roles - service provider-defined individuals or roles with audit configuration - responsibilities - to change the auditing to be performed on - - au-12_f - - organization-defined information system components - all network, data storage, and computing devices - based on - - au-12_g - - organization-defined selectable event criteria - organization-defined selectable event criteria - within - - au-12_h - - organization-defined time thresholds - organization-defined time thresholds - .

-
-
-
-

Supplemental guidance

-

This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines information system components on which auditing is to be performed;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines individuals or roles authorized to change the auditing to be performed on organization-defined information system components;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines time thresholds within which organization-defined individuals or roles can change the auditing to be performed on organization-defined information system components;

-
-
-
- - - - - - - -
-

[4]

-
-

the organization defines selectable event criteria that support the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components; and

-
-
-
- - - - - - - -
-

[5]

-
-

the information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit record generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- system-generated list of individuals or roles authorized to change auditing to be performed

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit record generation responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing audit record generation capability

-
-
- justification -

Non-repudiation

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the information system components which are to provide audit record generation capability for the auditable events defined in AU-2a;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system provides audit record generation capability, for the auditable events defined in AU-2a, at organization-defined information system components;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system allows the organization-defined personnel or roles to select which auditable events are to be audited by specific components of the system; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

the information system generates audit records for the events defined in AU-2d with the content in defined in AU-3.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit record generation

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of auditable events

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit record generation responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing audit record generation capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-
-

SECURITY ASSESSMENT AND AUTHORIZATION

-
-

- CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES

-
-

- Parameter: - ca-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ca-1_b organization-defined frequency

-

- Value: at least annually

-
-
-

- Parameter: - ca-1_c organization-defined frequency

-

- Value: at least annually or whenever a significant change occurs

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ca-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Security assessment and authorization policy - - ca-1_b - - organization-defined frequency - at least annually - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Security assessment and authorization procedures - - ca-1_c - - organization-defined frequency - at least annually or whenever a significant change occurs - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a security assessment and authorization policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the security assessment and authorization policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the security assessment and authorization policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated assessment and authorization controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current security assessment and authorization policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current security assessment and authorization policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current security assessment and authorization procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current security assessment and authorization procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security assessment and authorization responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-53A

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- CA-2 SECURITY ASSESSMENTS

-
-

- Parameter: - ca-2_a organization-defined frequency

-

- Value: at least annually

-
-
-

- Parameter: - ca-2_b organization-defined individuals or roles

-

- Value: individuals or roles to include FedRAMP PMO

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops a security assessment plan that describes the scope of the assessment including:

-
- - - - - - - -
-

1.

-
-

Security controls and control enhancements under assessment;

-
-
-
- - - - - - - -
-

2.

-
-

Assessment procedures to be used to determine security control effectiveness; and

-
-
-
- - - - - - - -
-

3.

-
-

Assessment environment, assessment team, and assessment roles and responsibilities;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Assesses the security controls in the information system and its environment of operation - - ca-2_a - - organization-defined frequency - at least annually - to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

-
-
-
- - - - - - - -
-

c.

-
-

Produces a security assessment report that documents the results of the assessment; and

-
-
-
- - - - - - - -
-

d.

-
-

Provides the results of the security control assessment to - - ca-2_b - - organization-defined individuals or roles - individuals or roles to include FedRAMP PMO - .

-
-
-
-
-
-

Supplemental guidance

-

Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. 
-To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control.

- - - - - - - - -
-
-

- CA-2 (1) INDEPENDENT ASSESSORS

-
-

- Parameter: - ca-2_c organization-defined level of independence

-

- Value: organization-defined level of independence

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs assessors or assessment teams with - - ca-2_c - - organization-defined level of independence - organization-defined level of independence - to conduct security control assessments.

-
-
-
-

Supplemental guidance

-

Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. 
In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the level of independence to be employed to conduct security control assessments; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs assessors or assessment teams with the organization-defined level of independence to conduct security control assessments.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing security assessments

-

- security authorization package (including security plan, security assessment plan, security assessment report, plan of action and milestones, authorization statement)

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CA-2 (1) Requirement: For JAB Authorization, must use an accredited 3PAO.

-
-

References: None -

-
-
-

- CA-2 (2) SPECIALIZED ASSESSMENTS

-
-

- Parameter: - ca-2_d organization-defined frequency

-

- Value: at least annually

-
-
-

- Parameter: - ca-2_e organization-defined other forms of security assessment

-

- Value: organization-defined other forms of security assessment

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization includes as part of security control assessments, - - ca-2_d - - organization-defined frequency - at least annually - , [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; - - ca-2_e - - organization-defined other forms of security assessment - organization-defined other forms of security assessment - ].

-
-
-
-

Supplemental guidance

-

Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

selects one or more of the following forms of specialized security assessment to be included as part of security control assessments:

-
- - - - - - - -
-

[a]

-
-

in-depth monitoring;

-
-
-
- - - - - - - -
-

[b]

-
-

vulnerability scanning;

-
-
-
- - - - - - - -
-

[c]

-
-

malicious user testing;

-
-
-
- - - - - - - -
-

[d]

-
-

insider threat assessment;

-
-
-
- - - - - - - -
-

[e]

-
-

performance/load testing; and/or

-
-
-
- - - - - - - -
-

[f]

-
-

other forms of organization-defined specialized security assessment;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency for conducting the selected form(s) of specialized security assessment;

-
-
-
- - - - - - - -
-

[3]

-
-

defines whether the specialized security assessment will be announced or unannounced; and

-
-
-
- - - - - - - -
-

[4]

-
-

conducts announced or unannounced organization-defined forms of specialized security assessments with the organization-defined frequency as part of security control assessments.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing security assessments

-

- security plan

-

- security assessment plan

-

- security assessment report

-

- security assessment evidence

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting security control assessment

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CA-2 (2) Requirement: To include 'announced', 'vulnerability scanning'

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops a security assessment plan that describes the scope of the assessment including:

-
- - - - - - - -
-

(1)

-
-

security controls and control enhancements under assessment;

-
-
-
- - - - - - - -
-

(2)

-
-

assessment procedures to be used to determine security control effectiveness;

-
-
-
- - - - - - - -
-

(3)

-
-
- - - - - - - -
-

[1]

-
-

assessment environment;

-
-
-
- - - - - - - -
-

[2]

-
-

assessment team;

-
-
-
- - - - - - - -
-

[3]

-
-

assessment roles and responsibilities;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to assess the security controls in the information system and its environment of operation;

-
-
-
- - - - - - - -
-

[2]

-
-

assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

produces a security assessment report that documents the results of the assessment;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines individuals or roles to whom the results of the security control assessment are to be provided; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides the results of the security control assessment to organization-defined individuals or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing security assessment planning

-

- procedures addressing security assessments

-

- security assessment plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting security assessment, security assessment plan development, and/or security assessment reporting

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

Executive Order 13587

-
-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-39

-
-
-

NIST Special Publication 800-53A

-
-
-

NIST Special Publication 800-115

-
-
-

NIST Special Publication 800-137

-
-
-
-
-

- CA-3 SYSTEM INTERCONNECTIONS

-
-

- Parameter: - ca-3_a organization-defined frequency

-

- Value: At least annually and on input from FedRAMP

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;

-
-
-
- - - - - - - -
-

b.

-
-

Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and

-
-
-
- - - - - - - -
-

c.

-
-

Reviews and updates Interconnection Security Agreements - - ca-3_a - - organization-defined frequency - At least annually and on input from FedRAMP - .

-
-
-
-
-
-

Supplemental guidance

-

This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.

- - - - - - - - - - - -
-
-

- CA-3 (5) RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS

-
-

- Parameter: - ca-3_h organization-defined information systems

-

- Value: any systems

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing - - ca-3_h - - organization-defined information systems - any systems - to connect to external information systems.

-
-
-
-

Supplemental guidance

-

Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information systems to be allowed to connect to external information systems;

-
-
-
- - - - - - - -
-

[2]

-
-

employs one of the following policies for allowing organization-defined information systems to connect to external information systems:

-
- - - - - - - -
-

[a]

-
-

allow-all policy;

-
-
-
- - - - - - - -
-

[b]

-
-

deny-by-exception policy;

-
-
-
- - - - - - - -
-

[c]

-
-

deny-all policy; or

-
-
-
- - - - - - - -
-

[d]

-
-

permit-by-exception policy.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing information system connections

-

- system and communications protection policy

-

- information system interconnection agreements

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security assessment report

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for managing connections to external information systems

-

- network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing restrictions on external system connections

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CA-3 (5) Guidance: For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;

-
-
-
- - - - - - - -
-

(b)

-
-

documents, for each interconnection:

-
- - - - - - - -
-

[1]

-
-

the interface characteristics;

-
-
-
- - - - - - - -
-

[2]

-
-

the security requirements;

-
-
-
- - - - - - - -
-

[3]

-
-

the nature of the information communicated;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update Interconnection Security Agreements; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates Interconnection Security Agreements with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing information system connections

-

- system and communications protection policy

-

- information system Interconnection Security Agreements

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for developing, implementing, or approving information system interconnection agreements

-

- organizational personnel with information security responsibilities

-

- personnel managing the system(s) to which the Interconnection Security Agreement applies

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-47

-
-
-
-
-

- CA-5 PLAN OF ACTION AND MILESTONES

-
-

- Parameter: - ca-5_a organization-defined frequency

-

- Value: at least monthly

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops a plan of action and milestones for the information system to document the organization�s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and

-
-
-
- - - - - - - -
-

b.

-
-

Updates existing plan of action and milestones - - ca-5_a - - organization-defined frequency - at least monthly - based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

-
-
-
-
-
-

Supplemental guidance

-

Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops a plan of action and milestones for the information system to:

-
- - - - - - - -
-

[1]

-
-

document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls;

-
-
-
- - - - - - - -
-

[2]

-
-

reduce or eliminate known vulnerabilities in the system;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to update the existing plan of action and milestones;

-
-
-
- - - - - - - -
-

[2]

-
-

updates the existing plan of action and milestones with the organization-defined frequency based on the findings from:

-
- - - - - - - -
-

[a]

-
-

security controls assessments;

-
-
-
- - - - - - - -
-

[b]

-
-

security impact analyses; and

-
-
-
- - - - - - - -
-

[c]

-
-

continuous monitoring activities.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing plan of action and milestones

-

- security plan

-

- security assessment plan

-

- security assessment report

-

- security assessment evidence

-

- plan of action and milestones

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with plan of action and milestones development and implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms for developing, implementing, and maintaining plan of action and milestones

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CA-5 Guidance: Requirement: POA&Ms must be provided at least monthly.

-
-
-

References

-
-

OMB Memorandum 02-01

-
-
-

NIST Special Publication 800-37

-
-
-
-
-

- CA-6 SECURITY AUTHORIZATION

-
-

- Parameter: - ca-6_a organization-defined frequency

-

- Value: at least every three (3) years or when a significant change occurs

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Assigns a senior-level executive or manager as the authorizing official for the information system;

-
-
-
- - - - - - - -
-

b.

-
-

Ensures that the authorizing official authorizes the information system for processing before commencing operations; and

-
-
-
- - - - - - - -
-

c.

-
-

Updates the security authorization - - ca-6_a - - organization-defined frequency - at least every three (3) years or when a significant change occurs - .

-
-
-
-
-
-

Supplemental guidance

-

Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. 
To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

assigns a senior-level executive or manager as the authorizing official for the information system;

-
-
-
- - - - - - - -
-

(b)

-
-

ensures that the authorizing official authorizes the information system for processing before commencing operations;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to update the security authorization; and

-
-
-
- - - - - - - -
-

[2]

-
-

updates the security authorization with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing security authorization

-

- security authorization package (including security plan

-

- security assessment report

-

- plan of action and milestones

-

- authorization statement)

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security authorization responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms that facilitate security authorizations and updates

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CA-6 (c) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

-
-
-

References

-
-

OMB Circular A-130

-
-
-

OMB Memorandum 11-33

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-137

-
-
-
-
-

- CA-7 CONTINUOUS MONITORING

-
-

- Parameter: - ca-7_a organization-defined metrics

-

- Value: organization-defined metrics

-
-
-

- Parameter: - ca-7_b organization-defined frequencies

-

- Value: organization-defined frequencies

-
-
-

- Parameter: - ca-7_c organization-defined frequencies

-

- Value: organization-defined frequencies

-
-
-

- Parameter: - ca-7_d organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ca-7_e organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

-
- - - - - - - -
-

a.

-
-

Establishment of - - ca-7_a - - organization-defined metrics - organization-defined metrics - to be monitored;

-
-
-
- - - - - - - -
-

b.

-
-

Establishment of - - ca-7_b - - organization-defined frequencies - organization-defined frequencies - for monitoring and - - ca-7_c - - organization-defined frequencies - organization-defined frequencies - for assessments supporting such monitoring;

-
-
-
- - - - - - - -
-

c.

-
-

Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

-
-
-
- - - - - - - -
-

d.

-
-

Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

-
-
-
- - - - - - - -
-

e.

-
-

Correlation and analysis of security-related information generated by assessments and monitoring;

-
-
-
- - - - - - - -
-

f.

-
-

Response actions to address results of the analysis of security-related information; and

-
-
-
- - - - - - - -
-

g.

-
-

Reporting the security status of organization and the information system to - - ca-7_d - - organization-defined personnel or roles - organization-defined personnel or roles - - - - ca-7_e - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.

- - - - - - - - - - - - -
-
-

- CA-7 (1) INDEPENDENT ASSESSMENT

-
-

- Parameter: - ca-7_f organization-defined level of independence

-

- Value: organization-defined level of independence

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs assessors or assessment teams with - - ca-7_f - - organization-defined level of independence - organization-defined level of independence - to monitor the security controls in the information system on an ongoing basis.

-
-
-
-

Supplemental guidance

-

Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a level of independence to be employed to monitor the security controls in the information system on an ongoing basis; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs assessors or assessment teams with the organization-defined level of independence to monitor the security controls in the information system on an ongoing basis.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing continuous monitoring of information system security controls

-

- security plan

-

- security assessment report

-

- plan of action and milestones

-

- information system monitoring records

-

- security impact analyses

-

- status reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with continuous monitoring responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that defines metrics to be monitored;

-
-
-
- - - - - - - -
-

[2]

-
-

develops a continuous monitoring strategy that includes monitoring of organization-defined metrics;

-
-
-
- - - - - - - -
-

[3]

-
-

implements a continuous monitoring program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that defines frequencies for monitoring;

-
-
-
- - - - - - - -
-

[2]

-
-

defines frequencies for assessments supporting monitoring;

-
-
-
- - - - - - - -
-

[3]

-
-

develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring;

-
-
-
- - - - - - - -
-

[4]

-
-

implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that includes ongoing security control assessments;

-
-
-
- - - - - - - -
-

[2]

-
-

implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics;

-
-
-
- - - - - - - -
-

[2]

-
-

implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring;

-
-
-
- - - - - - - -
-

[2]

-
-

implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information;

-
-
-
- - - - - - - -
-

[2]

-
-

implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported;

-
-
-
- - - - - - - -
-

[2]

-
-

develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles;

-
-
-
- - - - - - - -
-

[3]

-
-

develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organizational-defined personnel or roles with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[4]

-
-

implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing continuous monitoring of information system security controls

-

- procedures addressing configuration management

-

- security plan

-

- security assessment report

-

- plan of action and milestones

-

- information system monitoring records

-

- configuration management records, security impact analyses

-

- status reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with continuous monitoring responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Mechanisms implementing continuous monitoring

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CA-7 Requirement: Operating System Scans: at least monthly

-

Database and Web Application Scans: at least monthly

-

All scans performed by Independent Assessor: at least annually

-

CA-7 Guidance: CSPs must provide evidence of closure and remediation of high - vulnerabilities within the timeframe for standard POA&M updates.

-

Operating System Scans: at least monthly

-

Database and Web Application Scans: at least monthly

-

All scans performed by Independent Assessor: at least annually

-
-
-

References

-
-

OMB Memorandum 11-33

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-39

-
-
-

NIST Special Publication 800-53A

-
-
-

NIST Special Publication 800-115

-
-
-

NIST Special Publication 800-137

-
-
-

US-CERT Technical Cyber Security Alerts

-
-
-

DoD Information Assurance Vulnerability Alerts

-
-
-
-
-

- CA-8 PENETRATION TESTING

-
-

- Parameter: - ca-8_a organization-defined frequency

-

- Value: at least annually

-
-
-

- Parameter: - ca-8_b organization-defined information systems or system components

-

- Value: organization-defined information systems or system components

-
-

- priority: P2

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization conducts penetration testing - - ca-8_a - - organization-defined frequency - at least annually - on - - ca-8_b - - organization-defined information systems or system components - organization-defined information systems or system components - .

-
-
-
-

Supplemental guidance

-

Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information systems or system components on which penetration testing is to be conducted;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to conduct penetration testing on organization-defined information systems or system components; and

-
-
-
- - - - - - - -
-

[3]

-
-

conducts penetration testing on organization-defined information systems or system components with the organization-defined frequency.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing penetration testing

-

- security plan

-

- security assessment plan

-

- penetration test report

-

- security assessment report

-

- security assessment evidence

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security assessment responsibilities

-

- organizational personnel with information security responsibilities, system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting penetration testing

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CA-9 INTERNAL SYSTEM CONNECTIONS

-
-

- Parameter: - ca-9_a organization-defined information system components or classes of components

-

- Value: organization-defined information system components or classes of components

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Authorizes internal connections of - - ca-9_a - - organization-defined information system components or classes of components - organization-defined information system components or classes of components - to the information system; and

-
-
-
- - - - - - - -
-

b.

-
-

Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.

- - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information system components or classes of components to be authorized as internal connections to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

authorizes internal connections of organization-defined information system components or classes of components to the information system;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

documents, for each internal connection:

-
- - - - - - - -
-

[1]

-
-

the interface characteristics;

-
-
-
- - - - - - - -
-

[2]

-
-

the security requirements; and

-
-
-
- - - - - - - -
-

[3]

-
-

the nature of the information communicated.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing information system connections

-

- system and communications protection policy

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of components or classes of components authorized as internal system connections

-

- security assessment report

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for developing, implementing, or authorizing internal system connections

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-
-

CONFIGURATION MANAGEMENT

-
-

- CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES

-
-

- Parameter: - cm-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - cm-1_b organization-defined frequency

-

- Value: at least annually

-
-
-

- Parameter: - cm-1_c organization-defined frequency

-

- Value: at least annually or whenever a significant change occurs

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - cm-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Configuration management policy - - cm-1_b - - organization-defined frequency - at least annually - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Configuration management procedures - - cm-1_c - - organization-defined frequency - at least annually or whenever a significant change occurs - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a configuration management policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the configuration management policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the configuration management policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current configuration management policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current configuration management policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current configuration management procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current configuration management procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- CM-2 BASELINE CONFIGURATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

-
-
-
-

Supplemental guidance

-

This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture.

- - - - - - - -
-
-

- CM-2 (1) REVIEWS AND UPDATES

-
-

- Parameter: - cm-2_a organization-defined frequency

-

- Value: at least annually or when a significant change occurs

-
-
-

- Parameter: - cm-2_b Assignment organization-defined circumstances

-

- Value: to include when directed by the JAB

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization reviews and updates the baseline configuration of the information system:

-
- - - - - - - -
-

(a)

-
-

- - - cm-2_a - - organization-defined frequency - at least annually or when a significant change occurs - ;

-
-
-
- - - - - - - -
-

(b)

-
-

When required due to - - cm-2_b - - Assignment organization-defined circumstances - to include when directed by the JAB - ; and

-
-
-
- - - - - - - -
-

(c)

-
-

As an integral part of information system component installations and upgrades.

-
-
-
-
-
-

Supplemental guidance

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the baseline configuration of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the baseline configuration of the information system with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines circumstances that require the baseline configuration of the information system to be reviewed and updated;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

reviews and updates the baseline configuration of the information system as an integral part of information system component installations and upgrades.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- configuration management plan

-

- procedures addressing the baseline configuration of the information system

-

- procedures addressing information system component installations and upgrades

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- records of information system baseline configuration reviews and updates

-

- information system component installations/upgrades and associated records

-

- change control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing baseline configurations

-

- automated mechanisms supporting review and update of the baseline configuration

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CM-2 (1) (a) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.

-
-

References: None -

-
-
-

- CM-2 (2) AUTOMATION SUPPORT FOR ACCURACY / CURRENCY

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

-
-
-
-

Supplemental guidance

-

Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization employs automated mechanisms to maintain:

-
- - - - - - - -
-

[1]

-
-

an up-to-date baseline configuration of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

a complete baseline configuration of the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

an accurate baseline configuration of the information system; and

-
-
-
- - - - - - - -
-

[4]

-
-

a readily available baseline configuration of the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing the baseline configuration of the information system

-

- configuration management plan

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- configuration change control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing baseline configurations

-

- automated mechanisms implementing baseline configuration maintenance

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CM-2 (3) RETENTION OF PREVIOUS CONFIGURATIONS

-
-

- Parameter: - cm-2_c organization-defined previous versions of baseline configurations of the information system

-

- Value: organization-defined previous versions of baseline configurations of the previously - approved baseline configuration of IS components

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization retains - - cm-2_c - - organization-defined previous versions of baseline configurations of the information system - organization-defined previous versions of baseline configurations of the previously - approved baseline configuration of IS components - to support rollback.

-
-
-
-

Supplemental guidance

-

Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines previous versions of baseline configurations of the information system to be retained to support rollback; and

-
-
-
- - - - - - - -
-

[2]

-
-

retains organization-defined previous versions of baseline configurations of the information system to support rollback.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing the baseline configuration of the information system

-

- configuration management plan

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- copies of previous baseline configuration versions

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing baseline configurations

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CM-2 (7) CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS

-
-

- Parameter: - cm-2_d organization-defined information systems, system components, or devices

-

- Value: organization-defined information systems, system components, or devices

-
-
-

- Parameter: - cm-2_e organization-defined configurations

-

- Value: organization-defined configurations

-
-
-

- Parameter: - cm-2_f organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Issues - - cm-2_d - - organization-defined information systems, system components, or devices - organization-defined information systems, system components, or devices - with - - cm-2_e - - organization-defined configurations - organization-defined configurations - to individuals traveling to locations that the organization deems to be of significant risk; and

-
-
-
- - - - - - - -
-

(b)

-
-

Applies - - cm-2_f - - organization-defined security safeguards - organization-defined security safeguards - to the devices when the individuals return.

-
-
-
-
-
-

Supplemental guidance

-

When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information systems, system components, or devices to be issued to individuals traveling to locations that the organization deems to be of significant risk;

-
-
-
- - - - - - - -
-

[2]

-
-

defines configurations to be employed on organization-defined information systems, system components, or devices issued to individuals traveling to such locations;

-
-
-
- - - - - - - -
-

[3]

-
-

issues organization-defined information systems, system components, or devices with organization-defined configurations to individuals traveling to locations that the organization deems to be of significant risk;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines security safeguards to be applied to the devices when the individuals return; and

-
-
-
- - - - - - - -
-

[2]

-
-

applies organization-defined safeguards to the devices when the individuals return.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- configuration management plan

-

- procedures addressing the baseline configuration of the information system

-

- procedures addressing information system component installations and upgrades

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- records of information system baseline configuration reviews and updates

-

- information system component installations/upgrades and associated records

-

- change control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing baseline configurations

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

develops and documents a current baseline configuration of the information system; and

-
-
-
- - - - - - - -
-

[2]

-
-

maintains, under configuration control, a current baseline configuration of the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing the baseline configuration of the information system

-

- configuration management plan

-

- enterprise architecture documentation

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- change control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing baseline configurations

-

- automated mechanisms supporting configuration control of the baseline configuration

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-3 CONFIGURATION CHANGE CONTROL

-
-

- Parameter: - cm-3_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - cm-3_b organization-defined configuration change control element (e.g., committee, board)

-

- Value: organization-defined configuration change control element (e.g., committee, board)

-
-
-

- Parameter: - cm-3_c organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cm-3_d organization-defined configuration change conditions

-

- Value: organization-defined configuration change conditions

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Determines the types of changes to the information system that are configuration-controlled;

-
-
-
- - - - - - - -
-

b.

-
-

Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

-
-
-
- - - - - - - -
-

c.

-
-

Documents configuration change decisions associated with the information system;

-
-
-
- - - - - - - -
-

d.

-
-

Implements approved configuration-controlled changes to the information system;

-
-
-
- - - - - - - -
-

e.

-
-

Retains records of configuration-controlled changes to the information system for - - cm-3_a - - organization-defined time period - organization-defined time period - ;

-
-
-
- - - - - - - -
-

f.

-
-

Audits and reviews activities associated with configuration-controlled changes to the information system; and

-
-
-
- - - - - - - -
-

g.

-
-

Coordinates and provides oversight for configuration change control activities through - - cm-3_b - - organization-defined configuration change control element (e.g., committee, board) - organization-defined configuration change control element (e.g., committee, board) - that convenes [Selection (one or more): - - cm-3_c - - organization-defined frequency - organization-defined frequency - ; - - cm-3_d - - organization-defined configuration change conditions - organization-defined configuration change conditions - ].

-
-
-
-
-
-

Supplemental guidance

-

Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes.

- - - - - - - - - -
-
-

- CM-3 (1) AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES

-
-

- Parameter: - cm-3_e organized-defined approval authorities

-

- Value: organized-defined approval authorities

-
-
-

- Parameter: - cm-3_f organization-defined time period

-

- Value: organization agreed upon time period

-
-
-

- Parameter: - cm-3_g organization-defined personnel

-

- Value: organization defined configuration management approval authorities

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to:

-
- - - - - - - -
-

(a)

-
-

Document proposed changes to the information system;

-
-
-
- - - - - - - -
-

(b)

-
-

Notify - - cm-3_e - - organized-defined approval authorities - organized-defined approval authorities - of proposed changes to the information system and request change approval;

-
-
-
- - - - - - - -
-

(c)

-
-

Highlight proposed changes to the information system that have not been approved or disapproved by - - cm-3_f - - organization-defined time period - organization agreed upon time period - ;

-
-
-
- - - - - - - -
-

(d)

-
-

Prohibit changes to the information system until designated approvals are received;

-
-
-
- - - - - - - -
-

(e)

-
-

Document all changes to the information system; and

-
-
-
- - - - - - - -
-

(f)

-
-

Notify - - cm-3_g - - organization-defined personnel - organization defined configuration management approval authorities - when approved changes to the information system are completed.

-
-
-
-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

employs automated mechanisms to document proposed changes to the information system;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines approval authorities to be notified of proposed changes to the information system and request change approval;

-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms to notify organization-defined approval authorities of proposed changes to the information system and request change approval;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the time period within which proposed changes to the information system that have not been approved or disapproved must be highlighted;

-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms to highlight proposed changes to the information system that have not been approved or disapproved by organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

employs automated mechanisms to prohibit changes to the information system until designated approvals are received;

-
-
-
- - - - - - - -
-

(e)

-
-

employs automated mechanisms to document all changes to the information system;

-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel to be notified when approved changes to the information system are completed; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms to notify organization-defined personnel when approved changes to the information system are completed.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system configuration change control

-

- configuration management plan

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- automated configuration control mechanisms

-

- information system configuration settings and associated documentation

-

- change control records

-

- information system audit records

-

- change approval requests

-

- change approvals

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration change control responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for configuration change control

-

- automated mechanisms implementing configuration change control activities

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- CM-3 (2) TEST / VALIDATE / DOCUMENT CHANGES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

-
-
-
-

Supplemental guidance

-

Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems).

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization, before implementing changes on the operational system:

-
- - - - - - - -
-

[1]

-
-

tests changes to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

validates changes to the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

documents changes to the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- configuration management plan

-

- procedures addressing information system configuration change control

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- test records

-

- validation records

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration change control responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for configuration change control

-

- automated mechanisms supporting and/or implementing testing, validating, and documenting information system changes

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

determines the type of changes to the information system that must be configuration-controlled;

-
-
-
- - - - - - - -
-

(b)

-
-

reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

-
-
-
- - - - - - - -
-

(c)

-
-

documents configuration change decisions associated with the information system;

-
-
-
- - - - - - - -
-

(d)

-
-

implements approved configuration-controlled changes to the information system;

-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period to retain records of configuration-controlled changes to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

retains records of configuration-controlled changes to the information system for the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-

audits and reviews activities associated with configuration-controlled changes to the information system;

-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

defines a configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency with which the configuration change control element must convene; and/or

-
-
-
- - - - - - - -
-

[3]

-
-

defines configuration change conditions that prompt the configuration change control element to convene; and

-
-
-
- - - - - - - -
-

[4]

-
-

coordinates and provides oversight for configuration change control activities through organization-defined configuration change control element that convenes at organization-defined frequency and/or for any organization-defined configuration change conditions.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system configuration change control

-

- configuration management plan

-

- information system architecture and configuration documentation

-

- security plan

-

- change control records

-

- information system audit records

-

- change control audit and review reports

-

- agenda /minutes from configuration change control oversight meetings

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration change control responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- members of change control board or similar

-
-
-

Assessment: TEST

-

- Organizational processes for configuration change control

-

- automated mechanisms that implement configuration change control

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CM-3 Requirement: The service provider establishes a central means of - communicating major changes to or developments in the information system or - environment of operations that may affect its services to the federal government - and associated service consumers (e.g., electronic bulletin board, web status - page). The means of communication are approved and accepted by the JAB/AO.

-

CM-3 (e) Guidance: In accordance with record retention policies and - procedures.

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-4 SECURITY IMPACT ANALYSIS

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

-
-
-
-

Supplemental guidance

-

Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.

- - - - - - - - -
-
-

- CM-4 (1) SEPARATE TEST ENVIRONMENTS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

-
-
-
-

Supplemental guidance

-

Separate test environment in this context means an environment that is physically or logically isolated and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not used, organizations determine the strength of mechanism required when implementing logical separation (e.g., separation achieved through virtual machines).

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

analyzes changes to the information system in a separate test environment before implementation in an operational environment;

-
-
-
- - - - - - - -
-

[2]

-
-

when analyzing changes to the information system in a separate test environment, looks for security impacts due to:

-
- - - - - - - -
-

[a]

-
-

flaws;

-
-
-
- - - - - - - -
-

[b]

-
-

weaknesses;

-
-
-
- - - - - - - -
-

[c]

-
-

incompatibility; and

-
-
-
- - - - - - - -
-

[d]

-
-

intentional malice.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing security impact analysis for changes to the information system

-

- configuration management plan

-

- security impact analysis documentation

-

- analysis tools and associated outputs information system design documentation

-

- information system architecture and configuration documentation

-

- change control records

-

- information system audit records

-

- documentation evidence of separate test and operational environments

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for conducting security impact analysis

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for security impact analysis

-

- automated mechanisms supporting and/or implementing security impact analysis of changes

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objective

- - - - - - -
- -

Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing security impact analysis for changes to the information system

-

- configuration management plan

-

- security impact analysis documentation

-

- analysis tools and associated outputs

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for conducting security impact analysis

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for security impact analysis

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-5 ACCESS RESTRICTIONS FOR CHANGE

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

-
-
-
-

Supplemental guidance

-

Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

- - - -
-
-

- CM-5 (1) AUTOMATED ACCESS ENFORCEMENT / AUDITING

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system enforces access restrictions and supports auditing of the enforcement actions.

-
-
-
-

Supplemental guidance

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

[1]

-
-

enforces access restrictions for change; and

-
-
-
- - - - - - - -
-

[2]

-
-

supports auditing of the enforcement actions.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing access restrictions for changes to the information system

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for managing access restrictions to change

-

- automated mechanisms implementing enforcement of access restrictions for changes to the information system

-

- automated mechanisms supporting auditing of enforcement actions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CM-5 (2) REVIEW SYSTEM CHANGES

-
-

- Parameter: - cm-5_a organization-defined frequency

-

- Value: at least every thirty (30) days

-
-
-

- Parameter: - cm-5_b organization-defined circumstances

-

- Value: organization-defined circumstances

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization reviews information system changes - - cm-5_a - - organization-defined frequency - at least every thirty (30) days - and - - cm-5_b - - organization-defined circumstances - organization-defined circumstances - to determine whether unauthorized changes have occurred.

-
-
-
-

Supplemental guidance

-

Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization, in an effort to ascertain whether unauthorized changes have occurred:

-
- - - - - - - -
-

[1]

-
-

defines the frequency to review information system changes;

-
-
-
- - - - - - - -
-

[2]

-
-

defines circumstances that warrant review of information system changes;

-
-
-
- - - - - - - -
-

[3]

-
-

reviews information system changes with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[4]

-
-

reviews information system changes with the organization-defined circumstances.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing access restrictions for changes to the information system

-

- configuration management plan

-

- security plan

-

- reviews of information system changes

-

- audit and review reports

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing access restrictions to change

-

- automated mechanisms supporting/implementing information system reviews to determine whether unauthorized changes have occurred

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- CM-5 (3) SIGNED COMPONENTS

-
-

- Parameter: - cm-5_c organization-defined software and firmware components

-

- Value: organization-defined software and firmware components

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system prevents the installation of - - cm-5_c - - organization-defined software and firmware components - organization-defined software and firmware components - without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

-
-
-
-

Supplemental guidance

-

Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures, is a method of code authentication.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines software and firmware components that the information system will prevent from being installed without verification that such components have been digitally signed using a certificate that is recognized and approved by the organization; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system prevents the installation of organization-defined software and firmware components without verification that such components have been digitally signed using a certificate that is recognized and approved by the organization.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing access restrictions for changes to the information system

-

- configuration management plan

-

- security plan

-

- list of software and firmware components to be prohibited from installation without a recognized and approved certificate

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for managing access restrictions to change

-

- automated mechanisms preventing installation of software and firmware components not signed with an organization-recognized and approved certificate

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CM-5 (3) Guidance: If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines physical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

documents physical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

approves physical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[4]

-
-

enforces physical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[5]

-
-

defines logical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[6]

-
-

documents logical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[7]

-
-

approves logical access restrictions associated with changes to the information system; and

-
-
-
- - - - - - - -
-

[8]

-
-

enforces logical access restrictions associated with changes to the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing access restrictions for changes to the information system

-

- configuration management plan

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- logical access approvals

-

- physical access approvals

-

- access credentials

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with logical access control responsibilities

-

- organizational personnel with physical access control responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing access restrictions to change

-

- automated mechanisms supporting/implementing/enforcing access restrictions associated with changes to the information system

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CM-6 CONFIGURATION SETTINGS

-
-

- Parameter: - cm-6_a organization-defined security configuration checklists

-

- Value: United States Government Configuration Baseline (USGCB)

-
-
-

- Parameter: - cm-6_b organization-defined information system components

-

- Value: organization-defined information system components

-
-
-

- Parameter: - cm-6_c organization-defined operational requirements

-

- Value: organization-defined operational requirements

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes and documents configuration settings for information technology products employed within the information system using - - cm-6_a - - organization-defined security configuration checklists - United States Government Configuration Baseline (USGCB) - that reflect the most restrictive mode consistent with operational requirements;

-
-
-
- - - - - - - -
-

b.

-
-

Implements the configuration settings;

-
-
-
- - - - - - - -
-

c.

-
-

Identifies, documents, and approves any deviations from established configuration settings for - - cm-6_b - - organization-defined information system components - organization-defined information system components - based on - - cm-6_c - - organization-defined operational requirements - organization-defined operational requirements - ; and

-
-
-
- - - - - - - -
-

d.

-
-

Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

-
-
-
-
-
-

Supplemental guidance

-

Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. -Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. 
Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems.

- - - - - -
-
-

- CM-6 (1) AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION

-
-

- Parameter: - cm-6_d organization-defined information system components

-

- Value: organization-defined information system components

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for - - cm-6_d - - organization-defined information system components - organization-defined information system components - .

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information system components for which automated mechanisms are to be employed to:

-
- - - - - - - -
-

[a]

-
-

centrally manage configuration settings of such components;

-
-
-
- - - - - - - -
-

[b]

-
-

apply configuration settings of such components;

-
-
-
- - - - - - - -
-

[c]

-
-

verify configuration settings of such components;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms to:

-
- - - - - - - -
-

[a]

-
-

centrally manage configuration settings for organization-defined information system components;

-
-
-
- - - - - - - -
-

[b]

-
-

apply configuration settings for organization-defined information system components; and

-
-
-
- - - - - - - -
-

[c]

-
-

verify configuration settings for organization-defined information system components.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing configuration settings for the information system

-

- configuration management plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security configuration checklists

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for managing configuration settings

-

- automated mechanisms implemented to centrally manage, apply, and verify information system configuration settings

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CM-6 (2) RESPOND TO UNAUTHORIZED CHANGES

-
-

- Parameter: - cm-6_e organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-
-

- Parameter: - cm-6_f organization-defined configuration settings

-

- Value: organization-defined configuration settings

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs - - cm-6_e - - organization-defined security safeguards - organization-defined security safeguards - to respond to unauthorized changes to - - cm-6_f - - organization-defined configuration settings - organization-defined configuration settings - .

-
-
-
-

Supplemental guidance

-

Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected information system processing.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines configuration settings that, if modified by unauthorized changes, result in organizational security safeguards being employed to respond to such changes;

-
-
-
- - - - - - - -
-

[2]

-
-

defines security safeguards to be employed to respond to unauthorized changes to organization-defined configuration settings; and

-
-
-
- - - - - - - -
-

[3]

-
-

employs organization-defined security safeguards to respond to unauthorized changes to organization-defined configuration settings.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing configuration settings for the information system

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- alerts/notifications of unauthorized changes to information system configuration settings

-

- documented responses to unauthorized changes to information system configuration settings

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational process for responding to unauthorized changes to information system configuration settings

-

- automated mechanisms supporting and/or implementing security safeguards for response to unauthorized changes

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed;

-
-
-
- - - - - - - -
-

[2]

-
-

ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements;

-
-
-
- - - - - - - -
-

[3]

-
-

establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

implements the configuration settings established/documented in CM-6(a);;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines information system components for which any deviations from established configuration settings must be:

-
- - - - - - - -
-

[a]

-
-

identified;

-
-
-
- - - - - - - -
-

[b]

-
-

documented;

-
-
-
- - - - - - - -
-

[c]

-
-

approved;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines operational requirements to support:

-
- - - - - - - -
-

[a]

-
-

the identification of any deviations from established configuration settings;

-
-
-
- - - - - - - -
-

[b]

-
-

the documentation of any deviations from established configuration settings;

-
-
-
- - - - - - - -
-

[c]

-
-

the approval of any deviations from established configuration settings;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

identifies any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

-
-
-
- - - - - - - -
-

[4]

-
-

documents any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

-
-
-
- - - - - - - -
-

[5]

-
-

approves any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

monitors changes to the configuration settings in accordance with organizational policies and procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

controls changes to the configuration settings in accordance with organizational policies and procedures.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing configuration settings for the information system

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security configuration checklists

-

- evidence supporting approved deviations from established configuration settings

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing configuration settings

-

- automated mechanisms that implement, monitor, and/or control information system configuration settings

-

- automated mechanisms that identify and/or document deviations from established configuration settings

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CM-6 (a)-1 Requirement 1: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. CM-6 (a)-2 Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available). CM-6 (a) Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc

-
-
-

References

-
-

OMB Memorandum 07-11

-
-
-

OMB Memorandum 07-18

-
-
-

OMB Memorandum 08-22

-
-
-

NIST Special Publication 800-70

-
-
-

NIST Special Publication 800-128

-
-
-

http://nvd.nist.gov

-
-
-

http://checklists.nist.gov

-
-
-

http://www.nsa.gov

-
-
-
-
-

- CM-7 LEAST FUNCTIONALITY

-
-

- Parameter: - cm-7_a organization-defined prohibited or restricted functions, ports, protocols, and/or services

-

- Value: [United States Government Configuration Baseline (USGCB)]

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Configures the information system to provide only essential capabilities; and

-
-
-
- - - - - - - -
-

b.

-
-

Prohibits or restricts the use of the following functions, ports, protocols, and/or services: - - cm-7_a - - organization-defined prohibited or restricted functions, ports, protocols, and/or services - [United States Government Configuration Baseline (USGCB)] - .

-
-
-
-
-
-

Supplemental guidance

-

Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

- - - - - -
-
-

- CM-7 (1) PERIODIC REVIEW

-
-

- Parameter: - cm-7_b organization-defined frequency

-

- Value: at least monthly

-
-
-

- Parameter: - cm-7_c organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure

-

- Value: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Reviews the information system - - cm-7_b - - organization-defined frequency - at least monthly - to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and

-
-
-
- - - - - - - -
-

(b)

-
-

Disables - - cm-7_c - - organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure - organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure - .

-
-
-
-
-
-

Supplemental guidance

-

The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the information system to identify unnecessary and/or nonsecure:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

reviews the information system with the organization-defined frequency to identify unnecessary and/or nonsecure:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines, within the information system, unnecessary and/or nonsecure:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

disables organization-defined unnecessary and/or nonsecure:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing least functionality in the information system

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security configuration checklists

-

- documented reviews of functions, ports, protocols, and/or services

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the information system

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for reviewing/disabling nonsecure functions, ports, protocols, and/or services

-

- automated mechanisms implementing review and disabling of nonsecure functions, ports, protocols, and/or services

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CM-7 (2) PREVENT PROGRAM EXECUTION

-
-

- Parameter: - cm-7_d organization-defined policies regarding software program usage and restrictions

-

- Value: organization-defined policies regarding software program usage and restrictions

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system prevents program execution in accordance with [Selection (one or more): - - cm-7_d - - organization-defined policies regarding software program usage and restrictions - organization-defined policies regarding software program usage and restrictions - ; rules authorizing the terms and conditions of software program usage].

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines policies regarding software program usage and restrictions;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system prevents program execution in accordance with one or more of the following:

-
- - - - - - - -
-

[a]

-
-

organization-defined policies regarding program usage and restrictions; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

rules authorizing the terms and conditions of software program usage.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing least functionality in the information system

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- specifications for preventing software program execution

-

- information system configuration settings and associated documentation

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes preventing program execution on the information system

-

- organizational processes for software program usage and restrictions

-

- automated mechanisms preventing program execution on the information system

-

- automated mechanisms supporting and/or implementing software program usage and restrictions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CM-7 (2) Guidance: This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.

-
-

References: None -

-
-
-

- CM-7 (5) AUTHORIZED SOFTWARE / WHITELISTING

-
-

- Parameter: - cm-7_h organization-defined software programs authorized to execute on the information system

-

- Value: organization-defined software programs authorized to execute on the information system

-
-
-

- Parameter: - cm-7_i organization-defined frequency

-

- Value: at least quarterly or when there is a change

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Identifies - - cm-7_h - - organization-defined software programs authorized to execute on the information system - organization-defined software programs authorized to execute on the information system - ;

-
-
-
- - - - - - - -
-

(b)

-
-

Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and

-
-
-
- - - - - - - -
-

(c)

-
-

Reviews and updates the list of authorized software programs - - cm-7_i - - organization-defined frequency - at least quarterly or when there is a change - .

-
-
-
-
-
-

Supplemental guidance

-

The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

Identifies/defines software programs authorized to execute on the information system;

-
-
-
- - - - - - - -
-

(b)

-
-

employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the list of authorized software programs on the information system; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the list of authorized software programs with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing least functionality in the information system

-

- configuration management plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of software programs authorized to execute on the information system

-

- security configuration checklists

-

- review and update records associated with list of authorized software programs

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for identifying software authorized to execute on the information system

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational process for identifying, reviewing, and updating programs authorized to execute on the information system

-

- organizational process for implementing whitelisting

-

- automated mechanisms implementing whitelisting

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

configures the information system to provide only essential capabilities;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines prohibited or restricted:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

prohibits or restricts the use of organization-defined:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- configuration management plan

-

- procedures addressing least functionality in the information system

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security configuration checklists

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes prohibiting or restricting functions, ports, protocols, and/or services

-

- automated mechanisms implementing restrictions or prohibition of functions, ports, protocols, and/or services

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CM-7 (b) Requirement: The service provider shall use the Center for Internet - Security guidelines (Level 1) to establish list of prohibited or restricted - functions, ports, protocols, and/or services or establishes its own list of - prohibited or restricted functions, ports, protocols, and/or services if USGCB is - not available.

-

CM-7 Guidance: Information on the USGCB checklists can be found at: - http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc. (Partially derived from - AC-17(8).

-
-
-

References

-
-

DoD Instruction 8551.01

-
-
-
-
-

- CM-8 INFORMATION SYSTEM COMPONENT INVENTORY

-
-

- Parameter: - cm-8_a organization-defined information deemed necessary to achieve effective information system component accountability

-

- Value: organization-defined information deemed necessary to achieve effective information system component accountability

-
-
-

- Parameter: - cm-8_b organization-defined frequency

-

- Value: at least monthly

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops and documents an inventory of information system components that:

-
- - - - - - - -
-

1.

-
-

Accurately reflects the current information system;

-
-
-
- - - - - - - -
-

2.

-
-

Includes all components within the authorization boundary of the information system;

-
-
-
- - - - - - - -
-

3.

-
-

Is at the level of granularity deemed necessary for tracking and reporting; and

-
-
-
- - - - - - - -
-

4.

-
-

Includes - - cm-8_a - - organization-defined information deemed necessary to achieve effective information system component accountability - organization-defined information deemed necessary to achieve effective information system component accountability - ; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the information system component inventory - - cm-8_b - - organization-defined frequency - at least monthly - .

-
-
-
-
-
-

Supplemental guidance

-

Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location.

- - - -
-
-

- CM-8 (1) UPDATES DURING INSTALLATIONS / REMOVALS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

-
-
-
-

Objectives

- - - - - - -
- -

Determine if the organization updates the inventory of information system components as an integral part of:

-
- - - - - - - -
-

[1]

-
-

component installations;

-
-
-
- - - - - - - -
-

[2]

-
-

component removals; and

-
-
-
- - - - - - - -
-

[3]

-
-

information system updates.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system component inventory

-

- configuration management plan

-

- security plan

-

- information system inventory records

-

- inventory reviews and update records

-

- component installation records

-

- component removal records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for updating the information system component inventory

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for updating inventory of information system components

-

- automated mechanisms implementing updating of the information system component inventory

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CM-8 (2) AUTOMATED MAINTENANCE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

-
-
-
-

Supplemental guidance

-

Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization employs automated mechanisms to maintain an inventory of information system components that is:

-
- - - - - - - -
-

[1]

-
-

up-to-date;

-
-
-
- - - - - - - -
-

[2]

-
-

complete;

-
-
-
- - - - - - - -
-

[3]

-
-

accurate; and

-
-
-
- - - - - - - -
-

[4]

-
-

readily available.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- configuration management plan

-

- procedures addressing information system component inventory

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system inventory records

-

- change control records

-

- information system maintenance records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing the automated mechanisms implementing the information system component inventory

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for maintaining the inventory of information system components

-

- automated mechanisms implementing the information system component inventory

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- CM-8 (3) AUTOMATED UNAUTHORIZED COMPONENT DETECTION

-
-

- Parameter: - cm-8_c organization-defined frequency

-

- Value: Continuously, using automated mechanisms with a maximum five-minute delay in - detection.

-
-
-

- Parameter: - cm-8_d organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Employs automated mechanisms - - cm-8_c - - organization-defined frequency - Continuously, using automated mechanisms with a maximum five-minute delay in - detection. - to detect the presence of unauthorized hardware, software, and firmware components within the information system; and

-
-
-
- - - - - - - -
-

(b)

-
-

Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies - - cm-8_d - - organization-defined personnel or roles - organization-defined personnel or roles - ].

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing.

- - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to employ automated mechanisms to detect the presence of unauthorized:

-
- - - - - - - -
-

[a]

-
-

hardware components within the information system;

-
-
-
- - - - - - - -
-

[b]

-
-

software components within the information system;

-
-
-
- - - - - - - -
-

[c]

-
-

firmware components within the information system;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms with the organization-defined frequency to detect the presence of unauthorized:

-
- - - - - - - -
-

[a]

-
-

hardware components within the information system;

-
-
-
- - - - - - - -
-

[b]

-
-

software components within the information system;

-
-
-
- - - - - - - -
-

[c]

-
-

firmware components within the information system;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified when unauthorized components are detected;

-
-
-
- - - - - - - -
-

[2]

-
-

takes one or more of the following actions when unauthorized components are detected:

-
- - - - - - - -
-

[a]

-
-

disables network access by such components;

-
-
-
- - - - - - - -
-

[b]

-
-

isolates the components; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

notifies organization-defined personnel or roles.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system component inventory

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system inventory records

-

- alerts/notifications of unauthorized components within the information system

-

- information system monitoring records

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized information system component detection

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for detection of unauthorized information system components

-

- automated mechanisms implementing the detection of unauthorized information system components

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CM-8 (4) ACCOUNTABILITY INFORMATION

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.

-
-
-
-

Supplemental guidance

-

Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and organizations can contact those individuals if some action is required (e.g., component is determined to be the source of a breach/compromise, component needs to be recalled/replaced, or component needs to be relocated).

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization includes in the information system component inventory for information system components, a means for identifying the individuals responsible and accountable for administering those components by one or more of the following:

-
- - - - - - - -
-

[1]

-
-

name;

-
-
-
- - - - - - - -
-

[2]

-
-

position; and/or

-
-
-
- - - - - - - -
-

[3]

-
-

role.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system component inventory

-

- configuration management plan

-

- security plan

-

- information system inventory records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing the information system component inventory

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for maintaining the inventory of information system components

-

- automated mechanisms implementing the information system component inventory

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- CM-8 (5) NO DUPLICATE ACCOUNTING OF COMPONENTS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.

-
-
-
-

Supplemental guidance

-

This control enhancement addresses the potential problem of duplicate accounting of information system components in large or complex interconnected systems.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories.

-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system component inventory

-

- configuration management plan

-

- security plan

-

- information system inventory records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system inventory responsibilities

-

- organizational personnel with responsibilities for defining information system components within the authorization boundary of the system

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for maintaining the inventory of information system components

-

- automated mechanisms implementing the information system component inventory

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

(1)

-
-

develops and documents an inventory of information system components that accurately reflects the current information system;

-
-
-
- - - - - - - -
-

(2)

-
-

develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system;

-
-
-
- - - - - - - -
-

(3)

-
-

develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting;

-
-
-
- - - - - - - -
-

(4)

-
-
- - - - - - - -
-

[1]

-
-

defines the information deemed necessary to achieve effective information system component accountability;

-
-
-
- - - - - - - -
-

[2]

-
-

develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the information system component inventory; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the information system component inventory with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system component inventory

-

- configuration management plan

-

- security plan

-

- information system inventory records

-

- inventory reviews and update records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for information system component inventory

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for developing and documenting an inventory of information system components

-

- automated mechanisms supporting and/or implementing the information system component inventory

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CM-8 Requirement: must be provided at least monthly or when there is a change.

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-9 CONFIGURATION MANAGEMENT PLAN

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization develops, documents, and implements a configuration management plan for the information system that:

-
- - - - - - - -
-

a.

-
-

Addresses roles, responsibilities, and configuration management processes and procedures;

-
-
-
- - - - - - - -
-

b.

-
-

Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;

-
-
-
- - - - - - - -
-

c.

-
-

Defines the configuration items for the information system and places the configuration items under configuration management; and

-
-
-
- - - - - - - -
-

d.

-
-

Protects the configuration management plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Supplemental guidance

-

Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization develops, documents, and implements a configuration management plan for the information system that:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

addresses roles;

-
-
-
- - - - - - - -
-

[2]

-
-

addresses responsibilities;

-
-
-
- - - - - - - -
-

[3]

-
-

addresses configuration management processes and procedures;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

establishes a process for:

-
- - - - - - - -
-

[1]

-
-

identifying configuration items throughout the SDLC;

-
-
-
- - - - - - - -
-

[2]

-
-

managing the configuration of the configuration items;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the configuration items for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

places the configuration items under configuration management;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

protects the configuration management plan from unauthorized:

-
- - - - - - - -
-

[1]

-
-

disclosure; and

-
-
-
- - - - - - - -
-

[2]

-
-

modification.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing configuration management planning

-

- configuration management plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for developing the configuration management plan

-

- organizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan

-

- organizational personnel with responsibilities for protecting the configuration management plan

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for developing and documenting the configuration management plan

-

- organizational processes for identifying and managing configuration items

-

- organizational processes for protecting the configuration management plan

-

- automated mechanisms implementing the configuration management plan

-

- automated mechanisms for managing configuration items

-

- automated mechanisms for protecting the configuration management plan

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-10 SOFTWARE USAGE RESTRICTIONS

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Uses software and associated documentation in accordance with contract agreements and copyright laws;

-
-
-
- - - - - - - -
-

b.

-
-

Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

-
-
-
- - - - - - - -
-

c.

-
-

Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

-
-
-
-
-
-

Supplemental guidance

-

Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

uses software and associated documentation in accordance with contract agreements and copyright laws;

-
-
-
- - - - - - - -
-

(b)

-
-

tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

-
-
-
- - - - - - - -
-

(c)

-
-

controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing software usage restrictions

-

- configuration management plan

-

- security plan

-

- software contract agreements and copyright laws

-

- site license documentation

-

- list of software usage restrictions

-

- software license tracking reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- organizational personnel operating, using, and/or maintaining the information system

-

- organizational personnel with software license management responsibilities

-
-
-

Assessment: TEST

-

- Organizational process for tracking the use of software protected by quantity licenses

-

- organizational process for controlling/documenting the use of peer-to-peer file sharing technology

-

- automated mechanisms implementing software license tracking

-

- automated mechanisms implementing and controlling the use of peer-to-peer file sharing technology

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CM-11 USER-INSTALLED SOFTWARE

-
-

- Parameter: - cm-11_a organization-defined policies

-

- Value: organization-defined policies

-
-
-

- Parameter: - cm-11_b organization-defined methods

-

- Value: organization-defined methods

-
-
-

- Parameter: - cm-11_c organization-defined frequency

-

- Value: Continuously (via CM-7 (5))

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes - - cm-11_a - - organization-defined policies - organization-defined policies - governing the installation of software by users;

-
-
-
- - - - - - - -
-

b.

-
-

Enforces software installation policies through - - cm-11_b - - organization-defined methods - organization-defined methods - ; and

-
-
-
- - - - - - - -
-

c.

-
-

Monitors policy compliance at - - cm-11_c - - organization-defined frequency - Continuously (via CM-7 (5)) - .

-
-
-
-
-
-

Supplemental guidance

-

If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved "app stores." Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines policies to govern the installation of software by users;

-
-
-
- - - - - - - -
-

[2]

-
-

establishes organization-defined policies governing the installation of software by users;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines methods to enforce software installation policies;

-
-
-
- - - - - - - -
-

[2]

-
-

enforces software installation policies through organization-defined methods;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines frequency to monitor policy compliance; and

-
-
-
- - - - - - - -
-

[2]

-
-

monitors policy compliance at organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing user installed software

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of rules governing user installed software

-

- information system monitoring records

-

- information system audit records

-

- other relevant documents or records

-

- continuous monitoring strategy

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for governing user-installed software

-

- organizational personnel operating, using, and/or maintaining the information system

-

- organizational personnel monitoring compliance with user-installed software policy

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes governing user-installed software on the information system

-

- automated mechanisms enforcing rules/methods for governing the installation of software by users

-

- automated mechanisms monitoring policy compliance

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-
-

CONTINGENCY PLANNING

-
-

- CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES

-
-

- Parameter: - cp-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - cp-1_b organization-defined frequency

-

- Value: at least annually

-
-
-

- Parameter: - cp-1_c organization-defined frequency

-

- Value: at least annually or whenever a significant change occurs

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - cp-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Contingency planning policy - - cp-1_b - - organization-defined frequency - at least annually - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Contingency planning procedures - - cp-1_c - - organization-defined frequency - at least annually or whenever a significant change occurs - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

the organization develops and documents a contingency planning policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines personnel or roles to whom the contingency planning policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization disseminates the contingency planning policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

the organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the frequency to review and update the current contingency planning policy;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization reviews and updates the current contingency planning policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the frequency to review and update the current contingency planning procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

the organization reviews and updates the current contingency planning procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-34

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- CP-2 CONTINGENCY PLAN

-
-

- Parameter: - cp-2_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - cp-2_b organization-defined key contingency personnel (identified by name and/or by role) and organizational elements

-

- Value: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements

-
-
-

- Parameter: - cp-2_c organization-defined frequency

-

- Value: at least annually

-
-
-

- Parameter: - cp-2_d organization-defined key contingency personnel (identified by name and/or by role) and organizational elements

-

- Value: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops a contingency plan for the information system that:

-
- - - - - - - -
-

1.

-
-

Identifies essential missions and business functions and associated contingency requirements;

-
-
-
- - - - - - - -
-

2.

-
-

Provides recovery objectives, restoration priorities, and metrics;

-
-
-
- - - - - - - -
-

3.

-
-

Addresses contingency roles, responsibilities, assigned individuals with contact information;

-
-
-
- - - - - - - -
-

4.

-
-

Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;

-
-
-
- - - - - - - -
-

5.

-
-

Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and

-
-
-
- - - - - - - -
-

6.

-
-

Is reviewed and approved by - - cp-2_a - - organization-defined personnel or roles - organization-defined personnel or roles - ;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Distributes copies of the contingency plan to - - cp-2_b - - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - ;

-
-
-
- - - - - - - -
-

c.

-
-

Coordinates contingency planning activities with incident handling activities;

-
-
-
- - - - - - - -
-

d.

-
-

Reviews the contingency plan for the information system - - cp-2_c - - organization-defined frequency - at least annually - ;

-
-
-
- - - - - - - -
-

e.

-
-

Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

-
-
-
- - - - - - - -
-

f.

-
-

Communicates contingency plan changes to - - cp-2_d - - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - ; and

-
-
-
- - - - - - - -
-

g.

-
-

Protects the contingency plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Supplemental guidance

-

Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident.

- - - - - - - - - - - - - -
-
-

- CP-2 (1) COORDINATE WITH RELATED PLANS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization coordinates contingency plan development with organizational elements responsible for related plans.

-
-
-
-

Supplemental guidance

-

Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant Emergency Plans.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization coordinates contingency plan development with organizational elements responsible for related plans.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- business contingency plans

-

- disaster recovery plans

-

- continuity of operations plans

-

- crisis communications plans

-

- critical infrastructure plans

-

- cyber incident response plan

-

- insider threat implementation plans

-

- occupant emergency plans

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-

- personnel with responsibility for related plans

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CP-2 (2) CAPACITY PLANNING

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

-
-
-
-

Supplemental guidance

-

Capacity planning is needed because different types of threats (e.g., natural disasters, targeted cyber attacks) can result in a reduction of the available processing, telecommunications, and support services originally intended to support the organizational missions/business functions. Organizations may need to anticipate degraded operations during contingency operations and factor such degradation into capacity planning.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization conducts capacity planning so that necessary capacity exists during contingency operations for:

-
- - - - - - - -
-

[1]

-
-

information processing;

-
-
-
- - - - - - - -
-

[2]

-
-

telecommunications; and

-
-
-
- - - - - - - -
-

[3]

-
-

environmental support.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- capacity planning documents

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CP-2 (3) RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS

-
-

- Parameter: - cp-2_e organization-defined time period

-

- Value: organization-defined time period

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization plans for the resumption of essential missions and business functions within - - cp-2_e - - organization-defined time period - organization-defined time period - of contingency plan activation.

-
-
-
-

Supplemental guidance

-

Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the time period to plan for the resumption of essential missions and business functions as a result of contingency plan activation; and

-
-
-
- - - - - - - -
-

[2]

-
-

plans for the resumption of essential missions and business functions within organization-defined time period of contingency plan activation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- security plan

-

- business impact assessment

-

- other related plans

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for resumption of missions and business functions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CP-2 (4) RESUME ALL MISSIONS / BUSINESS FUNCTIONS

-
-

- Parameter: - cp-2_f organization-defined time period

-

- Value: time period defined in service provider and organization SLA

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization plans for the resumption of all missions and business functions within - - cp-2_f - - organization-defined time period - time period defined in service provider and organization SLA - of contingency plan activation.

-
-
-
-

Supplemental guidance

-

Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the time period to plan for the resumption of all missions and business functions as a result of contingency plan activation; and

-
-
-
- - - - - - - -
-

[2]

-
-

plans for the resumption of all missions and business functions within organization-defined time period of contingency plan activation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- security plan

-

- business impact assessment

-

- other related plans

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for resumption of missions and business functions

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- CP-2 (5) CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNCTIONS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.

-
-
-
-

Supplemental guidance

-

Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites).

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

plans for the continuance of essential missions and business functions with little or no loss of operational continuity; and

-
-
-
- - - - - - - -
-

[2]

-
-

sustains that operational continuity until full information system restoration at primary processing and/or storage sites.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- business impact assessment

-

- primary processing site agreements

-

- primary storage site agreements

-

- alternate processing site agreements

-

- alternate storage site agreements

-

- contingency plan test documentation

-

- contingency plan test results

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for continuing missions and business functions

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- CP-2 (8) IDENTIFY CRITICAL ASSETS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies critical information system assets supporting essential missions and business functions.

-
-
-
-

Supplemental guidance

-

Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization identifies critical information system assets supporting essential missions and business functions.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- business impact assessment

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops and documents a contingency plan for the information system that:

-
- - - - - - - -
-

(1)

-
-

identifies essential missions and business functions and associated contingency requirements;

-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[1]

-
-

provides recovery objectives;

-
-
-
- - - - - - - -
-

[2]

-
-

provides restoration priorities;

-
-
-
- - - - - - - -
-

[3]

-
-

provides metrics;

-
-
-
-
-
- - - - - - - -
-

(3)

-
-
- - - - - - - -
-

[1]

-
-

addresses contingency roles;

-
-
-
- - - - - - - -
-

[2]

-
-

addresses contingency responsibilities;

-
-
-
- - - - - - - -
-

[3]

-
-

addresses assigned individuals with contact information;

-
-
-
-
-
- - - - - - - -
-

(4)

-
-

addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;

-
-
-
- - - - - - - -
-

(5)

-
-

addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented;

-
-
-
- - - - - - - -
-

(6)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to review and approve the contingency plan for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

is reviewed and approved by organization-defined personnel or roles;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines key contingency personnel (identified by name and/or by role) and organizational elements to whom copies of the contingency plan are to be distributed;

-
-
-
- - - - - - - -
-

[2]

-
-

distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

coordinates contingency planning activities with incident handling activities;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency to review the contingency plan for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the contingency plan with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

updates the contingency plan to address:

-
- - - - - - - -
-

[1]

-
-

changes to the organization, information system, or environment of operation;

-
-
-
- - - - - - - -
-

[2]

-
-

problems encountered during plan implementation, execution, and testing;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines key contingency personnel (identified by name and/or by role) and organizational elements to whom contingency plan changes are to be communicated;

-
-
-
- - - - - - - -
-

[2]

-
-

communicates contingency plan changes to organization-defined key contingency personnel and organizational elements; and

-
-
-
-
-
- - - - - - - -
-

(g)

-
-

protects the contingency plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- security plan

-

- evidence of contingency plan reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with incident handling responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency plan development, review, update, and protection

-

- automated mechanisms for developing, reviewing, updating and/or protecting the contingency plan

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CP-2 Requirement: For JAB authorizations the contingency lists include designated FedRAMP personnel.

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

NIST Special Publication 800-34

-
-
-
-
-

- CP-3 CONTINGENCY TRAINING

-
-

- Parameter: - cp-3_a organization-defined time period

-

- Value: ten (10) days

-
-
-

- Parameter: - cp-3_b organization-defined frequency

-

- Value: at least annually

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides contingency training to information system users consistent with assigned roles and responsibilities:

-
- - - - - - - -
-

a.

-
-

Within - - cp-3_a - - organization-defined time period - ten (10) days - of assuming a contingency role or responsibility;

-
-
-
- - - - - - - -
-

b.

-
-

When required by information system changes; and

-
-
-
- - - - - - - -
-

c.

-
-

- - - cp-3_b - - organization-defined frequency - at least annually - thereafter.

-
-
-
-
-
-

Supplemental guidance

-

Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan.

- - - - -
-
-

- CP-3 (1) SIMULATED EVENTS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency training

-

- contingency plan

-

- contingency training curriculum

-

- contingency training material

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning, plan implementation, and training responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency training

-

- automated mechanisms for simulating contingency events

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period within which contingency training is to be provided to information system users assuming a contingency role or responsibility;

-
-
-
- - - - - - - -
-

[2]

-
-

provides contingency training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming a contingency role or responsibility;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency for contingency training thereafter; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides contingency training to information system users consistent with assigned roles and responsibilities with the organization-defined frequency thereafter.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency training

-

- contingency plan

-

- contingency training curriculum

-

- contingency training material

-

- security plan

-

- contingency training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning, plan implementation, and training responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency training

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

NIST Special Publication 800-16

-
-
-

NIST Special Publication 800-50

-
-
-
-
-

- CP-4 CONTINGENCY PLAN TESTING

-
-

- Parameter: - cp-4_a organization-defined frequency

-

- Value: at least annually

-
-
-

- Parameter: - cp-4_b organization-defined tests

-

- Value: functional exercises

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Tests the contingency plan for the information system - - cp-4_a - - organization-defined frequency - at least annually - using - - cp-4_b - - organization-defined tests - functional exercises - to determine the effectiveness of the plan and the organizational readiness to execute the plan;

-
-
-
- - - - - - - -
-

b.

-
-

Reviews the contingency plan test results; and

-
-
-
- - - - - - - -
-

c.

-
-

Initiates corrective actions, if needed.

-
-
-
-
-
-

Supplemental guidance

-

Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

- - - -
-
-

- CP-4 (1) COORDINATE WITH RELATED PLANS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization coordinates contingency plan testing with organizational elements responsible for related plans.

-
-
-
-

Supplemental guidance

-

Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization coordinates contingency plan testing with organizational elements responsible for related plans.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- incident response policy

-

- procedures addressing contingency plan testing

-

- contingency plan testing documentation

-

- contingency plan

-

- business continuity plans

-

- disaster recovery plans

-

- continuity of operations plans

-

- crisis communications plans

-

- critical infrastructure plans

-

- cyber incident response plans

-

- occupant emergency plans

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan testing responsibilities

-

- organizational personnel

-

- personnel with responsibilities for related plans

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CP-4 (2) ALTERNATE PROCESSING SITE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tests the contingency plan at the alternate processing site:

-
- - - - - - - -
-

(a)

-
-

To familiarize contingency personnel with the facility and available resources; and

-
-
-
- - - - - - - -
-

(b)

-
-

To evaluate the capabilities of the alternate processing site to support contingency operations.

-
-
-
-
-
-

Supplemental guidance

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization tests the contingency plan at the alternate processing site to:

-
- - - - - - - -
-

(a)

-
-

familiarize contingency personnel with the facility and available resources; and

-
-
-
- - - - - - - -
-

(b)

-
-

evaluate the capabilities of the alternate processing site to support contingency operations.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency plan testing

-

- contingency plan

-

- contingency plan test documentation

-

- contingency plan test results

-

- alternate processing site agreements

-

- service-level agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency plan testing

-

- automated mechanisms supporting the contingency plan and/or contingency plan testing

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines tests to determine the effectiveness of the contingency plan and the organizational readiness to execute the plan;

-
-
-
- - - - - - - -
-

[2]

-
-

defines a frequency to test the contingency plan for the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

tests the contingency plan for the information system with the organization-defined frequency, using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

reviews the contingency plan test results; and

-
-
-
- - - - - - - -
-

(c)

-
-

initiates corrective actions, if needed.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency plan testing

-

- contingency plan

-

- security plan

-

- contingency plan test documentation

-

- contingency plan test results

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for contingency plan testing, reviewing or responding to contingency plan tests

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency plan testing

-

- automated mechanisms supporting the contingency plan and/or contingency plan testing

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CP-4 (a) Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-34

-
-
-

NIST Special Publication 800-84

-
-
-
-
-

- CP-6 ALTERNATE STORAGE SITE

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and

-
-
-
- - - - - - - -
-

b.

-
-

Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.

-
-
-
-
-
-

Supplemental guidance

-

Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems.

- - - - - -
-
-

- CP-6 (1) SEPARATION FROM PRIMARY SITE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

-
-
-
-

Supplemental guidance

-

Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate storage sites

-

- contingency plan

-

- alternate storage site

-

- alternate storage site agreements

-

- primary storage site agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate storage site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CP-6 (2) RECOVERY TIME / POINT OBJECTIVES

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time objectives and recovery point objectives (as specified in the information system contingency plan).

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate storage sites

-

- contingency plan

-

- alternate storage site

-

- alternate storage site agreements

-

- alternate storage site configurations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan testing responsibilities

-

- organizational personnel with responsibilities for testing related plans

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency plan testing

-

- automated mechanisms supporting recovery time/point objectives

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- CP-6 (3) ACCESSIBILITY

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

-
-
-
-

Supplemental guidance

-

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include, for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster; and

-
-
-
- - - - - - - -
-

[2]

-
-

outlines explicit mitigation actions for such potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate storage sites

-

- contingency plan

-

- alternate storage site

-

- list of potential accessibility problems to alternate storage site

-

- mitigation actions for accessibility problems to alternate storage site

-

- organizational risk assessments

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate storage site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and

-
-
-
- - - - - - - -
-

[2]

-
-

ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate storage sites

-

- contingency plan

-

- alternate storage site agreements

-

- primary storage site agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate storage site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for storing and retrieving information system backup information at the alternate storage site

-

- automated mechanisms supporting and/or implementing storage and retrieval of information system backup information at the alternate storage site

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-34

-
-
-
-
-

- CP-7 ALTERNATE PROCESSING SITE

-
-

- Parameter: - cp-7_a organization-defined information system operations

-

- Value: organization-defined information system operations

-
-
-

- Parameter: - cp-7_b organization-defined time period consistent with recovery time and recovery point objectives

-

- Value: organization-defined time period consistent with recovery time and recovery point objectives

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of - - cp-7_a - - organization-defined information system operations - organization-defined information system operations - for essential missions/business functions within - - cp-7_b - - organization-defined time period consistent with recovery time and recovery point objectives - organization-defined time period consistent with recovery time and recovery point objectives - when the primary processing capabilities are unavailable;

-
-
-
- - - - - - - -
-

b.

-
-

Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and

-
-
-
- - - - - - - -
-

c.

-
-

Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.

-
-
-
-
-
-

Supplemental guidance

-

Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems.

- - - - - - -
-
-

- CP-7 (1) SEPARATION FROM PRIMARY SITE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.

-
-
-
-

Supplemental guidance

-

Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization identifies an alternate processing site that is separated from the primary storage site to reduce susceptibility to the same threats.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate processing sites

-

- contingency plan

-

- alternate processing site

-

- alternate processing site agreements

-

- primary processing site agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate processing site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CP-7 (1) Guidance: The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

-
-

References: None -

-
-
-

- CP-7 (2) ACCESSIBILITY

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

-
-
-
-

Supplemental guidance

-

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster; and

-
-
-
- - - - - - - -
-

[2]

-
-

outlines explicit mitigation actions for such potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate processing sites

-

- contingency plan

-

- alternate processing site

-

- alternate processing site agreements

-

- primary processing site agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate processing site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CP-7 (3) PRIORITY OF SERVICE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

-
-
-
-

Supplemental guidance

-

Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan).

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate processing sites

-

- contingency plan

-

- alternate processing site agreements

-

- service-level agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate processing site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibility for acquisitions/contractual agreements

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CP-7 (4) PREPARATION FOR USE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.

-
-
-
-

Supplemental guidance

-

Site preparation includes, for example, establishing configuration settings for information system components at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and other logistical considerations are in place.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate processing sites

-

- contingency plan

-

- alternate processing site

-

- alternate processing site agreements

-

- alternate processing site configurations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate processing site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing recovery at the alternate processing site

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information system operations requiring an alternate processing site to be established to permit the transfer and resumption of such operations;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period consistent with recovery time objectives and recovery point objectives (as specified in the information system contingency plan) for transfer/resumption of organization-defined information system operations for essential missions/business functions;

-
-
-
- - - - - - - -
-

[3]

-
-

establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions, within the organization-defined time period, when the primary processing capabilities are unavailable;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site; or

-
-
-
- - - - - - - -
-

[2]

-
-

ensures that contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate processing sites

-

- contingency plan

-

- alternate processing site agreements

-

- primary processing site agreements

-

- spare equipment and supplies inventory at alternate processing site

-

- equipment and supply contracts

-

- service-level agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for contingency planning and/or alternate site arrangements

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for recovery at the alternate site

-

- automated mechanisms supporting and/or implementing recovery at the alternate processing site

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CP-7 (a) Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

-
-
-

References

-
-

NIST Special Publication 800-34

-
-
-
-
-

- CP-8 TELECOMMUNICATIONS SERVICES

-
-

- Parameter: - cp-8_a organization-defined information system operations

-

- Value: organization-defined information system operations

-
-
-

- Parameter: - cp-8_b organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations (cp-8_a)] for essential missions and business functions within [Assignment: organization-defined time period (cp-8_b)] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

-
-
-
-

Supplemental guidance

-

This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.

- - - -
-
-

- CP-8 (1) PRIORITY OF SERVICE PROVISIONS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and

-
-
-
- - - - - - - -
-

(b)

-
-

Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

-
-
-
-
-
-

Supplemental guidance

-

Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan); and

-
-
-
- - - - - - - -
-

[2]

-
-

requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing primary and alternate telecommunications services

-

- contingency plan

-

- primary and alternate telecommunications service agreements

-

- Telecommunications Service Priority documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan telecommunications responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibility for acquisitions/contractual agreements

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting telecommunications

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CP-8 (2) SINGLE POINTS OF FAILURE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing primary and alternate telecommunications services

-

- contingency plan

-

- primary and alternate telecommunications service agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan telecommunications responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- primary and alternate telecommunications service providers

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CP-8 (3) SEPARATION OF PRIMARY / ALTERNATE PROVIDERS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

-
-
-
-

Supplemental guidance

-

Threats that affect telecommunications services are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber/physical attacks, and errors of omission/commission. Organizations seek to reduce common susceptibilities by, for example, minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing primary and alternate telecommunications services

-

- contingency plan

-

- primary and alternate telecommunications service agreements

-

- alternate telecommunications service provider site

-

- primary telecommunications service provider site

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan telecommunications responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- primary and alternate telecommunications service providers

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- CP-8 (4) PROVIDER CONTINGENCY PLAN

-
-

- Parameter: - cp-8_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Requires primary and alternate telecommunications service providers to have contingency plans;

-
-
-
- - - - - - - -
-

(b)

-
-

Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and

-
-
-
- - - - - - - -
-

(c)

-
-

Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency (cp-8_c)].

-
-
-
-
-
-

Supplemental guidance

-

Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

requires primary telecommunications service provider to have contingency plans;

-
-
-
- - - - - - - -
-

[2]

-
-

requires alternate telecommunications service provider(s) to have contingency plans;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

reviews provider contingency plans to ensure that the plans meet organizational contingency requirements;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to obtain evidence of contingency testing/training by providers; and

-
-
-
- - - - - - - -
-

[2]

-
-

obtains evidence of contingency testing/training by providers with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing primary and alternate telecommunications services

-

- contingency plan

-

- provider contingency plans

-

- evidence of contingency testing/training by providers

-

- primary and alternate telecommunications service agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning, plan implementation, and testing responsibilities

-

- primary and alternate telecommunications service providers

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibility for acquisitions/contractual agreements

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-
- parameters -

CP-8 (4) (c) [annually]

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information system operations requiring alternate telecommunications services to be established to permit the resumption of such operations;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period to permit resumption of organization-defined information system operations for essential missions and business functions; and

-
-
-
- - - - - - - -
-

[3]

-
-

establishes alternate telecommunications services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions and business functions, within the organization-defined time period, when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate telecommunications services

-

- contingency plan

-

- primary and alternate telecommunications service agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan telecommunications responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibility for acquisitions/contractual agreements

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting telecommunications

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

CP-8 Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

-
-
-

References

-
-

NIST Special Publication 800-34

-
-
-

National Communications Systems Directive 3-10

-
-
-

http://www.dhs.gov/telecommunications-service-priority-tsp

-
-
-
-
-

- CP-9 INFORMATION SYSTEM BACKUP

-
-

- Parameter: - cp-9_a organization-defined frequency consistent with recovery time and recovery point objectives

-

- Value: organization-defined frequency consistent with recovery time and recovery point objectives

-
-
-

- Parameter: - cp-9_b organization-defined frequency consistent with recovery time and recovery point objectives

-

- Value: organization-defined frequency consistent with recovery time and recovery point objectives

-
-
-

- Parameter: - cp-9_c organization-defined frequency consistent with recovery time and recovery point objectives

-

- Value: organization-defined frequency consistent with recovery time and recovery point objectives

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives (cp-9_a)];

-
-
-
- - - - - - - -
-

b.

-
-

Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives (cp-9_b)];

-
-
-
- - - - - - - -
-

c.

-
-

Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives (cp-9_c)]; and

-
-
-
- - - - - - - -
-

d.

-
-

Protects the confidentiality, integrity, and availability of backup information at storage locations.

-
-
-
-
-
-

Supplemental guidance

-

System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.

- - - - - -
-
-

- CP-9 (1) TESTING FOR RELIABILITY / INTEGRITY

-
-

- Parameter: - cp-9_d organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tests backup information [Assignment: organization-defined frequency (cp-9_d)] to verify media reliability and information integrity.

-
-
-
-

Supplemental guidance

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the frequency to test backup information to verify media reliability and information integrity; and

-
-
-
- - - - - - - -
-

[2]

-
-

tests backup information with the organization-defined frequency to verify media reliability and information integrity.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- information system backup test results

-

- contingency plan test documentation

-

- contingency plan test results

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system backup responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for conducting information system backups

-

- automated mechanisms supporting and/or implementing information system backups

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

CP-9 (1) [at least monthly]

-
-

References: None -

-
-
-

- CP-9 (2) TEST RESTORATION USING SAMPLING

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

-
-
-
-

Supplemental guidance

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- information system backup test results

-

- contingency plan test documentation

-

- contingency plan test results

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system backup responsibilities

-

- organizational personnel with contingency planning/contingency plan testing responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for conducting information system backups

-

- automated mechanisms supporting and/or implementing information system backups

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- CP-9 (3) SEPARATE STORAGE FOR CRITICAL INFORMATION

-
-

- Parameter: - cp-9_e organization-defined critical information system software and other security-related information

-

- Value: organization-defined critical information system software and other security-related information

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information (cp-9_e)] in a separate facility or in a fire-rated container that is not collocated with the operational system.

-
-
-
-

Supplemental guidance

-

Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines critical information system software and other security-related information requiring backup copies to be stored in a separate facility; or

-
-
-
- - - - - - - -
-

[b]

-
-

defines critical information system software and other security-related information requiring backup copies to be stored in a fire-rated container that is not collocated with the operational system; and

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

stores backup copies of organization-defined critical information system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- backup storage location(s)

-

- information system backup configurations and associated documentation

-

- information system backup logs or records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information system backup responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CP-9 (5) TRANSFER TO ALTERNATE STORAGE SITE

-
-

- Parameter: - cp-9_f organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives

-

- Value: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives (cp-9_f)].

-
-
-
-

Supplemental guidance

-

Information system backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a time period, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to transfer information system backup information to the alternate storage site;

-
-
-
- - - - - - - -
-

[2]

-
-

defines a transfer rate, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to transfer information system backup information to the alternate storage site; and

-
-
-
- - - - - - - -
-

[3]

-
-

transfers information system backup information to the alternate storage site with the organization-defined time period and transfer rate.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- information system backup logs or records

-

- evidence of system backup information transferred to alternate storage site

-

- alternate storage site agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system backup responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for transferring information system backups to the alternate storage site

-

- automated mechanisms supporting and/or implementing information system backups

-

- automated mechanisms supporting and/or implementing information transfer to the alternate storage site

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-
- parameters -

CP-9 (5) [time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA]

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

conducts backups of user-level information contained in the information system with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

conducts backups of system-level information contained in the information system with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation;

-
-
-
- - - - - - - -
-

[2]

-
-

conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

protects the confidentiality, integrity, and availability of backup information at storage locations.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- backup storage location(s)

-

- information system backup logs or records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system backup responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for conducting information system backups

-

- automated mechanisms supporting and/or implementing information system backups

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

CP-9 (a) [daily incremental; weekly full]
CP-9 (b) [daily incremental; weekly full]
CP-9 (c) [daily incremental; weekly full]

-
-
- additional -

CP-9 Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and the appropriate periodicity of the check.
CP-9 (a) Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.
CP-9 (b) Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.
CP-9 (c) Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

-
-
-

References

-
-

NIST Special Publication 800-34

-
-
-
-
-

- CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

-
-
-
-

Supplemental guidance

-

Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures.

- - - - - - - - -
-
-

- CP-10 (2) TRANSACTION RECOVERY

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements transaction recovery for systems that are transaction-based.

-
-
-
-

Supplemental guidance

-

Transaction-based information systems include, for example, database management systems and transaction processing systems. Mechanisms supporting transaction recovery include, for example, transaction rollback and transaction journaling.

-
-
-

Objective

- - - - - - -
- -

Determine if the information system implements transaction recovery for systems that are transaction-based.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system recovery and reconstitution

-

- contingency plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- contingency plan test documentation

-

- contingency plan test results

-

- information system transaction recovery records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for transaction recovery

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing transaction recovery capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- CP-10 (4) RESTORE WITHIN TIME PERIOD

-
-

- Parameter: - cp-10_a organization-defined restoration time-periods

-

- Value: organization-defined restoration time-periods

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides the capability to restore information system components within - - cp-10_a - - organization-defined restoration time-periods - organization-defined restoration time-periods - from configuration-controlled and integrity-protected information representing a known, operational state for the components.

-
-
-
-

Supplemental guidance

-

Restoration of information system components includes, for example, reimaging which restores components to known, operational states.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a time period to restore information system components from configuration-controlled and integrity-protected information representing a known, operational state for the components; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides the capability to restore information system components within the organization-defined time period from configuration-controlled and integrity-protected information representing a known, operational state for the components.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system recovery and reconstitution

-

- contingency plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- contingency plan test documentation

-

- contingency plan test results

-

- evidence of information system recovery and reconstitution operations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system recovery and reconstitution responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing recovery/reconstitution of information system information

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-
- parameters -

CP-10 (4) [time period consistent with the restoration time-periods defined in the service provider and organization SLA]

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization provides for:

-
- - - - - - - -
-

[1]

-
-

the recovery of the information system to a known state after:

-
- - - - - - - -
-

[a]

-
-

a disruption;

-
-
-
- - - - - - - -
-

[b]

-
-

a compromise; or

-
-
-
- - - - - - - -
-

[c]

-
-

a failure;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the reconstitution of the information system to a known state after:

-
- - - - - - - -
-

[a]

-
-

a disruption;

-
-
-
- - - - - - - -
-

[b]

-
-

a compromise; or

-
-
-
- - - - - - - -
-

[c]

-
-

a failure.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- information system backup test results

-

- contingency plan test results

-

- contingency plan test documentation

-

- redundant secondary system for information system backups

-

- location(s) of redundant secondary backup system(s)

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes implementing information system recovery and reconstitution operations

-

- automated mechanisms supporting and/or implementing information system recovery and reconstitution operations

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

NIST Special Publication 800-34

-
-
-
-
-
-

IDENTIFICATION AND AUTHENTICATION

-
-

- IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES

-
-

- Parameter: - ia-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ia-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ia-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ia-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Identification and authentication policy - - ia-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Identification and authentication procedures - - ia-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an identification and authentication policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the identification and authentication policy is to be disseminated; and

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the identification and authentication policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current identification and authentication policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current identification and authentication policy with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current identification and authentication procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current identification and authentication procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with identification and authentication responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

IA-1 (b) (1) [at least annually] IA-1 (b) (2) [at least annually or whenever a significant change occurs]

-
-
-

References

-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

-
-
-
-

Supplemental guidance

-

Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. -Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. 
Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.

- - - - - - - - -
-
-

- IA-2 (1) NETWORK ACCESS TO PRIVILEGED ACCOUNTS

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements multifactor authentication for network access to privileged accounts.

-
-
-
-

Supplemental guidance

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system implements multifactor authentication for network access to privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing multifactor authentication capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- IA-2 (2) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements multifactor authentication for network access to non-privileged accounts.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the information system implements multifactor authentication for network access to non-privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing multifactor authentication capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- IA-2 (3) LOCAL ACCESS TO PRIVILEGED ACCOUNTS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements multifactor authentication for local access to privileged accounts.

-
-
-
-

Supplemental guidance

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system implements multifactor authentication for local access to privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing multifactor authentication capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- IA-2 (4) LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements multifactor authentication for local access to non-privileged accounts.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the information system implements multifactor authentication for local access to non-privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing multifactor authentication capability

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- IA-2 (8) NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

-
-
-
-

Supplemental guidance

-

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.

-
-
-

Objective

- - - - - - -
- -

Determine if the information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of privileged information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms supporting and/or implementing replay resistant authentication mechanisms

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- IA-2 (9) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

-
-
-
-

Supplemental guidance

-

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by recording/replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.

-
-
-

Objective

- - - - - - -
- -

Determine if the information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of non-privileged information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms supporting and/or implementing replay resistant authentication mechanisms

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- IA-2 (11) REMOTE ACCESS - SEPARATE DEVICE

-
-

- Parameter: - ia-2_d organization-defined strength of mechanism requirements

-

- Value: organization-defined strength of mechanism requirements

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets - - ia-2_d - - organization-defined strength of mechanism requirements - organization-defined strength of mechanism requirements - .

-
-
-
-

Supplemental guidance

-

For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to privileged accounts;

-
-
-
- - - - - - - -
-

[4]

-
-

the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to non-privileged accounts;

-
-
-
- - - - - - - -
-

[5]

-
-

the information system implements multifactor authentication for remote access to privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements; and

-
-
-
- - - - - - - -
-

[6]

-
-

the information system implements multifactor authentication for remote access to non-privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of privileged and non-privileged information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

IA-2 (11) [FIPS 140-2, NIAP Certification, or NSA approval]

-
-
- additional -

IA-2 (11) Guidance: PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.

-
-

References: None -

-
-
-

- IA-2 (12) ACCEPTANCE OF PIV CREDENTIALS

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

-
-
-
-

Supplemental guidance

-

This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

[1]

-
-

accepts Personal Identity Verification (PIV) credentials; and

-
-
-
- - - - - - - -
-

[2]

-
-

electronically verifies Personal Identity Verification (PIV) credentials.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- PIV verification records

-

- evidence of PIV credentials

-

- PIV credential authorizations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing acceptance and verification of PIV credentials

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

IA-2 (12) Guidance: Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

-
-

References: None -

-
-
-

Objective

- - - - - - -
- -

Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- organizational personnel with account management responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for uniquely identifying and authenticating users

-

- automated mechanisms supporting and/or implementing identification and authentication capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

HSPD-12

-
-
-

OMB Memorandum 04-04

-
-
-

OMB Memorandum 06-16

-
-
-

OMB Memorandum 11-11

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

FICAM Roadmap and Implementation Guidance

-
-
-

http://idmanagement.gov

-
-
-
-
-

- IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION

-
-

- Parameter: - ia-3_a organization-defined specific and/or types of devices

-

- Value: organization-defined specific and/or types of devices

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system uniquely identifies and authenticates - - ia-3_a - - organization-defined specific and/or types of devices - organization-defined specific and/or types of devices - before establishing a [Selection (one or more): local; remote; network] connection.

-
-
-
-

Supplemental guidance

-

Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines specific and/or types of devices that the information system uniquely identifies and authenticates before establishing one or more of the following:

-
- - - - - - - -
-

[a]

-
-

a local connection;

-
-
-
- - - - - - - -
-

[b]

-
-

a remote connection; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

a network connection; and

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the information system uniquely identifies and authenticates organization-defined devices before establishing one or more of the following:

-
- - - - - - - -
-

[a]

-
-

a local connection;

-
-
-
- - - - - - - -
-

[b]

-
-

a remote connection; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

a network connection.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing device identification and authentication

-

- information system design documentation

-

- list of devices requiring unique identification and authentication

-

- device connection reports

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with operational responsibilities for device identification and authentication

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing device identification and authentication capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- IA-4 IDENTIFIER MANAGEMENT

-
-

- Parameter: - ia-4_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ia-4_b organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ia-4_c organization-defined time period of inactivity

-

- Value: organization-defined time period of inactivity

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization manages information system identifiers by:

-
- - - - - - - -
-

a.

-
-

Receiving authorization from - - ia-4_a - - organization-defined personnel or roles - organization-defined personnel or roles - to assign an individual, group, role, or device identifier;

-
-
-
- - - - - - - -
-

b.

-
-

Selecting an identifier that identifies an individual, group, role, or device;

-
-
-
- - - - - - - -
-

c.

-
-

Assigning the identifier to the intended individual, group, role, or device;

-
-
-
- - - - - - - -
-

d.

-
-

Preventing reuse of identifiers for - - ia-4_b - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

e.

-
-

Disabling the identifier after - - ia-4_c - - organization-defined time period of inactivity - organization-defined time period of inactivity - .

-
-
-
-
-
-

Supplemental guidance

-

Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization manages information system identifiers by:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defining personnel or roles from whom authorization must be received to assign:

-
- - - - - - - -
-

[a]

-
-

an individual identifier;

-
-
-
- - - - - - - -
-

[b]

-
-

a group identifier;

-
-
-
- - - - - - - -
-

[c]

-
-

a role identifier; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

a device identifier;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

receiving authorization from organization-defined personnel or roles to assign:

-
- - - - - - - -
-

[a]

-
-

an individual identifier;

-
-
-
- - - - - - - -
-

[b]

-
-

a group identifier;

-
-
-
- - - - - - - -
-

[c]

-
-

a role identifier; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

a device identifier;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

selecting an identifier that identifies:

-
- - - - - - - -
-

[1]

-
-

an individual;

-
-
-
- - - - - - - -
-

[2]

-
-

a group;

-
-
-
- - - - - - - -
-

[3]

-
-

a role; and/or

-
-
-
- - - - - - - -
-

[4]

-
-

a device;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

assigning the identifier to the intended:

-
- - - - - - - -
-

[1]

-
-

individual;

-
-
-
- - - - - - - -
-

[2]

-
-

group;

-
-
-
- - - - - - - -
-

[3]

-
-

role; and/or

-
-
-
- - - - - - - -
-

[4]

-
-

device;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defining a time period for preventing reuse of identifiers;

-
-
-
- - - - - - - -
-

[2]

-
-

preventing reuse of identifiers for the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defining a time period of inactivity to disable the identifier; and

-
-
-
- - - - - - - -
-

[2]

-
-

disabling the identifier after the organization-defined time period of inactivity.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing identifier management

-

- procedures addressing account management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of information system accounts

-

- list of identifiers generated from physical access control devices

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with identifier management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identifier management

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

IA-4(a) [at a minimum, the ISSO (or similar role within the organization)] IA-4 (d) [at least two (2) years] IA-4 (e) [thirty-five (35) days] (See additional requirements and guidance.)

-
-
- additional -

IA-4 (e) Requirement: The service provider defines the time period of inactivity for device identifiers. Guidance: For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.

-
-
-

References

-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-
-
-

- IA-5 AUTHENTICATOR MANAGEMENT

-
-

- Parameter: - ia-5_a organization-defined time period by authenticator type

-

- Value: organization-defined time period by authenticator type

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization manages information system authenticators by:

-
- - - - - - - -
-

a.

-
-

Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;

-
-
-
- - - - - - - -
-

b.

-
-

Establishing initial authenticator content for authenticators defined by the organization;

-
-
-
- - - - - - - -
-

c.

-
-

Ensuring that authenticators have sufficient strength of mechanism for their intended use;

-
-
-
- - - - - - - -
-

d.

-
-

Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;

-
-
-
- - - - - - - -
-

e.

-
-

Changing default content of authenticators prior to information system installation;

-
-
-
- - - - - - - -
-

f.

-
-

Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;

-
-
-
- - - - - - - -
-

g.

-
-

Changing/refreshing authenticators - - ia-5_a - - organization-defined time period by authenticator type - organization-defined time period by authenticator type - ;

-
-
-
- - - - - - - -
-

h.

-
-

Protecting authenticator content from unauthorized disclosure and modification;

-
-
-
- - - - - - - -
-

i.

-
-

Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and

-
-
-
- - - - - - - -
-

j.

-
-

Changing authenticators for group/role accounts when membership to those accounts changes.

-
-
-
-
-
-

Supplemental guidance

-

Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.

- - - - - - - - - - - - - - -
-
-

- IA-5 (1) PASSWORD-BASED AUTHENTICATION

-
-

- Parameter: - ia-5_b organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type

-

- Value: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type

-
-
-

- Parameter: - ia-5_c organization-defined number

-

- Value: organization-defined number

-
-
-

- Parameter: - ia-5_d organization-defined numbers for lifetime minimum, lifetime maximum

-

- Value: organization-defined numbers for lifetime minimum, lifetime maximum

-
-
-

- Parameter: - ia-5_e organization-defined number

-

- Value: organization-defined number

-
-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system, for password-based authentication:

-
- - - - - - - -
-

(a)

-
-

Enforces minimum password complexity of - - ia-5_b - - organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type - organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type - ;

-
-
-
- - - - - - - -
-

(b)

-
-

Enforces at least the following number of changed characters when new passwords are created: - - ia-5_c - - organization-defined number - organization-defined number - ;

-
-
-
- - - - - - - -
-

(c)

-
-

Stores and transmits only cryptographically-protected passwords;

-
-
-
- - - - - - - -
-

(d)

-
-

Enforces password minimum and maximum lifetime restrictions of - - ia-5_d - - organization-defined numbers for lifetime minimum, lifetime maximum - organization-defined numbers for lifetime minimum, lifetime maximum - ;

-
-
-
- - - - - - - -
-

(e)

-
-

Prohibits password reuse for - - ia-5_e - - organization-defined number - organization-defined number - generations; and

-
-
-
- - - - - - - -
-

(f)

-
-

Allows the use of a temporary password for system logons with an immediate change to a permanent password.

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.

- -
-
-

Objectives

- - - - - - -
- -

Determine if, for password-based authentication:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines requirements for case sensitivity;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines requirements for number of characters;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines requirements for the mix of upper-case letters, lower-case letters, numbers and special characters;

-
-
-
- - - - - - - -
-

[4]

-
-

the organization defines minimum requirements for each type of character;

-
-
-
- - - - - - - -
-

[5]

-
-

the information system enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines a minimum number of changed characters to be enforced when new passwords are created;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system enforces at least the organization-defined minimum number of characters that must be changed when new passwords are created;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

the information system stores and transmits only encrypted representations of passwords;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines numbers for password minimum lifetime restrictions to be enforced for passwords;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines numbers for password maximum lifetime restrictions to be enforced for passwords;

-
-
-
- - - - - - - -
-

[3]

-
-

the information system enforces password minimum lifetime restrictions of organization-defined numbers for lifetime minimum;

-
-
-
- - - - - - - -
-

[4]

-
-

the information system enforces password maximum lifetime restrictions of organization-defined numbers for lifetime maximum;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the number of password generations to be prohibited from password reuse;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system prohibits password reuse for the organization-defined number of generations; and

-
-
-
-
-
- - - - - - - -
-

(f)

-
-

the information system allows the use of a temporary password for system logons with an immediate change to a permanent password.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- password policy

-

- procedures addressing authenticator management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- password configurations and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with authenticator management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing password-based authenticator management capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

IA-5 (1) (a) [case sensitive, minimum of fourteen (14) characters, and at least one (1) each of upper-case letters, lower-case letters, numbers, and special characters] IA-5 (1) (b) [at least fifty percent (50%)] IA-5 (1) (d) [one (1) day minimum, sixty (60) day maximum] IA-5 (1) (e) [twenty four (24)]

-
-

References: None -

-
-
-

- IA-5 (2) PKI-BASED AUTHENTICATION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system, for PKI-based authentication:

-
- - - - - - - -
-

(a)

-
-

Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;

-
-
-
- - - - - - - -
-

(b)

-
-

Enforces authorized access to the corresponding private key;

-
-
-
- - - - - - - -
-

(c)

-
-

Maps the authenticated identity to the account of the individual or group; and

-
-
-
- - - - - - - -
-

(d)

-
-

Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

-
-
-
-
-
-

Supplemental guidance

-

Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the information system, for PKI-based authentication:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

validates certifications by constructing a certification path to an accepted trust anchor;

-
-
-
- - - - - - - -
-

[2]

-
-

validates certifications by verifying a certification path to an accepted trust anchor;

-
-
-
- - - - - - - -
-

[3]

-
-

includes checking certificate status information when constructing and verifying the certification path;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

enforces authorized access to the corresponding private key;

-
-
-
- - - - - - - -
-

(c)

-
-

maps the authenticated identity to the account of the individual or group; and

-
-
-
- - - - - - - -
-

(d)

-
-

implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- PKI certification validation records

-

- PKI certification revocation lists

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with PKI-based, authenticator management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing PKI-based, authenticator management capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- IA-5 (3) IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION

-
-

- Parameter: - ia-5_f organization-defined types of and/or specific authenticators

-

- Value: organization-defined types of and/or specific authenticators

-
-
-

- Parameter: - ia-5_g organization-defined registration authority

-

- Value: organization-defined registration authority

-
-
-

- Parameter: - ia-5_h organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires that the registration process to receive - - ia-5_f - - organization-defined types of and/or specific authenticators - organization-defined types of and/or specific authenticators - be conducted [Selection: in person; by a trusted third party] before - - ia-5_g - - organization-defined registration authority - organization-defined registration authority - with authorization by - - ia-5_h - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines types of and/or specific authenticators to be received in person or by a trusted third party;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the registration authority with oversight of the registration process for receipt of organization-defined types of and/or specific authenticators;

-
-
-
- - - - - - - -
-

[3]

-
-

defines personnel or roles responsible for authorizing organization-defined registration authority;

-
-
-
- - - - - - - -
-

[4]

-
-

defines if the registration process is to be conducted:

-
- - - - - - - -
-

[a]

-
-

in person; or

-
-
-
- - - - - - - -
-

[b]

-
-

by a trusted third party; and

-
-
-
-
-
- - - - - - - -
-

[5]

-
-

requires that the registration process to receive organization-defined types of and/or specific authenticators be conducted in person or by a trusted third party before organization-defined registration authority with authorization by organization-defined personnel or roles.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator management

-

- registration process for receiving information system authenticators

-

- list of authenticators requiring in-person registration

-

- list of authenticators requiring trusted third party registration

-

- authenticator registration documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with authenticator management responsibilities

-

- registration authority

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

IA-5 (3)-1 [All hardware/biometric (multifactor authenticators] IA-5 (3)-2 [in person]

-
-

References: None -

-
-
-

- IA-5 (11) HARDWARE TOKEN-BASED AUTHENTICATION

-
-

- Parameter: - ia-5_l organization-defined token quality requirements

-

- Value: organization-defined token quality requirements

-
-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system, for hardware token-based authentication, employs mechanisms that satisfy - - ia-5_l - - organization-defined token quality requirements - organization-defined token quality requirements - .

-
-
-
-

Supplemental guidance

-

Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI.

-
-
-

Objectives

- - - - - - -
- -

Determine if, for hardware token-based authentication:

-
- - - - - - - -
-

[1]

-
-

the organization defines token quality requirements to be satisfied; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system employs mechanisms that satisfy organization-defined token quality requirements.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator management

-

- security plan

-

- information system design documentation

-

- automated mechanisms employing hardware token-based authentication for the information system

-

- list of token quality requirements

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with authenticator management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing hardware token-based authenticator management capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization manages information system authenticators by:

-
- - - - - - - -
-

(a)

-
-

verifying, as part of the initial authenticator distribution, the identity of:

-
- - - - - - - -
-

[1]

-
-

the individual receiving the authenticator;

-
-
-
- - - - - - - -
-

[2]

-
-

the group receiving the authenticator;

-
-
-
- - - - - - - -
-

[3]

-
-

the role receiving the authenticator; and/or

-
-
-
- - - - - - - -
-

[4]

-
-

the device receiving the authenticator;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

establishing initial authenticator content for authenticators defined by the organization;

-
-
-
- - - - - - - -
-

(c)

-
-

ensuring that authenticators have sufficient strength of mechanism for their intended use;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

establishing and implementing administrative procedures for initial authenticator distribution;

-
-
-
- - - - - - - -
-

[2]

-
-

establishing and implementing administrative procedures for lost/compromised or damaged authenticators;

-
-
-
- - - - - - - -
-

[3]

-
-

establishing and implementing administrative procedures for revoking authenticators;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

changing default content of authenticators prior to information system installation;

-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

establishing minimum lifetime restrictions for authenticators;

-
-
-
- - - - - - - -
-

[2]

-
-

establishing maximum lifetime restrictions for authenticators;

-
-
-
- - - - - - - -
-

[3]

-
-

establishing reuse conditions for authenticators;

-
-
-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

defining a time period (by authenticator type) for changing/refreshing authenticators;

-
-
-
- - - - - - - -
-

[2]

-
-

changing/refreshing authenticators with the organization-defined time period by authenticator type;

-
-
-
-
-
- - - - - - - -
-

(h)

-
-

protecting authenticator content from unauthorized:

-
- - - - - - - -
-

[1]

-
-

disclosure;

-
-
-
- - - - - - - -
-

[2]

-
-

modification;

-
-
-
-
-
- - - - - - - -
-

(i)

-
-
- - - - - - - -
-

[1]

-
-

requiring individuals to take specific security safeguards to protect authenticators;

-
-
-
- - - - - - - -
-

[2]

-
-

having devices implement specific security safeguards to protect authenticators; and

-
-
-
-
-
- - - - - - - -
-

(j)

-
-

changing authenticators for group/role accounts when membership to those accounts changes.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator management

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of information system authenticator types

-

- change control records associated with managing information system authenticators

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with authenticator management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing authenticator management capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

IA-5 (g) [to include sixty (60) days for passwords]

-
-
- additional -

IA-5 Requirement: Authenticators must be compliant with NIST SP 800-63-2 Electronic Authentication Guideline assurance Level 4 (Link http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf)

-
-
-

References

-
-

OMB Memorandum 04-04

-
-
-

OMB Memorandum 11-11

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

FICAM Roadmap and Implementation Guidance

-
-
-

http://idmanagement.gov

-
-
-
-
-

- IA-6 AUTHENTICATOR FEEDBACK

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

-
-
-
-

Supplemental guidance

-

The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it.

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator feedback

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

-
-
-
-

Supplemental guidance

-

Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing cryptographic module authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for cryptographic module authentication

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing cryptographic module authentication

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

FIPS Publication 140

-
-
-

http://csrc.nist.gov/groups/STM/cmvp/index.html

-
-
-
-
-

- IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

-
-
-
-

Supplemental guidance

-

Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users.

- - - - - - - - - - - -
-
-

- IA-8 (1) ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

-
-
-
-

Supplemental guidance

-

This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

[1]

-
-

accepts Personal Identity Verification (PIV) credentials from other agencies; and

-
-
-
- - - - - - - -
-

[2]

-
-

electronically verifies Personal Identity Verification (PIV) credentials from other agencies.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- PIV verification records

-

- evidence of PIV credentials

-

- PIV credential authorizations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-

- organizational personnel with account management responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms that accept and verify PIV credentials

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- IA-8 (2) ACCEPTANCE OF THIRD-PARTY CREDENTIALS

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system accepts only FICAM-approved third-party credentials.

-
-
-
-

Supplemental guidance

-

This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system accepts only FICAM-approved third-party credentials.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization

-

- third-party credential verification records

-

- evidence of FICAM-approved third-party credentials

-

- third-party credential authorizations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-

- organizational personnel with account management responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms that accept FICAM-approved credentials

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- IA-8 (3) USE OF FICAM-APPROVED PRODUCTS

-
-

- Parameter: - ia-8_a organization-defined information systems

-

- Value: organization-defined information systems

-
-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs only FICAM-approved information system components in - - ia-8_a - - organization-defined information systems - organization-defined information systems - to accept third-party credentials.

-
-
-
-

Supplemental guidance

-

This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information systems in which only FICAM-approved information system components are to be employed to accept third-party credentials; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- system and services acquisition policy

-

- procedures addressing user identification and authentication

-

- procedures addressing the integration of security requirements into the acquisition process

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- third-party credential validations

-

- third-party credential authorizations

-

- third-party credential records

-

- list of FICAM-approved information system components procured and implemented by organization

-

- acquisition documentation

-

- acquisition contracts for information system procurements or services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- system/network administrators

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information system security, acquisition, and contracting responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- IA-8 (4) USE OF FICAM-ISSUED PROFILES

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system conforms to FICAM-issued profiles.

-
-
-
-

Supplemental guidance

-

This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange).

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system conforms to FICAM-issued profiles.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- system and services acquisition policy

-

- procedures addressing user identification and authentication

-

- procedures addressing the integration of security requirements into the acquisition process

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of FICAM-issued profiles and associated, approved protocols

-

- acquisition documentation

-

- acquisition contracts for information system procurements or services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-

- organizational personnel with account management responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms supporting and/or implementing conformance with FICAM-issued profiles

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objective

- - - - - - -
- -

Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- organizational personnel with account management responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-
-

- profile-title: IDENTIFICATION AND AUTHENTICATION (NON- ORGANIZATIONAL USERS)

-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

OMB Memorandum 04-04

-
-
-

OMB Memorandum 11-11

-
-
-

OMB Memorandum 10-06-2011

-
-
-

FICAM Roadmap and Implementation Guidance

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-116

-
-
-

National Strategy for Trusted Identities in Cyberspace

-
-
-

http://idmanagement.gov

-
-
-
-
-
-

INCIDENT RESPONSE

-
-

- IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES

-
-

- Parameter: - ir-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ir-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ir-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ir-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Incident response policy - - ir-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Incident response procedures - - ir-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an incident response policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the incident response policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the incident response policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current incident response policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current incident response policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current incident response procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current incident response procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

IR-1 (b) (1) [at least annually] IR-1 (b) (2) [at least annually or whenever a significant change occurs]

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-61

-
-
-

NIST Special Publication 800-83

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- IR-2 INCIDENT RESPONSE TRAINING

-
-

- Parameter: - ir-2_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ir-2_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides incident response training to information system users consistent with assigned roles and responsibilities:

-
- - - - - - - -
-

a.

-
-

Within - - ir-2_a - - organization-defined time period - organization-defined time period - of assuming an incident response role or responsibility;

-
-
-
- - - - - - - -
-

b.

-
-

When required by information system changes; and

-
-
-
- - - - - - - -
-

c.

-
-

- - - ir-2_b - - organization-defined frequency - organization-defined frequency - thereafter.

-
-
-
-
-
-

Supplemental guidance

-

Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources.

- - - -
-
-

- IR-2 (1) SIMULATED EVENTS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response training

-

- incident response training curriculum

-

- incident response training materials

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response training and operational responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms that support and/or implement simulated events for incident response training

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- IR-2 (2) AUTOMATED TRAINING ENVIRONMENTS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response training

-

- incident response training curriculum

-

- incident response training materials

-

- automated mechanisms supporting incident response training

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response training and operational responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms that provide a thorough and realistic incident response training environment

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period within which incident response training is to be provided to information system users assuming an incident response role or responsibility;

-
-
-
- - - - - - - -
-

[2]

-
-

provides incident response training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming an incident response role or responsibility;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to provide refresher incident response training to information system users consistent with assigned roles or responsibilities; and

-
-
-
- - - - - - - -
-

[2]

-
-

after the initial incident response training, provides refresher incident response training to information system users consistent with assigned roles and responsibilities in accordance with the organization-defined frequency to provide refresher training.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response training

-

- incident response training curriculum

-

- incident response training materials

-

- security plan

-

- incident response plan

-

- security plan

-

- incident response training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response training and operational responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

IR-2 (a) [within ten (10) days] IR-2 (c) [at least annually]

-
-
-

References

-
-

NIST Special Publication 800-16

-
-
-

NIST Special Publication 800-50

-
-
-
-
-

- IR-3 INCIDENT RESPONSE TESTING

-
-

- Parameter: - ir-3_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ir-3_b organization-defined tests

-

- Value: organization-defined tests

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tests the incident response capability for the information system - - ir-3_a - - organization-defined frequency - organization-defined frequency - using - - ir-3_b - - organization-defined tests - organization-defined tests - to determine the incident response effectiveness and documents the results.

-
-
-
-

Supplemental guidance

-

Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response.

- - -
-
-

- IR-3 (2) COORDINATION WITH RELATED PLANS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization coordinates incident response testing with organizational elements responsible for related plans.

-
-
-
-

Supplemental guidance

-

Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization coordinates incident response testing with organizational elements responsible for related plans.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- contingency planning policy

-

- procedures addressing incident response testing

-

- incident response testing documentation

-

- incident response plan

-

- business continuity plans

-

- contingency plans

-

- disaster recovery plans

-

- continuity of operations plans

-

- crisis communications plans

-

- critical infrastructure plans

-

- occupant emergency plans

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response testing responsibilities

-

- organizational personnel with responsibilities for testing organizational plans related to incident response testing

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines incident response tests to test the incident response capability for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to test the incident response capability for the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

tests the incident response capability for the information system with the organization-defined frequency, using organization-defined tests to determine the incident response effectiveness and documents the results.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- contingency planning policy

-

- procedures addressing incident response testing

-

- procedures addressing contingency plan testing

-

- incident response testing material

-

- incident response test results

-

- incident response test plan

-

- incident response plan

-

- contingency plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response testing responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

IR-3-1 [at least every six (6) months]

-
-
- additional -

IR-3-2 Requirement: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.

-
-
-

References

-
-

NIST Special Publication 800-84

-
-
-

NIST Special Publication 800-115

-
-
-
-
-

- IR-4 INCIDENT HANDLING

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;

-
-
-
- - - - - - - -
-

b.

-
-

Coordinates incident handling activities with contingency planning activities; and

-
-
-
- - - - - - - -
-

c.

-
-

Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.

-
-
-
-
-
-

Supplemental guidance

-

Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).

- - - - - - - - - - - - - -
-
-

- IR-4 (1) AUTOMATED INCIDENT HANDLING PROCESSES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to support the incident handling process.

-
-
-
-

Supplemental guidance

-

Automated mechanisms supporting incident handling processes include, for example, online incident management systems.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to support the incident handling process.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident handling

-

- automated mechanisms supporting incident handling

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident handling responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms that support and/or implement the incident handling process

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- IR-4 (4) INFORMATION CORRELATION

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

-
-
-
-

Supplemental guidance

-

Sometimes the nature of a threat event, for example, a hostile cyber attack, is such that it can only be observed by bringing together information from different sources including various reports and reporting procedures established by organizations.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident handling

-

- incident response plan

-

- security plan

-

- automated mechanisms supporting incident and event correlation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- incident management correlation logs

-

- event management correlation logs

-

- security information and event management logs

-

- incident management correlation reports

-

- event management correlation reports

-

- security information and event management reports

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident handling responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with whom incident information and individual incident responses are to be correlated

-
-
-

Assessment: TEST

-

- Organizational processes for correlating incident information and individual incident responses

-

- automated mechanisms that support and/or implement correlation of incident response information with individual incident responses

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

implements an incident handling capability for security incidents that includes:

-
- - - - - - - -
-

[1]

-
-

preparation;

-
-
-
- - - - - - - -
-

[2]

-
-

detection and analysis;

-
-
-
- - - - - - - -
-

[3]

-
-

containment;

-
-
-
- - - - - - - -
-

[4]

-
-

eradication;

-
-
-
- - - - - - - -
-

[5]

-
-

recovery;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

coordinates incident handling activities with contingency planning activities;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

incorporates lessons learned from ongoing incident handling activities into:

-
- - - - - - - -
-

[a]

-
-

incident response procedures;

-
-
-
- - - - - - - -
-

[b]

-
-

training;

-
-
-
- - - - - - - -
-

[c]

-
-

testing/exercises;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

implements the resulting changes accordingly to:

-
- - - - - - - -
-

[a]

-
-

incident response procedures;

-
-
-
- - - - - - - -
-

[b]

-
-

training; and

-
-
-
- - - - - - - -
-

[c]

-
-

testing/exercises.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- contingency planning policy

-

- procedures addressing incident handling

-

- incident response plan

-

- contingency plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident handling responsibilities

-

- organizational personnel with contingency planning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Incident handling capability for the organization

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

IR-4 Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

-
-
-

References

-
-

Executive Order 13587

-
-
-

NIST Special Publication 800-61

-
-
-
-
-

- IR-5 INCIDENT MONITORING

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tracks and documents information system security incidents.

-
-
-
-

Supplemental guidance

-

Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.

- - - - - - - - -
-
-

- IR-5 (1) AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

-
-
-
-

Supplemental guidance

-

Automated mechanisms for tracking security incidents and collecting/analyzing incident information include, for example, the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization employs automated mechanisms to assist in:

-
- - - - - - - -
-

[1]

-
-

the tracking of security incidents;

-
-
-
- - - - - - - -
-

[2]

-
-

the collection of incident information; and

-
-
-
- - - - - - - -
-

[3]

-
-

the analysis of incident information.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident monitoring

-

- automated mechanisms supporting incident monitoring

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- incident response plan

-

- security plan

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident monitoring responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms assisting in tracking of security incidents and in the collection and analysis of incident information

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

tracks information system security incidents; and

-
-
-
- - - - - - - -
-

[2]

-
-

documents information system security incidents.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident monitoring

-

- incident response records and documentation

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident monitoring responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Incident monitoring capability for the organization

-

- automated mechanisms supporting and/or implementing tracking and documenting of system security incidents

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-61

-
-
-
-
-

- IR-6 INCIDENT REPORTING

-
-

- Parameter: - ir-6_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ir-6_b organization-defined authorities

-

- Value: organization-defined authorities

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment (ir-6_a): organization-defined time period]; and

-
-
-
- - - - - - - -
-

b.

-
-

Reports security incident information to [Assignment (ir-6_b): organization-defined authorities].

-
-
-
-
-
-

Supplemental guidance

-

The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling.

- - - -
-
-

- IR-6 (1) AUTOMATED REPORTING

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to assist in the reporting of security incidents.

-
-
-
-

Supplemental guidance

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to assist in the reporting of security incidents.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident reporting

-

- automated mechanisms supporting incident reporting

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident reporting responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for incident reporting

-

- automated mechanisms supporting and/or implementing reporting of security incidents

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the time period within which personnel report suspected security incidents to the organizational incident response capability;

-
-
-
- - - - - - - -
-

[2]

-
-

requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines authorities to whom security incident information is to be reported; and

-
-
-
- - - - - - - -
-

[2]

-
-

reports security incident information to organization-defined authorities.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident reporting

-

- incident reporting records and documentation

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident reporting responsibilities

-

- organizational personnel with information security responsibilities

-

- personnel who have/should have reported incidents

-

- personnel (authorities) to whom incident information is to be reported

-
-
-

Assessment: TEST

-

- Organizational processes for incident reporting

-

- automated mechanisms supporting and/or implementing incident reporting

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

IR-6 (a) [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]

-
-
- additional -

IR-6 Requirement: Reports security incident information according to FedRAMP Incident Communications Procedure.

-
-
-

References

-
-

NIST Special Publication 800-61

-
-
-

http://www.us-cert.gov

-
-
-
-
-

- IR-7 INCIDENT RESPONSE ASSISTANCE

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

-
-
-
-

Supplemental guidance

-

Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required.

- - - - - -
-
-

- IR-7 (1) AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to increase the availability of incident response-related information and support.

-
-
-
-

Supplemental guidance

-

Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to increase the availability of incident response-related information and support.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response assistance

-

- automated mechanisms supporting incident response support and assistance

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response support and assistance responsibilities

-

- organizational personnel with access to incident response support and assistance capability

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for incident response assistance

-

- automated mechanisms supporting and/or implementing an increase in the availability of incident response information and support

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization provides an incident response support resource:

-
- - - - - - - -
-

[1]

-
-

that is integral to the organizational incident response capability; and

-
-
-
- - - - - - - -
-

[2]

-
-

that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response assistance

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response assistance and support responsibilities

-

- organizational personnel with access to incident response support and assistance capability

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for incident response assistance

-

- automated mechanisms supporting and/or implementing incident response assistance

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- IR-8 INCIDENT RESPONSE PLAN

-
-

- Parameter: - ir-8_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ir-8_b organization-defined incident response personnel (identified by name and/or by role) and organizational elements

-

- Value: organization-defined incident response personnel (identified by name and/or by role) and organizational elements

-
-
-

- Parameter: - ir-8_c organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ir-8_d organization-defined incident response personnel (identified by name and/or by role) and organizational elements

-

- Value: organization-defined incident response personnel (identified by name and/or by role) and organizational elements

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops an incident response plan that:

-
- - - - - - - -
-

1.

-
-

Provides the organization with a roadmap for implementing its incident response capability;

-
-
-
- - - - - - - -
-

2.

-
-

Describes the structure and organization of the incident response capability;

-
-
-
- - - - - - - -
-

3.

-
-

Provides a high-level approach for how the incident response capability fits into the overall organization;

-
-
-
- - - - - - - -
-

4.

-
-

Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

-
-
-
- - - - - - - -
-

5.

-
-

Defines reportable incidents;

-
-
-
- - - - - - - -
-

6.

-
-

Provides metrics for measuring the incident response capability within the organization;

-
-
-
- - - - - - - -
-

7.

-
-

Defines the resources and management support needed to effectively maintain and mature an incident response capability; and

-
-
-
- - - - - - - -
-

8.

-
-

Is reviewed and approved by [Assignment (ir-8_a): organization-defined personnel or roles];

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Distributes copies of the incident response plan to [Assignment (ir-8_b): organization-defined incident response personnel (identified by name and/or by role) and organizational elements];

-
-
-
- - - - - - - -
-

c.

-
-

Reviews the incident response plan [Assignment (ir-8_c): organization-defined frequency];

-
-
-
- - - - - - - -
-

d.

-
-

Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;

-
-
-
- - - - - - - -
-

e.

-
-

Communicates incident response plan changes to [Assignment (ir-8_d): organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and

-
-
-
- - - - - - - -
-

f.

-
-

Protects the incident response plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Supplemental guidance

-

It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops an incident response plan that:

-
- - - - - - - -
-

(1)

-
-

provides the organization with a roadmap for implementing its incident response capability;

-
-
-
- - - - - - - -
-

(2)

-
-

describes the structure and organization of the incident response capability;

-
-
-
- - - - - - - -
-

(3)

-
-

provides a high-level approach for how the incident response capability fits into the overall organization;

-
-
-
- - - - - - - -
-

(4)

-
-

meets the unique requirements of the organization, which relate to:

-
- - - - - - - -
-

[1]

-
-

mission;

-
-
-
- - - - - - - -
-

[2]

-
-

size;

-
-
-
- - - - - - - -
-

[3]

-
-

structure;

-
-
-
- - - - - - - -
-

[4]

-
-

functions;

-
-
-
-
-
- - - - - - - -
-

(5)

-
-

defines reportable incidents;

-
-
-
- - - - - - - -
-

(6)

-
-

provides metrics for measuring the incident response capability within the organization;

-
-
-
- - - - - - - -
-

(7)

-
-

defines the resources and management support needed to effectively maintain and mature an incident response capability;

-
-
-
- - - - - - - -
-

(8)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to review and approve the incident response plan;

-
-
-
- - - - - - - -
-

[2]

-
-

is reviewed and approved by organization-defined personnel or roles;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed;

-
-
-
- - - - - - - -
-

[b]

-
-

defines organizational elements to whom copies of the incident response plan are to be distributed;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the incident response plan;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the incident response plan with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

updates the incident response plan to address system/organizational changes or problems encountered during plan:

-
- - - - - - - -
-

[1]

-
-

implementation;

-
-
-
- - - - - - - -
-

[2]

-
-

execution; or

-
-
-
- - - - - - - -
-

[3]

-
-

testing;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines incident response personnel (identified by name and/or by role) to whom incident response plan changes are to be communicated;

-
-
-
- - - - - - - -
-

[b]

-
-

defines organizational elements to whom incident response plan changes are to be communicated;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements; and

-
-
-
-
-
- - - - - - - -
-

(f)

-
-

protects the incident response plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response planning

-

- incident response plan

-

- records of incident response plan reviews and approvals

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response planning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational incident response plan and related organizational processes

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

IR-8 (b) [see additional FedRAMP Requirements and Guidance]
IR-8 (c) [at least annually]
IR-8 (e) [see additional FedRAMP Requirements and Guidance]

-
-
- additional -

IR-8 (b) Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.
IR-8 (e) Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

-
-
-

References

-
-

NIST Special Publication 800-61

-
-
-
-
-
-

MAINTENANCE

-
-

- MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES

-
-

- Parameter: - ma-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ma-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ma-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to [Assignment (ma-1_a): organization-defined personnel or roles]:

-
- - - - - - - -
-

1.

-
-

A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

System maintenance policy [Assignment (ma-1_b): organization-defined frequency]; and

-
-
-
- - - - - - - -
-

2.

-
-

System maintenance procedures [Assignment (ma-1_c): organization-defined frequency].

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a system maintenance policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the system maintenance policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the system maintenance policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the maintenance policy and associated system maintenance controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system maintenance policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system maintenance policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system maintenance procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system maintenance procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Maintenance policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

MA-1 (b) (1) [at least annually] MA-1 (b) (2) [at least annually or whenever a significant change occurs]

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- MA-2 CONTROLLED MAINTENANCE

-
-

- Parameter: - ma-2_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ma-2_b organization-defined maintenance-related information

-

- Value: organization-defined maintenance-related information

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;

-
-
-
- - - - - - - -
-

b.

-
-

Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

-
-
-
- - - - - - - -
-

c.

-
-

Requires that - - ma-2_a - - organization-defined personnel or roles - organization-defined personnel or roles - explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

-
-
-
- - - - - - - -
-

d.

-
-

Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;

-
-
-
- - - - - - - -
-

e.

-
-

Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and

-
-
-
- - - - - - - -
-

f.

-
-

Includes - - ma-2_b - - organization-defined maintenance-related information - organization-defined maintenance-related information - in organizational maintenance records.

-
-
-
-
-
-

Supplemental guidance

-

This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems.

- - - - - - - -
-
-

- MA-2 (2) AUTOMATED MAINTENANCE ACTIVITIES

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and

-
-
-
- - - - - - - -
-

(b)

-
-

Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed.

-
-
-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

employs automated mechanisms to:

-
- - - - - - - -
-

[1]

-
-

schedule maintenance and repairs;

-
-
-
- - - - - - - -
-

[2]

-
-

conduct maintenance and repairs;

-
-
-
- - - - - - - -
-

[3]

-
-

document maintenance and repairs;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

produces up-to-date, accurate, and complete records of all maintenance and repair actions:

-
- - - - - - - -
-

[1]

-
-

requested;

-
-
-
- - - - - - - -
-

[2]

-
-

scheduled;

-
-
-
- - - - - - - -
-

[3]

-
-

in process; and

-
-
-
- - - - - - - -
-

[4]

-
-

completed.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing controlled information system maintenance

-

- automated mechanisms supporting information system maintenance activities

-

- information system configuration settings and associated documentation

-

- maintenance records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing controlled maintenance

-

- automated mechanisms supporting and/or implementing production of records of maintenance and repair actions

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

schedules maintenance and repairs on information system components in accordance with:

-
- - - - - - - -
-

[a]

-
-

manufacturer or vendor specifications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

organizational requirements;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

performs maintenance and repairs on information system components in accordance with:

-
- - - - - - - -
-

[a]

-
-

manufacturer or vendor specifications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

organizational requirements;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

documents maintenance and repairs on information system components in accordance with:

-
- - - - - - - -
-

[a]

-
-

manufacturer or vendor specifications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

organizational requirements;

-
-
-
-
-
- - - - - - - -
-

[4]

-
-

reviews records of maintenance and repairs on information system components in accordance with:

-
- - - - - - - -
-

[a]

-
-

manufacturer or vendor specifications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

organizational requirements;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

approves all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles required to explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

-
-
-
- - - - - - - -
-

[2]

-
-

requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;

-
-
-
- - - - - - - -
-

(e)

-
-

checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;

-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines maintenance-related information to be included in organizational maintenance records; and

-
-
-
- - - - - - - -
-

[2]

-
-

includes organization-defined maintenance-related information in organizational maintenance records.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing controlled information system maintenance

-

- maintenance records

-

- manufacturer/vendor maintenance specifications

-

- equipment sanitization records

-

- media sanitization records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel responsible for media sanitization

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system

-

- organizational processes for sanitizing information system components

-

- automated mechanisms supporting and/or implementing controlled maintenance

-

- automated mechanisms implementing sanitization of information system components

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- MA-3 MAINTENANCE TOOLS

-

- priority: P3

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization approves, controls, and monitors information system maintenance tools.

-
-
-
-

Supplemental guidance

-

This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing �ping,� �ls,� �ipconfig,� or the hardware and software implementing the monitoring port of an Ethernet switch.

- - - -
-
-

- MA-3 (1) INSPECT TOOLS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

-
-
-
-

Supplemental guidance

-

If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing information system maintenance tools

-

- information system maintenance tools and associated documentation

-

- maintenance tool inspection records

-

- maintenance records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for inspecting maintenance tools

-

- automated mechanisms supporting and/or implementing inspection of maintenance tools

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- MA-3 (2) INSPECT MEDIA

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.

-
-
-
-

Supplemental guidance

-

If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.

-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing information system maintenance tools

-

- information system maintenance tools and associated documentation

-

- maintenance records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational process for inspecting media for malicious code

-

- automated mechanisms supporting and/or implementing inspection of media used for maintenance

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- MA-3 (3) PREVENT UNAUTHORIZED REMOVAL

-
-

- Parameter: - ma-3_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:

-
- - - - - - - -
-

(a)

-
-

Verifying that there is no organizational information contained on the equipment;

-
-
-
- - - - - - - -
-

(b)

-
-

Sanitizing or destroying the equipment;

-
-
-
- - - - - - - -
-

(c)

-
-

Retaining the equipment within the facility; or

-
-
-
- - - - - - - -
-

(d)

-
-

Obtaining an exemption from - - ma-3_a - - organization-defined personnel or roles - organization-defined personnel or roles - explicitly authorizing removal of the equipment from the facility.

-
-
-
-
-
-

Supplemental guidance

-

Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization prevents the unauthorized removal of maintenance equipment containing organizational information by:

-
- - - - - - - -
-

(a)

-
-

verifying that there is no organizational information contained on the equipment;

-
-
-
- - - - - - - -
-

(b)

-
-

sanitizing or destroying the equipment;

-
-
-
- - - - - - - -
-

(c)

-
-

retaining the equipment within the facility; or

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defining personnel or roles that can grant an exemption from explicitly authorizing removal of the equipment from the facility; and

-
-
-
- - - - - - - -
-

[2]

-
-

obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing information system maintenance tools

-

- information system maintenance tools and associated documentation

-

- maintenance records

-

- equipment sanitization records

-

- media sanitization records

-

- exemptions for equipment removal

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel responsible for media sanitization

-
-
-

Assessment: TEST

-

- Organizational process for preventing unauthorized removal of information

-

- automated mechanisms supporting media sanitization or destruction of equipment

-

- automated mechanisms supporting verification of media sanitization

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

MA-3 (3) (d). [the information owner explicitly authorizing removal of the equipment from the facility]

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

approves information system maintenance tools;

-
-
-
- - - - - - - -
-

[2]

-
-

controls information system maintenance tools; and

-
-
-
- - - - - - - -
-

[3]

-
-

monitors information system maintenance tools.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing information system maintenance tools

-

- information system maintenance tools and associated documentation

-

- maintenance records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for approving, controlling, and monitoring maintenance tools

-

- automated mechanisms supporting and/or implementing approval, control, and/or monitoring of maintenance tools

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-88

-
-
-
-
-

- MA-4 NONLOCAL MAINTENANCE

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Approves and monitors nonlocal maintenance and diagnostic activities;

-
-
-
- - - - - - - -
-

b.

-
-

Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;

-
-
-
- - - - - - - -
-

c.

-
-

Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;

-
-
-
- - - - - - - -
-

d.

-
-

Maintains records for nonlocal maintenance and diagnostic activities; and

-
-
-
- - - - - - - -
-

e.

-
-

Terminates session and network connections when nonlocal maintenance is completed.

-
-
-
-
-
-

Supplemental guidance

-

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.

- - - - - - - - - - - - - - - - - -
-
-

- MA-4 (2) DOCUMENT NONLOCAL MAINTENANCE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

-
-
-
-

Objectives

- - - - - - -
- -

Determine if the organization documents in the security plan for the information system:

-
- - - - - - - -
-

[1]

-
-

the policies for the establishment and use of nonlocal maintenance and diagnostic connections; and

-
-
-
- - - - - - - -
-

[2]

-
-

the procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing non-local information system maintenance

-

- security plan

-

- maintenance records

-

- diagnostic records

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- MA-4 (3) COMPARABLE SECURITY / SANITIZATION

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or

-
-
-
- - - - - - - -
-

(b)

-
-

Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.

-
-
-
-
-
-

Supplemental guidance

-

Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

removes the component to be serviced from the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

sanitizes the component (with regard to organizational information) prior to nonlocal maintenance or diagnostic services and/or before removal from organizational facilities; and

-
-
-
- - - - - - - -
-

[3]

-
-

inspects and sanitizes the component (with regard to potentially malicious software) after service is performed on the component and before reconnecting the component to the information system.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing nonlocal information system maintenance

-

- service provider contracts and/or service-level agreements

-

- maintenance records

-

- inspection records

-

- audit records

-

- equipment sanitization records

-

- media sanitization records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- information system maintenance provider

-

- organizational personnel with information security responsibilities

-

- organizational personnel responsible for media sanitization

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for comparable security and sanitization for nonlocal maintenance

-

- organizational processes for removal, sanitization, and inspection of components serviced via nonlocal maintenance

-

- automated mechanisms supporting and/or implementing component sanitization and inspection

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

approves nonlocal maintenance and diagnostic activities;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors nonlocal maintenance and diagnostic activities;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

allows the use of nonlocal maintenance and diagnostic tools only:

-
- - - - - - - -
-

[1]

-
-

as consistent with organizational policy;

-
-
-
- - - - - - - -
-

[2]

-
-

as documented in the security plan for the information system;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;

-
-
-
- - - - - - - -
-

(d)

-
-

maintains records for nonlocal maintenance and diagnostic activities;

-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

terminates sessions when nonlocal maintenance or diagnostics is completed; and

-
-
-
- - - - - - - -
-

[2]

-
-

terminates network connections when nonlocal maintenance or diagnostics is completed.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing nonlocal information system maintenance

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- maintenance records

-

- diagnostic records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing nonlocal maintenance

-

- automated mechanisms implementing, supporting, and/or managing nonlocal maintenance

-

- automated mechanisms for strong authentication of nonlocal maintenance diagnostic sessions

-

- automated mechanisms for terminating nonlocal maintenance sessions and network connections

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

FIPS Publication 140-2

-
-
-

FIPS Publication 197

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-88

-
-
-

CNSS Policy 15

-
-
-
-
-

- MA-5 MAINTENANCE PERSONNEL

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;

-
-
-
- - - - - - - -
-

b.

-
-

Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and

-
-
-
- - - - - - - -
-

c.

-
-

Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

- - - - - - - -
-
-

- MA-5 (1) INDIVIDUALS WITHOUT APPROPRIATE ACCESS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:

-
- - - - - - - -
-

(1)

-
-

Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;

-
-
-
- - - - - - - -
-

(2)

-
-

Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:

-
- - - - - - - -
-

(1)

-
-

maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who:

-
- - - - - - - -
-

[1]

-
-

are fully cleared;

-
-
-
- - - - - - - -
-

[2]

-
-

have appropriate access authorizations;

-
-
-
- - - - - - - -
-

[3]

-
-

are technically qualified;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-

prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances, or formal access approvals:

-
- - - - - - - -
-

[1]

-
-

all volatile information storage components within the information system are sanitized; and

-
-
-
- - - - - - - -
-

[2]

-
-

all nonvolatile storage media are removed; or

-
-
-
- - - - - - - -
-

[3]

-
-

all nonvolatile storage media are physically disconnected from the system and secured; and

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

develops and implements alternative security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing maintenance personnel

-

- information system media protection policy

-

- physical and environmental protection policy

-

- security plan

-

- list of maintenance personnel requiring escort/supervision

-

- maintenance records

-

- access control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with personnel security responsibilities

-

- organizational personnel with physical access control responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel responsible for media sanitization

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing maintenance personnel without appropriate access

-

- automated mechanisms supporting and/or implementing alternative security safeguards

-

- automated mechanisms supporting and/or implementing information storage component sanitization

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

establishes a process for maintenance personnel authorization;

-
-
-
- - - - - - - -
-

[2]

-
-

maintains a list of authorized maintenance organizations or personnel;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and

-
-
-
- - - - - - - -
-

(c)

-
-

designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing maintenance personnel

-

- service provider contracts

-

- service-level agreements

-

- list of authorized personnel

-

- maintenance records

-

- access control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for authorizing and managing maintenance personnel

-

- automated mechanisms supporting and/or implementing authorization of maintenance personnel

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- MA-6 TIMELY MAINTENANCE

-
-

- Parameter: - ma-6_a organization-defined information system components

-

- Value: organization-defined information system components

-
-
-

- Parameter: - ma-6_b organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.

-
-
-
-

Supplemental guidance

-

Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information system components for which maintenance support and/or spare parts are to be obtained;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which maintenance support and/or spare parts are to be obtained after a failure;

-
-
-
- - - - - - - -
-

[3]

-
-
- - - - - - - -
-

[a]

-
-

obtains maintenance support for organization-defined information system components within the organization-defined time period of failure; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

obtains spare parts for organization-defined information system components within the organization-defined time period of failure.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing information system maintenance

-

- service provider contracts

-

- service-level agreements

-

- inventory and availability of spare parts

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for ensuring timely maintenance

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-
-

MEDIA PROTECTION

-
-

- MP-1 MEDIA PROTECTION POLICY AND PROCEDURES

-
-

- Parameter: - mp-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - mp-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - mp-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:

-
- - - - - - - -
-

1.

-
-

A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Media protection policy [Assignment: organization-defined frequency]; and

-
-
-
- - - - - - - -
-

2.

-
-

Media protection procedures [Assignment: organization-defined frequency].

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a media protection policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the media protection policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the media protection policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current media protection policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current media protection policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current media protection procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current media protection procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Media protection policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with media protection responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

MP-1 (b) (1) [at least annually]
MP-1 (b) (2) [at least annually or whenever a significant change occurs]

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- MP-2 MEDIA ACCESS

-
-

- Parameter: - mp-2_a organization-defined types of digital and/or non-digital media

-

- Value: organization-defined types of digital and/or non-digital media

-
-
-

- Parameter: - mp-2_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].

-
-
-
-

Supplemental guidance

-

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines types of digital and/or non-digital media requiring restricted access;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles authorized to access organization-defined types of digital and/or non-digital media; and

-
-
-
- - - - - - - -
-

[3]

-
-

restricts access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media access restrictions

-

- access control policy and procedures

-

- physical and environmental protection policy and procedures

-

- media storage facilities

-

- access control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media protection responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for restricting information media

-

- automated mechanisms supporting and/or implementing media access restrictions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

MP-2-1 [any digital and non-digital media deemed sensitive]

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-111

-
-
-
-
-

- MP-3 MEDIA MARKING

-
-

- Parameter: - mp-3_a organization-defined types of information system media

-

- Value: organization-defined types of information system media

-
-
-

- Parameter: - mp-3_b organization-defined controlled areas

-

- Value: organization-defined controlled areas

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and

-
-
-
- - - - - - - -
-

b.

-
-

Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].

-
-
-
-
-
-

Supplemental guidance

-

The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

marks information system media indicating the:

-
- - - - - - - -
-

[1]

-
-

distribution limitations of the information;

-
-
-
- - - - - - - -
-

[2]

-
-

handling caveats of the information;

-
-
-
- - - - - - - -
-

[3]

-
-

applicable security markings (if any) of the information;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines types of information system media to be exempted from marking as long as the media remain in designated controlled areas;

-
-
-
- - - - - - - -
-

[2]

-
-

defines controlled areas where organization-defined types of information system media exempt from marking are to be retained; and

-
-
-
- - - - - - - -
-

[3]

-
-

exempts organization-defined types of information system media from marking as long as the media remain within organization-defined controlled areas.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media marking

-

- physical and environmental protection policy and procedures

-

- security plan

-

- list of information system media marking security attributes

-

- designated controlled areas

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media protection and marking responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for marking information media

-

- automated mechanisms supporting and/or implementing media marking

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

MP-3 (b)-1 [no removable media types]
MP-3 (b)-2 [organization-defined security safeguards not applicable]

-
-
- additional -

MP-3 (b) Guidance: Second parameter not-applicable

-
-
-

References

-
-

FIPS Publication 199

-
-
-
-
-

- MP-4 MEDIA STORAGE

-
-

- Parameter: - mp-4_a organization-defined types of digital and/or non-digital media

-

- Value: organization-defined types of digital and/or non-digital media

-
-
-

- Parameter: - mp-4_b organization-defined controlled areas

-

- Value: organization-defined controlled areas

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and

-
-
-
- - - - - - - -
-

b.

-
-

Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

-
-
-
-
-
-

Supplemental guidance

-

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines types of digital and/or non-digital media to be physically controlled and securely stored within designated controlled areas;

-
-
-
- - - - - - - -
-

[2]

-
-

defines controlled areas designated to physically control and securely store organization-defined types of digital and/or non-digital media;

-
-
-
- - - - - - - -
-

[3]

-
-

physically controls organization-defined types of digital and/or non-digital media within organization-defined controlled areas;

-
-
-
- - - - - - - -
-

[4]

-
-

securely stores organization-defined types of digital and/or non-digital media within organization-defined controlled areas; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media storage

-

- physical and environmental protection policy and procedures

-

- access control policy and procedures

-

- security plan

-

- information system media

-

- designated controlled areas

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media protection and storage responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for storing information media

-

- automated mechanisms supporting and/or implementing secure media storage/media protection

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

MP-4 (a)-1 [all types of digital and non-digital media with sensitive information] MP-4 (a)-2 [see additional FedRAMP requirements and guidance]

-
-
- additional -

MP-4 (a) Requirement: The service provider defines controlled areas within facilities where the information and information system reside.

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-56

-
-
-

NIST Special Publication 800-57

-
-
-

NIST Special Publication 800-111

-
-
-
-
-

- MP-5 MEDIA TRANSPORT

-
-

- Parameter: - mp-5_a organization-defined types of information system media

-

- Value: organization-defined types of information system media

-
-
-

- Parameter: - mp-5_b organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];

-
-
-
- - - - - - - -
-

b.

-
-

Maintains accountability for information system media during transport outside of controlled areas;

-
-
-
- - - - - - - -
-

c.

-
-

Documents activities associated with the transport of information system media; and

-
-
-
- - - - - - - -
-

d.

-
-

Restricts the activities associated with the transport of information system media to authorized personnel.

-
-
-
-
-
-

Supplemental guidance

-

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering.
Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records.

- - - - - - - - -
-
-

- MP-5 (4) CRYPTOGRAPHIC PROTECTION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

-
-
-
-

Supplemental guidance

-

This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers).

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media transport

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system media transport records

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media transport responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Cryptographic mechanisms protecting information on digital media during transportation outside controlled areas

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines types of information system media to be protected and controlled during transport outside of controlled areas;

-
-
-
- - - - - - - -
-

[2]

-
-

defines security safeguards to protect and control organization-defined information system media during transport outside of controlled areas;

-
-
-
- - - - - - - -
-

[3]

-
-

protects and controls organization-defined information system media during transport outside of controlled areas using organization-defined security safeguards;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

maintains accountability for information system media during transport outside of controlled areas;

-
-
-
- - - - - - - -
-

(c)

-
-

documents activities associated with the transport of information system media; and

-
-
-
- - - - - - - -
-

(d)

-
-

restricts the activities associated with transport of information system media to authorized personnel.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media transport

-

- physical and environmental protection policy and procedures

-

- access control policy and procedures

-

- security plan

-

- information system media

-

- designated controlled areas

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media protection and transport responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for transporting information media outside of controlled areas

-

- automated mechanisms supporting and/or implementing media transport/media protection

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

MP-5 (a)-1 [all media with sensitive information]
MP-5 (a)-2 [prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container]

-
-
- additional -

MP-5 (a) Requirement: The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the FedRAMP Joint Authorization Board (JAB).

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-60

-
-
-
-
-

- MP-6 MEDIA SANITIZATION

-
-

- Parameter: - mp-6_a organization-defined information system media

-

- Value: organization-defined information system media

-
-
-

- Parameter: - mp-6_b organization-defined sanitization techniques and procedures

-

- Value: organization-defined sanitization techniques and procedures

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and

-
-
-
- - - - - - - -
-

b.

-
-

Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information.

- - - - -
-
-

- MP-6 (1) REVIEW / APPROVE / TRACK / DOCUMENT / VERIFY

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions.

-
-
-
-

Supplemental guidance

-

Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Organizations verify that the sanitization of the media was effective prior to disposal.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

reviews media sanitization and disposal actions;

-
-
-
- - - - - - - -
-

[2]

-
-

approves media sanitization and disposal actions;

-
-
-
- - - - - - - -
-

[3]

-
-

tracks media sanitization and disposal actions;

-
-
-
- - - - - - - -
-

[4]

-
-

documents media sanitization and disposal actions; and

-
-
-
- - - - - - - -
-

[5]

-
-

verifies media sanitization and disposal actions.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media sanitization and disposal

-

- media sanitization and disposal records

-

- review records for media sanitization and disposal actions

-

- approvals for media sanitization and disposal actions

-

- tracking records

-

- verification records

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media sanitization and disposal responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for media sanitization

-

- automated mechanisms supporting and/or implementing media sanitization

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- MP-6 (2) EQUIPMENT TESTING

-
-

- Parameter: - mp-6_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tests sanitization equipment and procedures [Assignment mp-6_c: organization-defined frequency] to verify that the intended sanitization is being achieved.

-
-
-
-

Supplemental guidance

-

Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities (e.g., other federal agencies or external service providers).

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the frequency for testing sanitization equipment and procedures to verify that the intended sanitization is being achieved; and

-
-
-
- - - - - - - -
-

[2]

-
-

tests sanitization equipment and procedures with the organization-defined frequency to verify that the intended sanitization is being achieved.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media sanitization and disposal

-

- procedures addressing testing of media sanitization equipment

-

- results of media sanitization equipment and procedures testing

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media sanitization responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for media sanitization

-

- automated mechanisms supporting and/or implementing media sanitization

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

MP-6 (2) [at least every six (6) months]

-
-
- additional -

MP-6 (2) Guidance: Equipment and procedures may be tested or validated for effectiveness.

-
-

References: None -

-
-
-

- MP-6 (3) NONDESTRUCTIVE TECHNIQUES

-
-

- Parameter: - mp-6_d organization-defined circumstances requiring sanitization of portable storage devices

-

- Value: organization-defined circumstances requiring sanitization of portable storage devices

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment mp-6_d: organization-defined circumstances requiring sanitization of portable storage devices].

-
-
-
-

Supplemental guidance

-

This control enhancement applies to digital media containing classified information and Controlled Unclassified Information (CUI). Portable storage devices can be the source of malicious code insertions into organizational information systems. Many of these devices are obtained from unknown and potentially untrustworthy sources and may contain malicious code that can be readily transferred to information systems through USB ports or other entry portals. While scanning such storage devices is always recommended, sanitization provides additional assurance that the devices are free of malicious code to include code capable of initiating zero-day attacks. Organizations consider nondestructive sanitization of portable storage devices when such devices are first purchased from the manufacturer or vendor prior to initial use or when organizations lose a positive chain of custody for the devices.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines circumstances requiring sanitization of portable storage devices; and

-
-
-
- - - - - - - -
-

[2]

-
-

applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under organization-defined circumstances requiring sanitization of portable storage devices.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media sanitization and disposal

-

- list of circumstances requiring sanitization of portable storage devices

-

- media sanitization records

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media sanitization responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for media sanitization of portable storage devices

-

- automated mechanisms supporting and/or implementing media sanitization

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information system media to be sanitized prior to:

-
- - - - - - - -
-

[a]

-
-

disposal;

-
-
-
- - - - - - - -
-

[b]

-
-

release out of organizational control; or

-
-
-
- - - - - - - -
-

[c]

-
-

release for reuse;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to:

-
- - - - - - - -
-

[a]

-
-

disposal;

-
-
-
- - - - - - - -
-

[b]

-
-

release out of organizational control; or

-
-
-
- - - - - - - -
-

[c]

-
-

release for reuse;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational standards and policies; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media sanitization and disposal

-

- applicable federal standards and policies addressing media sanitization

-

- media sanitization records

-

- audit records

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with media sanitization responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for media sanitization

-

- automated mechanisms supporting and/or implementing media sanitization

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

MP-6(a)-2 [techniques and procedures IAW NIST SP 800-88 and Section 5.9: Reuse and Disposal of Storage Media and Hardware]

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-60

-
-
-

NIST Special Publication 800-88

-
-
-

http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml

-
-
-
-
-

- MP-7 MEDIA USE

-
-

- Parameter: - mp-7_a organization-defined types of information system media

-

- Value: organization-defined types of information system media

-
-
-

- Parameter: - mp-7_b organization-defined information systems or system components

-

- Value: organization-defined information systems or system components

-
-
-

- Parameter: - mp-7_c organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization [Selection: restricts; prohibits] the use of [Assignment mp-7_a: organization-defined types of information system media] on [Assignment mp-7_b: organization-defined information systems or system components] using [Assignment mp-7_c: organization-defined security safeguards].

-
-
-
-

Supplemental guidance

-

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices.

- - -
-
-

- MP-7 (1) PROHIBIT USE WITHOUT OWNER

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

-
-
-
-

Supplemental guidance

-

Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion).

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- system use policy

-

- procedures addressing media usage restrictions

-

- security plan

-

- rules of behavior

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media use responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for media use

-

- automated mechanisms prohibiting use of media on information systems or system components

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines types of information system media to be:

-
- - - - - - - -
-

[a]

-
-

restricted on information systems or system components; or

-
-
-
- - - - - - - -
-

[b]

-
-

prohibited from use on information systems or system components;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines information systems or system components on which the use of organization-defined types of information system media is to be one of the following:

-
- - - - - - - -
-

[a]

-
-

restricted; or

-
-
-
- - - - - - - -
-

[b]

-
-

prohibited;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

defines security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components; and

-
-
-
- - - - - - - -
-

[4]

-
-

restricts or prohibits the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- system use policy

-

- procedures addressing media usage restrictions

-

- security plan

-

- rules of behavior

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media use responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for media use

-

- automated mechanisms restricting or prohibiting use of information system media on information systems or system components

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-111

-
-
-
-
-
-

PHYSICAL AND ENVIRONMENTAL PROTECTION

-
-

- PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES

-
-

- Parameter: - pe-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - pe-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - pe-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to [Assignment pe-1_a: organization-defined personnel or roles]:

-
- - - - - - - -
-

1.

-
-

A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Physical and environmental protection policy [Assignment pe-1_b: organization-defined frequency]; and

-
-
-
- - - - - - - -
-

2.

-
-

Physical and environmental protection procedures [Assignment pe-1_c: organization-defined frequency].

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a physical and environmental protection policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the physical and environmental protection policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the physical and environmental protection policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current physical and environmental protection policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current physical and environmental protection policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current physical and environmental protection procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current physical and environmental protection procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical and environmental protection responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PE-1 (b) (1) [at least annually]; PE-1 (b) (2) [at least annually or whenever a significant change occurs]

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- PE-2 PHYSICAL ACCESS AUTHORIZATIONS

-
-

- Parameter: - pe-2_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;

-
-
-
- - - - - - - -
-

b.

-
-

Issues authorization credentials for facility access;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews the access list detailing authorized facility access by individuals [Assignment pe-2_a: organization-defined frequency]; and

-
-
-
- - - - - - - -
-

d.

-
-

Removes individuals from the facility access list when access is no longer required.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

develops a list of individuals with authorized access to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[2]

-
-

approves a list of individuals with authorized access to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[3]

-
-

maintains a list of individuals with authorized access to the facility where the information system resides;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

issues authorization credentials for facility access;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the access list detailing authorized facility access by individuals;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the access list detailing authorized facility access by individuals with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

removes individuals from the facility access list when access is no longer required.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access authorizations

-

- security plan

-

- authorized personnel access list

-

- authorization credentials

-

- physical access list reviews

-

- physical access termination records and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access authorization responsibilities

-

- organizational personnel with physical access to information system facility

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for physical access authorizations

-

- automated mechanisms supporting and/or implementing physical access authorizations

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PE-2 (c) [at least every ninety (90) days]

-
-

References: None -

-
-
-

- PE-3 PHYSICAL ACCESS CONTROL

-
-

- Parameter: - pe-3_a organization-defined entry/exit points to the facility where the information system resides

-

- Value: organization-defined entry/exit points to the facility where the information system resides

-
-
-

- Parameter: - pe-3_b organization-defined physical access control systems/devices

-

- Value: organization-defined physical access control systems/devices

-
-
-

- Parameter: - pe-3_c organization-defined entry/exit points

-

- Value: organization-defined entry/exit points

-
-
-

- Parameter: - pe-3_d organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-
-

- Parameter: - pe-3_e organization-defined circumstances requiring visitor escorts and monitoring

-

- Value: organization-defined circumstances requiring visitor escorts and monitoring

-
-
-

- Parameter: - pe-3_f organization-defined physical access devices

-

- Value: organization-defined physical access devices

-
-
-

- Parameter: - pe-3_g organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - pe-3_h organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Enforces physical access authorizations at [Assignment pe-3_a: organization-defined entry/exit points to the facility where the information system resides] by:

-
- - - - - - - -
-

1.

-
-

Verifying individual access authorizations before granting access to the facility; and

-
-
-
- - - - - - - -
-

2.

-
-

Controlling ingress/egress to the facility using [Selection (one or more): [Assignment pe-3_b: organization-defined physical access control systems/devices]; guards];

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Maintains physical access audit logs for [Assignment pe-3_c: organization-defined entry/exit points];

-
-
-
- - - - - - - -
-

c.

-
-

Provides [Assignment pe-3_d: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;

-
-
-
- - - - - - - -
-

d.

-
-

Escorts visitors and monitors visitor activity [Assignment pe-3_e: organization-defined circumstances requiring visitor escorts and monitoring];

-
-
-
- - - - - - - -
-

e.

-
-

Secures keys, combinations, and other physical access devices;

-
-
-
- - - - - - - -
-

f.

-
-

Inventories [Assignment pe-3_f: organization-defined physical access devices] every [Assignment pe-3_g: organization-defined frequency]; and

-
-
-
- - - - - - - -
-

g.

-
-

Changes combinations and keys [Assignment pe-3_h: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.

- - - - - - - - - -
-
-

- PE-3 (1) INFORMATION SYSTEM ACCESS

-
-

- Parameter: - pe-3_i organization-defined physical spaces containing one or more components of the information system

-

- Value: organization-defined physical spaces containing one or more components of the information system

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment pe-3_i: organization-defined physical spaces containing one or more components of the information system].

-
-
-
-

Supplemental guidance

-

This control enhancement provides additional physical security for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers).

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines physical spaces containing one or more components of the information system; and

-
-
-
- - - - - - - -
-

[2]

-
-

enforces physical access authorizations to the information system in addition to the physical access controls for the facility at organization-defined physical spaces containing one or more components of the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access control

-

- physical access control logs or records

-

- physical access control devices

-

- access authorizations

-

- access credentials

-

- information system entry and exit points

-

- list of areas within the facility containing concentrations of information system components or information system components requiring additional physical protection

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access authorization responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for physical access control to the information system/components

-

- automated mechanisms supporting and/or implementing physical access control for facility areas containing information system components

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines entry/exit points to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[2]

-
-

enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides by:

-
- - - - - - - -
-

(1)

-
-

verifying individual access authorizations before granting access to the facility;

-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[a]

-
-

defining physical access control systems/devices to be employed to control ingress/egress to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[b]

-
-

using one or more of the following ways to control ingress/egress to the facility:

-
- - - - - - - -
-

[1]

-
-

organization-defined physical access control systems/devices; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

guards;

-
-
-
-
-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines entry/exit points for which physical access audit logs are to be maintained;

-
-
-
- - - - - - - -
-

[2]

-
-

maintains physical access audit logs for organization-defined entry/exit points;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible;

-
-
-
- - - - - - - -
-

[2]

-
-

provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines circumstances requiring visitor:

-
- - - - - - - -
-

[a]

-
-

escorts;

-
-
-
- - - - - - - -
-

[b]

-
-

monitoring;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

in accordance with organization-defined circumstances requiring visitor escorts and monitoring:

-
- - - - - - - -
-

[a]

-
-

escorts visitors;

-
-
-
- - - - - - - -
-

[b]

-
-

monitors visitor activities;

-
-
-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

secures keys;

-
-
-
- - - - - - - -
-

[2]

-
-

secures combinations;

-
-
-
- - - - - - - -
-

[3]

-
-

secures other physical access devices;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines physical access devices to be inventoried;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to inventory organization-defined physical access devices;

-
-
-
- - - - - - - -
-

[3]

-
-

inventories the organization-defined physical access devices with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to change combinations and keys; and

-
-
-
- - - - - - - -
-

[2]

-
-

changes combinations and keys with the organization-defined frequency and/or when:

-
- - - - - - - -
-

[a]

-
-

keys are lost;

-
-
-
- - - - - - - -
-

[b]

-
-

combinations are compromised;

-
-
-
- - - - - - - -
-

[c]

-
-

individuals are transferred or terminated.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access control

-

- security plan

-

- physical access control logs or records

-

- inventory records of physical access control devices

-

- information system entry and exit points

-

- records of key and lock combination changes

-

- storage locations for physical access control devices

-

- physical access control devices

-

- list of security safeguards controlling access to designated publicly accessible areas within facility

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for physical access control

-

- automated mechanisms supporting and/or implementing physical access control

-

- physical access control devices

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PE-3 (a) (2) [CSP defined physical access control systems/devices AND guards] PE-3 (d) [in all circumstances within restricted access area where the information system resides] PE-3 (f) [at least annually] PE-3 (g) [at least annually]

-
-
-

References

-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

NIST Special Publication 800-116

-
-
-

ICD 704

-
-
-

ICD 705

-
-
-

DoD Instruction 5200.39

-
-
-

Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)

-
-
-

http://idmanagement.gov

-
-
-

http://fips201ep.cio.gov

-
-
-
-
-

- PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM

-
-

- Parameter: - pe-4_a organization-defined information system distribution and transmission lines

-

- Value: organization-defined information system distribution and transmission lines

-
-
-

- Parameter: - pe-4_b organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization controls physical access to - - pe-4_a - - organization-defined information system distribution and transmission lines - organization-defined information system distribution and transmission lines - within organizational facilities using - - pe-4_b - - organization-defined security safeguards - organization-defined security safeguards - .

-
-
-
-

Supplemental guidance

-

Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information system distribution and transmission lines requiring physical access controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines security safeguards to be employed to control physical access to organization-defined information system distribution and transmission lines within organizational facilities; and

-
-
-
- - - - - - - -
-

[3]

-
-

controls physical access to organization-defined information system distribution and transmission lines within organizational facilities using organization-defined security safeguards.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing access control for transmission medium

-

- information system design documentation

-

- facility communications and wiring diagrams

-

- list of physical security safeguards applied to information system distribution and transmission lines

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for access control to distribution and transmission lines

-

- automated mechanisms/security safeguards supporting and/or implementing access control to distribution and transmission lines

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NSTISSI No. 7003

-
-
-
-
-

- PE-5 ACCESS CONTROL FOR OUTPUT DEVICES

-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

-
-
-
-

Supplemental guidance

-

Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices.

- - - - -
-
-

Objective

- - - - - - -
- -

Determine if the organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing access control for display medium

-

- facility layout of information system components

-

- actual displays from information system components

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for access control to output devices

-

- automated mechanisms supporting and/or implementing access control to output devices

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- PE-6 MONITORING PHYSICAL ACCESS

-
-

- Parameter: - pe-6_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - pe-6_b organization-defined events or potential indications of events

-

- Value: organization-defined events or potential indications of events

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

-
-
-
- - - - - - - -
-

b.

-
-

Reviews physical access logs - - pe-6_a - - organization-defined frequency - organization-defined frequency - and upon occurrence of - - pe-6_b - - organization-defined events or potential indications of events - organization-defined events or potential indications of events - ; and

-
-
-
- - - - - - - -
-

c.

-
-

Coordinates results of reviews and investigations with the organizational incident response capability.

-
-
-
-
-
-

Supplemental guidance

-

Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses.

- - - -
-
-

- PE-6 (1) INTRUSION ALARMS / SURVEILLANCE EQUIPMENT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization monitors physical intrusion alarms and surveillance equipment.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization monitors physical intrusion alarms and surveillance equipment.

-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access monitoring

-

- security plan

-

- physical access logs or records

-

- physical access monitoring records

-

- physical access log reviews

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access monitoring responsibilities

-

- organizational personnel with incident response responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring physical intrusion alarms and surveillance equipment

-

- automated mechanisms supporting and/or implementing physical access monitoring

-

- automated mechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- PE-6 (4) MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS

-
-

- Parameter: - pe-6_g organization-defined physical spaces containing one or more components of the information system

-

- Value: organization-defined physical spaces containing one or more components of the information system

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as - - pe-6_g - - organization-defined physical spaces containing one or more components of the information system - organization-defined physical spaces containing one or more components of the information system - .

-
-
-
-

Supplemental guidance

-

This control enhancement provides additional monitoring for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, communications centers).

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines physical spaces containing one or more components of the information system; and

-
-
-
- - - - - - - -
-

[2]

-
-

monitors physical access to the information system in addition to the physical access monitoring of the facility at organization-defined physical spaces containing one or more components of the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access monitoring

-

- physical access control logs or records

-

- physical access control devices

-

- access authorizations

-

- access credentials

-

- list of areas within the facility containing concentrations of information system components or information system components requiring additional physical access monitoring

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access monitoring responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring physical access to the information system

-

- automated mechanisms supporting and/or implementing physical access monitoring for facility areas containing information system components

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review physical access logs;

-
-
-
- - - - - - - -
-

[2]

-
-

defines events or potential indication of events requiring physical access logs to be reviewed;

-
-
-
- - - - - - - -
-

[3]

-
-

reviews physical access logs with the organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

coordinates results of reviews and investigations with the organizational incident response capability.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access monitoring

-

- security plan

-

- physical access logs or records

-

- physical access monitoring records

-

- physical access log reviews

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access monitoring responsibilities

-

- organizational personnel with incident response responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring physical access

-

- automated mechanisms supporting and/or implementing physical access monitoring

-

- automated mechanisms supporting and/or implementing reviewing of physical access logs

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PE-6 (b) [at least monthly]

-
-

References: None -

-
-
-

- PE-8 VISITOR ACCESS RECORDS

-
-

- Parameter: - pe-8_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - pe-8_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Maintains visitor access records to the facility where the information system resides for - - pe-8_a - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Reviews visitor access records - - pe-8_b - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas.

-
-
-

- PE-8 (1) AUTOMATED RECORDS MAINTENANCE / REVIEW

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to facilitate the maintenance and review of visitor access records.

-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing visitor access records

-

- automated mechanisms supporting management of visitor access records

-

- visitor access control logs or records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with visitor access records responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for maintaining and reviewing visitor access records

-

- automated mechanisms supporting and/or implementing maintenance and review of visitor access records

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the time period to maintain visitor access records to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[2]

-
-

maintains visitor access records to the facility where the information system resides for the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review visitor access records; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews visitor access records with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing visitor access records

-

- security plan

-

- visitor access control logs or records

-

- visitor access record or log reviews

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with visitor access records responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for maintaining and reviewing visitor access records

-

- automated mechanisms supporting and/or implementing maintenance and review of visitor access records

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PE-8 (a) [for a minimum of one (1) year] PE-8 (b) [at least monthly]

-
-

References: None -

-
-
-

- PE-9 POWER EQUIPMENT AND CABLING

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization protects power equipment and power cabling for the information system from damage and destruction.

-
-
-
-

Supplemental guidance

-

Organizations determine the types of protection necessary for power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. This includes, for example, generators and power cabling outside of buildings, internal cabling and uninterruptable power sources within an office or data center, and power sources for self-contained entities such as vehicles and satellites.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization protects power equipment and power cabling for the information system from damage and destruction.

-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing power equipment/cabling protection

-

- facilities housing power equipment/cabling

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for protecting power equipment/cabling

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing protection of power equipment/cabling

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- PE-10 EMERGENCY SHUTOFF

-
-

- Parameter: - pe-10_a organization-defined location by information system or system component

-

- Value: organization-defined location by information system or system component

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Provides the capability of shutting off power to the information system or individual system components in emergency situations;

-
-
-
- - - - - - - -
-

b.

-
-

Places emergency shutoff switches or devices in - - pe-10_a - - organization-defined location by information system or system component - organization-defined location by information system or system component - to facilitate safe and easy access for personnel; and

-
-
-
- - - - - - - -
-

c.

-
-

Protects emergency power shutoff capability from unauthorized activation.

-
-
-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

provides the capability of shutting off power to the information system or individual system components in emergency situations;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the location of emergency shutoff switches or devices by information system or system component;

-
-
-
- - - - - - - -
-

[2]

-
-

places emergency shutoff switches or devices in the organization-defined location by information system or system component to facilitate safe and easy access for personnel; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

protects emergency power shutoff capability from unauthorized activation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing power source emergency shutoff

-

- security plan

-

- emergency shutoff controls or switches

-

- locations housing emergency shutoff switches and devices

-

- security safeguards protecting emergency power shutoff capability from unauthorized activation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for emergency power shutoff capability (both implementing and using the capability)

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing emergency power shutoff

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- PE-11 EMERGENCY POWER

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.

-
-
-
-

Supplemental guidance

- - - -
-
-

- PE-11 (1) LONG-TERM ALTERNATE POWER SUPPLY - MINIMAL OPERATIONAL CAPABILITY

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.

-
-
-
-

Supplemental guidance

-

This control enhancement can be satisfied, for example, by the use of a secondary commercial power supply or other external power supply. Long-term alternate power supplies for the information system can be either manually or automatically activated.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.

-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing emergency power

-

- alternate power supply

-

- alternate power supply documentation

-

- alternate power supply test records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for emergency power and/or planning

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing alternate power supply

-

- the alternate power supply

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization provides a short-term uninterruptible power supply to facilitate one or more of the following in the event of a primary power source loss:

-
- - - - - - - -
-

[1]

-
-

an orderly shutdown of the information system; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

transition of the information system to long-term alternate power.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing emergency power

-

- uninterruptible power supply

-

- uninterruptible power supply documentation

-

- uninterruptible power supply test records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for emergency power and/or planning

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing uninterruptible power supply

-

- the uninterruptable power supply

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- PE-12 EMERGENCY LIGHTING

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization employs and maintains automatic emergency lighting for the information system that:

-
- - - - - - - -
-

[1]

-
-

activates in the event of a power outage or disruption; and

-
-
-
- - - - - - - -
-

[2]

-
-

covers emergency exits and evacuation routes within the facility.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing emergency lighting

-

- emergency lighting documentation

-

- emergency lighting test records

-

- emergency exits and evacuation routes

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for emergency lighting and/or planning

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing emergency lighting capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- PE-13 FIRE PROTECTION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.

-
-
-

- PE-13 (1) DETECTION DEVICES / SYSTEMS

-
-

- Parameter: - pe-13_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - pe-13_b organization-defined emergency responders

-

- Value: organization-defined emergency responders

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs fire detection devices/systems for the information system that activate automatically and notify - - pe-13_a - - organization-defined personnel or roles - organization-defined personnel or roles - and - - pe-13_b - - organization-defined emergency responders - organization-defined emergency responders - in the event of a fire.

-
-
-
-

Supplemental guidance

-

Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified in the event of a fire;

-
-
-
- - - - - - - -
-

[2]

-
-

defines emergency responders to be notified in the event of a fire;

-
-
-
- - - - - - - -
-

[3]

-
-

employs fire detection devices/systems for the information system that, in the event of a fire,:

-
- - - - - - - -
-

[a]

-
-

activate automatically;

-
-
-
- - - - - - - -
-

[b]

-
-

notify organization-defined personnel or roles; and

-
-
-
- - - - - - - -
-

[c]

-
-

notify organization-defined emergency responders.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing fire protection

-

- facility housing the information system

-

- alarm service-level agreements

-

- test records of fire suppression and detection devices/systems

-

- fire suppression and detection devices/systems documentation

-

- alerts/notifications of fire events

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for fire detection and suppression devices/systems

-

- organizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing fire detection devices/systems

-

- activation of fire detection devices/systems (simulated)

-

- automated notifications

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-
- parameters -

PE-13 (1) -1 [service provider building maintenance/physical security personnel] PE-13 (1) -2 [service provider emergency responders with incident response responsibilities]

-
-

References: None -

-
-
-

- PE-13 (2) SUPPRESSION DEVICES / SYSTEMS

-
-

- Parameter: - pe-13_c organization-defined emergency responders

-

- Value: organization-defined emergency responders

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to Assignment: organization-defined personnel or roles] and - - pe-13_c - - organization-defined emergency responders - organization-defined emergency responders - .

-
-
-
-

Supplemental guidance

-

Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be provided automatic notification of any activation of fire suppression devices/systems for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

defines emergency responders to be provided automatic notification of any activation of fire suppression devices/systems for the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

employs fire suppression devices/systems for the information system that provide automatic notification of any activation to:

-
- - - - - - - -
-

[a]

-
-

organization-defined personnel or roles; and

-
-
-
- - - - - - - -
-

[b]

-
-

organization-defined emergency responders.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing fire protection

-

- fire suppression and detection devices/systems documentation

-

- facility housing the information system

-

- alarm service-level agreements

-

- test records of fire suppression and detection devices/systems

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for fire detection and suppression devices/systems

-

- organizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing fire suppression devices/systems

-

- activation of fire suppression devices/systems (simulated)

-

- automated notifications

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- PE-13 (3) AUTOMATIC FIRE SUPPRESSION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing fire protection

-

- fire suppression and detection devices/systems documentation

-

- facility housing the information system

-

- alarm service-level agreements

-

- test records of fire suppression and detection devices/systems

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for fire detection and suppression devices/systems

-

- organizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing fire suppression devices/systems

-

- activation of fire suppression devices/systems (simulated)

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

employs fire suppression and detection devices/systems for the information system that are supported by an independent energy source; and

-
-
-
- - - - - - - -
-

[2]

-
-

maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing fire protection

-

- fire suppression and detection devices/systems

-

- fire suppression and detection devices/systems documentation

-

- test records of fire suppression and detection devices/systems

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for fire detection and suppression devices/systems

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing fire suppression/detection devices/systems

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- PE-14 TEMPERATURE AND HUMIDITY CONTROLS

-
-

- Parameter: - pe-14_a organization-defined acceptable levels

-

- Value: organization-defined acceptable levels

-
-
-

- Parameter: - pe-14_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Maintains temperature and humidity levels within the facility where the information system resides at - - pe-14_a - - organization-defined acceptable levels - organization-defined acceptable levels - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Monitors temperature and humidity levels - - pe-14_b - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines acceptable temperature levels to be maintained within the facility where the information system resides;

-
-
-
- - - - - - - -
-

[2]

-
-

defines acceptable humidity levels to be maintained within the facility where the information system resides;

-
-
-
- - - - - - - -
-

[3]

-
-

maintains temperature levels within the facility where the information system resides at the organization-defined levels;

-
-
-
- - - - - - - -
-

[4]

-
-

maintains humidity levels within the facility where the information system resides at the organization-defined levels;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to monitor temperature levels;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to monitor humidity levels;

-
-
-
- - - - - - - -
-

[3]

-
-

monitors temperature levels with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[4]

-
-

monitors humidity levels with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing temperature and humidity control

-

- security plan

-

- temperature and humidity controls

-

- facility housing the information system

-

- temperature and humidity controls documentation

-

- temperature and humidity records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for information system environmental controls

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing maintenance and monitoring of temperature and humidity levels

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PE-14 (a) [consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments] PE-14 (b) [continuously]

-
-
- additional -

PE-14 (a) Requirements: The service provider measures temperature at server inlets and humidity levels by dew point.

-
-

References: None -

-
-
-

- PE-15 WATER DAMAGE PROTECTION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.

- -
-
-

- PE-15 (1) AUTOMATION SUPPORT

-
-

- Parameter: - pe-15_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts - - pe-15_a - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-

Supplemental guidance

-

Automated mechanisms can include, for example, water detection sensors, alarms, and notification systems.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be alerted when the presence of water is detected in the vicinity of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms to detect the presence of water in the vicinity of the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

alerts organization-defined personnel or roles when the presence of water is detected in the vicinity of the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing water damage protection

-

- facility housing the information system

-

- automated mechanisms for water shutoff valves

-

- automated mechanisms detecting presence of water in vicinity of information system

-

- alerts/notifications of water detection in information system facility

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for information system environmental controls

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing water detection capability and alerts for the information system

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-
- parameters -

PE-15 (1) [service provider building maintenance/physical security personnel]

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are:

-
- - - - - - - -
-

[1]

-
-

accessible;

-
-
-
- - - - - - - -
-

[2]

-
-

working properly; and

-
-
-
- - - - - - - -
-

[3]

-
-

known to key personnel.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing water damage protection

-

- facility housing the information system

-

- master shutoff valves

-

- list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system

-

- master shutoff valve documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for information system environmental controls

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Master water-shutoff valves

-

- organizational process for activating master water-shutoff

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- PE-16 DELIVERY AND REMOVAL

-
-

- Parameter: - pe-16_a organization-defined types of information system components

-

- Value: organization-defined types of information system components

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization authorizes, monitors, and controls - - pe-16_a - - organization-defined types of information system components - organization-defined types of information system components - entering and exiting the facility and maintains records of those items.

-
-
-
-

Supplemental guidance

-

Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines types of information system components to be authorized, monitored, and controlled as such components are entering and exiting the facility;

-
-
-
- - - - - - - -
-

[2]

-
-

authorizes organization-defined information system components entering the facility;

-
-
-
- - - - - - - -
-

[3]

-
-

monitors organization-defined information system components entering the facility;

-
-
-
- - - - - - - -
-

[4]

-
-

controls organization-defined information system components entering the facility;

-
-
-
- - - - - - - -
-

[5]

-
-

authorizes organization-defined information system components exiting the facility;

-
-
-
- - - - - - - -
-

[6]

-
-

monitors organization-defined information system components exiting the facility;

-
-
-
- - - - - - - -
-

[7]

-
-

controls organization-defined information system components exiting the facility;

-
-
-
- - - - - - - -
-

[8]

-
-

maintains records of information system components entering the facility; and

-
-
-
- - - - - - - -
-

[9]

-
-

maintains records of information system components exiting the facility.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing delivery and removal of information system components from the facility

-

- security plan

-

- facility housing the information system

-

- records of items entering and exiting the facility

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for controlling information system components entering and exiting the facility

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational process for authorizing, monitoring, and controlling information system-related items entering and exiting the facility

-

- automated mechanisms supporting and/or implementing authorizing, monitoring, and controlling information system-related items entering and exiting the facility

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PE-16 [all information system components]

-
-

References: None -

-
-
-

- PE-17 ALTERNATE WORK SITE

-
-

- Parameter: - pe-17_a organization-defined security controls

-

- Value: organization-defined security controls

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Employs - - pe-17_a - - organization-defined security controls - organization-defined security controls - at alternate work sites;

-
-
-
- - - - - - - -
-

b.

-
-

Assesses as feasible, the effectiveness of security controls at alternate work sites; and

-
-
-
- - - - - - - -
-

c.

-
-

Provides a means for employees to communicate with information security personnel in case of security incidents or problems.

-
-
-
-
-
-

Supplemental guidance

-

Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines security controls to be employed at alternate work sites;

-
-
-
- - - - - - - -
-

[2]

-
-

employs organization-defined security controls at alternate work sites;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

assesses, as feasible, the effectiveness of security controls at alternate work sites; and

-
-
-
- - - - - - - -
-

(c)

-
-

provides a means for employees to communicate with information security personnel in case of security incidents or problems.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing alternate work sites for organizational personnel

-

- security plan

-

- list of security controls required for alternate work sites

-

- assessments of security controls at alternate work sites

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel approving use of alternate work sites

-

- organizational personnel using alternate work sites

-

- organizational personnel assessing controls at alternate work sites

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for security at alternate work sites

-

- automated mechanisms supporting alternate work sites

-

- security controls employed at alternate work sites

-

- means of communications between personnel at alternate work sites and security personnel

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-46

-
-
-
-
-

- PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS

-
-

- Parameter: - pe-18_a organization-defined physical and environmental hazards

-

- Value: organization-defined physical and environmental hazards

-
-

- priority: P3

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization positions information system components within the facility to minimize potential damage from - - pe-18_a - - organization-defined physical and environmental hazards - organization-defined physical and environmental hazards - and to minimize the opportunity for unauthorized access.

-
-
-
-

Supplemental guidance

-

Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones).

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines physical hazards that could result in potential damage to information system components within the facility;

-
-
-
- - - - - - - -
-

[2]

-
-

defines environmental hazards that could result in potential damage to information system components within the facility;

-
-
-
- - - - - - - -
-

[3]

-
-

positions information system components within the facility to minimize potential damage from organization-defined physical and environmental hazards; and

-
-
-
- - - - - - - -
-

[4]

-
-

positions information system components within the facility to minimize the opportunity for unauthorized access.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing positioning of information system components

-

- documentation providing the location and position of information system components within the facility

-

- locations housing information system components within the facility

-

- list of physical and environmental hazards with potential to damage information system components within the facility

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for positioning information system components

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for positioning information system components

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-
- parameters -

PE-18 [physical and environmental hazards identified during threat assessment]

-
-

References: None -

-
-
-
-

PLANNING

-
-

- PL-1 SECURITY PLANNING POLICY AND PROCEDURES

-
-

- Parameter: - pl-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - pl-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - pl-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - pl-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Security planning policy - - pl-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Security planning procedures - - pl-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a planning policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the planning policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the planning policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the planning policy and associated planning controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current planning policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current planning policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current planning procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current planning procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Planning policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with planning responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PL-1 (b) (1) [at least annually] PL-1 (b) (2) [at least annually or whenever a significant change occurs]

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-18

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- PL-2 SYSTEM SECURITY PLAN

-
-

- Parameter: - pl-2_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - pl-2_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops a security plan for the information system that:

-
- - - - - - - -
-

1.

-
-

Is consistent with the organization�s enterprise architecture;

-
-
-
- - - - - - - -
-

2.

-
-

Explicitly defines the authorization boundary for the system;

-
-
-
- - - - - - - -
-

3.

-
-

Describes the operational context of the information system in terms of missions and business processes;

-
-
-
- - - - - - - -
-

4.

-
-

Provides the security categorization of the information system including supporting rationale;

-
-
-
- - - - - - - -
-

5.

-
-

Describes the operational environment for the information system and relationships with or connections to other information systems;

-
-
-
- - - - - - - -
-

6.

-
-

Provides an overview of the security requirements for the system;

-
-
-
- - - - - - - -
-

7.

-
-

Identifies any relevant overlays, if applicable;

-
-
-
- - - - - - - -
-

8.

-
-

Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and

-
-
-
- - - - - - - -
-

9.

-
-

Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Distributes copies of the security plan and communicates subsequent changes to the plan to - - pl-2_a - - organization-defined personnel or roles - organization-defined personnel or roles - ;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews the security plan for the information system - - pl-2_b - - organization-defined frequency - organization-defined frequency - ;

-
-
-
- - - - - - - -
-

d.

-
-

Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and

-
-
-
- - - - - - - -
-

e.

-
-

Protects the security plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Supplemental guidance

-

Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. -Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. 
For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide, explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.

- - - - - - - - - - - - - - - - - - - - - - - - -
-
-

- PL-2 (3) PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES

-
-

- Parameter: - pl-2_c organization-defined individuals or groups

-

- Value: organization-defined individuals or groups

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] (parameter pl-2_c) before conducting such activities in order to reduce the impact on other organizational entities.

-
-
-
-

Supplemental guidance

-

Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines individuals or groups with whom security-related activities affecting the information system are to be planned and coordinated before conducting such activities in order to reduce the impact on other organizational entities; and

-
-
-
- - - - - - - -
-

[2]

-
-

plans and coordinates security-related activities affecting the information system with organization-defined individuals or groups before conducting such activities in order to reduce the impact on other organizational entities.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- access control policy

-

- contingency planning policy

-

- procedures addressing security-related activity planning for the information system

-

- security plan for the information system

-

- contingency plan for the information system

-

- information system design documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security planning and plan implementation responsibilities

-

- organizational individuals or groups with whom security-related activities are to be planned and coordinated

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops a security plan for the information system that:

-
- - - - - - - -
-

(1)

-
-

is consistent with the organization’s enterprise architecture;

-
-
-
- - - - - - - -
-

(2)

-
-

explicitly defines the authorization boundary for the system;

-
-
-
- - - - - - - -
-

(3)

-
-

describes the operational context of the information system in terms of missions and business processes;

-
-
-
- - - - - - - -
-

(4)

-
-

provides the security categorization of the information system including supporting rationale;

-
-
-
- - - - - - - -
-

(5)

-
-

describes the operational environment for the information system and relationships with or connections to other information systems;

-
-
-
- - - - - - - -
-

(6)

-
-

provides an overview of the security requirements for the system;

-
-
-
- - - - - - - -
-

(7)

-
-

identifies any relevant overlays, if applicable;

-
-
-
- - - - - - - -
-

(8)

-
-

describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions;

-
-
-
- - - - - - - -
-

(9)

-
-

is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom copies of the security plan are to be distributed and subsequent changes to the plan are to be communicated;

-
-
-
- - - - - - - -
-

[2]

-
-

distributes copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the security plan for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the security plan for the information system with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

updates the plan to address:

-
- - - - - - - -
-

[1]

-
-

changes to the information system/environment of operation;

-
-
-
- - - - - - - -
-

[2]

-
-

problems identified during plan implementation;

-
-
-
- - - - - - - -
-

[3]

-
-

problems identified during security control assessments;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

protects the security plan from unauthorized:

-
- - - - - - - -
-

[1]

-
-

disclosure; and

-
-
-
- - - - - - - -
-

[2]

-
-

modification.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- procedures addressing security plan development and implementation

-

- procedures addressing security plan reviews and updates

-

- enterprise architecture documentation

-

- security plan for the information system

-

- records of security plan reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for security plan development/review/update/approval

-

- automated mechanisms supporting the information system security plan

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PL-2 (c) [at least annually]

-
-
-

References

-
-

NIST Special Publication 800-18

-
-
-
-
-

- PL-4 RULES OF BEHAVIOR

-
-

- Parameter: - pl-4_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

-
-
-
- - - - - - - -
-

b.

-
-

Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews and updates the rules of behavior [Assignment: organization-defined frequency] (parameter pl-4_a); and

-
-
-
- - - - - - - -
-

d.

-
-

Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior.

- - - - - - - - - - - - - - - - - - -
-
-

- PL-4 (1) SOCIAL MEDIA AND NETWORKING RESTRICTIONS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.

-
-
-
-

Supplemental guidance

-

This control enhancement addresses rules of behavior related to the use of social media/networking sites: (i) when organizational personnel are using such sites for official duties or in the conduct of official business; (ii) when organizational information is involved in social media/networking transactions; and (iii) when personnel are accessing social media/networking sites from organizational information systems. Organizations also address specific rules that prevent unauthorized entities from obtaining and/or inferring non-public organizational information (e.g., system account information, personally identifiable information) from social media/networking sites.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization includes the following in the rules of behavior:

-
- - - - - - - -
-

[1]

-
-

explicit restrictions on the use of social media/networking sites; and

-
-
-
- - - - - - - -
-

[2]

-
-

posting organizational information on public websites.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- procedures addressing rules of behavior for information system users

-

- rules of behavior

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior

-

- organizational personnel who are authorized users of the information system and have signed rules of behavior

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for establishing rules of behavior

-

- automated mechanisms supporting and/or implementing the establishment of rules of behavior

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

establishes, for individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

-
-
-
- - - - - - - -
-

[2]

-
-

makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

receives a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the rules of behavior;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the rules of behavior with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- procedures addressing rules of behavior for information system users

-

- rules of behavior

-

- signed acknowledgements

-

- records for rules of behavior reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior

-

- organizational personnel who are authorized users of the information system and have signed and re-signed rules of behavior

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior

-

- automated mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PL-4 (c) [annually]

-
-
-

References

-
-

NIST Special Publication 800-18

-
-
-
-
-

- PL-8 INFORMATION SECURITY ARCHITECTURE

-
-

- Parameter: - pl-8_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops an information security architecture for the information system that:

-
- - - - - - - -
-

1.

-
-

Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;

-
-
-
- - - - - - - -
-

2.

-
-

Describes how the information security architecture is integrated into and supports the enterprise architecture; and

-
-
-
- - - - - - - -
-

3.

-
-

Describes any information security assumptions about, and dependencies on, external services;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the information security architecture [Assignment: organization-defined frequency] (parameter pl-8_a) to reflect updates in the enterprise architecture; and

-
-
-
- - - - - - - -
-

c.

-
-

Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

-
-
-
-
-
-

Supplemental guidance

-

This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs.

In today's modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented.
PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate/show consistency with the organization's enterprise architecture and information security architecture.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops an information security architecture for the information system that describes:

-
- - - - - - - -
-

(1)

-
-

the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;

-
-
-
- - - - - - - -
-

(2)

-
-

how the information security architecture is integrated into and supports the enterprise architecture;

-
-
-
- - - - - - - -
-

(3)

-
-

any information security assumptions about, and dependencies on, external services;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the information security architecture;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the information security architecture with the organization-defined frequency to reflect updates in the enterprise architecture;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

ensures that planned information security architecture changes are reflected in:

-
- - - - - - - -
-

[1]

-
-

the security plan;

-
-
-
- - - - - - - -
-

[2]

-
-

the security Concept of Operations (CONOPS); and

-
-
-
- - - - - - - -
-

[3]

-
-

the organizational procurements/acquisitions.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- procedures addressing information security architecture development

-

- procedures addressing information security architecture reviews and updates

-

- enterprise architecture documentation

-

- information security architecture documentation

-

- security plan for the information system

-

- security CONOPS for the information system

-

- records of information security architecture reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security planning and plan implementation responsibilities

-

- organizational personnel with information security architecture development responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for developing, reviewing, and updating the information security architecture

-

- automated mechanisms supporting and/or implementing the development, review, and update of the information security architecture

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PL-8 (b) [at least annually or when a significant change occurs]

-
-
- additional -

PL-8 (b) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.

-
-

References: None -

-
-
-
-

PERSONNEL SECURITY

-
-

- PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES

-
-

- Parameter: - ps-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ps-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles] (parameter ps-1_a):

-
- - - - - - - -
-

1.

-
-

A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Personnel security policy [Assignment: organization-defined frequency] (parameter ps-1_b); and

-
-
-
- - - - - - - -
-

2.

-
-

Personnel security procedures [Assignment: organization-defined frequency] (parameter ps-1_c).

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a personnel security policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the personnel security policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the personnel security policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current personnel security policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current personnel security policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current personnel security procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current personnel security procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PS-1 (b) (1) [at least annually]

PS-1 (b) (2) [at least annually or whenever a significant change occurs]

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- PS-2 POSITION RISK DESIGNATION

-
-

- Parameter: - ps-2_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Assigns a risk designation to all organizational positions;

-
-
-
- - - - - - - -
-

b.

-
-

Establishes screening criteria for individuals filling those positions; and

-
-
-
- - - - - - - -
-

c.

-
-

Reviews and updates position risk designations [Assignment: organization-defined frequency] (parameter ps-2_a).

-
-
-
-
-
-

Supplemental guidance

-

Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances).

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

assigns a risk designation to all organizational positions;

-
-
-
- - - - - - - -
-

(b)

-
-

establishes screening criteria for individuals filling those positions;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update position risk designations; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates position risk designations with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing position categorization

-

- appropriate codes of federal regulations

-

- list of risk designations for organizational positions

-

- security plan

-

- records of position risk designation reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for assigning, reviewing, and updating position risk designations

-

- organizational processes for establishing screening criteria

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PS-2 (c) [at least annually]

-
-
-

References

-
-

5 C.F.R. 731.106

-
-
-
-
-

- PS-3 PERSONNEL SCREENING

-
-

- Parameter: - ps-3_a organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening

-

- Value: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Screens individuals prior to authorizing access to the information system; and

-
-
-
- - - - - - - -
-

b.

-
-

Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening] (parameter ps-3_a).

-
-
-
-
-
-

Supplemental guidance

-

Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

screens individuals prior to authorizing access to the information system;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines conditions requiring re-screening;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency of re-screening where it is so indicated; and

-
-
-
- - - - - - - -
-

[3]

-
-

re-screens individuals in accordance with organization-defined conditions requiring re-screening and, where re-screening is so indicated, with the organization-defined frequency of such re-screening.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel screening

-

- records of screened personnel

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for personnel screening

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PS-3 (b) [for national security clearances, a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and the fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions]

-
-
-

References

-
-

5 C.F.R. 731.106

-
-
-

FIPS Publication 199

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-60

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

ICD 704

-
-
-
-
-

- PS-4 PERSONNEL TERMINATION

-
-

- Parameter: - ps-4_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ps-4_b organization-defined information security topics

-

- Value: organization-defined information security topics

-
-
-

- Parameter: - ps-4_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-4_d organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization, upon termination of individual employment:

-
- - - - - - - -
-

a.

-
-

Disables information system access within [Assignment: organization-defined time period] (parameter ps-4_a);

-
-
-
- - - - - - - -
-

b.

-
-

Terminates/revokes any authenticators/credentials associated with the individual;

-
-
-
- - - - - - - -
-

c.

-
-

Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics] (parameter ps-4_b);

-
-
-
- - - - - - - -
-

d.

-
-

Retrieves all security-related organizational information system-related property;

-
-
-
- - - - - - - -
-

e.

-
-

Retains access to organizational information and information systems formerly controlled by terminated individual; and

-
-
-
- - - - - - - -
-

f.

-
-

Notifies - - ps-4_c - - organization-defined personnel or roles - organization-defined personnel or roles - within - - ps-4_d - - organization-defined time period - organization-defined time period - .

-
-
-
-
-
-

Supplemental guidance

-

Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified.

- - - - - -
-
-

- PS-4 (2) AUTOMATED NOTIFICATION

-
-

- Parameter: - ps-4_e organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to notify - - ps-4_e - - organization-defined personnel or roles - organization-defined personnel or roles - upon termination of an individual.

-
-
-
-

Supplemental guidance

-

In organizations with a large number of employees, not all personnel who need to know about termination actions receive the appropriate notifications�or, if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to specific organizational personnel or roles (e.g., management personnel, supervisors, personnel security officers, information security officers, systems administrators, or information technology administrators) when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including, for example, telephonically, via electronic mail, via text message, or via websites.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified upon termination of an individual; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms to notify organization-defined personnel or roles upon termination of an individual.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel termination

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- records of personnel termination actions

-

- automated notifications of employee terminations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for personnel termination

-

- automated mechanisms supporting and/or implementing personnel termination notifications

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-
- parameters -

PS-4 (2) [access control personnel responsible for disabling access to the system]

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization, upon termination of individual employment,:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period within which to disable information system access;

-
-
-
- - - - - - - -
-

[2]

-
-

disables information system access within the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

terminates/revokes any authenticators/credentials associated with the individual;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines information security topics to be discussed when conducting exit interviews;

-
-
-
- - - - - - - -
-

[2]

-
-

conducts exit interviews that include a discussion of organization-defined information security topics;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

retrieves all security-related organizational information system-related property;

-
-
-
- - - - - - - -
-

(e)

-
-

retains access to organizational information and information systems formerly controlled by the terminated individual;

-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified of the termination;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which to notify organization-defined personnel or roles; and

-
-
-
- - - - - - - -
-

[3]

-
-

notifies organization-defined personnel or roles within the organization-defined time period.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel termination

-

- records of personnel termination actions

-

- list of information system accounts

-

- records of terminated or revoked authenticators/credentials

-

- records of exit interviews

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for personnel termination

-

- automated mechanisms supporting and/or implementing personnel termination notifications

-

- automated mechanisms for disabling information system access/revoking authenticators

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PS-4 (a) [eight (8) hours]

-
-

References: None -

-
-
-

- PS-5 PERSONNEL TRANSFER

-
-

- Parameter: - ps-5_a organization-defined transfer or reassignment actions

-

- Value: organization-defined transfer or reassignment actions

-
-
-

- Parameter: - ps-5_b organization-defined time period following the formal transfer action

-

- Value: organization-defined time period following the formal transfer action

-
-
-

- Parameter: - ps-5_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-5_d organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;

-
-
-
- - - - - - - -
-

b.

-
-

Initiates - - ps-5_a - - organization-defined transfer or reassignment actions - organization-defined transfer or reassignment actions - within - - ps-5_b - - organization-defined time period following the formal transfer action - organization-defined time period following the formal transfer action - ;

-
-
-
- - - - - - - -
-

c.

-
-

Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

-
-
-
- - - - - - - -
-

d.

-
-

Notifies - - ps-5_c - - organization-defined personnel or roles - organization-defined personnel or roles - within - - ps-5_d - - organization-defined time period - organization-defined time period - .

-
-
-
-
-
-

Supplemental guidance

-

This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current:

-
- - - - - - - -
-

[1]

-
-

logical access authorizations to information systems;

-
-
-
- - - - - - - -
-

[2]

-
-

physical access authorizations to information systems and facilities;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines transfer or reassignment actions to be initiated following transfer or reassignment;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which transfer or reassignment actions must occur following transfer or reassignment;

-
-
-
- - - - - - - -
-

[3]

-
-

initiates organization-defined transfer or reassignment actions within the organization-defined time period following transfer or reassignment;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization; and

-
-
-
- - - - - - - -
-

[3]

-
-

notifies organization-defined personnel or roles within the organization-defined time period when individuals are reassigned or transferred to other positions within the organization.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel transfer

-

- security plan

-

- records of personnel transfer actions

-

- list of information system and facility access authorizations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for personnel transfer

-

- automated mechanisms supporting and/or implementing personnel transfer notifications

-

- automated mechanisms for disabling information system access/revoking authenticators

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PS-5 (b)-2 [twenty-four (24) hours] PS-5 (d)-2 [twenty-four (24) hours]

-
-

References: None -

-
-
-

- PS-6 ACCESS AGREEMENTS

-
-

- Parameter: - ps-6_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ps-6_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops and documents access agreements for organizational information systems;

-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the access agreements - - ps-6_a - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

c.

-
-

Ensures that individuals requiring access to organizational information and information systems:

-
- - - - - - - -
-

1.

-
-

Sign appropriate access agreements prior to being granted access; and

-
-
-
- - - - - - - -
-

2.

-
-

Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or - - ps-6_b - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops and documents access agreements for organizational information systems;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the access agreements;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the access agreements with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

(1)

-
-

ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;

-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to re-sign access agreements to maintain access to organizational information systems when access agreements have been updated;

-
-
-
- - - - - - - -
-

[2]

-
-

ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or with the organization-defined frequency.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing access agreements for organizational information and information systems

-

- security plan

-

- access agreements

-

- records of access agreement reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel who have signed/resigned access agreements

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for access agreements

-

- automated mechanisms supporting access agreements

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PS-6 (b) [at least annually] PS-6 (c) (2) [at least annually and any time there is a change to the user's level of access]

-
-

References: None -

-
-
-

- PS-7 THIRD-PARTY PERSONNEL SECURITY

-
-

- Parameter: - ps-7_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-7_b organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes personnel security requirements including security roles and responsibilities for third-party providers;

-
-
-
- - - - - - - -
-

b.

-
-

Requires third-party providers to comply with personnel security policies and procedures established by the organization;

-
-
-
- - - - - - - -
-

c.

-
-

Documents personnel security requirements;

-
-
-
- - - - - - - -
-

d.

-
-

Requires third-party providers to notify - - ps-7_a - - organization-defined personnel or roles - organization-defined personnel or roles - of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within - - ps-7_b - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

e.

-
-

Monitors provider compliance.

-
-
-
-
-
-

Supplemental guidance

-

Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

establishes personnel security requirements, including security roles and responsibilities, for third-party providers;

-
-
-
- - - - - - - -
-

(b)

-
-

requires third-party providers to comply with personnel security policies and procedures established by the organization;

-
-
-
- - - - - - - -
-

(c)

-
-

documents personnel security requirements;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;

-
-
-
- - - - - - - -
-

[3]

-
-

requires third-party providers to notify organization-defined personnel or roles within the organization-defined time period of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges; and

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

monitors provider compliance.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing third-party personnel security

-

- list of personnel security requirements

-

- acquisition documents

-

- service-level agreements

-

- compliance monitoring process

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- third-party providers

-

- system/network administrators

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for managing and monitoring third-party personnel security

-

- automated mechanisms supporting and/or implementing monitoring of provider compliance

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PS-7 (d)-2 [terminations: immediately; transfers: within twenty-four (24) hours]

-
-
-

References

-
-

NIST Special Publication 800-35

-
-
-
-
-

- PS-8 PERSONNEL SANCTIONS

-
-

- Parameter: - ps-8_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-8_b organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and

-
-
-
- - - - - - - -
-

b.

-
-

Notifies - - ps-8_a - - organization-defined personnel or roles - organization-defined personnel or roles - within - - ps-8_b - - organization-defined time period - organization-defined time period - when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

-
-
-
-
-
-

Supplemental guidance

-

Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

employs a formal sanctions process for individuals failing to comply with established information security policies and procedures;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified when a formal employee sanctions process is initiated;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated; and

-
-
-
- - - - - - - -
-

[3]

-
-

notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel sanctions

-

- rules of behavior

-

- records of formal sanctions

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for managing personnel sanctions

-

- automated mechanisms supporting and/or implementing notifications

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

PS-8(b)-1 [at a minimum, the ISSO and/or similar role within the organization]

-
-

References: None -

-
-
-
-

RISK ASSESSMENT

-
-

- RA-1 RISK ASSESSMENT POLICY AND PROCEDURES

-
-

- Parameter: - ra-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ra-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ra-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ra-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Risk assessment policy - - ra-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Risk assessment procedures - - ra-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a risk assessment policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the risk assessment policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the risk assessment policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current risk assessment policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current risk assessment policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current risk assessment procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current risk assessment procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- risk assessment policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with risk assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

RA-1 (b) (1) [at least annually] RA-1 (b) (2) [at least annually or whenever a significant change occurs]

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-30

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- RA-2 SECURITY CATEGORIZATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

-
-
-
- - - - - - - -
-

b.

-
-

Documents the security categorization results (including supporting rationale) in the security plan for the information system; and

-
-
-
- - - - - - - -
-

c.

-
-

Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

-
-
-
-
-
-

Supplemental guidance

-

Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

-
-
-
- - - - - - - -
-

(b)

-
-

documents the security categorization results (including supporting rationale) in the security plan for the information system; and

-
-
-
- - - - - - - -
-

(c)

-
-

ensures the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Risk assessment policy

-

- security planning policy and procedures

-

- procedures addressing security categorization of organizational information and information systems

-

- security plan

-

- security categorization documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security categorization and risk assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for security categorization

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-30

-
-
-

NIST Special Publication 800-39

-
-
-

NIST Special Publication 800-60

-
-
-
-
-

- RA-3 RISK ASSESSMENT

-
-

- Parameter: - ra-3_a organization-defined document

-

- Value: organization-defined document

-
-
-

- Parameter: - ra-3_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ra-3_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ra-3_d organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;

-
-
-
- - - - - - - -
-

b.

-
-

Documents risk assessment results in [Selection: security plan; risk assessment report; - - ra-3_a - - organization-defined document - organization-defined document - ];

-
-
-
- - - - - - - -
-

c.

-
-

Reviews risk assessment results - - ra-3_b - - organization-defined frequency - organization-defined frequency - ;

-
-
-
- - - - - - - -
-

d.

-
-

Disseminates risk assessment results to - - ra-3_c - - organization-defined personnel or roles - organization-defined personnel or roles - ; and

-
-
-
- - - - - - - -
-

e.

-
-

Updates the risk assessment - - ra-3_d - - organization-defined frequency - organization-defined frequency - or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

-
-
-
-
-
-

Supplemental guidance

-

Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. -Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of:

-
- - - - - - - -
-

[1]

-
-

the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

the information the system processes, stores, or transmits;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report);

-
-
-
- - - - - - - -
-

[2]

-
-

documents risk assessment results in one of the following:

-
- - - - - - - -
-

[a]

-
-

the security plan;

-
-
-
- - - - - - - -
-

[b]

-
-

the risk assessment report; or

-
-
-
- - - - - - - -
-

[c]

-
-

the organization-defined document;

-
-
-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review risk assessment results;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews risk assessment results with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom risk assessment results are to be disseminated;

-
-
-
- - - - - - - -
-

[2]

-
-

disseminates risk assessment results to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to update the risk assessment;

-
-
-
- - - - - - - -
-

[2]

-
-

updates the risk assessment:

-
- - - - - - - -
-

[a]

-
-

with the organization-defined frequency;

-
-
-
- - - - - - - -
-

[b]

-
-

whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); and

-
-
-
- - - - - - - -
-

[c]

-
-

whenever there are other conditions that may impact the security state of the system.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Risk assessment policy

-

- security planning policy and procedures

-

- procedures addressing organizational assessments of risk

-

- security plan

-

- risk assessment

-

- risk assessment results

-

- risk assessment reviews

-

- risk assessment updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with risk assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for risk assessment

-

- automated mechanisms supporting and/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

RA-3 (b) [security assessment report]

-

RA-3 (c) [at least annually or whenever a significant change occurs]

-

RA-3 (e) [annually]

-
-
- additional -

RA-3 Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. RA-3 (d) Requirement: Include all Authoring Officials and FedRAMP ISSOs.

-
-
-

References

-
-

OMB Memorandum 04-04

-
-
-

NIST Special Publication 800-30

-
-
-

NIST Special Publication 800-39

-
-
-

http://idmanagement.gov

-
-
-
-
-

- RA-5 VULNERABILITY SCANNING

-
-

- Parameter: - ra-5_a organization-defined frequency and/or randomly in accordance with organization-defined process

-

- Value: organization-defined frequency and/or randomly in accordance with organization-defined process

-
-
-

- Parameter: - ra-5_b organization-defined response times

-

- Value: organization-defined response times

-
-
-

- Parameter: - ra-5_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Scans for vulnerabilities in the information system and hosted applications - - ra-5_a - - organization-defined frequency and/or randomly in accordance with organization-defined process - organization-defined frequency and/or randomly in accordance with organization-defined process - and when new vulnerabilities potentially affecting the system/applications are identified and reported;

-
-
-
- - - - - - - -
-

b.

-
-

Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

-
- - - - - - - -
-

1.

-
-

Enumerating platforms, software flaws, and improper configurations;

-
-
-
- - - - - - - -
-

2.

-
-

Formatting checklists and test procedures; and

-
-
-
- - - - - - - -
-

3.

-
-

Measuring vulnerability impact;

-
-
-
-
-
- - - - - - - -
-

c.

-
-

Analyzes vulnerability scan reports and results from security control assessments;

-
-
-
- - - - - - - -
-

d.

-
-

Remediates legitimate vulnerabilities - - ra-5_b - - organization-defined response times - organization-defined response times - in accordance with an organizational assessment of risk; and

-
-
-
- - - - - - - -
-

e.

-
-

Shares information obtained from the vulnerability scanning process and security control assessments with - - ra-5_c - - organization-defined personnel or roles - organization-defined personnel or roles - to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

-
-
-
-
-
-

Supplemental guidance

-

Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

- - - - - - - - -
-
-

- RA-5 (1) UPDATE TOOL CAPABILITY

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

-
-
-
-

Supplemental guidance

-

The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

-
-
-
-

Assessment: EXAMINE

-

- Procedures addressing vulnerability scanning

-

- security plan

-

- security assessment report

-

- vulnerability scanning tools and associated configuration documentation

-

- vulnerability scanning results

-

- patch and vulnerability management records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with vulnerability scanning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for vulnerability scanning

-

- automated mechanisms/tools supporting and/or implementing vulnerability scanning

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- RA-5 (2) UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED

-
-

- Parameter: - ra-5_d organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization updates the information system vulnerabilities scanned [Selection (one or more): - - ra-5_d - - organization-defined frequency - organization-defined frequency - ; prior to a new scan; when new vulnerabilities are identified and reported].

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the frequency to update the information system vulnerabilities scanned;

-
-
-
- - - - - - - -
-

[2]

-
-

updates the information system vulnerabilities scanned one or more of the following:

-
- - - - - - - -
-

[a]

-
-

with the organization-defined frequency;

-
-
-
- - - - - - - -
-

[b]

-
-

prior to a new scan; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

when new vulnerabilities are identified and reported.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Procedures addressing vulnerability scanning

-

- security plan

-

- security assessment report

-

- vulnerability scanning tools and associated configuration documentation

-

- vulnerability scanning results

-

- patch and vulnerability management records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with vulnerability scanning responsibilities

-

- organizational personnel with vulnerability scan analysis responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for vulnerability scanning

-

- automated mechanisms/tools supporting and/or implementing vulnerability scanning

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

RA-5 (2) [prior to a new scan]

-
-

References: None -

-
-
-

- RA-5 (4) DISCOVERABLE INFORMATION

-
-

- Parameter: - ra-5_e organization-defined corrective actions

-

- Value: organization-defined corrective actions

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization determines what information about the information system is discoverable by adversaries and subsequently takes - - ra-5_e - - organization-defined corrective actions - organization-defined corrective actions - .

-
-
-
-

Supplemental guidance

-

Discoverable information includes information that adversaries could obtain without directly compromising or breaching the information system, for example, by collecting information the system is exposing or by conducting extensive searches of the web. Corrective actions can include, for example, notifying appropriate organizational personnel, removing designated information, or changing the information system to make designated information less relevant or attractive to adversaries.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines corrective actions to be taken if information about the information system is discoverable by adversaries;

-
-
-
- - - - - - - -
-

[2]

-
-

determines what information about the information system is discoverable by adversaries; and

-
-
-
- - - - - - - -
-

[3]

-
-

subsequently takes organization-defined corrective actions.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Procedures addressing vulnerability scanning

-

- security assessment report

-

- penetration test results

-

- vulnerability scanning results

-

- risk assessment report

-

- records of corrective actions taken

-

- incident response records

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with vulnerability scanning and/or penetration testing responsibilities

-

- organizational personnel with vulnerability scan analysis responsibilities

-

- organizational personnel responsible for risk response

-

- organizational personnel responsible for incident management and response

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for vulnerability scanning

-

- organizational processes for risk response

-

- organizational processes for incident management and response

-

- automated mechanisms/tools supporting and/or implementing vulnerability scanning

-

- automated mechanisms supporting and/or implementing risk response

-

- automated mechanisms supporting and/or implementing incident management and response

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-
- parameters -

RA-5 (4) [notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions]

-
-

References: None -

-
-
-

- RA-5 (5) PRIVILEGED ACCESS

-
-

- Parameter: - ra-5_f organization-identified information system components

-

- Value: organization-identified information system components

-
-
-

- Parameter: - ra-5_g organization-defined vulnerability scanning activities

-

- Value: organization-defined vulnerability scanning activities

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements privileged access authorization to - - ra-5_f - - organization-identified information system components - organization-identified information system components - for selected - - ra-5_g - - organization-defined vulnerability scanning activities - organization-defined vulnerability scanning activities - .

-
-
-
-

Supplemental guidance

-

In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines information system components to which privileged access is authorized for selected vulnerability scanning activities;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines vulnerability scanning activities selected for privileged access authorization to organization-defined information system components; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system implements privileged access authorization to organization-defined information system components for selected organization-defined vulnerability scanning activities.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Risk assessment policy

-

- procedures addressing vulnerability scanning

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of information system components for vulnerability scanning

-

- personnel access authorization list

-

- authorization credentials

-

- access authorization records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with vulnerability scanning responsibilities

-

- system/network administrators

-

- organizational personnel responsible for access control to the information system

-

- organizational personnel responsible for configuration management of the information system

-

- system developers

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for vulnerability scanning

-

- organizational processes for access control

-

- automated mechanisms supporting and/or implementing access control

-

- automated mechanisms/tools supporting and/or implementing vulnerability scanning

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

RA-5 (5)-1 [operating systems / web applications / databases] RA-5 (5)-2 [all scans]

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines the frequency for conducting vulnerability scans on the information system and hosted applications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

defines the process for conducting random vulnerability scans on the information system and hosted applications;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

in accordance with the organization-defined frequency and/or organization-defined process for conducting random scans, scans for vulnerabilities in:

-
- - - - - - - -
-

[a]

-
-

the information system;

-
-
-
- - - - - - - -
-

[b]

-
-

hosted applications;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

when new vulnerabilities potentially affecting the system/applications are identified and reported, scans for vulnerabilities in:

-
- - - - - - - -
-

[a]

-
-

the information system;

-
-
-
- - - - - - - -
-

[b]

-
-

hosted applications;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

enumerating platforms;

-
-
-
- - - - - - - -
-

[2]

-
-

enumerating software flaws;

-
-
-
- - - - - - - -
-

[3]

-
-

enumerating improper configurations;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[1]

-
-

formatting checklists;

-
-
-
- - - - - - - -
-

[2]

-
-

formatting test procedures;

-
-
-
-
-
- - - - - - - -
-

(3)

-
-

measuring vulnerability impact;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

analyzes vulnerability scan reports;

-
-
-
- - - - - - - -
-

[2]

-
-

analyzes results from security control assessments;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;

-
-
-
- - - - - - - -
-

[2]

-
-

remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared;

-
-
-
- - - - - - - -
-

[2]

-
-

shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies); and

-
-
-
- - - - - - - -
-

[3]

-
-

shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Risk assessment policy

-

- procedures addressing vulnerability scanning

-

- risk assessment

-

- security plan

-

- security assessment report

-

- vulnerability scanning tools and associated configuration documentation

-

- vulnerability scanning results

-

- patch and vulnerability management records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with risk assessment, security control assessment and vulnerability scanning responsibilities

-

- organizational personnel with vulnerability scan analysis responsibilities

-

- organizational personnel with vulnerability remediation responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for vulnerability scanning, analysis, remediation, and information sharing

-

- automated mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

RA-5 (a) [monthly operating system/infrastructure; monthly web applications and databases] RA-5 (d) [high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery]

-
-
- additional -

RA-5 (a) Requirement: an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually. RA-5 (e) Requirement: to include the Risk Executive; for JAB authorizations to include FedRAMP

-
-
-

References

-
-

NIST Special Publication 800-40

-
-
-

NIST Special Publication 800-70

-
-
-

NIST Special Publication 800-115

-
-
-

http://cwe.mitre.org

-
-
-

http://nvd.nist.gov

-
-
-
-
-
-

SYSTEM AND SERVICES ACQUISITION

-
-

- SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES

-
-

- Parameter: - sa-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - sa-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - sa-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - sa-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

System and services acquisition policy - - sa-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

System and services acquisition procedures - - sa-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a system and services acquisition policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the system and services acquisition policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the system and services acquisition policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and services acquisition policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and services acquisition policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and services acquisition procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and services acquisition procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SA-1 (b) (1) [at least annually] SA-1 (b) (2) [at least annually or whenever a significant change occurs]

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- SA-2 ALLOCATION OF RESOURCES

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Determines information security requirements for the information system or information system service in mission/business process planning;

-
-
-
- - - - - - - -
-

b.

-
-

Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and

-
-
-
- - - - - - - -
-

c.

-
-

Establishes a discrete line item for information security in organizational programming and budgeting documentation.

-
-
-
-
-
-

Supplemental guidance

-

Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

determines information security requirements for the information system or information system service in mission/business process planning;

-
-
-
- - - - - - - -
-

(b)

-
-

to protect the information system or information system service as part of its capital planning and investment control process:

-
- - - - - - - -
-

[1]

-
-

determines the resources required;

-
-
-
- - - - - - - -
-

[2]

-
-

documents the resources required;

-
-
-
- - - - - - - -
-

[3]

-
-

allocates the resources required; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

establishes a discrete line item for information security in organizational programming and budgeting documentation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the allocation of resources to information security requirements

-

- procedures addressing capital planning and investment control

-

- organizational programming and budgeting documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with capital planning, investment control, organizational programming and budgeting responsibilities

-

- organizational personnel responsible for determining information security requirements for information systems/services

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for determining information security requirements

-

- organizational processes for capital planning, programming, and budgeting

-

- automated mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-65

-
-
-
-
-

- SA-3 SYSTEM DEVELOPMENT LIFE CYCLE

-
-

- Parameter: - sa-3_a organization-defined system development life cycle

-

- Value: organization-defined system development life cycle

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Manages the information system using - - sa-3_a - - organization-defined system development life cycle - organization-defined system development life cycle - that incorporates information security considerations;

-
-
-
- - - - - - - -
-

b.

-
-

Defines and documents information security roles and responsibilities throughout the system development life cycle;

-
-
-
- - - - - - - -
-

c.

-
-

Identifies individuals having information security roles and responsibilities; and

-
-
-
- - - - - - - -
-

d.

-
-

Integrates the organizational information security risk management process into system development life cycle activities.

-
-
-
-
-
-

Supplemental guidance

-

A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a system development life cycle that incorporates information security considerations to be used to manage the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

manages the information system using the organization-defined system development life cycle;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

defines and documents information security roles and responsibilities throughout the system development life cycle;

-
-
-
- - - - - - - -
-

(c)

-
-

identifies individuals having information security roles and responsibilities; and

-
-
-
- - - - - - - -
-

(d)

-
-

integrates the organizational information security risk management process into system development life cycle activities.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security into the system development life cycle process

-

- information system development life cycle documentation

-

- information security risk management strategy/program documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security and system life cycle development responsibilities

-

- organizational personnel with information security risk management responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for defining and documenting the SDLC

-

- organizational processes for identifying SDLC roles and responsibilities

-

- organizational process for integrating information security risk management into the SDLC

-

- automated mechanisms supporting and/or implementing the SDLC

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-64

-
-
-
-
-

- SA-4 ACQUISITION PROCESS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

-
- - - - - - - -
-

a.

-
-

Security functional requirements;

-
-
-
- - - - - - - -
-

b.

-
-

Security strength requirements;

-
-
-
- - - - - - - -
-

c.

-
-

Security assurance requirements;

-
-
-
- - - - - - - -
-

d.

-
-

Security-related documentation requirements;

-
-
-
- - - - - - - -
-

e.

-
-

Requirements for protecting security-related documentation;

-
-
-
- - - - - - - -
-

f.

-
-

Description of the information system development environment and environment in which the system is intended to operate; and

-
-
-
- - - - - - - -
-

g.

-
-

Acceptance criteria.

-
-
-
-
-
-

Supplemental guidance

-

Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. -Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). 
Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA.

- - - - - - - - -
-
-

- SA-4 (1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

-
-
-
-

Supplemental guidance

-

Functional properties of security controls describe the functionality (i.e., security capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- solicitation documents

-

- acquisition documentation

-

- acquisition contracts for the information system, system component, or information system services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security functional requirements

-

- information system developer or service provider

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for determining information system security functional, requirements

-

- organizational processes for developing acquisition contracts

-

- automated mechanisms supporting and/or implementing acquisitions and inclusion of security requirements in contracts

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SA-4 (2) DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS

-
-

- Parameter: - sa-4_a organization-defined design/implementation information

-

- Value: organization-defined design/implementation information

-
-
-

- Parameter: - sa-4_b organization-defined level of detail

-

- Value: organization-defined level of detail

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; - - sa-4_a - - organization-defined design/implementation information - organization-defined design/implementation information - ] at - - sa-4_b - - organization-defined level of detail - organization-defined level of detail - .

-
-
-
-

Supplemental guidance

-

Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines level of detail that the developer is required to provide in design and implementation information for the security controls to be employed in the information system, system component, or information system service;

-
-
-
- - - - - - - -
-

[2]

-
-

defines design/implementation information that the developer is to provide for the security controls to be employed (if selected);

-
-
-
- - - - - - - -
-

[3]

-
-

requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes, at the organization-defined level of detail, one or more of the following:

-
- - - - - - - -
-

[a]

-
-

security-relevant external system interfaces;

-
-
-
- - - - - - - -
-

[b]

-
-

high-level design;

-
-
-
- - - - - - - -
-

[c]

-
-

low-level design;

-
-
-
- - - - - - - -
-

[d]

-
-

source code;

-
-
-
- - - - - - - -
-

[e]

-
-

hardware schematics; and/or

-
-
-
- - - - - - - -
-

[f]

-
-

organization-defined design/implementation information.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- solicitation documents

-

- acquisition documentation

-

- acquisition contracts for the information system, system components, or information system services

-

- design and implementation information for security controls employed in the information system, system component, or information system service

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- information system developer or service provider

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for determining level of detail for system design and security controls

-

- organizational processes for developing acquisition contracts

-

- automated mechanisms supporting and/or implementing development of system design details

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SA-4 (2)-1 [at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram; [organization-defined design/implementation information]]

-
-

References: None -

-
-
-

- SA-4 (9) FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

-
-
-
-

Supplemental guidance

-

The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design phases) allows organizations to influence the design of the information system, information system component, or information system service. This early involvement in the life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services (or when requiring information system service providers to do so). Early identification of functions, ports, protocols, and services avoids costly retrofitting of security controls after the information system, system component, or information system service has been implemented. SA-9 describes requirements for external information system services with organizations identifying which functions, ports, protocols, and services are provided from external sources.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle:

-
- - - - - - - -
-

[1]

-
-

the functions intended for organizational use;

-
-
-
- - - - - - - -
-

[2]

-
-

the ports intended for organizational use;

-
-
-
- - - - - - - -
-

[3]

-
-

the protocols intended for organizational use; and

-
-
-
- - - - - - - -
-

[4]

-
-

the services intended for organizational use.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- information system design documentation

-

- information system documentation including functions, ports, protocols, and services intended for organizational use

-

- acquisition contracts for information systems or services

-

- acquisition documentation

-

- solicitation documentation

-

- service-level agreements

-

- organizational security requirements, descriptions, and criteria for developers of information systems, system components, and information system services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- system/network administrators

-

- organizational personnel operating, using, and/or maintaining the information system

-

- information system developers

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SA-4 (10) USE OF APPROVED PIV PRODUCTS

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

-
-
-
-

Supplemental guidance

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- solicitation documentation

-

- acquisition documentation

-

- acquisition contracts for the information system, system component, or information system service

-

- service-level agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- organizational personnel with responsibility for ensuring only FIPS 201-approved products are implemented

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for selecting and employing FIPS 201-approved products

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

-
- - - - - - - -
-

(a)

-
-

security functional requirements;

-
-
-
- - - - - - - -
-

(b)

-
-

security strength requirements;

-
-
-
- - - - - - - -
-

(c)

-
-

security assurance requirements;

-
-
-
- - - - - - - -
-

(d)

-
-

security-related documentation requirements;

-
-
-
- - - - - - - -
-

(e)

-
-

requirements for protecting security-related documentation;

-
-
-
- - - - - - - -
-

(f)

-
-

description of:

-
- - - - - - - -
-

[1]

-
-

the information system development environment;

-
-
-
- - - - - - - -
-

[2]

-
-

the environment in which the system is intended to operate; and

-
-
-
-
-
- - - - - - - -
-

(g)

-
-

acceptance criteria.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- acquisition contracts for the information system, system component, or information system service

-

- information system design documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security functional, strength, and assurance requirements

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for determining information system security functional, strength, and assurance requirements

-

- organizational processes for developing acquisition contracts

-

- automated mechanisms supporting and/or implementing acquisitions and inclusion of security requirements in contracts

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

SA-4 Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.

-
-
-

References

-
-

HSPD-12

-
-
-

ISO/IEC 15408

-
-
-

FIPS Publication 140-2

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-23

-
-
-

NIST Special Publication 800-35

-
-
-

NIST Special Publication 800-36

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-64

-
-
-

NIST Special Publication 800-70

-
-
-

NIST Special Publication 800-137

-
-
-

Federal Acquisition Regulation

-
-
-

http://www.niap-ccevs.org

-
-
-

http://fips201ep.cio.gov

-
-
-

http://www.acquisition.gov/far

-
-
-
-
-

- SA-5 INFORMATION SYSTEM DOCUMENTATION

-
-

- Parameter: - sa-5_a organization-defined actions

-

- Value: organization-defined actions

-
-
-

- Parameter: - sa-5_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Obtains administrator documentation for the information system, system component, or information system service that describes:

-
- - - - - - - -
-

1.

-
-

Secure configuration, installation, and operation of the system, component, or service;

-
-
-
- - - - - - - -
-

2.

-
-

Effective use and maintenance of security functions/mechanisms; and

-
-
-
- - - - - - - -
-

3.

-
-

Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Obtains user documentation for the information system, system component, or information system service that describes:

-
- - - - - - - -
-

1.

-
-

User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;

-
-
-
- - - - - - - -
-

2.

-
-

Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and

-
-
-
- - - - - - - -
-

3.

-
-

User responsibilities in maintaining the security of the system, component, or service;

-
-
-
-
-
- - - - - - - -
-

c.

-
-

Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes - - sa-5_a - - organization-defined actions - organization-defined actions - in response;

-
-
-
- - - - - - - -
-

d.

-
-

Protects documentation as required, in accordance with the risk management strategy; and

-
-
-
- - - - - - - -
-

e.

-
-

Distributes documentation to - - sa-5_b - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-
-
-

Supplemental guidance

-

This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

obtains administrator documentation for the information system, system component, or information system service that describes:

-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

secure configuration of the system, system component, or service;

-
-
-
- - - - - - - -
-

[2]

-
-

secure installation of the system, system component, or service;

-
-
-
- - - - - - - -
-

[3]

-
-

secure operation of the system, system component, or service;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[1]

-
-

effective use of the security features/mechanisms;

-
-
-
- - - - - - - -
-

[2]

-
-

effective maintenance of the security features/mechanisms;

-
-
-
-
-
- - - - - - - -
-

(3)

-
-

known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

obtains user documentation for the information system, system component, or information system service that describes:

-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

user-accessible security functions/mechanisms;

-
-
-
- - - - - - - -
-

[2]

-
-

how to effectively use those functions/mechanisms;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-

methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner;

-
-
-
- - - - - - - -
-

(3)

-
-

user responsibilities in maintaining the security of the system, component, or service;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines actions to be taken after documented attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;

-
-
-
- - - - - - - -
-

[2]

-
-

documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;

-
-
-
- - - - - - - -
-

[3]

-
-

takes organization-defined actions in response;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

protects documentation as required, in accordance with the risk management strategy;

-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom documentation is to be distributed; and

-
-
-
- - - - - - - -
-

[2]

-
-

distributes documentation to organization-defined personnel or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing information system documentation

-

- information system documentation including administrator and user guides

-

- records documenting attempts to obtain unavailable or nonexistent information system documentation

-

- list of actions to be taken in response to documented attempts to obtain information system, system component, or information system service documentation

-

- risk management strategy documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- system administrators

-

- organizational personnel operating, using, and/or maintaining the information system

-

- information system developers

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for obtaining, protecting, and distributing information system administrator and user documentation

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SA-5E [at a minimum, the ISSO (or similar role within the organization)]

-
-

References: None -

-
-
-

- SA-8 SECURITY ENGINEERING PRINCIPLES

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

-
-
-
-

Supplemental guidance

-

Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization applies information system security engineering principles in:

-
- - - - - - - -
-

[1]

-
-

the specification of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

the design of the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

the development of the information system;

-
-
-
- - - - - - - -
-

[4]

-
-

the implementation of the information system; and

-
-
-
- - - - - - - -
-

[5]

-
-

the modification of the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing security engineering principles used in the specification, design, development, implementation, and modification of the information system

-

- information system design documentation

-

- information security requirements and specifications for the information system

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- organizational personnel with information system specification, design, development, implementation, and modification responsibilities

-

- information system developers

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for applying security engineering principles in information system specification, design, development, implementation, and modification

-

- automated mechanisms supporting the application of security engineering principles in information system specification, design, development, implementation, and modification

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-27

-
-
-
-
-

- SA-9 EXTERNAL INFORMATION SYSTEM SERVICES

-
-

- Parameter: - sa-9_a organization-defined security controls

-

- Value: organization-defined security controls

-
-
-

- Parameter: - sa-9_b organization-defined processes, methods, and techniques

-

- Value: organization-defined processes, methods, and techniques

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Requires that providers of external information system services comply with organizational information security requirements and employ - - sa-9_a - - organization-defined security controls - organization-defined security controls - in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

-
-
-
- - - - - - - -
-

b.

-
-

Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and

-
-
-
- - - - - - - -
-

c.

-
-

Employs - - sa-9_b - - organization-defined processes, methods, and techniques - organization-defined processes, methods, and techniques - to monitor security control compliance by external service providers on an ongoing basis.

-
-
-
-
-
-

Supplemental guidance

-

External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

- - - -
-
-

- SA-9 (2) IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES

-
-

- Parameter: - sa-9_d organization-defined external information system services

-

- Value: organization-defined external information system services

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires providers of - - sa-9_d - - organization-defined external information system services - organization-defined external information system services - to identify the functions, ports, protocols, and other services required for the use of such services.

-
-
-
-

Supplemental guidance

-

Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions/services or blocking certain ports/protocols.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines external information system services for which providers of such services are to identify the functions, ports, protocols, and other services required for the use of such services;

-
-
-
- - - - - - - -
-

[2]

-
-

requires providers of organization-defined external information system services to identify:

-
- - - - - - - -
-

[a]

-
-

the functions required for the use of such services;

-
-
-
- - - - - - - -
-

[b]

-
-

the ports required for the use of such services;

-
-
-
- - - - - - - -
-

[c]

-
-

the protocols required for the use of such services; and

-
-
-
- - - - - - - -
-

[d]

-
-

the other services required for the use of such services.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing external information system services

-

- acquisition contracts for the information system, system component, or information system service

-

- acquisition documentation

-

- solicitation documentation, service-level agreements

-

- organizational security requirements and security specifications for external service providers

-

- list of required functions, ports, protocols, and other services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- external providers of information system services

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SA-9 (2) [all external systems where Federal information is processed or stored]

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines security controls to be employed by providers of external information system services;

-
-
-
- - - - - - - -
-

[2]

-
-

requires that providers of external information system services comply with organizational information security requirements;

-
-
-
- - - - - - - -
-

[3]

-
-

requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines and documents government oversight with regard to external information system services;

-
-
-
- - - - - - - -
-

[2]

-
-

defines and documents user roles and responsibilities with regard to external information system services;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing external information system services

-

- procedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services

-

- acquisition contracts, service-level agreements

-

- organizational security requirements and security specifications for external provider services

-

- security control assessment evidence from external providers of information system services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- external providers of information system services

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring security control compliance by external service providers on an ongoing basis

-

- automated mechanisms for monitoring security control compliance by external service providers on an ongoing basis

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SA-9 (a) [FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system] SA-9 (c) [Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored]

-
-
-

References

-
-

NIST Special Publication 800-35

-
-
-
-
-

- SA-10 DEVELOPER CONFIGURATION MANAGEMENT

-
-

- Parameter: - sa-10_a organization-defined configuration items under configuration management

-

- Value: organization-defined configuration items under configuration management

-
-
-

- Parameter: - sa-10_b organization-defined personnel

-

- Value: organization-defined personnel

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to:

-
- - - - - - - -
-

a.

-
-

Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];

-
-
-
- - - - - - - -
-

b.

-
-

Document, manage, and control the integrity of changes to - - sa-10_a - - organization-defined configuration items under configuration management - organization-defined configuration items under configuration management - ;

-
-
-
- - - - - - - -
-

c.

-
-

Implement only organization-approved changes to the system, component, or service;

-
-
-
- - - - - - - -
-

d.

-
-

Document approved changes to the system, component, or service and the potential security impacts of such changes; and

-
-
-
- - - - - - - -
-

e.

-
-

Track security flaws and flaw resolution within the system, component, or service and report findings to - - sa-10_b - - organization-defined personnel - organization-defined personnel - .

-
-
-
-
-
-

Supplemental guidance

-

This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following:

-
- - - - - - - -
-

[1]

-
-

system, component, or service design;

-
-
-
- - - - - - - -
-

[2]

-
-

system, component, or service development;

-
-
-
- - - - - - - -
-

[3]

-
-

system, component, or service implementation; and/or

-
-
-
- - - - - - - -
-

[4]

-
-

system, component, or service operation;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines configuration items to be placed under configuration management;

-
-
-
- - - - - - - -
-

[2]

-
-

requires the developer of the information system, system component, or information system service to:

-
- - - - - - - -
-

[a]

-
-

document the integrity of changes to organization-defined items under configuration management;

-
-
-
- - - - - - - -
-

[b]

-
-

manage the integrity of changes to organization-defined items under configuration management;

-
-
-
- - - - - - - -
-

[c]

-
-

control the integrity of changes to organization-defined items under configuration management;

-
-
-
-
-
-
-
- - - - - - - -
-

(c)

-
-

requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service;

-
-
-
- - - - - - - -
-

(d)

-
-

requires the developer of the information system, system component, or information system service to document:

-
- - - - - - - -
-

[1]

-
-

approved changes to the system, component, or service;

-
-
-
- - - - - - - -
-

[2]

-
-

the potential security impacts of such changes;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel to whom findings, resulting from security flaws and flaw resolution tracked within the system, component, or service, are to be reported;

-
-
-
- - - - - - - -
-

[2]

-
-

requires the developer of the information system, system component, or information system service to:

-
- - - - - - - -
-

[a]

-
-

track security flaws within the system, component, or service;

-
-
-
- - - - - - - -
-

[b]

-
-

track security flaw resolution within the system, component, or service; and

-
-
-
- - - - - - - -
-

[c]

-
-

report findings to organization-defined personnel.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing system developer configuration management

-

- solicitation documentation

-

- acquisition documentation

-

- service-level agreements

-

- acquisition contracts for the information system, system component, or information system service

-

- system developer configuration management plan

-

- security flaw and flaw resolution tracking records

-

- system change authorization records

-

- change control records

-

- configuration management records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with configuration management responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring developer configuration management

-

- automated mechanisms supporting and/or implementing the monitoring of developer configuration management

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SA-10 (a) [development, implementation, AND operation]

-
-
- additional -

SA-10 (e) Requirement: for JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- SA-11 DEVELOPER SECURITY TESTING AND EVALUATION

-
-

- Parameter: - sa-11_a organization-defined depth and coverage

-

- Value: organization-defined depth and coverage

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to:

-
- - - - - - - -
-

a.

-
-

Create and implement a security assessment plan;

-
-
-
- - - - - - - -
-

b.

-
-

Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at - - sa-11_a - - organization-defined depth and coverage - organization-defined depth and coverage - ;

-
-
-
- - - - - - - -
-

c.

-
-

Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;

-
-
-
- - - - - - - -
-

d.

-
-

Implement a verifiable flaw remediation process; and

-
-
-
- - - - - - - -
-

e.

-
-

Correct flaws identified during security testing/evaluation.

-
-
-
-
-
-

Supplemental guidance

-

Developmental security testing/evaluation occurs at all post-design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. 
Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

requires the developer of the information system, system component, or information system service to create and implement a security plan;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the depth of testing/evaluation to be performed by the developer of the information system, system component, or information system service;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the coverage of testing/evaluation to be performed by the developer of the information system, system component, or information system service;

-
-
-
- - - - - - - -
-

[3]

-
-

requires the developer of the information system, system component, or information system service to perform one or more of the following testing/evaluation at the organization-defined depth and coverage:

-
- - - - - - - -
-

[a]

-
-

unit testing/evaluation;

-
-
-
- - - - - - - -
-

[b]

-
-

integration testing/evaluation;

-
-
-
- - - - - - - -
-

[c]

-
-

system testing/evaluation; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

regression testing/evaluation;

-
-
-
-
-
-
-
- - - - - - - -
-

(c)

-
-

requires the developer of the information system, system component, or information system service to produce evidence of:

-
- - - - - - - -
-

[1]

-
-

the execution of the security assessment plan;

-
-
-
- - - - - - - -
-

[2]

-
-

the results of the security testing/evaluation;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process; and

-
-
-
- - - - - - - -
-

(e)

-
-

requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing system developer security testing

-

- procedures addressing flaw remediation

-

- solicitation documentation

-

- acquisition documentation

-

- service-level agreements

-

- acquisition contracts for the information system, system component, or information system service

-

- system developer security test plans

-

- records of developer security testing results for the information system, system component, or information system service

-

- security flaw and remediation tracking records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with developer security testing responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring developer security testing and evaluation

-

- automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

ISO/IEC 15408

-
-
-

NIST Special Publication 800-53A

-
-
-

http://nvd.nist.gov

-
-
-

http://cwe.mitre.org

-
-
-

http://cve.mitre.org

-
-
-

http://capec.mitre.org

-
-
-
-
-

- SA-12 SUPPLY CHAIN PROTECTION

-
-

- Parameter: - sa-12_a organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization protects against supply chain threats to the information system, system component, or information system service by employing - - sa-12_a - - organization-defined security safeguards - organization-defined security safeguards - as part of a comprehensive, defense-in-breadth information security strategy.

-
-
-
-

Supplemental guidance

-

Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements.

- - - - - - - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines security safeguards to be employed to protect against supply chain threats to the information system, system component, or information system service; and

-
-
-
- - - - - - - -
-

[2]

-
-

protects against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards as part of a comprehensive, defense-in-breadth information security strategy.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing supply chain protection

-

- procedures addressing the integration of information security requirements into the acquisition process

-

- solicitation documentation

-

- acquisition documentation

-

- service-level agreements

-

- acquisition contracts for the information system, system component, or information system service

-

- list of supply chain threats

-

- list of security safeguards to be taken against supply chain threats

-

- system development life cycle documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with supply chain protection responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for defining safeguards for and protecting against supply chain threats

-

- automated mechanisms supporting and/or implementing safeguards for supply chain threats

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-
- parameters -

SA-12 [organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures]

-
-
-

References

-
-

NIST Special Publication 800-161

-
-
-

NIST Interagency Report 7622

-
-
-
-
-

- SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS

-
-

- Parameter: - sa-15_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - sa-15_b organization-defined security requirements

-

- Value: organization-defined security requirements

-
-

- priority: P2

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Requires the developer of the information system, system component, or information system service to follow a documented development process that:

-
- - - - - - - -
-

1.

-
-

Explicitly addresses security requirements;

-
-
-
- - - - - - - -
-

2.

-
-

Identifies the standards and tools used in the development process;

-
-
-
- - - - - - - -
-

3.

-
-

Documents the specific tool options and tool configurations used in the development process; and

-
-
-
- - - - - - - -
-

4.

-
-

Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] (parameter sa-15_a) to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements] (parameter sa-15_b).

-
-
-
-
-
-

Supplemental guidance

-

Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

requires the developer of the information system, system component, or information system service to follow a documented development process that:

-
- - - - - - - -
-

(1)

-
-

explicitly addresses security requirements;

-
-
-
- - - - - - - -
-

(2)

-
-

identifies the standards and tools used in the development process;

-
-
-
- - - - - - - -
-

(3)

-
-
- - - - - - - -
-

[1]

-
-

documents the specific tool options used in the development process;

-
-
-
- - - - - - - -
-

[2]

-
-

documents the specific tool configurations used in the development process;

-
-
-
-
-
- - - - - - - -
-

(4)

-
-
- - - - - - - -
-

[1]

-
-

documents changes to the process and/or tools used in the development;

-
-
-
- - - - - - - -
-

[2]

-
-

manages changes to the process and/or tools used in the development;

-
-
-
- - - - - - - -
-

[3]

-
-

ensures the integrity of changes to the process and/or tools used in the development;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency to review the development process, standards, tools, and tool options/configurations;

-
-
-
- - - - - - - -
-

[2]

-
-

defines security requirements to be satisfied by the process, standards, tools, and tool options/configurations selected and employed; and

-
-
-
- - - - - - - -
-

[3]

-
-
- - - - - - - -
-

[a]

-
-

reviews the development process with the organization-defined frequency to determine if the process selected and employed can satisfy organization-defined security requirements;

-
-
-
- - - - - - - -
-

[b]

-
-

reviews the development standards with the organization-defined frequency to determine if the standards selected and employed can satisfy organization-defined security requirements;

-
-
-
- - - - - - - -
-

[c]

-
-

reviews the development tools with the organization-defined frequency to determine if the tools selected and employed can satisfy organization-defined security requirements; and

-
-
-
- - - - - - - -
-

[d]

-
-

reviews the development tool options/configurations with the organization-defined frequency to determine if the tool options/configurations selected and employed can satisfy organization-defined security requirements.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing development process, standards, and tools

-

- procedures addressing the integration of security requirements during the development process

-

- solicitation documentation

-

- acquisition documentation

-

- service-level agreements

-

- acquisition contracts for the information system, system component, or information system service

-

- system developer documentation listing tool options/configuration guides, configuration management records

-

- change control records

-

- configuration control records

-

- documented reviews of development process, standards, tools, and tool options/configurations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-
- parameters -

SA-15 (b)-1 [as needed and as dictated by the current threat posture] SA-15 (b)-2 [organization and service provider-defined security requirements]

-
-

References: None -

-
-
-

- SA-16 DEVELOPER-PROVIDED TRAINING

-
-

- Parameter: - sa-16_a organization-defined training

-

- Value: organization-defined training

-
-

- priority: P2

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] (parameter sa-16_a) on the correct use and operation of the implemented security functions, controls, and/or mechanisms.

-
-
-
-

Supplemental guidance

-

This control applies to external and internal (in-house) developers. Training of personnel is an essential element to ensure the effectiveness of security controls implemented within organizational information systems. Training options include, for example, classroom-style training, web-based/computer-based training, and hands-on training. Organizations can also request sufficient training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security functions, controls, or mechanisms.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines training to be provided by the developer of the information system, system component, or information system service; and

-
-
-
- - - - - - - -
-

[2]

-
-

requires the developer of the information system, system component, or information system service to provide organization-defined training on the correct use and operation of the implemented security functions, controls, and/or mechanisms.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing developer-provided training

-

- solicitation documentation

-

- acquisition documentation

-

- service-level agreements

-

- acquisition contracts for the information system, system component, or information system service

-

- developer-provided training materials

-

- training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information system security responsibilities

-

- system developer

-

- organizational or third-party developers with training responsibilities for the information system, system component, or information system service

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN

-

- priority: P1

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:

-
- - - - - - - -
-

a.

-
-

Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;

-
-
-
- - - - - - - -
-

b.

-
-

Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and

-
-
-
- - - - - - - -
-

c.

-
-

Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.

-
-
-
-
-
-

Supplemental guidance

-

This control is primarily directed at external developers, although it could also be used for internal (in-house) development. In contrast, PL-8 is primarily directed at internal developers to help ensure that organizations develop an information security architecture and such security architecture is integrated or tightly coupled to the enterprise architecture. This distinction is important if/when organizations outsource the development of information systems, information system components, or information system services to external entities, and there is a requirement to demonstrate consistency with the organization's enterprise architecture and information security architecture.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:

-
- - - - - - - -
-

(a)

-
-

is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture;

-
-
-
- - - - - - - -
-

(b)

-
-

accurately and completely describes:

-
- - - - - - - -
-

[1]

-
-

the required security functionality;

-
-
-
- - - - - - - -
-

[2]

-
-

the allocation of security controls among physical and logical components; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- enterprise architecture policy

-

- procedures addressing developer security architecture and design specification for the information system

-

- solicitation documentation

-

- acquisition documentation

-

- service-level agreements

-

- acquisition contracts for the information system, system component, or information system service

-

- design specification and security architecture documentation for the system

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with security architecture and design responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-
-

SYSTEM AND COMMUNICATIONS PROTECTION

-
-

- SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES

-
-

- Parameter: - sc-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - sc-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - sc-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles] (parameter sc-1_a):

-
- - - - - - - -
-

1.

-
-

A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

System and communications protection policy [Assignment: organization-defined frequency] (parameter sc-1_b); and

-
-
-
- - - - - - - -
-

2.

-
-

System and communications protection procedures [Assignment: organization-defined frequency] (parameter sc-1_c).

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a system and communications protection policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the system and communications protection policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the system and communications protection policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and communications protection policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and communications protection policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and communications protection procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and communications protection procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and communications protection responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SC-1 (b) (1) [at least annually] SC-1 (b) (2) [at least annually or whenever a significant change occurs]

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- SC-2 APPLICATION PARTITIONING

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system separates user functionality (including user interface services) from information system management functionality.

-
-
-
-

Supplemental guidance

-

Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.

- - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system separates user functionality (including user interface services) from information system management functionality.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing application partitioning

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Separation of user functionality from information system management functionality

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SC-3 SECURITY FUNCTION ISOLATION

-

- priority: P1

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system isolates security functions from nonsecurity functions.

-
-
-
-

Supplemental guidance

-

The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception.

- - - - - - - - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system isolates security functions from nonsecurity functions.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing security function isolation

-

- list of security functions to be isolated from nonsecurity functions

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Separation of security functions from nonsecurity functions within the information system

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- SC-4 INFORMATION IN SHARED RESOURCES

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system prevents unauthorized and unintended information transfer via shared system resources.

-
-
-
-

Supplemental guidance

-

This control prevents information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users/roles.

- - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system prevents unauthorized and unintended information transfer via shared system resources.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing information protection in shared system resources

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms preventing unauthorized and unintended transfer of information via shared system resources

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SC-5 DENIAL OF SERVICE PROTECTION

-
-

- Parameter: - sc-5_a organization-defined types of denial of service attacks or references to sources for such information

-

- Value: organization-defined types of denial of service attacks or references to sources for such information

-
-
-

- Parameter: - sc-5_b organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] (parameter sc-5_a) by employing [Assignment: organization-defined security safeguards] (parameter sc-5_b).

-
-
-
-

Supplemental guidance

-

A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines the types of denial of service attacks (or references to sources of such information) whose effects the information system is to protect against or limit;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines security safeguards to be employed by the information system to protect against or limit the effects of organization-defined types of denial of service attacks; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system protects against or limits the effects of the organization-defined denial of service attacks (or reference to source for such information) by employing organization-defined security safeguards.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing denial of service protection

-

- information system design documentation

-

- security plan

-

- list of denial of service attacks requiring employment of security safeguards to protect against or limit effects of such attacks

-

- list of security safeguards protecting against or limiting the effects of denial of service attacks

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with incident response responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms protecting against or limiting the effects of denial of service attacks

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SC-7 BOUNDARY PROTECTION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;

-
-
-
- - - - - - - -
-

b.

-
-

Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and

-
-
-
- - - - - - - -
-

c.

-
-

Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

-
-
-
-
-
-

Supplemental guidance

-

Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.

- - - - - - - - - -
-
-

- SC-7 (3) ACCESS POINTS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization limits the number of external network connections to the information system.

-
-
-
-

Supplemental guidance

-

Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization limits the number of external network connections to the information system.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- information system design documentation

-

- boundary protection hardware and software

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- communications and network traffic monitoring logs

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing boundary protection capability

-

- automated mechanisms limiting the number of external network connections to the information system

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SC-7 (4) EXTERNAL TELECOMMUNICATIONS SERVICES

-
-

- Parameter: - sc-7_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Implements a managed interface for each external telecommunication service;

-
-
-
- - - - - - - -
-

(b)

-
-

Establishes a traffic flow policy for each managed interface;

-
-
-
- - - - - - - -
-

(c)

-
-

Protects the confidentiality and integrity of the information being transmitted across each interface;

-
-
-
- - - - - - - -
-

(d)

-
-

Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and

-
-
-
- - - - - - - -
-

(e)

-
-

Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] (parameter sc-7_a) and removes exceptions that are no longer supported by an explicit mission/business need.

-
-
-
-
-
-

Supplemental guidance

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

implements a managed interface for each external telecommunication service;

-
-
-
- - - - - - - -
-

(b)

-
-

establishes a traffic flow policy for each managed interface;

-
-
-
- - - - - - - -
-

(c)

-
-

protects the confidentiality and integrity of the information being transmitted across each interface;

-
-
-
- - - - - - - -
-

(d)

-
-

documents each exception to the traffic flow policy with:

-
- - - - - - - -
-

[1]

-
-

a supporting mission/business need;

-
-
-
- - - - - - - -
-

[2]

-
-

duration of that need;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency to review exceptions to traffic flow policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews exceptions to the traffic flow policy with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[3]

-
-

removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- traffic flow policy

-

- information flow control policy

-

- procedures addressing boundary protection

-

- information system security architecture

-

- information system design documentation

-

- boundary protection hardware and software

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- records of traffic flow policy exceptions

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for documenting and reviewing exceptions to the traffic flow policy

-

- organizational processes for removing exceptions to the traffic flow policy

-

- automated mechanisms implementing boundary protection capability

-

- managed interfaces implementing traffic flow policy

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SC-7 (4) (e) [at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions]

-
-

References: None -

-
-
-

- SC-7 (5) DENY BY DEFAULT / ALLOW BY EXCEPTION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

-
-
-
-

Supplemental guidance

-

This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system, at managed interfaces:

-
- - - - - - - -
-

[1]

-
-

denies network traffic by default; and

-
-
-
- - - - - - - -
-

[2]

-
-

allows network traffic by exception.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing traffic management at managed interfaces

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SC-7 (7) PREVENT SPLIT TUNNELING FOR REMOTE DEVICES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

-
-
-
-

Supplemental guidance

-

This control enhancement is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being readily configurable by users. This control enhancement is implemented within the information system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local information system resources such as printers/file servers. However, split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling.

-
-
-

Objective

- - - - - - -
- -

Determine if the information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- information system design documentation

-

- information system hardware and software

-

- information system architecture

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing boundary protection capability

-

- automated mechanisms supporting/restricting non-remote connections

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SC-7 (8) ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS

-
-

- Parameter: - sc-7_b organization-defined internal communications traffic

-

- Value: organization-defined internal communications traffic

-
-
-

- Parameter: - sc-7_c organization-defined external networks

-

- Value: organization-defined external networks

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system routes [Assignment: organization-defined internal communications traffic (sc-7_b)] to [Assignment: organization-defined external networks (sc-7_c)] through authenticated proxy servers at managed interfaces.

-
-
-
-

Supplemental guidance

-

External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines internal communications traffic to be routed to external networks;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines external networks to which organization-defined internal communications traffic is to be routed; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system routes organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers at managed interfaces.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- information system design documentation

-

- information system hardware and software

-

- information system architecture

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing traffic management through authenticated proxy servers at managed interfaces

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SC-7 (18) FAIL SECURE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system fails securely in the event of an operational failure of a boundary protection device.

-
-
-
-

Supplemental guidance

-

Fail secure is a condition achieved by employing information system mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces (e.g., routers, firewalls, guards, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones), information systems do not enter into unsecure states where intended security properties no longer hold. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the information system fails securely in the event of an operational failure of a boundary protection device.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- information system design documentation

-

- information system architecture

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing secure failure

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SC-7 (21) ISOLATION OF INFORMATION SYSTEM COMPONENTS

-
-

- Parameter: - sc-7_l organization-defined information system components

-

- Value: organization-defined information system components

-
-
-

- Parameter: - sc-7_m organization-defined missions and/or business functions

-

- Value: organization-defined missions and/or business functions

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components (sc-7_l)] supporting [Assignment: organization-defined missions and/or business functions (sc-7_m)].

-
-
-
-

Supplemental guidance

-

Organizations can isolate information system components performing different missions and/or business functions. Such isolation limits unauthorized information flows among system components and also provides the opportunity to deploy greater levels of protection for selected components. Separating system components with boundary protection mechanisms provides the capability for increased protection of individual components and to more effectively control information flows between those components. This type of enhanced protection limits the potential harm from cyber attacks and errors. The degree of separation provided varies depending upon the mechanisms chosen. Boundary protection mechanisms include, for example, routers, gateways, and firewalls separating system components into physically separate networks or subnetworks, cross-domain devices separating subnetworks, virtualization techniques, and encrypting information flows among system components using distinct encryption keys.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information system components to be separated by boundary protection mechanisms;

-
-
-
- - - - - - - -
-

[2]

-
-

defines missions and/or business functions to be supported by organization-defined information system components separated by boundary protection mechanisms; and

-
-
-
- - - - - - - -
-

[3]

-
-

employs boundary protection mechanisms to separate organization-defined information system components supporting organization-defined missions and/or business functions.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- information system design documentation

-

- information system hardware and software

-

- enterprise architecture documentation

-

- information system architecture

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing the capability to separate information system components supporting organizational missions and/or business functions

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

monitors communications at the external boundary of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors communications at key internal boundaries within the system;

-
-
-
- - - - - - - -
-

[3]

-
-

controls communications at the external boundary of the information system;

-
-
-
- - - - - - - -
-

[4]

-
-

controls communications at key internal boundaries within the system;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

implements subnetworks for publicly accessible system components that are either:

-
- - - - - - - -
-

[1]

-
-

physically separated from internal organizational networks; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

logically separated from internal organizational networks; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- list of key internal boundaries of the information system

-

- information system design documentation

-

- boundary protection hardware and software

-

- information system configuration settings and associated documentation

-

- enterprise security architecture documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing boundary protection capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-41

-
-
-

NIST Special Publication 800-77

-
-
-
-
-

- SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.

-
-
-
-

Supplemental guidance

-

This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk.

- - -
-
-

- SC-8 (1) CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION

-
-

- Parameter: - sc-8_a organization-defined alternative physical safeguards

-

- Value: organization-defined alternative physical safeguards

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards (sc-8_a)].

-
-
-
-

Supplemental guidance

-

Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines physical safeguards to be implemented to protect information during transmission when cryptographic mechanisms are not implemented; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system implements cryptographic mechanisms to do one or more of the following during transmission unless otherwise protected by organization-defined alternative physical safeguards:

-
- - - - - - - -
-

[a]

-
-

prevent unauthorized disclosure of information; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

detect changes to information.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing transmission confidentiality and integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity

-

- automated mechanisms supporting and/or implementing alternative physical safeguards

-

- organizational processes for defining and implementing alternative physical safeguards

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SC-8 (1)-1 [prevent unauthorized disclosure of information AND detect changes to information] SC-8 (1)-1 [a hardened or alarmed carrier Protective Distribution System (PDS)]

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system protects one or more of the following:

-
- - - - - - - -
-

[1]

-
-

confidentiality of transmitted information; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

integrity of transmitted information.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing transmission confidentiality and integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing transmission confidentiality and/or integrity

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SC-8 [confidentiality AND integrity]

-
-
-

References

-
-

FIPS Publication 140-2

-
-
-

FIPS Publication 197

-
-
-

NIST Special Publication 800-52

-
-
-

NIST Special Publication 800-77

-
-
-

NIST Special Publication 800-81

-
-
-

NIST Special Publication 800-113

-
-
-

CNSS Policy 15

-
-
-

NSTISSI No. 7003

-
-
-
-
-

- SC-10 NETWORK DISCONNECT

-
-

- Parameter: - sc-10_a organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period (sc-10_a)] of inactivity.

-
-
-
-

Supplemental guidance

-

This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines a time period of inactivity after which the information system terminates a network connection associated with a communications session; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system terminates the network connection associated with a communication session at the end of the session or after the organization-defined time period of inactivity.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing network disconnect

-

- information system design documentation

-

- security plan

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing network disconnect capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SC-10 [no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions]

-
-

References: None -

-
-
-

- SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT

-
-

- Parameter: - sc-12_a organization-defined requirements for key generation, distribution, storage, access, and destruction

-

- Value: organization-defined requirements for key generation, distribution, storage, access, and destruction

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction (sc-12_a)].

-
-
-
-

Supplemental guidance

-

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.

- - -
-
-

- SC-12 (1) AVAILABILITY

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization maintains availability of information in the event of the loss of cryptographic keys by users.

-
-
-
-

Supplemental guidance

-

Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys (e.g., due to forgotten passphrase).

-
-
-

Objective

- - - - - - -
- -

Determine if the organization maintains availability of information in the event of the loss of cryptographic keys by users.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing cryptographic key establishment, management, and recovery

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for cryptographic key establishment or management

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing cryptographic key establishment and management

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines requirements for cryptographic key:

-
- - - - - - - -
-

[a]

-
-

generation;

-
-
-
- - - - - - - -
-

[b]

-
-

distribution;

-
-
-
- - - - - - - -
-

[c]

-
-

storage;

-
-
-
- - - - - - - -
-

[d]

-
-

access;

-
-
-
- - - - - - - -
-

[e]

-
-

destruction; and

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing cryptographic key establishment and management

-

- information system design documentation

-

- cryptographic mechanisms

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for cryptographic key establishment and/or management

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing cryptographic key establishment and management

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

SC-12 Guidance: Federally approved cryptography

-
-
-

References

-
-

NIST Special Publication 800-56

-
-
-

NIST Special Publication 800-57

-
-
-
-
-

- SC-13 CRYPTOGRAPHIC PROTECTION

-
-

- Parameter: - sc-13_a organization-defined cryptographic uses and type of cryptography required for each use

-

- Value: organization-defined cryptographic uses and type of cryptography required for each use

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use (sc-13_a)] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

-
-
-
-

Supplemental guidance

-

Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).

- - - - - - - - - - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines cryptographic uses; and

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the type of cryptography required for each use; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system implements the organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing cryptographic protection

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- cryptographic module validation certificates

-

- list of FIPS validated cryptographic modules

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with responsibilities for cryptographic protection

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing cryptographic protection

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SC-13 [FIPS-validated or NSA-approved cryptography]

-
-
-

References

-
-

FIPS Publication 140

-
-
-

http://csrc.nist.gov/cryptval

-
-
-

http://www.cnss.gov

-
-
-
-
-

- SC-15 COLLABORATIVE COMPUTING DEVICES

-
-

- Parameter: - sc-15_a organization-defined exceptions where remote activation is to be allowed

-

- Value: organization-defined exceptions where remote activation is to be allowed

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Prohibits remote activation of collaborative computing devices with the following exceptions: - - sc-15_a - - organization-defined exceptions where remote activation is to be allowed - organization-defined exceptions where remote activation is to be allowed - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Provides an explicit indication of use to users physically present at the devices.

-
-
-
-
-
-

Supplemental guidance

-

Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines exceptions where remote activation of collaborative computing devices is to be allowed;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system prohibits remote activation of collaborative computing devices, except for organization-defined exceptions where remote activation is to be allowed; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

the information system provides an explicit indication of use to users physically present at the devices.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing collaborative computing

-

- access control policy and procedures

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with responsibilities for managing collaborative computing devices

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing management of remote activation of collaborative computing devices

-

- automated mechanisms providing an indication of use of collaborative computing devices

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SC-15 (a) [no exceptions]

-
-
- additional -

SC-15 Requirement: The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

-
-

References: None -

-
-
-

- SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES

-
-

- Parameter: - sc-17_a organization-defined certificate policy

-

- Value: organization-defined certificate policy

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization issues public key certificates under an - - sc-17_a - - organization-defined certificate policy - organization-defined certificate policy - or obtains public key certificates from an approved service provider.

-
-
-
-

Supplemental guidance

-

For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application-specific time services.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a certificate policy for issuing public key certificates;

-
-
-
- - - - - - - -
-

[2]

-
-

issues public key certificates:

-
- - - - - - - -
-

[a]

-
-

under an organization-defined certificate policy: or

-
-
-
- - - - - - - -
-

[b]

-
-

obtains public key certificates from an approved service provider.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing public key infrastructure certificates

-

- public key certificate policy or policies

-

- public key issuing process

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for issuing public key certificates

-

- service providers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing the management of public key infrastructure certificates

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

OMB Memorandum 05-24

-
-
-

NIST Special Publication 800-32

-
-
-

NIST Special Publication 800-63

-
-
-
-
-

- SC-18 MOBILE CODE

-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Defines acceptable and unacceptable mobile code and mobile code technologies;

-
-
-
- - - - - - - -
-

b.

-
-

Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and

-
-
-
- - - - - - - -
-

c.

-
-

Authorizes, monitors, and controls the use of mobile code within the information system.

-
-
-
-
-
-

Supplemental guidance

-

Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

defines acceptable and unacceptable mobile code and mobile code technologies;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

establishes usage restrictions for acceptable mobile code and mobile code technologies;

-
-
-
- - - - - - - -
-

[2]

-
-

establishes implementation guidance for acceptable mobile code and mobile code technologies;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

authorizes the use of mobile code within the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors the use of mobile code within the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

controls the use of mobile code within the information system.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing mobile code

-

- mobile code usage restrictions, mobile code implementation policy and procedures

-

- list of acceptable mobile code and mobile code technologies

-

- list of unacceptable mobile code and mobile technologies

-

- authorization records

-

- information system monitoring records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing mobile code

-
-
-

Assessment: TEST

-

- Organizational process for controlling, authorizing, monitoring, and restricting mobile code

-

- automated mechanisms supporting and/or implementing the management of mobile code

-

- automated mechanisms supporting and/or implementing the monitoring of mobile code

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-28

-
-
-

DoD Instruction 8552.01

-
-
-
-
-

- SC-19 VOICE OVER INTERNET PROTOCOL

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and

-
-
-
- - - - - - - -
-

b.

-
-

Authorizes, monitors, and controls the use of VoIP within the information system.

-
-
-
-
-
-

Supplemental guidance

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;

-
-
-
- - - - - - - -
-

[2]

-
-

establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

authorizes the use of VoIP within the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors the use of VoIP within the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

controls the use of VoIP within the information system.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing VoIP

-

- VoIP usage restrictions

-

- VoIP implementation guidance

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system monitoring records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing VoIP

-
-
-

Assessment: TEST

-

- Organizational process for authorizing, monitoring, and controlling VoIP

-

- automated mechanisms supporting and/or implementing authorizing, monitoring, and controlling VoIP

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-58

-
-
-
-
-

- SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

-
-
-
- - - - - - - -
-

b.

-
-

Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

-
-
-
-
-
-

Supplemental guidance

-

This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

(a)

-
-

provides additional data origin and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries;

-
-
-
- - - - - - - -
-

(b)

-
-

provides the means to, when operating as part of a distributed, hierarchical namespace:

-
- - - - - - - -
-

[1]

-
-

indicate the security status of child zones; and

-
-
-
- - - - - - - -
-

[2]

-
-

enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing secure name/address resolution service (authoritative source)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing DNS

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing secure name/address resolution service

-
-

- profile-title: SECURE NAME /ADDRESS RESOLUTION SERVICE -(AUTHORITATIVE SOURCE)

-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

OMB Memorandum 08-23

-
-
-

NIST Special Publication 800-81

-
-
-
-
-

- SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

-
-
-
-

Supplemental guidance

-

Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

[1]

-
-

requests data origin authentication on the name/address resolution responses the system receives from authoritative sources;

-
-
-
- - - - - - - -
-

[2]

-
-

requests data integrity verification on the name/address resolution responses the system receives from authoritative sources;

-
-
-
- - - - - - - -
-

[3]

-
-

performs data origin authentication on the name/address resolution responses the system receives from authoritative sources; and

-
-
-
- - - - - - - -
-

[4]

-
-

performs data integrity verification on the name/address resolution responses the system receives from authoritative sources.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing secure name/address resolution service (recursive or caching resolver)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing DNS

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services

-
-

- profile-title: SECURE NAME /ADDRESS RESOLUTION SERVICE -(RECURSIVE OR CACHING RESOLVER)

-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-81

-
-
-
-
-

- SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

-
-
-
-

Supplemental guidance

-

Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists).

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information systems that collectively provide name/address resolution service for an organization:

-
- - - - - - - -
-

[1]

-
-

are fault tolerant; and

-
-
-
- - - - - - - -
-

[2]

-
-

implement internal/external role separation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing architecture and provisioning for name/address resolution service

-

- access control policy and procedures

-

- information system design documentation

-

- assessment results from independent, testing organizations

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing DNS

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing name/address resolution service for fault tolerance and role separation

-
-

- profile-title: ARCHITECTURE AND PROVISIONING FOR -NAME/ADDRESS RESOLUTION SERVICE

-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-81

-
-
-
-
-

- SC-23 SESSION AUTHENTICITY

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects the authenticity of communications sessions.

-
-
-
-

Supplemental guidance

-

This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.

- - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system protects the authenticity of communications sessions.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing session authenticity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing session authenticity

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-52

-
-
-

NIST Special Publication 800-77

-
-
-

NIST Special Publication 800-95

-
-
-
-
-

- SC-24 FAIL IN KNOWN STATE

-
-

- Parameter: - sc-24_a organization-defined known-state

-

- Value: organization-defined known-state

-
-
-

- Parameter: - sc-24_b organization-defined types of failures

-

- Value: organization-defined types of failures

-
-
-

- Parameter: - sc-24_c organization-defined system state information

-

- Value: organization-defined system state information

-
-

- priority: P1

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system fails to a - - sc-24_a - - organization-defined known-state - organization-defined known-state - for - - sc-24_b - - organization-defined types of failures - organization-defined types of failures - preserving - - sc-24_c - - organization-defined system state information - organization-defined system state information - in failure.

-
-
-
-

Supplemental guidance

-

Failure in a known state addresses security concerns in accordance with the mission/business needs of organizations. Failure in a known secure state helps to prevent the loss of confidentiality, integrity, or availability of information in the event of failures of organizational information systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission/business processes.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines a known-state to which the information system is to fail in the event of a system failure;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines types of failures for which the information system is to fail to an organization-defined known-state;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines system state information to be preserved in the event of a system failure;

-
-
-
- - - - - - - -
-

[4]

-
-

the information system fails to the organization-defined known-state for organization-defined types of failures; and

-
-
-
- - - - - - - -
-

[5]

-
-

the information system preserves the organization-defined system state information in the event of a system failure.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing information system failure to known state

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of failures requiring information system to fail in a known state

-

- state information to be preserved in system failure

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing fail-in-known state capability

-

- automated mechanisms preserving system state information in the event of a system failure

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- SC-28 PROTECTION OF INFORMATION AT REST

-
-

- Parameter: - sc-28_a organization-defined information at rest

-

- Value: organization-defined information at rest

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects the [Selection (one or more): confidentiality; integrity] of - - sc-28_a - - organization-defined information at rest - organization-defined information at rest - .

-
-
-
-

Supplemental guidance

-

This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest.

- - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines information at rest requiring one or more of the following:

-
- - - - - - - -
-

[a]

-
-

confidentiality protection; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

integrity protection;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the information system protects:

-
- - - - - - - -
-

[a]

-
-

the confidentiality of organization-defined information at rest; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

the integrity of organization-defined information at rest.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing protection of information at rest

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- cryptographic mechanisms and associated configuration documentation

-

- list of information at rest requiring confidentiality and integrity protections

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SC-28 [confidentiality AND integrity]

-
-
- additional -

SC-28 Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest.

-
-
-

References

-
-

NIST Special Publication 800-56

-
-
-

NIST Special Publication 800-57

-
-
-

NIST Special Publication 800-111

-
-
-
-
-

- SC-39 PROCESS ISOLATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system maintains a separate execution domain for each executing process.

-
-
-
-

Supplemental guidance

-

Information systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each information system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is available in most commercial operating systems that employ multi-state processor technologies.

- - - - - - - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system maintains a separate execution domain for each executing process.

-
-
-
-

Assessment: EXAMINE

-

- Information system design documentation

-

- information system architecture

-

- independent verification and validation documentation

-

- testing and evaluation documentation, other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Information system developers/integrators

-

- information system security architect

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing separate execution domains for each executing process

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-
-

SYSTEM AND INFORMATION INTEGRITY

-
-

- SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES

-
-

- Parameter: - si-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - si-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - si-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

System and information integrity policy - - si-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

System and information integrity procedures - - si-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a system and information integrity policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the system and information integrity policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the system and information integrity policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and information integrity policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and information integrity policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and information integrity procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and information integrity procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and information integrity responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SI-1 (b) (1) [at least annually] SI-1 (b) (2) [at least annually or whenever a significant change occurs]

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- SI-2 FLAW REMEDIATION

-
-

- Parameter: - si-2_a organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Identifies, reports, and corrects information system flaws;

-
-
-
- - - - - - - -
-

b.

-
-

Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

-
-
-
- - - - - - - -
-

c.

-
-

Installs security-relevant software and firmware updates within - - si-2_a - - organization-defined time period - organization-defined time period - of the release of the updates; and

-
-
-
- - - - - - - -
-

d.

-
-

Incorporates flaw remediation into the organizational configuration management process.

-
-
-
-
-
-

Supplemental guidance

-

Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. 
Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

- - - - - - - - - - - -
-
-

- SI-2 (1) CENTRAL MANAGEMENT

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization centrally manages the flaw remediation process.

-
-
-
-

Supplemental guidance

-

Central management is the organization-wide management and implementation of flaw remediation processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation security controls.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization centrally manages the flaw remediation process.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing flaw remediation

-

- automated mechanisms supporting centralized management of flaw remediation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for flaw remediation

-
-
-

Assessment: TEST

-

- Organizational processes for central management of the flaw remediation process

-

- automated mechanisms supporting and/or implementing central management of the flaw remediation process

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- SI-2 (2) AUTOMATED FLAW REMEDIATION STATUS

-
-

- Parameter: - si-2_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms - - si-2_b - - organization-defined frequency - organization-defined frequency - to determine the state of information system components with regard to flaw remediation.

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a frequency to employ automated mechanisms to determine the state of information system components with regard to flaw remediation; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms with the organization-defined frequency to determine the state of information system components with regard to flaw remediation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing flaw remediation

-

- automated mechanisms supporting centralized management of flaw remediation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for flaw remediation

-
-
-

Assessment: TEST

-

- Automated mechanisms used to determine the state of information system components with regard to flaw remediation

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SI-2 (2) [at least monthly]

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

identifies information system flaws;

-
-
-
- - - - - - - -
-

[2]

-
-

reports information system flaws;

-
-
-
- - - - - - - -
-

[3]

-
-

corrects information system flaws;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

tests software updates related to flaw remediation for effectiveness and potential side effects before installation;

-
-
-
- - - - - - - -
-

[2]

-
-

tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the time period within which to install security-relevant software updates after the release of the updates;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which to install security-relevant firmware updates after the release of the updates;

-
-
-
- - - - - - - -
-

[3]

-
-

installs software updates within the organization-defined time period of the release of the updates;

-
-
-
- - - - - - - -
-

[4]

-
-

installs firmware updates within the organization-defined time period of the release of the updates; and

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

incorporates flaw remediation into the organizational configuration management process.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing flaw remediation

-

- procedures addressing configuration management

-

- list of flaws and vulnerabilities potentially affecting the information system

-

- list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws)

-

- test results from the installation of software and firmware updates to correct information system flaws

-

- installation/change control records for security-relevant software and firmware updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for flaw remediation

-

- organizational personnel with configuration management responsibility

-
-
-

Assessment: TEST

-

- Organizational processes for identifying, reporting, and correcting information system flaws

-

- organizational process for installing software and firmware updates

-

- automated mechanisms supporting and/or implementing reporting, and correcting information system flaws

-

- automated mechanisms supporting and/or implementing testing software and firmware updates

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SI-2 (c) [thirty (30) days of release of updates]

-
-
-

References

-
-

NIST Special Publication 800-40

-
-
-

NIST Special Publication 800-128

-
-
-
-
-

- SI-3 MALICIOUS CODE PROTECTION

-
-

- Parameter: - si-3_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - si-3_b organization-defined action

-

- Value: organization-defined action

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;

-
-
-
- - - - - - - -
-

b.

-
-

Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;

-
-
-
- - - - - - - -
-

c.

-
-

Configures malicious code protection mechanisms to:

-
- - - - - - - -
-

1.

-
-

Perform periodic scans of the information system - - si-3_a - - organization-defined frequency - organization-defined frequency - and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and

-
-
-
- - - - - - - -
-

2.

-
-

[Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; - - si-3_b - - organization-defined action - organization-defined action - ] in response to malicious code detection; and

-
-
-
-
-
- - - - - - - -
-

d.

-
-

Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

-
-
-
-
-
-

Supplemental guidance

-

Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. 
For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files.

- - - - - - - - - - - - -
-
-

- SI-3 (1) CENTRAL MANAGEMENT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization centrally manages malicious code protection mechanisms.

-
-
-
-

Supplemental guidance

-

Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization centrally manages malicious code protection mechanisms.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing malicious code protection

-

- automated mechanisms supporting centralized management of malicious code protection mechanisms

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for malicious code protection

-
-
-

Assessment: TEST

-

- Organizational processes for central management of malicious code protection mechanisms

-

- automated mechanisms supporting and/or implementing central management of malicious code protection mechanisms

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SI-3 (2) AUTOMATIC UPDATES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically updates malicious code protection mechanisms.

-
-
-
-

Supplemental guidance

-

Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates.

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system automatically updates malicious code protection mechanisms.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing malicious code protection

-

- automated mechanisms supporting centralized management of malicious code protection mechanisms

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for malicious code protection

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing automatic updates to malicious code protection capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

employs malicious code protection mechanisms to detect and eradicate malicious code at information system:

-
- - - - - - - -
-

[1]

-
-

entry points;

-
-
-
- - - - - - - -
-

[2]

-
-

exit points;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures (as identified in CM-1);

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency for malicious code protection mechanisms to perform periodic scans of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

defines action to be initiated by malicious protection mechanisms in response to malicious code detection;

-
-
-
- - - - - - - -
-

[3]

-
-
- - - - - - - -
-

(1)

-
-

configures malicious code protection mechanisms to:

-
- - - - - - - -
-

[a]

-
-

perform periodic scans of the information system with the organization-defined frequency;

-
-
-
- - - - - - - -
-

[b]

-
-

perform real-time scans of files from external sources at endpoint and/or network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-

configures malicious code protection mechanisms to do one or more of the following:

-
- - - - - - - -
-

[a]

-
-

block malicious code in response to malicious code detection;

-
-
-
- - - - - - - -
-

[b]

-
-

quarantine malicious code in response to malicious code detection;

-
-
-
- - - - - - - -
-

[c]

-
-

send alert to administrator in response to malicious code detection; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

initiate organization-defined action in response to malicious code detection;

-
-
-
-
-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

addresses the receipt of false positives during malicious code detection and eradication; and

-
-
-
- - - - - - - -
-

[2]

-
-

addresses the resulting potential impact on the availability of the information system.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- configuration management policy and procedures

-

- procedures addressing malicious code protection

-

- malicious code protection mechanisms

-

- records of malicious code protection updates

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- scan results from malicious code protection mechanisms

-

- record of actions initiated by malicious code protection mechanisms in response to malicious code detection

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for malicious code protection

-

- organizational personnel with configuration management responsibility

-
-
-

Assessment: TEST

-

- Organizational processes for employing, updating, and configuring malicious code protection mechanisms

-

- organizational process for addressing false positives and resulting potential impact

-

- automated mechanisms supporting and/or implementing employing, updating, and configuring malicious code protection mechanisms

-

- automated mechanisms supporting and/or implementing malicious code scanning and subsequent actions

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SI-3 (c) (1)-1 [at least weekly] SI-3 (c) (1)-2 [to include endpoints] SI-3 (c) (2) [to include blocking and quarantining malicious code and alerting administrator or defined security personnel near-realtime]

-
-
-

References

-
-

NIST Special Publication 800-83

-
-
-
-
-

- SI-4 INFORMATION SYSTEM MONITORING

-
-

- Parameter: - si-4_a organization-defined monitoring objectives

-

- Value: organization-defined monitoring objectives

-
-
-

- Parameter: - si-4_b organization-defined techniques and methods

-

- Value: organization-defined techniques and methods

-
-
-

- Parameter: - si-4_c organization-defined information system monitoring information

-

- Value: organization-defined information system monitoring information

-
-
-

- Parameter: - si-4_d organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-4_e organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Monitors the information system to detect:

-
- - - - - - - -
-

1.

-
-

Attacks and indicators of potential attacks in accordance with - - si-4_a - - organization-defined monitoring objectives - organization-defined monitoring objectives - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Unauthorized local, network, and remote connections;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Identifies unauthorized use of the information system through - - si-4_b - - organization-defined techniques and methods - organization-defined techniques and methods - ;

-
-
-
- - - - - - - -
-

c.

-
-

Deploys monitoring devices:

-
- - - - - - - -
-

1.

-
-

Strategically within the information system to collect organization-determined essential information; and

-
-
-
- - - - - - - -
-

2.

-
-

At ad hoc locations within the system to track specific types of transactions of interest to the organization;

-
-
-
-
-
- - - - - - - -
-

d.

-
-

Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;

-
-
-
- - - - - - - -
-

e.

-
-

Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

-
-
-
- - - - - - - -
-

f.

-
-

Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and

-
-
-
- - - - - - - -
-

g.

-
-

Provides - - si-4_c - - organization-defined information system monitoring information - organization-defined information system monitoring information - to - - si-4_d - - organization-defined personnel or roles - organization-defined personnel or roles - [Selection (one or more): as needed; - - si-4_e - - organization-defined frequency - organization-defined frequency - ].

-
-
-
-
-
-

Supplemental guidance

-

Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). 
A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.

- - - - - - - - - - - - - - - - - - -
-
-

- SI-4 (2) AUTOMATED TOOLS FOR REAL-TIME ANALYSIS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated tools to support near real-time analysis of events.

-
-
-
-

Supplemental guidance

-

Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real time analysis of alerts and/or notifications generated by organizational information systems.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated tools to support near real-time analysis of events.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing information system monitoring tools and techniques

-

- information system design documentation

-

- information system monitoring tools and techniques documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for monitoring the information system

-

- organizational personnel with responsibility for incident response/management

-
-
-

Assessment: TEST

-

- Organizational processes for near real-time analysis of events

-

- organizational processes for information system monitoring

-

- automated mechanisms supporting and/or implementing information system monitoring

-

- automated mechanisms/tools supporting and/or implementing analysis of events

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SI-4 (4) INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC

-
-

- Parameter: - si-4_f organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system monitors inbound and outbound communications traffic - - si-4_f - - organization-defined frequency - organization-defined frequency - for unusual or unauthorized activities or conditions.

-
-
-
-

Supplemental guidance

-

Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a frequency to monitor:

-
- - - - - - - -
-

[a]

-
-

inbound communications traffic for unusual or unauthorized activities or conditions;

-
-
-
- - - - - - - -
-

[b]

-
-

outbound communications traffic for unusual or unauthorized activities or conditions;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

monitors, with the organization-defined frequency:

-
- - - - - - - -
-

[a]

-
-

inbound communications traffic for unusual or unauthorized activities or conditions; and

-
-
-
- - - - - - - -
-

[b]

-
-

outbound communications traffic for unusual or unauthorized activities or conditions.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing information system monitoring tools and techniques

-

- information system design documentation

-

- information system monitoring tools and techniques documentation

-

- information system configuration settings and associated documentation

-

- information system protocols

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for monitoring the information system

-

- organizational personnel with responsibility for the intrusion detection system

-
-
-

Assessment: TEST

-

- Organizational processes for intrusion detection/information system monitoring

-

- automated mechanisms supporting and/or implementing intrusion detection capability/information system monitoring

-

- automated mechanisms supporting and/or implementing monitoring of inbound/outbound communications traffic

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SI-4 (4) [continuously]

-
-

References: None -

-
-
-

- SI-4 (5) SYSTEM-GENERATED ALERTS

-
-

- Parameter: - si-4_g organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-4_h organization-defined compromise indicators

-

- Value: organization-defined compromise indicators

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system alerts - - si-4_g - - organization-defined personnel or roles - organization-defined personnel or roles - when the following indications of compromise or potential compromise occur: - - si-4_h - - organization-defined compromise indicators - organization-defined compromise indicators - .

-
-
-
-

Supplemental guidance

-

Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines compromise indicators for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines personnel or roles to be alerted when indications of compromise or potential compromise occur; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system alerts organization-defined personnel or roles when organization-defined compromise indicators occur.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing information system monitoring tools and techniques

-

- information system monitoring tools and techniques documentation

-

- information system configuration settings and associated documentation

-

- alerts/notifications generated based on compromise indicators

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-

- -

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for monitoring the information system

-

- organizational personnel with responsibility for the intrusion detection system

-
-
-

Assessment: TEST

-

- Organizational processes for intrusion detection/information system monitoring

-

- automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability

-

- automated mechanisms supporting and/or implementing alerts for compromise indicators

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

SI-4 (5) Guidance: In accordance with the incident response plan.

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

defines monitoring objectives to detect attacks and indicators of potential attacks on the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors the information system to detect, in accordance with organization-defined monitoring objectives,:

-
- - - - - - - -
-

[a]

-
-

attacks;

-
-
-
- - - - - - - -
-

[b]

-
-

indicators of potential attacks;

-
-
-
-
-
-
-
- - - - - - - -
-

(2)

-
-

monitors the information system to detect unauthorized:

-
- - - - - - - -
-

[1]

-
-

local connections;

-
-
-
- - - - - - - -
-

[2]

-
-

network connections;

-
-
-
- - - - - - - -
-

[3]

-
-

remote connections;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

(1)

-
-

defines techniques and methods to identify unauthorized use of the information system;

-
-
-
- - - - - - - -
-

(2)

-
-

identifies unauthorized use of the information system through organization-defined techniques and methods;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

deploys monitoring devices:

-
- - - - - - - -
-

[1]

-
-

strategically within the information system to collect organization-determined essential information;

-
-
-
- - - - - - - -
-

[2]

-
-

at ad hoc locations within the system to track specific types of transactions of interest to the organization;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

protects information obtained from intrusion-monitoring tools from unauthorized:

-
- - - - - - - -
-

[1]

-
-

access;

-
-
-
- - - - - - - -
-

[2]

-
-

modification;

-
-
-
- - - - - - - -
-

[3]

-
-

deletion;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

-
-
-
- - - - - - - -
-

(f)

-
-

obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations;

-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom information system monitoring information is to be provided;

-
-
-
- - - - - - - -
-

[2]

-
-

defines information system monitoring information to be provided to organization-defined personnel or roles;

-
-
-
- - - - - - - -
-

[3]

-
-

defines a frequency to provide organization-defined information system monitoring to organization-defined personnel or roles;

-
-
-
- - - - - - - -
-

[4]

-
-

provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following:

-
- - - - - - - -
-

[a]

-
-

as needed; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

with the organization-defined frequency.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Continuous monitoring strategy

-

- system and information integrity policy

-

- procedures addressing information system monitoring tools and techniques

-

- facility diagram/layout

-

- information system design documentation

-

- information system monitoring tools and techniques documentation

-

- locations within information system where monitoring devices are deployed

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility monitoring the information system

-
-
-

Assessment: TEST

-

- Organizational processes for information system monitoring

-

- automated mechanisms supporting and/or implementing information system monitoring capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- additional -

SI-4 Guidance: See US-CERT Incident Response Reporting Guidelines.

-
-
-

References

-
-

NIST Special Publication 800-61

-
-
-

NIST Special Publication 800-83

-
-
-

NIST Special Publication 800-92

-
-
-

NIST Special Publication 800-94

-
-
-

NIST Special Publication 800-137

-
-
-
-
-

- SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES

-
-

- Parameter: - si-5_a organization-defined external organizations

-

- Value: organization-defined external organizations

-
-
-

- Parameter: - si-5_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-5_c organization-defined elements within the organization

-

- Value: organization-defined elements within the organization

-
-
-

- Parameter: - si-5_d organization-defined external organizations

-

- Value: organization-defined external organizations

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Receives information system security alerts, advisories, and directives from - - si-5_a - - organization-defined external organizations - organization-defined external organizations - on an ongoing basis;

-
-
-
- - - - - - - -
-

b.

-
-

Generates internal security alerts, advisories, and directives as deemed necessary;

-
-
-
- - - - - - - -
-

c.

-
-

Disseminates security alerts, advisories, and directives to: [Selection (one or more): - - si-5_b - - organization-defined personnel or roles - organization-defined personnel or roles - ; - - si-5_c - - organization-defined elements within the organization - organization-defined elements within the organization - ; - - si-5_d - - organization-defined external organizations - organization-defined external organizations - ]; and

-
-
-
- - - - - - - -
-

d.

-
-

Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

-
-
-
-
-
-

Supplemental guidance

-

The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations.

- -
-
-

- SI-5 (1) AUTOMATED ALERTS AND ADVISORIES

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.

-
-
-
-

Supplemental guidance

-

The significant number of changes to organizational information systems and the environments in which those systems operate requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational missions and business functions. Based on the information provided by the security alerts and advisories, changes may be required at one or more of the three tiers related to the management of information security risk including the governance level, mission/business process/enterprise architecture level, and the information system level.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to make security alert and advisory information available throughout the organization.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing security alerts, advisories, and directives

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- automated mechanisms supporting the distribution of security alert and advisory information

-

- records of security alerts and advisories

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security alert and advisory responsibilities

-

- organizational personnel implementing, operating, maintaining, and using the information system

-

- organizational personnel, organizational elements, and/or external organizations to whom alerts and advisories are to be disseminated

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for defining, receiving, generating, and disseminating security alerts and advisories

-

- automated mechanisms supporting and/or implementing dissemination of security alerts and advisories

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines external organizations from whom information system security alerts, advisories and directives are to be received;

-
-
-
- - - - - - - -
-

[2]

-
-

receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

generates internal security alerts, advisories, and directives as deemed necessary;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom security alerts, advisories, and directives are to be provided;

-
-
-
- - - - - - - -
-

[2]

-
-

defines elements within the organization to whom security alerts, advisories, and directives are to be provided;

-
-
-
- - - - - - - -
-

[3]

-
-

defines external organizations to whom security alerts, advisories, and directives are to be provided;

-
-
-
- - - - - - - -
-

[4]

-
-

disseminates security alerts, advisories, and directives to one or more of the following:

-
- - - - - - - -
-

[a]

-
-

organization-defined personnel or roles;

-
-
-
- - - - - - - -
-

[b]

-
-

organization-defined elements within the organization; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

organization-defined external organizations; and

-
-
-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

implements security directives in accordance with established time frames; or

-
-
-
- - - - - - - -
-

[2]

-
-

notifies the issuing organization of the degree of noncompliance.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing security alerts, advisories, and directives

-

- records of security alerts and advisories

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security alert and advisory responsibilities

-

- organizational personnel implementing, operating, maintaining, and using the information system

-

- organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives

-

- automated mechanisms supporting and/or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives

-

- automated mechanisms supporting and/or implementing security directives

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SI-5 (a) [to include US-CERT] SI-5 (c) [to include system security personnel and administrators with configuration/patch-management responsibilities]

-
-
-

References

-
-

NIST Special Publication 800-40

-
-
-
-
-

- SI-6 SECURITY FUNCTION VERIFICATION

-
-

- Parameter: - si-6_a organization-defined security functions

-

- Value: organization-defined security functions

-
-
-

- Parameter: - si-6_b organization-defined system transitional states

-

- Value: organization-defined system transitional states

-
-
-

- Parameter: - si-6_c organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - si-6_d organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-6_e organization-defined alternative action(s)

-

- Value: organization-defined alternative action(s)

-
-

- priority: P1

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Verifies the correct operation of - - si-6_a - - organization-defined security functions - organization-defined security functions - ;

-
-
-
- - - - - - - -
-

b.

-
-

Performs this verification [Selection (one or more): - - si-6_b - - organization-defined system transitional states - organization-defined system transitional states - ; upon command by user with appropriate privilege; - - si-6_c - - organization-defined frequency - organization-defined frequency - ];

-
-
-
- - - - - - - -
-

c.

-
-

Notifies - - si-6_d - - organization-defined personnel or roles - organization-defined personnel or roles - of failed security verification tests; and

-
-
-
- - - - - - - -
-

d.

-
-

[Selection (one or more): shuts the information system down; restarts the information system; - - si-6_e - - organization-defined alternative action(s) - organization-defined alternative action(s) - ] when anomalies are discovered.

-
-
-
-
-
-

Supplemental guidance

-

Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines security functions to be verified for correct operation;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system verifies the correct operation of organization-defined security functions;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines system transitional states requiring verification of organization-defined security functions;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines a frequency to verify the correct operation of organization-defined security functions;

-
-
-
- - - - - - - -
-

[3]

-
-

the information system performs this verification one or more of the following:

-
- - - - - - - -
-

[a]

-
-

at organization-defined system transitional states;

-
-
-
- - - - - - - -
-

[b]

-
-

upon command by user with appropriate privilege; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

with the organization-defined frequency;

-
-
-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines personnel or roles to be notified of failed security verification tests;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system notifies organization-defined personnel or roles of failed security verification tests;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines alternative action(s) to be performed when anomalies are discovered;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system performs one or more of the following actions when anomalies are discovered:

-
- - - - - - - -
-

[a]

-
-

shuts the information system down;

-
-
-
- - - - - - - -
-

[b]

-
-

restarts the information system; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

performs organization-defined alternative action(s).

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing security function verification

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- alerts/notifications of failed security verification tests

-

- list of system transition states requiring security functionality verification

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security function verification responsibilities

-

- organizational personnel implementing, operating, and maintaining the information system

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Organizational processes for security function verification

-

- automated mechanisms supporting and/or implementing security function verification capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SI-6 (b) [to include upon system startup and/or restart and at least monthly] SI-6 (c) [to include system administrators and security personnel] SI-6 (d) [to include notification of system administrators and security personnel]

-
-

References: None -

-
-
-

- SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

-
-

- Parameter: - si-7_a organization-defined software, firmware, and information

-

- Value: organization-defined software, firmware, and information

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs integrity verification tools to detect unauthorized changes to - - si-7_a - - organization-defined software, firmware, and information - organization-defined software, firmware, and information - .

-
-
-
-

Supplemental guidance

-

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications.

- - - - -
-
-

- SI-7 (1) INTEGRITY CHECKS

-
-

- Parameter: - si-7_b organization-defined software, firmware, and information

-

- Value: organization-defined software, firmware, and information

-
-
-

- Parameter: - si-7_c organization-defined transitional states or security-relevant events

-

- Value: organization-defined transitional states or security-relevant events

-
-
-

- Parameter: - si-7_d organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system performs an integrity check of - - si-7_b - - organization-defined software, firmware, and information - organization-defined software, firmware, and information - [Selection (one or more): at startup; at - - si-7_c - - organization-defined transitional states or security-relevant events - organization-defined transitional states or security-relevant events - ; - - si-7_d - - organization-defined frequency - organization-defined frequency - ].

-
-
-
-

Supplemental guidance

-

Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines:

-
- - - - - - - -
-

[a]

-
-

software requiring integrity checks to be performed;

-
-
-
- - - - - - - -
-

[b]

-
-

firmware requiring integrity checks to be performed;

-
-
-
- - - - - - - -
-

[c]

-
-

information requiring integrity checks to be performed;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines transitional states or security-relevant events requiring integrity checks of organization-defined:

-
- - - - - - - -
-

[a]

-
-

software;

-
-
-
- - - - - - - -
-

[b]

-
-

firmware;

-
-
-
- - - - - - - -
-

[c]

-
-

information;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines a frequency with which to perform an integrity check of organization-defined:

-
- - - - - - - -
-

[a]

-
-

software;

-
-
-
- - - - - - - -
-

[b]

-
-

firmware;

-
-
-
- - - - - - - -
-

[c]

-
-

information;

-
-
-
-
-
- - - - - - - -
-

[4]

-
-

the information system performs an integrity check of organization-defined software, firmware, and information one or more of the following:

-
- - - - - - - -
-

[a]

-
-

at startup;

-
-
-
- - - - - - - -
-

[b]

-
-

at organization-defined transitional states or security-relevant events; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing software, firmware, and information integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- integrity verification tools and associated documentation

-

- records of integrity scans

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for software, firmware, and/or information integrity

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Software, firmware, and information integrity verification tools

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

SI-7(1)-1 [selection to include security relevant events] SI-7(1)-2 [at least monthly]

-
-

References: None -

-
-
-

- SI-7 (2) AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS

-
-

- Parameter: - si-7_e organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated tools that provide notification to - - si-7_e - - organization-defined personnel or roles - organization-defined personnel or roles - upon discovering discrepancies during integrity verification.

-
-
-
-

Supplemental guidance

-

The use of automated tools to report integrity violations and to notify organizational personnel in a timely matter is an essential precursor to effective risk response. Personnel having an interest in integrity violations include, for example, mission/business owners, information system owners, systems administrators, software developers, systems integrators, and information security officers.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs automated tools that provide notification to organization-defined personnel or roles upon discovering discrepancies during integrity verification.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing software, firmware, and information integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- integrity verification tools and associated documentation

-

- records of integrity scans

-

- automated tools supporting alerts and notifications for integrity discrepancies

-

- alerts/notifications provided upon discovering discrepancies during integrity verifications

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for software, firmware, and/or information integrity

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Software, firmware, and information integrity verification tools

-

- automated mechanisms providing integrity discrepancy notifications

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- SI-7 (5) AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS

-
-

- Parameter: - si-7_f organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements - - si-7_f - - organization-defined security safeguards - organization-defined security safeguards - ] when integrity violations are discovered.

-
-
-
-

Supplemental guidance

-

Organizations may define different integrity checking and anomaly responses: (i) by type of information (e.g., firmware, software, user data); (ii) by specific information (e.g., boot firmware, boot firmware for a specific types of machines); or (iii) a combination of both. Automatic implementation of specific safeguards within organizational information systems includes, for example, reversing the changes, halting the information system, or triggering audit alerts when unauthorized modifications to critical security files occur.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines security safeguards to be implemented when integrity violations are discovered;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system automatically performs one or more of the following actions when integrity violations are discovered:

-
- - - - - - - -
-

[a]

-
-

shuts the information system down;

-
-
-
- - - - - - - -
-

[b]

-
-

restarts the information system; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

implements the organization-defined security safeguards.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing software, firmware, and information integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- integrity verification tools and associated documentation

-

- records of integrity scans

-

- records of integrity checks and responses to integrity violations

-

- information audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for software, firmware, and/or information integrity

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Software, firmware, and information integrity verification tools

-

- automated mechanisms providing an automated response to integrity violations

-

- automated mechanisms supporting and/or implementing security safeguards to be implemented when integrity violations are discovered

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

- SI-7 (7) INTEGRATION OF DETECTION AND RESPONSE

-
-

- Parameter: - si-7_g organization-defined security-relevant changes to the information system

-

- Value: organization-defined security-relevant changes to the information system

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization incorporates the detection of unauthorized - - si-7_g - - organization-defined security-relevant changes to the information system - organization-defined security-relevant changes to the information system - into the organizational incident response capability.

-
-
-
-

Supplemental guidance

-

This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended period of time and for possible legal actions. Security-relevant changes include, for example, unauthorized changes to established configuration settings or unauthorized elevation of information system privileges.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines unauthorized security-relevant changes to the information system; and

-
-
-
- - - - - - - -
-

[2]

-
-

incorporates the detection of unauthorized organization-defined security-relevant changes to the information system into the organizational incident response capability.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing software, firmware, and information integrity

-

- procedures addressing incident response

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- incident response records

-

- information audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for software, firmware, and/or information integrity

-

- organizational personnel with information security responsibilities

-

- organizational personnel with incident response responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for incorporating detection of unauthorized security-relevant changes into the incident response capability

-

- software, firmware, and information integrity verification tools

-

- automated mechanisms supporting and/or implementing incorporation of detection of unauthorized security-relevant changes into the incident response capability

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SI-7 (14) BINARY OR MACHINE EXECUTABLE CODE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and

-
-
-
- - - - - - - -
-

(b)

-
-

Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software. Organizations assess software products without accompanying source code from sources with limited or no warranty for potential security impacts. The assessments address the fact that these types of software products may be very difficult to review, repair, or extend, given that organizations, in most cases, do not have access to the original source code, and there may be no owners who could make such repairs on behalf of organizations.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

prohibits the use of binary or machine-executable code from sources with limited or no warranty;

-
-
-
- - - - - - - -
-

[2]

-
-

prohibits the use of binary or machine-executable code without the provision of source code;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

provides exceptions to the source code requirement only for compelling mission/operational requirements; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides exceptions to the source code requirement only with the approval of the authorizing official.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing software, firmware, and information integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- approval records for execution of binary and machine-executable code

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for software, firmware, and/or information integrity

-

- organizational personnel with information security responsibilities

-

- authorizing official

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing prohibition of the execution of binary or machine-executable code

-
-
- justification -

Included in NIST High Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines software requiring integrity verification tools to be employed to detect unauthorized changes;

-
-
-
- - - - - - - -
-

[b]

-
-

defines firmware requiring integrity verification tools to be employed to detect unauthorized changes;

-
-
-
- - - - - - - -
-

[c]

-
-

defines information requiring integrity verification tools to be employed to detect unauthorized changes;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

employs integrity verification tools to detect unauthorized changes to organization-defined:

-
- - - - - - - -
-

[a]

-
-

software;

-
-
-
- - - - - - - -
-

[b]

-
-

firmware; and

-
-
-
- - - - - - - -
-

[c]

-
-

information.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing software, firmware, and information integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- integrity verification tools and associated documentation

-

- records generated/triggered from integrity verification tools regarding unauthorized software, firmware, and information changes

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for software, firmware, and/or information integrity

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Software, firmware, and information integrity verification tools

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-147

-
-
-

NIST Special Publication 800-155

-
-
-
-
-

- SI-8 SPAM PROTECTION

-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and

-
-
-
- - - - - - - -
-

b.

-
-

Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

-
-
-
-
-
-

Supplemental guidance

-

Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook/laptop computers. Spam can be transported by different means including, for example, electronic mail, electronic mail attachments, and web accesses. Spam protection mechanisms include, for example, signature definitions.

- - - - - -
-
-

- SI-8 (1) CENTRAL MANAGEMENT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization centrally manages spam protection mechanisms.

-
-
-
-

Supplemental guidance

-

Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection security controls.

- - - -
-
-

Objective

- - - - - - -
- -

Determine if the organization centrally manages spam protection mechanisms.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing spam protection

-

- spam protection mechanisms

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for spam protection

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for central management of spam protection

-

- automated mechanisms supporting and/or implementing central management of spam protection

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SI-8 (2) AUTOMATIC UPDATES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically updates spam protection mechanisms.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the information system automatically updates spam protection mechanisms.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing spam protection

-

- spam protection mechanisms

-

- records of spam protection updates

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for spam protection

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Organizational processes for spam protection

-

- automated mechanisms supporting and/or implementing automatic updates to spam protection mechanisms

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

employs spam protection mechanisms:

-
- - - - - - - -
-

[1]

-
-

at information system entry points to detect unsolicited messages;

-
-
-
- - - - - - - -
-

[2]

-
-

at information system entry points to take action on unsolicited messages;

-
-
-
- - - - - - - -
-

[3]

-
-

at information system exit points to detect unsolicited messages;

-
-
-
- - - - - - - -
-

[4]

-
-

at information system exit points to take action on unsolicited messages; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- configuration management policy and procedures (CM-1)

-

- procedures addressing spam protection

-

- spam protection mechanisms

-

- records of spam protection updates

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for spam protection

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Organizational processes for implementing spam protection

-

- automated mechanisms supporting and/or implementing spam protection

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-
-

References

-
-

NIST Special Publication 800-45

-
-
-
-
-

- SI-10 INFORMATION INPUT VALIDATION

-
-

- Parameter: - si-10_a organization-defined information inputs

-

- Value: organization-defined information inputs

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system checks the validity of - - si-10_a - - organization-defined information inputs - organization-defined information inputs - .

-
-
-
-

Supplemental guidance

-

Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines information inputs requiring validity checks; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system checks the validity of organization-defined information inputs.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- access control policy and procedures

-

- separation of duties policy and procedures

-

- procedures addressing information input validation

-

- documentation for automated tools and applications to verify validity of information

-

- list of information inputs requiring validity checks

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for information input validation

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing validity checks on information inputs

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SI-11 ERROR HANDLING

-
-

- Parameter: - si-11_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and

-
-
-
- - - - - - - -
-

b.

-
-

Reveals error messages only to - - si-11_a - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-
-
-

Supplemental guidance

-

Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-

the information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines personnel or roles to whom error messages are to be revealed; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system reveals error messages only to organization-defined personnel or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing information system error handling

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- documentation providing structure/content of error messages

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for information input validation

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Organizational processes for error handling

-

- automated mechanisms supporting and/or implementing error handling

-

- automated mechanisms supporting and/or implementing management of error messages

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SI-12 INFORMATION HANDLING AND RETENTION

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

-
-
-
-

Supplemental guidance

-

Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements:

-
- - - - - - - -
-

[1]

-
-

handles information within the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

handles output from the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

retains information within the information system; and

-
-
-
- - - - - - - -
-

[4]

-
-

retains output from the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information handling and retention

-

- media protection policy and procedures

-

- procedures addressing information system output handling and retention

-

- information retention records, other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for information handling and retention

-

- organizational personnel with information security responsibilities/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for information handling and retention

-

- automated mechanisms supporting and/or implementing information handling and retention

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- SI-16 MEMORY PROTECTION

-
-

- Parameter: - si-16_a organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements - - si-16_a - - organization-defined security safeguards - organization-defined security safeguards - to protect its memory from unauthorized code execution.

-
-
-
-

Supplemental guidance

-

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines security safeguards to be implemented to protect information system memory from unauthorized code execution; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system implements organization-defined security safeguards to protect its memory from unauthorized code execution.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing memory protection for the information system

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of security safeguards protecting information system memory from unauthorized code execution

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for memory protection

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing safeguards to protect information system memory from unauthorized code execution

-
-
- justification -

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-
-
-
-
-
-

../SP800-53/SP800-53-rev4-catalog.xml ➭ Included: - - Subcontrol ac.2.7. - - Subcontrol ac.2.9. - - Subcontrol ac.2.10. - - Subcontrol ac.4.8. - - Subcontrol ac.4.21. - - Subcontrol ac.6.7. - - Subcontrol ac.6.8. - - Subcontrol ac.7.2. - - Subcontrol ac.12.1. - - Subcontrol ac.17.9. - - Subcontrol ac.18.3. - - Subcontrol at.3.3. - - Subcontrol at.3.4. - - Subcontrol au.6.4. - - Subcontrol au.6.7. - - Subcontrol au.6.10. - - Subcontrol ca.2.3. - - Subcontrol ca.3.3. - - Subcontrol ca.7.3. - - Subcontrol ca.8.1. - - Subcontrol cm.3.4. - - Subcontrol cm.3.6. - - Subcontrol cm.5.5. - - Subcontrol cm.10.1. - - Subcontrol cm.11.1. - - Subcontrol ia.2.5. - - Subcontrol ia.4.4. - - Subcontrol ia.5.4. - - Subcontrol ia.5.6. - - Subcontrol ia.5.7. - - Subcontrol ia.5.8. - - Subcontrol ia.5.13. - - Subcontrol ir.4.2. - - Subcontrol ir.4.3. - - Subcontrol ir.4.6. - - Subcontrol ir.4.8. - - Subcontrol ir.7.2. - - Control ir.9 - - Subcontrol ir.9.1. - - Subcontrol ir.9.2. - - Subcontrol ir.9.3. - - Subcontrol ir.9.4. - - Subcontrol ma.4.6. - - Subcontrol pe.14.2. - - Subcontrol ps.3.3. - - Subcontrol ra.5.3. - - Subcontrol ra.5.6. - - Subcontrol ra.5.8. - - Subcontrol ra.5.10. - - Subcontrol sa.4.8. - - Subcontrol sa.9.1. - - Subcontrol sa.9.4. - - Subcontrol sa.9.5. - - Subcontrol sa.10.1. - - Subcontrol sa.11.1. - - Subcontrol sa.11.2. - - Subcontrol sa.11.8. - - Control sc.6 - - Subcontrol sc.7.10. - - Subcontrol sc.7.12. - - Subcontrol sc.7.13. - - Subcontrol sc.7.20. - - Subcontrol sc.12.2. - - Subcontrol sc.12.3. - - Subcontrol sc.23.1. - - Subcontrol sc.28.1. - - Subcontrol si.2.3. - - Subcontrol si.3.7. - - Subcontrol si.4.1. - - Subcontrol si.4.11. - - Subcontrol si.4.14. - - Subcontrol si.4.16. - - Subcontrol si.4.18. - - Subcontrol si.4.19. - - Subcontrol si.4.20. - - Subcontrol si.4.22. - - Subcontrol si.4.23. - - Subcontrol si.4.24. 
- - Parameter (organization-defined actions): organization-defined actions - - Included in FedRAMP Moderate Baseline, Rev 4 - AC-2 (7) (c) [disables/revokes access within a organization-specified timeframe] - - - Parameter (organization-defined conditions for establishing shared/group accounts): organization-defined conditions for establishing shared/group accounts - - RESTRICTIONS ON USE OF SHARED GROUPS / ACCOUNTS - Included in FedRAMP Moderate Baseline, Rev 4 - AC-2 (9) [organization-defined need with justification statement that explains why such accounts are necessary] - AC-2 (9) Required if shared/group accounts are deployed - - - - Included in FedRAMP Moderate Baseline, Rev 4 - AC-2 (10) Required if shared/group accounts are deployed - - - Parameter (organization-defined security policy filters): organization-defined security policy filters - - Parameter (organization-defined information flows): organization-defined information flows - - NEED. If there is a significant high-impact risk of inadvertent or intentional data leakage with a system deployed in a shared-service environment, this control is justified to mitigate that risk. Similar justification applies when an organization needs to ensure data isolation between different types of information enclaves within the organization. ANALYSIS. Although this control is usually employed to control flows between different classified enclaves, it can also apply to non-classified scenarios (e.g., the need to isolate legal, personnel, health-related, financial, or other information or files deemed sensitive. SAMPLE THREAT VECTORS. Sensitive free-text information passes from the personnel department to the rest of the organization. Law-enforcement sensitive information is inadvertently pulled from the organization's general counsel case management system and passed outside the department to users without authorization to view that information. 
HIPAA-protected health information flows freely from the HR department to all employees. Privacy-Act information flows from an HR system into a publicly released report. RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Adaptive, Manageable, Assessed, Auditable, Regulated, Controlled, Monitored, Providing Good Data Stewardship, Assured, Competent, Confidential, Data Controllable, Access-Controlled. - - - Parameter (organization-defined mechanisms and/or techniques): organization-defined mechanisms and/or techniques - - Parameter (organization-defined required separations by types of information): organization-defined required separations by types of information - - Included in FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined frequency): organization-defined frequency - - Parameter (organization-defined roles or classes of users): organization-defined roles or classes of users - - CSP Insider Threat mitigation; Good housekeeping and a best business practice for the protection of the CSP and customer alike. In a cloud environment, the power (and potentially harm) of the privileged users is greatly magnified because of the scale. For that reason periodic review of privileges is important.Priority for adding to FedRAMP-M: HIGH - AC-6 (7)(a)-1 at a minimum, annually AC-6 (7)(a)-2 all users with privileges - - - Parameter (organization-defined software): organization-defined software - - This control is not part of the NIST high baseline and was added for FedRAMP at the recommendation of DoD and NIST. This is a CNSSI 1253 control. - AC-6 (8) [any software except software explicitly documented] - - - Parameter (organization-defined mobile devices): organization-defined mobile devices - - Parameter (organization-defined purging/wiping requirements/techniques): organization-defined purging/wiping requirements/techniques - - Parameter (organization-defined number): organization-defined number - - NEED. 
If an organization’s mobile devices carry information whose loss would have a high impact, this control is warranted in order to mitigate the risk of such loss. ANALYSIS. The technologies associated with this control are well established COTS hardware and software. SAMPLE THREAT VECTORS. Mobile device is lost, falls into the hands of people without authorization to view the information contained on the device. RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Usable, Adaptive, Manageable, Agile, Supported, Assessed, Auditable, Regulated, Controlled, Monitored, Providing Good Data Stewardship, Assured, Confidential, Data Controllable, Access-Controlled, Mission Assured. - AC-7 (2)-1 [mobile devices as defined by organization policy] AC-7 (2)-3 [three (3)] - - - Parameter (organization-defined information resources): organization-defined information resources - - Recommended by High Baseline Tiger Team. vulnerabilities associated with not having a logout button are well-documented. - AC-12 (1) Guidance: https://www.owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-006%29 - - - Parameter (organization-defined time period): organization-defined time period - - Included in FedRAMP Moderate Baseline, Rev 4 - AC-17 (9) [fifteen (15) minutes] - - - - Rationale for Selection: Best business practice for the protection of the CSP and customer alike " when not intended for use". This is an unanticipated vector for attack if present and active. While probably not an issue with data center servers and networking devices, wireless is becoming embedded in many components and devices such as printers, fax devices, copiers, scanners, communications devices, etc. There is the additional potential that wireless capabilities may become available in air conditioners, power centers, power controllers, lighting, alarm systems, etc. There is a potential that these capabilities could exist without organizational awareness. Selection drivedsawareness. 
It's better to perform the check than to make assumptions about what devices are in the IS.ECSB Supplemental Guidance as the C/CE relates to CSPs The application of this control enchancement should include all systems and devices in the CSP facility such as printers, fax devices, copiers, scanners, communications devices, air conditioners, power centers, power controllers, lighting, alarm systems, etc. Wireless networking capabilities should be disabled when they are near or networked with systems supporting customer's services.Priority for adding to FedRAMP-M: Moderate (Low L1/2) - - - - NEED. High-impact systems warrant significantly elevated protection; one of these elevated protections is provided through simulated no-notice attacks that exercise users’ ability to detect and respond correctly to attempts to steal internal information in their possession. ANALYSIS. These controls are well understood and widely installed; COTS components keep implementation time and cost low. SAMPLE THREAT VECTORS. Cybersecurity staff do not know how to monitor, respond, and manage complex enforcement systems and subsystems. Cybersecurity staff is not properly trained to understand how the controls are to operate. Staff does not understand the event alarms/logs. Staff is not able to protect from unauthorized disclosure. Staff is careless with handling data, or unwilling to follow the established security protocols, or willing to cut corners to save time. RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Assessed, Auditable, Controlled, Monitored, Providing Good Data Stewardship, Assured, Competent, Confidential. - - - Parameter (organization-defined indicators of malicious code): organization-defined indicators of malicious code - - NEED. High-impact systems warrant significantly elevated protection.ANALYSIS. These controls are well understood and widely installed.THREAT VECTORS ADDRESSED. 
Staff does not know how to monitor or manage complex systems in a way that supports effective management decision or control. Malicious actors manipulate the system to appear as if functioning normally when in reality, it is not. People fail to review event logs. People make unauthorized changes to event logger.RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Assessed, Auditable, Controlled, Monitored, Providing Good Data Stewardship, Assured, Competent, Confidential. - AT-3 (4) [malicious code indicators as defined by organization incident policy/capability] - - - - NEED. Due to the complexity of independent systems exchanging security-related monitoring data, and high-impact systems implemented in shared-service environments, the responsible organization needs a centralized capability that integrates these various data sources into a unified whole permitting central review and analysis of diverse log data relevant to security audits. ANALYSIS. This control permits analysts and auditors to focus on their primary duty of analyzing log data, and relieves them of the usual burden of discovery, collection, validation, aggregation, and indexing of large log datasets relevant to system security. Since these latter collection tasks have been automated under this control, less time and funding will be required to execute this core audit/analysis activity. SAMPLE THREAT VECTORS. Staff does not know how to monitor or manage complex systems in a way that supports effective management decision or control. Malicious actors manipulate the system to appear as if functioning normally, when it is not. People fail to review event logs. People make unauthorized changes to event logger." RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored. - - - - This control is not part of the NIST high baseline and was added for FedRAMP. - AU-6 (7) [information system process; role; user] - - - - Rationale for Selection L3-6: In support of cyber security threat / incident response activities. 
Supports flexibility in auditing levels based on threat level. Supports CSP integration with DoD security architecture. The sensitivity of the information at levels 3-6 warrents the adjustment of auditing levels based on threat level.ECSB Supplemental Guidance as the C/CE relates to CSPs: This CE supports cyber security threat / incident response activities and flexibility in auditing levels based on threat level. This CE also supports CSP integration with DoD security architecture and the ability to respond to USCYBERCOM and DoD CNDSP alerts and directives. NOTE L1/2: The handling of alerts from US-CERT and other credible sources is sufficient to change auditing activities if this CE is tailored in via an SLA. NOTE: L3-6: The handling of alerts and directives from USCYBERCOM and DoD CNDSPs is required at these levels in addition to handling of alerts from US-CERTand other credible sources.Priority for adding to FedRAMP-M: High - - - Parameter (organization-defined information system): organization-defined information system - - Parameter (organization-defined external organization): organization-defined external organization - - Parameter (organization-defined requirements): organization-defined requirements - - Included in FedRAMP Moderate Baseline, Rev 4 - CA-2 (3)-1 [any FedRAMP Accredited 3PAO] CA-2 (3)-1-2 [any FedRAMP Accredited 3PAO] CA-2 (3)-1-3 [the conditions of the JAB/AO in the FedRAMP Repository] - - - Parameter (organization-defined unclassified, non-national security system): organization-defined unclassified, non-national security system - - Parameter (Assignment; organization-defined boundary protection device): Assignment; organization-defined boundary protection device - - Included in FedRAMP Moderate Baseline, Rev 4 - CA-3 (3) [boundary protections which meet the Trusted Internet Connection (TIC) requirements] - CA-3 (3) Guidance: Refer to Appendix H – Cloud Considerations of the TIC 2.0 Reference Architecture document. - - - - NEED. 
Organization requires independent data to validate that current security monitoring continues to target the right data, and that no gaps have opened between what is currently measured and what needs to be measured given the constantly evolving threat environment. In particular, the organization determines that security management will need trend analytics tuned to the current security climate to ensure the organization’s security officials maintain general situational awareness of larger security trends that may pose a threat to the organization’s high-impact systems fielded in shared-service environments.ANALYSIS. Implementation of this control should provide security management with a technical advantage by forcing them to maintain continual current awareness of the larger security threat-scape, rather than become lost in the lower-level details of specific security metrics.SAMPLE THREAT VECTORS ADDRESSED. Stakeholders do not have the information they need to make sound decisions due to technology capability. System fails to send alarms, logs, and other pertinent data to the event manager. Control processes involve too many layers of review, concurrence, and revision to support effective and timely conveyance of relevant information to decision-makers. Monitoring not effectively linked to control processes.RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored, Controlled - - - - Included in FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined configuration change control element): organization-defined configuration change control element - - Rationale for De-Selection L1/2: The sensitivity of the information at these levels may not require a information security representative to be a member of the organization-defined configuration change control element. 
Rationale for Selection L3-6: This is a best business practice for the protection of the CSP and customer alike in that the security representative will be more aware of IA issues that configuration changes can introduce and he/she can more easily provide IA guidance for issues spotted. - CM-3 (4) Configuration control board (CCB) or similar (as defined in CM-3) - - - Parameter (organization-defined security safeguards): organization-defined security safeguards - - Rationale for SA L1: Cryptographic mechanisms are only required at this level for priviledged user (system administrator / SA) access control and the transport of privileged commands or configuration files. Not the publicly released information served at this level. Rationale for Selection L2-6: Best practice. Supplemental guidance for this CE refers primarily to the processes surrounding the management of the cryptographic mechanisms used. These processes need to be under change management that addresses security concerns to ensure they remain secure.CE supplemental guidance. Regardless of the cryptographic means employed (e.g., public key, private key, shared secrets), organizations ensure that there are processes and procedures in place to effectively manage those means. For example, if devices use certificates as a basis for identification and authentication, there needs to be a process in place to address the expiration of those certificates.Priority for adding to FedRAMP-M: High - CM-3 (6) All security safeguards that rely on cryptography - - - Parameter (organization-defined frequency): organization-defined frequency - - Included in FedRAMP Moderate Baseline, Rev 4 - CM-5 (5) (b) [at least quarterly] - - - Parameter (organization-defined restrictions): organization-defined restrictions - - Included in FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - NEED. 
High-impact systems will require special measures to ensure users cannot place the overall system at risk by installing unauthorized software. This control supports that need. ANALYSIS. Implementation of these controls is well understood, and relies on capabilities provided in COTS operating systems. SAMPLE THREAT VECTORS. The system executes malicious and harmful software. Software updates could render the system unstable or cause it to function incorrectly. Software is not designed with adequate safeguards to protect PII and other sensitive information. Users could make mistakes in following policy. Users could intentionally install unapproved/unvetted software. RELEVANT SECURITY CONTROL ATTRIBUTES. Quality Assured, Substantiated Integrity, Maintainable, Testable, Configuration Managed, Change Managed, Supported, Assessed, Auditable, Authorized, Regulated, Enforcement, Controlled, Reliable, Providing Good Data Stewardship, Assured, Confidential, Access-Controlled - - - - IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | -GROUP AUTHENTICATION - Included in FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined characteristic identifying individual status): organization-defined characteristic identifying individual status - - Included in FedRAMP Moderate Baseline, Rev 4 - IA-4 (4) [contractors; foreign nationals] - - - Parameter (organization-defined requirements): organization-defined requirements - - Included in FedRAMP Moderate Baseline, Rev 4 - IA-5 (4) [complexity as identified in IA-5 (1) Control Enhancement Part (a)] - IA-5 (4) Guidance: If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators. - - - - Included in FedRAMP Moderate Baseline, Rev 4 - - - - Included in FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined security safeguards): organization-defined security safeguards - - NEED. 
In those cases where an organization’s user accounts authenticate to more than one system, and at least one of those systems is a high-impact system implemented in a shared-service environment, then this control is warranted as a baseline capability to guard against loss of high-impact, sensitive information. ANALYSIS. Organizations can use COTS tools and techniques to implement this control in many ways. Agencies should be prepared to document their plan and approach to this control technique. THREAT VECTORS ADDRESSED. A user’s account password is cracked, permitting attackers to identify all systems to which the user has access, and to gain access to the information in those systems. RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored, Assessed - IA-5 (8) [different authenticators on different systems] - - - Parameter (organization-defined time period): organization-defined time period - - Rationale for Selection: Best practice for authenticated web services and best business practice for the protection of the CSP and customer alike. ECSB sees this as a significant value add toward the protection of customer accounts on SaaS or customer service / managent interfaces/portals. L1 Rationale for SA: No authenticators are required for user access to public informationl. Info sensitivity does not warrant. However this CE would be required priviledged user access to manage the system server(s) containing public information.ECSB Supplemental Guidance as the C/CE relates to CSPs: CSP must minimally implement this control enhancement on all SaaS offerings and customer service / managent interfaces. The time period can be negotiated in the SLA. NOTE: while the browser or other client cashes the authenticator, the server must enforce its expiration if the client does not.Priority for adding to FedRAMP-M: Low - - - Parameter (organization-defined information system components): organization-defined information system components - - NEED. 
Organization requires near real-time subsystem reconfiguration for high-impact systems, especially those deployed wholly or partially into shared-service environments. This dynamic reconfiguration is required for core infrastructure components such as routers, firewalls, messaging gateways, or access control/authentication servers, especially when these core components are under cyber-attack.ANALYSIS. These critical cyber controls are well understood, and to some extent their automated capability has been established. Other aspects still require human decisions. Since this technology area is rapidly changing to meet new cyber-threat scenarios, it is expected that implementation of this control will be subject to significant change for the foreseeable future. Even so, its technology advantages are clear, especially for high-impact systems infrastructure.SAMPLE THREAT VECTORS. System does not have error-correcting or self-recovery capabilities. The system is not designed to allow for quick remediation of threats that will impact the system.RELEVANT SECURITY CONTROL ATTRIBUTES. Survivable, Absorptive, Adaptive, Restorable - IR-4 (2) [all network, data storage, and computing devices] - - - Parameter (organization-defined classes of incidents): organization-defined classes of incidents - - Parameter (organization-defined actions to take in response to classes of incidents): organization-defined actions to take in response to classes of incidents - - NEED. Due to the direct connection between system function and critical mission/business capability, the system requires Continuity-of-Operations (COOP) controls.ANALYSIS. These critical cyber controls are well understood, and to some extent their automated capability has been established. Other aspects still require human decisions. 
Since this technology area is rapidly changing to meet new cyber-threat scenarios and also changes in subsystem technology, it is expected that implementation of this control will be subject to significant change for the foreseeable future. Even so, its technology advantages are fundamental, especially for high-impact systems infrastructure.SAMPLE THREAT VECTORS. The system does not have error-correcting or self-recovery capabilities. The system is not designed to allow for quick remediation of threats that will impact the system. Time does not allow for the design in error handling, self-recovery, or to capitalize on system diversity to restore a system. Also, the organization lacks the expertise to develop or implement a plan for restoring system. A malicious change may be implemented to counter the ability to restore the system.RELEVANT SECURITY CONTROL ATTRIBUTES. Survivable, Absorptive, Adaptable, Restorable - - - - NEED. High-impact systems will require special measures to ensure security incidents are correctly and effectively handled in a timely manner. This high-level control supports that need, and is therefore warranted as a baseline for high-impact systems in shared-service environments. ANALYSIS. Implementation of this general control is well understood among Departments and Agencies. However, it may require special funding and time to implement in a shared service environment, where response roles and responsibilities demand vigilant analysis and definition. SAMPLE THREAT VECTORS. Insiders gain access to information for which they have no authorization. Insiders push sensitive information to outside networks not authorized to receive it. Insiders violate agency information-security policies. Insider actions are not monitored. RELEVANT SECURITY CONTROL ATTRIBUTES. 
Agile, Owned, Enforcement - - - Parameter (organization-defined external organizations): organization-defined external organizations - - Parameter (organization-defined incident information): organization-defined incident information - - This control was recommended ecommended by the High Baseline Tiger Team. - IR-4 (8) [external organizations including consumer incident responders and network defenders and the appropriate CIRT/CERT (such as US-CERT, DOD CERT, IC CERT)] - - - - Included in FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Parameter (organization-defined actions): organization-defined actions - - Included in FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Included in FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined frequency): organization-defined frequency - - Included in FedRAMP Moderate Baseline, Rev 4 - IR-9 (2) [at least annually] - - - Parameter (organization-defined procedures): organization-defined procedures - - Included in FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined security safeguards): organization-defined security safeguards - - Included in FedRAMP Moderate Baseline, Rev 4 - - - - Rationale for Selection: Best practice business practice for the protection of the CSP and customer alike. Protects against unauthorized access and compromise of the CSP infrastructure. See Supplemental GuidanceECSB Supplemental Guidance as the C/CE relates to CSPs: While AC-17(2) is similar to this CE and implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions, System configuration, maintenance and diagnostic communications can be considered sensitive information and it is in DoD. 
Maintaining the confidrntiality and integrity of nonlocal maintenance and diagnostic communications helps maintain the health of the system, prevents unauthorized access from sniffing and MITM atacks, etc. While beneficial this selection may not be required for nonlocal maintenance and diagnostic communications over the CSP's private network and particularly if that network is out of band. Encryption is required if such communications are over a network external to the CSP (e.g., the Internet).Priority for adding to FedRAMP-M: High - - - - Included in FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined additional personnel screening criteria): organization-defined additional personnel screening criteria - - Included in FedRAMP Moderate Baseline, Rev 4 - PS-3 (3) (b) [personnel screening criteria – as required by specific information] - - - - Included in FedRAMP Moderate Baseline, Rev 4 - - - - Included in FedRAMP Moderate Baseline, Rev 4 - RA-5 (6) Guidance: include in Continuous Monitoring ISSO digest/report to JAB/AO - - - - Included in FedRAMP Moderate Baseline, Rev 4 - RA-5 (8) Requirements: This enhancement is required for all high vulnerability scan findings. Guidance: While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability. - - - - NEED. Organizations commonly run vulnerability scanning tools against diverse enterprise systems and subsystems. These tools are often attuned to the specific subsystems, and often provided by different manufacturers. Because there is no single-vendor consolidation of all scanning tools, organizations need to correlate the outputs of these tools in order to triangulate on potential threats that may be related, or identical at their source. When the security impact is high a shared-service environment may increase the number of independent scanning tools, implementation of this control is warranted.ANALYSIS. 
Although this control is well understood by vendors, its implementation takes many forms, depending on the scanning tools adopted by a particular organization.SAMPLE THREAT VECTORS. Different scanning tools discover low-impact vulnerabilities in multiple subsystems of a system. Considered individually, none of them warrants immediate action,; yet when considered together, they constitute a significant attack pattern.RELEVANT SECURITY CONTROL ATTRIBUTES. Interoperable, Change Managed, Agile, Supported, Assessed, Monitored - RA-5 (10) Guidance: If multiple tools are not used, this control is not applicable. - - - Parameter (organization-defined level of detail): organization-defined level of detail - - Included in FedRAMP Moderate Baseline, Rev 4 - SA-4 (8) [at least the minimum requirement as defined in control CA-7] - SA-4 (8) Guidance: CSP must use the same security standards regardless of where the system component or information system service is acquired. - - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - Included in FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined security safeguards): organization-defined security safeguards - - Parameter (organization-defined external service providers): organization-defined external service providers - - Included in FedRAMP Moderate Baseline, Rev 4 - SA-9 (4)-2 [all external systems where Federal information is processed or stored] - - - Parameter (organization-defined locations): organization-defined locations - - Parameter (organization-defined requirements or conditions): organization-defined requirements or conditions - - Included in FedRAMP Moderate Baseline, Rev 4 - SA-9 (5)-1 [information processing, information data, AND information services] - - - - Included in FedRAMP Moderate Baseline, Rev 4 - - - - Included in FedRAMP Moderate Baseline, Rev 4 - SA-11 (1) Requirement: The service provider documents in the Continuous Monitoring Plan, how 
newly developed code for the information system is reviewed. - - - - Included in FedRAMP Moderate Baseline, Rev 4 - - - - Included in FedRAMP Moderate Baseline, Rev 4 - SA-11 (8) Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed. - - - Parameter (organization-defined resources): organization-defined resources - - Parameter (organization-defined security safeguards): organization-defined security safeguards - - Included in FedRAMP Moderate Baseline, Rev 4 - - - - NEED. High-impact systems warrant careful attention to scenarios associated with exfiltration of sensitive organizational information. Different systems and implementation will trigger different scenarios, but regardless of the specific system context, organizations are warranted in establishing this control for high-impact systems with subsystems deployed into shared-service environments.ANALYSIS. Organizations should devote careful attention to design considerations relative to this control.SAMPLE THREAT VECTORS. Authorized processes push very large volumes of data to external networks. 
Internal devices send address/status/security information to external networks.RELEVANT SECURITY CONTROL ATTRIBUTES: Integrity-Assured, Absorptive, Survivable, Adaptive, Agile, Auditable, Monitored, Controlled, Data Controllable, Access-Controlled - - - Parameter (organization-defined host-based boundary protection mechanisms): organization-defined host-based boundary protection mechanisms - - Parameter (organization-defined information system components): organization-defined information system components - - Included in FedRAMP Moderate Baseline, Rev 4 - SC-7(12)-1 [Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall] - - - Parameter (organization-defined information security tools, mechanisms, and support components): organization-defined information security tools, mechanisms, and support components - - Included in FedRAMP Moderate Baseline, Rev 4 - SC-7 (13) Requirement: The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets. Guidance: Examples include: information security tools, mechanisms, and support components such as, but not limited to PKI, patching infrastructure, cyber defense tools, special purpose gateway, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc. - - - Parameter (organization-defined information system components): organization-defined information system components - - NEED. High-impact systems warrant careful attention to situations where specific sources or methods become suspect. 
Such situations can involve specific user accounts, messages, message payloads, data, applications, or even entire subsystems. Under these circumstances, a capability for dynamic segregation is highly justified.ANALYSIS. Isolation techniques are well understood in the cyber market, and constantly evolving. Example techniques include honey pots and honey nets. Both techniques can isolate a user, an autonomous application, or an entire subsystem.SAMPLE THREAT VECTORS. Anomalous user behavior is detected Messages arrive from suspect domains. Messages arrive with suspect attachments. Applications begin to behave anomalously. Subsystems begin moving data anomalously.RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Absorptive, Survivable, Adaptive, Agile, Auditable, Monitored, Controlled, Data Controllable, Access-Controlled - - - - CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | -SYMMETRIC KEYS - Included in FedRAMP Moderate Baseline, Rev 4 - SC-12 (2) [NIST FIPS-compliant] - - - - CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | -ASYMMETRIC KEYS - Included in FedRAMP Moderate Baseline, Rev 4 - - - - Rationale for Selection: Rationale for Selection for SA L1: At L1 this CE is only applicable to privileged user sessions.Rationale for Selection L1-6: Best Practice; APT. This CE mitigates the threat/vulnerability inherant in authenticated sessions whereby If an adversary captures a session identifier that remains valid after the session is terminated, the adversary could use it to reinitiate the session thus gaining unauthorized access to CSP and CSP customer resources and information/data.ECSB Supplemental Guidance as the C/CE relates to CSPs: If an adversary captures a session identifier that remains valid after the session is terminated, the adversary could use it to reinitiate the session thus gaining unauthorized access to CSP and/or CSP customer resources and information/data. 
While unnessary for user sessions at L1, this enhancement is selected for System Administrator sessions.Priority for adding to FedRAMP-M: High - - - Parameter (organization-defined information): organization-defined information - - Parameter (organization-defined information system components): organization-defined information system components - - Included in FedRAMP Moderate Baseline, Rev 4 - SC-28 (1)-2 [all information system components storing customer data deemed sensitive] - - - Parameter (organization-defined benchmarks): organization-defined benchmarks - - Included in FedRAMP Moderate Baseline, Rev 4 - - - - Included in FedRAMP Moderate Baseline, Rev 4 - - - - Included in FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined interior points within the system (e.g., subnetworks, subsystems)): organization-defined interior points within the system (e.g., subnetworks, subsystems) - - NEED. When a high-impact system is implemented in a shared-service environment, organizations should ensure their sensitive data is properly protected against classic threats to the confidentiality of its sensitive information. This control partially meets that need.ANALYSIS. The tools and techniques for implementing this monitoring control are now well understood and embedded in COTS operating systems and software.SAMPLE THREAT VECTORS. Large outbound file transfers execute without being detected. External malware network sites are accessed from within the organization without detection. Network sessions remain connected for long periods of time without detection. Esoteric protocols are active and undetected on ports not defined by the organization.RELEVANT SECURITY CONTROL ATTRIBUTES. 
Monitored - - - - Included in FedRAMP Moderate Baseline, Rev 4 - - - - Included in FedRAMP Moderate Baseline, Rev 4 - - - Parameter (organization-defined interior points within the system (e.g., subsystems, subnetworks)): organization-defined interior points within the system (e.g., subsystems, subnetworks) - - NEED. When a high-impact system is implemented in a shared-service environment, organizations should ensure their sensitive data is properly protected against classic threats to the confidentiality of sensitive information. This control partially meets that need.ANALYSIS. The tools and techniques for implementing this monitoring control are now well understood, and embedded in COTS operating systems and software.SAMPLE THREAT VECTORS. Large outbound files are disguised to transfer without being detected. Communications with external malware network sites are embedded to avoid detection.RELEVANT SECURITY CONTROL ATTRIBUTES. Substantiated Integrity, Monitored, Assessed - - - Parameter (organization-defined additional monitoring): organization-defined additional monitoring - - Parameter (organization-defined sources): organization-defined sources - - Rationale for De-Selection L1-3: The information sensitivity at these levels does not seem to warrant implementation of this CE. The costs for instituting fine-grained monitoring per individual far may outweigh the risksRationale for selection L4-6: SP Insider Threat mitigation; The information sensitivity at these levels warrants implementation of this CE.Best business practice for the protection of the CSP and customer alike. This enhancement works in conjunction with AC-2 (13) account disablement for such individuals and IR-4 (6).ECSB Supplemental Guidance as the C/CE relates to CSPs: This enhancement works in conjunction with or opposite of AC-2 (13) which requires acount disablement within a specific time frame of discovering or identifying an individual posing a significant insider threat. 
In some instances the best action is not to terminate the individual's account, but rather to monitor their actions. This allows for the ability to collect evidence (for prosecution) and obtain insight into the TTPs that they may be using and others they may working with. Termination of the account is often best left as a final act.Priority for adding to FedRAMP-M: Moderate - - - Parameter (organization-defined additional monitoring): organization-defined additional monitoring - - PRIVILEGED USER - Rationale for Selection: Best business practice for the protection of the CSP and customer alike. Given the scale of a cloud, the possible harm by an malicious insider is greatly magnified over normal systems.ECSB Supplemental Guidance as the C/CE relates to CSPs: his CE is on a par with SI-4 (9), IR-4 (6) and the various other insider threat Cs/CEs. Supports the mitigation of insider threat from those that can do the most damage. While CSPs typically claim they only have privileged users in their infrastructure (other than customers), this CEadds value for privilege users that have higher privilege than others. These higher privileged users should be subject to additional monitoring.Priority for adding to FedRAMP-M: High - - - Parameter (organization-defined authorization or approval processes): organization-defined authorization or approval processes - - Parameter (organization-defined personnel or roles): organization-defined personnel or roles - - NEED. When a high-impact system is implemented across networks in a shared-service environment, organizations should monitor network services to protect against unauthorized services capable of exfiltrating sensitive information. This control meets that monitoring need.ANALYSIS. The tools and techniques for implementing this monitoring control are well understood, and embedded in COTS operating systems and software.SAMPLE THREAT VECTORS. 
Systems daemons and application services running in the background, exfiltrating sensitive information to external networks.RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored, Assessed - - - Parameter (organization-defined host-based monitoring mechanisms): organization-defined host-based monitoring mechanisms - - Parameter (organization-defined information system components): organization-defined information system components - - Included in FedRAMP Moderate Baseline, Rev 4 - - - - NEED. When a high-impact system is implemented across networks in a shared-service environment, organizations should aggressively monitor for symptoms that system integrity has been compromised. This control addresses that monitoring need.ANALYSIS. The tools and techniques for implementing this monitoring control are no longer unusual, but their implementation still requires careful initial analysis of tools, standards, and sources for indicators of compromise (IOC) data. This capability is not a simple matter of installing COTS software and watching for alerts. Rather, it requires staff to maintain a keen understanding of the threat-scape in order to properly understand the alerts coming from the IOC subsystem.SAMPLE THREAT VECTORS. Temporary files appear but are not associated with any known system processes; independent security services warn of new surveillance techniques appearing globally; evidence of those new techniques appears in an organization’s event logs. Reports on the payload of a new botnet indicate that the system has been touched by the botnet.RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored, Assessed - -

-
-
-

NIST SP800-53 rev 4

-
-

INCIDENT RESPONSE

-
-

- IR-9 INFORMATION SPILLAGE RESPONSE

-
-

- Parameter: - ir-9_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ir-9_b organization-defined actions

-

- Value: organization-defined actions

-
-

- priority: P0

-
-

Control

- - - - - - -
- -

The organization responds to information spills by:

-
- - - - - - - -
-

a.

-
-

Identifying the specific information involved in the information system contamination;

-
-
-
- - - - - - - -
-

b.

-
-

Alerting - - ir-9_a - - organization-defined personnel or roles - organization-defined personnel or roles - of the information spill using a method of communication not associated with the spill;

-
-
-
- - - - - - - -
-

c.

-
-

Isolating the contaminated information system or system component;

-
-
-
- - - - - - - -
-

d.

-
-

Eradicating the information from the contaminated information system or component;

-
-
-
- - - - - - - -
-

e.

-
-

Identifying other information systems or system components that may have been subsequently contaminated; and

-
-
-
- - - - - - - -
-

f.

-
-

Performing other - - ir-9_b - - organization-defined actions - organization-defined actions - .

-
-
-
-
-
-

Supplemental guidance

-

Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated.

-
-
-

- IR-9 (1) RESPONSIBLE PERSONNEL

-
-

- Parameter: - ir-9_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

Control

- - - - - - -
- -

The organization assigns - - ir-9_c - - organization-defined personnel or roles - organization-defined personnel or roles - with responsibility for responding to information spills.

-
-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines personnel with responsibility for responding to information spills; and

-
-
-
- - - - - - - -
-

[2]

-
-

assigns organization-defined personnel with responsibility for responding to information spills.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing information spillage

-

- incident response plan

-

- list of personnel responsible for responding to information spillage

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- IR-9 (2) TRAINING

-
-

- Parameter: - ir-9_d organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

Control

- - - - - - -
- -

The organization provides information spillage response training - - ir-9_d - - organization-defined frequency - organization-defined frequency - .

-
-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the frequency to provide information spillage response training; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides information spillage response training with the organization-defined frequency.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing information spillage response training

-

- information spillage response training curriculum

-

- information spillage response training materials

-

- incident response plan

-

- information spillage response training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response training responsibilities

-

- organizational personnel with information security responsibilities

-
-
- justification -

Included in FedRAMP Moderate Baseline, Rev 4

-
-
- parameters -

IR-9 (2) [at least annually]

-
-

References: None -

-
-
-

- IR-9 (3) POST-SPILL OPERATIONS

-
-

- Parameter: - ir-9_e organization-defined procedures

-

- Value: organization-defined procedures

-
-
-

Control

- - - - - - -
- -

The organization implements - - ir-9_e - - organization-defined procedures - organization-defined procedures - to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

-
-
-
-

Supplemental guidance

-

Correction actions for information systems contaminated due to information spillages may be very time-consuming. During those periods, personnel may not have access to the contaminated systems, which may potentially affect their ability to conduct organizational business.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines procedures that ensure organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions; and

-
-
-
- - - - - - - -
-

[2]

-
-

implements organization-defined procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident handling

-

- procedures addressing information spillage

-

- incident response plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for post-spill operations

-
-
- justification -

Included in FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

- IR-9 (4) EXPOSURE TO UNAUTHORIZED PERSONNEL

-
-

- Parameter: - ir-9_f organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-
-

Control

- - - - - - -
- -

The organization employs - - ir-9_f - - organization-defined security safeguards - organization-defined security safeguards - for personnel exposed to information not within assigned access authorizations.

-
-
-
-

Supplemental guidance

-

Security safeguards include, for example, making personnel exposed to spilled information aware of the federal laws, directives, policies, and/or regulations regarding the information and the restrictions imposed based on exposure to such information.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines security safeguards to be employed for personnel exposed to information not within assigned access authorizations; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs organization-defined security safeguards for personnel exposed to information not within assigned access authorizations.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident handling

-

- procedures addressing information spillage

-

- incident response plan

-

- security safeguards regarding information spillage/exposure to unauthorized personnel

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for dealing with information exposed to unauthorized personnel

-

- automated mechanisms supporting and/or implementing safeguards for personnel exposed to information not within assigned access authorizations

-
-
- justification -

Included in FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

responds to information spills by identifying the specific information causing the information system contamination;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel to be alerted of the information spillage;

-
-
-
- - - - - - - -
-

[2]

-
-

identifies a method of communication not associated with the information spill to use to alert organization-defined personnel of the spill;

-
-
-
- - - - - - - -
-

[3]

-
-

responds to information spills by alerting organization-defined personnel of the information spill using a method of communication not associated with the spill;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

responds to information spills by isolating the contaminated information system;

-
-
-
- - - - - - - -
-

(d)

-
-

responds to information spills by eradicating the information from the contaminated information system;

-
-
-
- - - - - - - -
-

(e)

-
-

responds to information spills by identifying other information systems that may have been subsequently contaminated;

-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines other actions to be performed in response to information spills; and

-
-
-
- - - - - - - -
-

[2]

-
-

responds to information spills by performing other organization-defined actions.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing information spillage

-

- incident response plan

-

- records of information spillage alerts/notifications, list of personnel who should receive alerts of information spillage

-

- list of actions to be performed regarding information spillage

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for information spillage response

-

- automated mechanisms supporting and/or implementing information spillage response actions and related communications

-
-
- justification -

Included in FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-
-

SYSTEM AND COMMUNICATIONS PROTECTION

-
-

- SC-6 RESOURCE AVAILABILITY

-
-

- Parameter: - sc-6_a organization-defined resources

-

- Value: organization-defined resources

-
-
-

- Parameter: - sc-6_b organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P0

-
-

Control

- - - - - - -
- -

The information system protects the availability of resources by allocating - - sc-6_a - - organization-defined resources - organization-defined resources - by [Selection (one or more); priority; quota; - - sc-6_b - - organization-defined security safeguards - organization-defined security safeguards - ].

-
-
-
-

Supplemental guidance

-

Priority protection helps prevent lower-priority processes from delaying or interfering with the information system servicing any higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to information system components for which there are only single users/roles.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines resources to be allocated to protect the availability of resources;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines security safeguards to be employed to protect the availability of resources;

-
-
-
- - - - - - - -
-

[3]

-
-

the information system protects the availability of resources by allocating organization-defined resources by one or more of the following:

-
- - - - - - - -
-

[a]

-
-

priority;

-
-
-
- - - - - - - -
-

[b]

-
-

quota; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

organization-defined safeguards.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing prioritization of information system resources

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing resource allocation capability

-

- safeguards employed to protect availability of resources

-
-
- justification -

Included in FedRAMP Moderate Baseline, Rev 4

-
-

References: None -

-
-
-
-
-
-
- -
diff --git a/examples/FedRAMP/pub/FedRAMP-MODERATE-crude-rendered.html b/examples/FedRAMP/pub/FedRAMP-MODERATE-crude-rendered.html
new file mode 100644
index 0000000000..ebe5ca2594
--- /dev/null
+++ b/examples/FedRAMP/pub/FedRAMP-MODERATE-crude-rendered.html
@@ -0,0 +1,970 @@
+ + + + + + NIST SP800-53 rev 4 + + + + + +
+

NIST SP800-53 rev 4

+
+

INCIDENT RESPONSE

+
+

+ IR-9 INFORMATION SPILLAGE RESPONSE

+
+

+ Parameter: + ir-9_a organization-defined personnel or roles

+

+ Value: organization-defined personnel or roles

+
+
+

+ Parameter: + ir-9_b organization-defined actions

+

+ Value: organization-defined actions

+
+

+ priority: P0

+
+

Control

+ + + + + + +
+ +

The organization responds to information spills by:

+
+ + + + + + + +
+

a.

+
+

Identifying the specific information involved in the information system contamination;

+
+
+
+ + + + + + + +
+

b.

+
+

Alerting + + ir-9_a + + organization-defined personnel or roles + organization-defined personnel or roles + of the information spill using a method of communication not associated with the spill;

+
+
+
+ + + + + + + +
+

c.

+
+

Isolating the contaminated information system or system component;

+
+
+
+ + + + + + + +
+

d.

+
+

Eradicating the information from the contaminated information system or component;

+
+
+
+ + + + + + + +
+

e.

+
+

Identifying other information systems or system components that may have been subsequently contaminated; and

+
+
+
+ + + + + + + +
+

f.

+
+

Performing other + + ir-9_b + + organization-defined actions + organization-defined actions + .

+
+
+
+
+
+

Supplemental guidance

+

Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated.

+
+
+

Objectives

+ + + + + + +
+ +

Determine if the organization:

+
+ + + + + + + +
+

(a)

+
+

responds to information spills by identifying the specific information causing the information system contamination;

+
+
+
+ + + + + + + +
+

(b)

+
+
+ + + + + + + +
+

[1]

+
+

defines personnel to be alerted of the information spillage;

+
+
+
+ + + + + + + +
+

[2]

+
+

identifies a method of communication not associated with the information spill to use to alert organization-defined personnel of the spill;

+
+
+
+ + + + + + + +
+

[3]

+
+

responds to information spills by alerting organization-defined personnel of the information spill using a method of communication not associated with the spill;

+
+
+
+
+
+ + + + + + + +
+

(c)

+
+

responds to information spills by isolating the contaminated information system;

+
+
+
+ + + + + + + +
+

(d)

+
+

responds to information spills by eradicating the information from the contaminated information system;

+
+
+
+ + + + + + + +
+

(e)

+
+

responds to information spills by identifying other information systems that may have been subsequently contaminated;

+
+
+
+ + + + + + + +
+

(f)

+
+
+ + + + + + + +
+

[1]

+
+

defines other actions to be performed in response to information spills; and

+
+
+
+ + + + + + + +
+

[2]

+
+

responds to information spills by performing other organization-defined actions.

+
+
+
+
+
+
+
+

Assessment: EXAMINE

+

+ Incident response policy

+

+ procedures addressing information spillage

+

+ incident response plan

+

+ records of information spillage alerts/notifications, list of personnel who should receive alerts of information spillage

+

+ list of actions to be performed regarding information spillage

+

+ other relevant documents or records

+
+
+

Assessment: INTERVIEW

+

+ Organizational personnel with incident response responsibilities

+

+ organizational personnel with information security responsibilities

+
+
+

Assessment: TEST

+

+ Organizational processes for information spillage response

+

+ automated mechanisms supporting and/or implementing information spillage response actions and related communications

+
+
+

Control enhancements

+
+

+ IR-9 (1) RESPONSIBLE PERSONNEL

+
+

+ Parameter: + ir-9_c organization-defined personnel or roles

+

+ Value: organization-defined personnel or roles

+
+
+

Control

+ + + + + + +
+ +

The organization assigns + + ir-9_c + + organization-defined personnel or roles + organization-defined personnel or roles + with responsibility for responding to information spills.

+
+
+
+

Objectives

+ + + + + + +
+ +

Determine if the organization:

+
+ + + + + + + +
+

[1]

+
+

defines personnel with responsibility for responding to information spills; and

+
+
+
+ + + + + + + +
+

[2]

+
+

assigns organization-defined personnel with responsibility for responding to information spills.

+
+
+
+
+
+

Assessment: EXAMINE

+

+ Incident response policy

+

+ procedures addressing information spillage

+

+ incident response plan

+

+ list of personnel responsible for responding to information spillage

+

+ other relevant documents or records

+
+
+

Assessment: INTERVIEW

+

+ Organizational personnel with incident response responsibilities

+

+ organizational personnel with information security responsibilities

+
+
+
+

+ IR-9 (2) TRAINING

+
+

+ Parameter: + ir-9_d organization-defined frequency

+

+ Value: organization-defined frequency

+
+
+

Control

+ + + + + + +
+ +

The organization provides information spillage response training + + ir-9_d + + organization-defined frequency + organization-defined frequency + .

+
+
+
+

Objectives

+ + + + + + +
+ +

Determine if the organization:

+
+ + + + + + + +
+

[1]

+
+

defines the frequency to provide information spillage response training; and

+
+
+
+ + + + + + + +
+

[2]

+
+

provides information spillage response training with the organization-defined frequency.

+
+
+
+
+
+

Assessment: EXAMINE

+

+ Incident response policy

+

+ procedures addressing information spillage response training

+

+ information spillage response training curriculum

+

+ information spillage response training materials

+

+ incident response plan

+

+ information spillage response training records

+

+ other relevant documents or records

+
+
+

Assessment: INTERVIEW

+

+ Organizational personnel with incident response training responsibilities

+

+ organizational personnel with information security responsibilities

+
+
+
+

+ IR-9 (3) POST-SPILL OPERATIONS

+
+

+ Parameter: + ir-9_e organization-defined procedures

+

+ Value: organization-defined procedures

+
+
+

Control

+ + + + + + +
+ +

The organization implements + + ir-9_e + + organization-defined procedures + organization-defined procedures + to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

+
+
+
+

Supplemental guidance

+

Correction actions for information systems contaminated due to information spillages may be very time-consuming. During those periods, personnel may not have access to the contaminated systems, which may potentially affect their ability to conduct organizational business.

+
+
+

Objectives

+ + + + + + +
+ +

Determine if the organization:

+
+ + + + + + + +
+

[1]

+
+

defines procedures that ensure organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions; and

+
+
+
+ + + + + + + +
+

[2]

+
+

implements organization-defined procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

+
+
+
+
+
+

Assessment: EXAMINE

+

+ Incident response policy

+

+ procedures addressing incident handling

+

+ procedures addressing information spillage

+

+ incident response plan

+

+ other relevant documents or records

+
+
+

Assessment: INTERVIEW

+

+ Organizational personnel with incident response responsibilities

+

+ organizational personnel with information security responsibilities

+
+
+

Assessment: TEST

+

+ Organizational processes for post-spill operations

+
+
+
+

+ IR-9 (4) EXPOSURE TO UNAUTHORIZED PERSONNEL

+
+

+ Parameter: + ir-9_f organization-defined security safeguards

+

+ Value: organization-defined security safeguards

+
+
+

Control

+ + + + + + +
+ +

The organization employs + + ir-9_f + + organization-defined security safeguards + organization-defined security safeguards + for personnel exposed to information not within assigned access authorizations.

+
+
+
+

Supplemental guidance

+

Security safeguards include, for example, making personnel exposed to spilled information aware of the federal laws, directives, policies, and/or regulations regarding the information and the restrictions imposed based on exposure to such information.

+
+
+

Objectives

+ + + + + + +
+ +

Determine if the organization:

+
+ + + + + + + +
+

[1]

+
+

defines security safeguards to be employed for personnel exposed to information not within assigned access authorizations; and

+
+
+
+ + + + + + + +
+

[2]

+
+

employs organization-defined security safeguards for personnel exposed to information not within assigned access authorizations.

+
+
+
+
+
+

Assessment: EXAMINE

+

+ Incident response policy

+

+ procedures addressing incident handling

+

+ procedures addressing information spillage

+

+ incident response plan

+

+ security safeguards regarding information spillage/exposure to unauthorized personnel

+

+ other relevant documents or records

+
+
+

Assessment: INTERVIEW

+

+ Organizational personnel with incident response responsibilities

+

+ organizational personnel with information security responsibilities

+
+
+

Assessment: TEST

+

+ Organizational processes for dealing with information exposed to unauthorized personnel

+

+ automated mechanisms supporting and/or implementing safeguards for personnel exposed to information not within assigned access authorizations

+
+
+
+

References: None +

+
+
+
+

SYSTEM AND COMMUNICATIONS PROTECTION

+
+

+ SC-6 RESOURCE AVAILABILITY

+
+

+ Parameter: + sc-6_a organization-defined resources

+

+ Value: organization-defined resources

+
+
+

+ Parameter: + sc-6_b organization-defined security safeguards

+

+ Value: organization-defined security safeguards

+
+

+ priority: P0

+
+

Control

+ + + + + + +
+ +

The information system protects the availability of resources by allocating + + sc-6_a + + organization-defined resources + organization-defined resources + by [Selection (one or more); priority; quota; + + sc-6_b + + organization-defined security safeguards + organization-defined security safeguards + ].

+
+
+
+

Supplemental guidance

+

Priority protection helps prevent lower-priority processes from delaying or interfering with the information system servicing any higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to information system components for which there are only single users/roles.

+
+
+

Objectives

+ + + + + + +
+ +

Determine if:

+
+ + + + + + + +
+

[1]

+
+

the organization defines resources to be allocated to protect the availability of resources;

+
+
+
+ + + + + + + +
+

[2]

+
+

the organization defines security safeguards to be employed to protect the availability of resources;

+
+
+
+ + + + + + + +
+

[3]

+
+

the information system protects the availability of resources by allocating organization-defined resources by one or more of the following:

+
+ + + + + + + +
+

[a]

+
+

priority;

+
+
+
+ + + + + + + +
+

[b]

+
+

quota; and/or

+
+
+
+ + + + + + + +
+

[c]

+
+

organization-defined safeguards.

+
+
+
+
+
+
+
+

Assessment: EXAMINE

+

+ System and communications protection policy

+

+ procedures addressing prioritization of information system resources

+

+ information system design documentation

+

+ information system configuration settings and associated documentation

+

+ information system audit records

+

+ other relevant documents or records

+
+
+

Assessment: INTERVIEW

+

+ System/network administrators

+

+ organizational personnel with information security responsibilities

+

+ system developer

+
+
+

Assessment: TEST

+

+ Automated mechanisms supporting and/or implementing resource allocation capability

+

+ safeguards employed to protect availability of resources

+
+

References: None +

+
+
+
+ +
diff --git a/examples/FedRAMP/temp.xml b/examples/FedRAMP/temp.xml
new file mode 100644
index 0000000000..e186a4aa77
--- /dev/null
+++ b/examples/FedRAMP/temp.xml
@@ -0,0 +1,22833 @@
+ + + + NIST SP800-53 rev 4 + + ACCESS CONTROL + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + ACCESS CONTROL POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + AC-1 + P1 + LOW + MODERATE + HIGH + +
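Review bot: The FedRAMP-specific annotations that the rendering being removed carried after each IR-9 enhancement — the `justification` entry `Included in FedRAMP Moderate Baseline, Rev 4` and, for IR-9 (2), the `parameters` entry `IR-9 (2) [at least annually]` — do not appear in the corresponding sections of this new file; the IR-9 (2) section here ends after its INTERVIEW list with no parameter or justification block. If this file is intended as the published Moderate-baseline rendering, those profile-level parameter settings are the security-relevant content: a reader now sees only `organization-defined frequency` for spillage-response training and cannot tell that the baseline requires it at least annually. Presumably the stylesheet that produced this "crude" rendering skips the profile's parameter-setting and justification markup; confirm against the XSLT and either restore those sections or state in the page header that profile-level parameter assignments are not rendered so the page is not mistaken for the complete baseline. Separately, `References: None` is now emitted once after IR-9 (4) rather than after each control and enhancement as before, so it is ambiguous which control it belongs to; emitting it per control (or omitting it when empty) would remove the ambiguity.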

The organization:

+ + AC-1a. +

Develops, documents, and disseminates to :

+ + AC-1a.1. +

An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + AC-1a.2. +

Procedures to facilitate the implementation of the access control policy and associated access controls; and

+
+
+ + AC-1b. +

Reviews and updates the current:

+ + AC-1b.1. +

Access control policy ; and

+
+ + AC-1b.2. +

Access control procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if the organization:

+ + AC-1(a)(1) + + AC-1(a)(1)[1] +

develops and documents an access control policy that addresses:

+ + AC-1(a)(1)[1][a] +

purpose;

+
+ + AC-1(a)(1)[1][b] +

scope;

+
+ + AC-1(a)(1)[1][c] +

roles;

+
+ + AC-1(a)(1)[1][d] +

responsibilities;

+
+ + AC-1(a)(1)[1][e] +

management commitment;

+
+ + AC-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + AC-1(a)(1)[1][g] +

compliance;

+
+
+ + AC-1(a)(1)[2] +

defines personnel or roles to whom the access control policy are to be disseminated;

+
+ + AC-1(a)(1)[3] +

disseminates the access control policy to organization-defined personnel or roles;

+
+
+ + AC-1(a)(2) + + AC-1(a)(2)[1] +

develops and documents procedures to facilitate the implementation of the access control policy and associated access control controls;

+
+ + AC-1(a)(2)[2] +

defines personnel or roles to whom the procedures are to be disseminated;

+
+ + AC-1(a)(2)[3] +

disseminates the procedures to organization-defined personnel or roles;

+
+
+ + AC-1(b)(1) + + AC-1(b)(1)[1] +

defines the frequency to review and update the current access control policy;

+
+ + AC-1(b)(1)[2] +

reviews and updates the current access control policy with the organization-defined frequency;

+
+
+ + AC-1(b)(2) + + AC-1(b)(2)[1] +

defines the frequency to review and update the current access control procedures; and

+
+ + AC-1(b)(2)[2] +

reviews and updates the current access control procedures with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Access control policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with access control responsibilities

+

organizational personnel with information security responsibilities

+
+ + + NIST Special Publication 800-12 + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-HIGH-baseline.xml + + CONCURRENT SESSION CONTROL + + organization-defined account and/or account type + organization-defined account and/or account type + + + organization-defined number + organization-defined number + + AC-10 + P3 + HIGH + +

The information system limits the number of concurrent sessions for each to .

+
+ +

Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts.

+
+ +

Determine if:

+ + AC-10[1] +

the organization defines account and/or account types for the information system;

+
+ + AC-10[2] +

the organization defines the number of concurrent sessions to be allowed for each organization-defined account and/or account type; and

+
+ + AC-10[3] +

the information system limits the number of concurrent sessions for each organization-defined account and/or account type to the organization-defined number of concurrent sessions allowed.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing concurrent session control

+

information system design documentation

+

information system configuration settings and associated documentation

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+ + TEST +

Automated mechanisms implementing access control policy for concurrent session control

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SESSION LOCK + + organization-defined time period + organization-defined time period + + AC-11 + P3 + MODERATE + HIGH + +

The information system:

+ + AC-11a. +

Prevents further access to the system by initiating a session lock after of inactivity or upon receiving a request from a user; and

+
+ + AC-11b. +

Retains the session lock until the user reestablishes access using established identification and authentication procedures.

+
+
+ +

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.

+ +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PATTERN-HIDING DISPLAYS + AC-11 (1) + MODERATE + HIGH + +

The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

+
+ +

Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information.

+
+ +

Determine if the information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

+
+ + EXAMINE +

Access control policy

+

procedures addressing session lock

+

display screen with session lock activated

+

information system design documentation

+

information system configuration settings and associated documentation

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+ + TEST +

Information system session lock mechanisms

+
+
+ +

Determine if:

+ + AC-11(a) + + AC-11(a)[1] +

the organization defines the time period of user inactivity after which the information system initiates a session lock;

+
+ + AC-11(a)[2] +

the information system prevents further access to the system by initiating a session lock after organization-defined time period of user inactivity or upon receiving a request from a user; and

+
+
+ + AC-11(b) +

the information system retains the session lock until the user reestablishes access using established identification and authentication procedures.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing session lock

+

procedures addressing identification and authentication

+

information system design documentation

+

information system configuration settings and associated documentation

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+ + TEST +

Automated mechanisms implementing access control policy for session lock

+
+ + + OMB Memorandum 06-16 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SESSION TERMINATION + + organization-defined conditions or trigger events requiring session disconnect + organization-defined conditions or trigger events requiring session disconnect + + AC-12 + P2 + MODERATE + HIGH + +

The information system automatically terminates a user session after .

+
+ +

This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user�s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use.

+ + +
+ +

Determine if:

+ + AC-12[1] +

the organization defines conditions or trigger events requiring session disconnect; and

+
+ + AC-12[2] +

the information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect occurs.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing session termination

+

information system design documentation

+

information system configuration settings and associated documentation

+

list of conditions or trigger events requiring session disconnect

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+ + TEST +

Automated mechanisms implementing user session termination

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION + + organization-defined user actions + organization-defined user actions + + AC-14 + P3 + LOW + MODERATE + HIGH + +

The organization:

+ + AC-14a. +

Identifies that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and

+
+ + AC-14b. +

Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

+
+
+ +

This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none.

+ + +
+ +

Determine if the organization:

+ + AC-14(a) + + AC-14(a)[1] +

defines user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions;

+
+ + AC-14(a)[2] +

identifies organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and

+
+
+ + AC-14(b) +

documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing permitted actions without identification or authentication

+

information system configuration settings and associated documentation

+

security plan

+

list of user actions that can be performed without identification or authentication

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + REMOTE ACCESS + AC-17 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + AC-17a. +

Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

+
+ + AC-17b. +

Authorizes remote access to the information system prior to allowing such connections.

+
+
+ +

Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.

+ + + + + + + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + AUTOMATED MONITORING / CONTROL + AC-17 (1) + MODERATE + HIGH + +

The information system monitors and controls remote access methods.

+
+ +

Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).

+ + +
+ +

Determine if the information system monitors and controls remote access methods.

+
+ + EXAMINE +

Access control policy

+

procedures addressing remote access to the information system

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

information system monitoring records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+ + TEST +

Automated mechanisms monitoring and controlling remote access methods

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION + AC-17 (2) + MODERATE + HIGH + +

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

+
+ +

The encryption strength of mechanism is selected based on the security categorization of the information.

+ + + +
+ +

Determine if the information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

+
+ + EXAMINE +

Access control policy

+

procedures addressing remote access to the information system

+

information system design documentation

+

information system configuration settings and associated documentation

+

cryptographic mechanisms and associated configuration documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+ + TEST +

Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + MANAGED ACCESS CONTROL POINTS + + organization-defined number + organization-defined number + + AC-17 (3) + MODERATE + HIGH + +

The information system routes all remote accesses through managed network access control points.

+
+ +

Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections.

+ +
+ +

Determine if:

+ + AC-17(3)[1] +

the organization defines the number of managed network access control points through which all remote accesses are to be routed; and

+
+ + AC-17(3)[2] +

the information system routes all remote accesses through the organization-defined number of managed network access control points.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing remote access to the information system

+

information system design documentation

+

list of all managed network access control points

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms routing all remote accesses through managed network access control points

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PRIVILEGED COMMANDS / ACCESS + + organization-defined needs + organization-defined needs + + AC-17 (4) + MODERATE + HIGH + +

The organization:

+ + AC-17 (4)(a) +

Authorizes the execution of privileged commands and access to security-relevant information via remote access only for ; and

+
+ + AC-17 (4)(b) +

Documents the rationale for such access in the security plan for the information system.

+
+
+ + + + +

Determine if the organization:

+ + AC-17(4)(a) + + AC-17(4)(a)[1] +

defines needs to authorize the execution of privileged commands and access to security-relevant information via remote access;

+
+ + AC-17(4)(a)[2] +

authorizes the execution of privileged commands and access to security-relevant information via remote access only for organization-defined needs; and

+
+
+ + AC-17(4)(b) +

documents the rationale for such access in the information system security plan.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing remote access to the information system

+

information system configuration settings and associated documentation

+

security plan

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms implementing remote access management

+
+
+ +

Determine if the organization:

+ + AC-17(a) + + AC-17(a)[1] +

identifies the types of remote access allowed to the information system;

+
+ + AC-17(a)[2] +

establishes for each type of remote access allowed:

+ + AC-17(a)[2][a] +

usage restrictions;

+
+ + AC-17(a)[2][b] +

configuration/connection requirements;

+
+ + AC-17(a)[2][c] +

implementation guidance;

+
+
+ + AC-17(a)[3] +

documents for each type of remote access allowed:

+ + AC-17(a)[3][a] +

usage restrictions;

+
+ + AC-17(a)[3][b] +

configuration/connection requirements;

+
+ + AC-17(a)[3][c] +

implementation guidance; and

+
+
+
+ + AC-17(b) +

authorizes remote access to the information system prior to allowing such connections.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing remote access implementation and usage (including restrictions)

+

configuration management plan

+

security plan

+

information system configuration settings and associated documentation

+

remote access authorizations

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for managing remote access connections

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Remote access management capability for the information system

+
+ + + NIST Special Publication 800-46 + + + NIST Special Publication 800-77 + + + NIST Special Publication 800-113 + + + NIST Special Publication 800-114 + + + NIST Special Publication 800-121 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + WIRELESS ACCESS + AC-18 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + AC-18a. +

Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and

+
+ + AC-18b. +

Authorizes wireless access to the information system prior to allowing such connections.

+
+
+ +

Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication.

+ + + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + AUTHENTICATION AND ENCRYPTION + AC-18 (1) + MODERATE + HIGH + +

The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.

+
+ + + + + +

Determine if the information system protects wireless access to the system using encryption and one or more of the following:

+ + AC-18(1)[1] +

authentication of users; and/or

+
+ + AC-18(1)[2] +

authentication of devices.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing wireless implementation and usage (including restrictions)

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+ + TEST +

Automated mechanisms implementing wireless access protections to the information system

+
+
+ +

Determine if the organization:

+ + AC-18(a) +

establishes for wireless access:

+ + AC-18(a)[1] +

usage restrictions;

+
+ + AC-18(a)[2] +

configuration/connection requirement;

+
+ + AC-18(a)[3] +

implementation guidance; and

+
+
+ + AC-18(b) +

authorizes wireless access to the information system prior to allowing such connections.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing wireless access implementation and usage (including restrictions)

+

configuration management plan

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

wireless access authorizations

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for managing wireless access connections

+

organizational personnel with information security responsibilities

+
+ + TEST +

Wireless access management capability for the information system

+
+ + + NIST Special Publication 800-48 + + + NIST Special Publication 800-94 + + + NIST Special Publication 800-97 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + ACCESS CONTROL FOR MOBILE DEVICES + AC-19 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + AC-19a. +

Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and

+
+ + AC-19b. +

Authorizes the connection of mobile devices to organizational information systems.

+
+
+ +

A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. 
Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.

+ + + + + + + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + FULL DEVICE / CONTAINER-BASED ENCRYPTION + + organization-defined mobile devices + organization-defined mobile devices + + AC-19 (5) + MODERATE + HIGH + +

The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on .

+
+ +

Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields.

+ + + +
+ +

Determine if the organization:

+ + AC-19(5)[1] +

defines mobile devices for which full-device encryption or container encryption is required to protect the confidentiality and integrity of information on such devices; and

+
+ + AC-19(5)[2] +

employs full-device encryption or container encryption to protect the confidentiality and integrity of information on organization-defined mobile devices.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing access control for mobile devices

+

information system design documentation

+

information system configuration settings and associated documentation

+

encryption mechanism s and associated configuration documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with access control responsibilities for mobile devices

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Encryption mechanisms protecting confidentiality and integrity of information on mobile devices

+
+
+ +

Determine if the organization:

+ + AC-19(a) +

establishes for organization-controlled mobile devices:

+ + AC-19(a)[1] +

usage restrictions;

+
+ + AC-19(a)[2] +

configuration/connection requirement;

+
+ + AC-19(a)[3] +

implementation guidance; and

+
+
+ + AC-19(b) +

authorizes the connection of mobile devices to organizational information systems.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing access control for mobile device usage (including restrictions)

+

configuration management plan

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

authorizations for mobile device connections to organizational information systems

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel using mobile devices to access organizational information systems

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Access control capability authorizing mobile device connections to organizational information systems

+
+ + + OMB Memorandum 06-16 + + + NIST Special Publication 800-114 + + + NIST Special Publication 800-124 + + + NIST Special Publication 800-164 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + ACCOUNT MANAGEMENT + + organization-defined information system account types + organization-defined information system account types + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined procedures or conditions + organization-defined procedures or conditions + + + organization-defined frequency + organization-defined frequency + + AC-2 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + AC-2a. +

Identifies and selects the following types of information system accounts to support organizational missions/business functions: ;

+
+ + AC-2b. +

Assigns account managers for information system accounts;

+
+ + AC-2c. +

Establishes conditions for group and role membership;

+
+ + AC-2d. +

Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

+
+ + AC-2e. +

Requires approvals by for requests to create information system accounts;

+
+ + AC-2f. +

Creates, enables, modifies, disables, and removes information system accounts in accordance with ;

+
+ + AC-2g. +

Monitors the use of information system accounts;

+
+ + AC-2h. +

Notifies account managers:

+ + AC-2h.1. +

When accounts are no longer required;

+
+ + AC-2h.2. +

When users are terminated or transferred; and

+
+ + AC-2h.3. +

When individual information system usage or need-to-know changes;

+
+
+ + AC-2i. +

Authorizes access to the information system based on:

+ + AC-2i.1. +

A valid access authorization;

+
+ + AC-2i.2. +

Intended system usage; and

+
+ + AC-2i.3. +

Other attributes as required by the organization or associated missions/business functions;

+
+
+ + AC-2j. +

Reviews accounts for compliance with account management requirements ; and

+
+ + AC-2k. +

Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

+
+
+ +

Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. 
Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training.

+ + + + + + + + + + + + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + AUTOMATED SYSTEM ACCOUNT MANAGEMENT + AC-2 (1) + MODERATE + HIGH + +

The organization employs automated mechanisms to support the management of information system accounts.

+
+ +

The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using telephonic notification to report atypical system account usage.

+
+ +

Determine if the organization employs automated mechanisms to support the management of information system accounts.

+
+ + EXAMINE +

Access control policy

+

procedures addressing account management

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+ + TEST +

Automated mechanisms implementing account management functions

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS + + organization-defined time period for each type of account + organization-defined time period for each type of account + + AC-2 (2) + MODERATE + HIGH + +

The information system automatically [Selection: removes; disables] temporary and emergency accounts after .

+
+ +

This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator.

+
+ +

Determine if:

+ + AC-2(2)[1] +

the organization defines the time period after which the information system automatically removes or disables temporary and emergency accounts; and

+
+ + AC-2(2)[2] +

the information system automatically removes or disables temporary and emergency accounts after the organization-defined time period for each type of account.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing account management

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system-generated list of temporary accounts removed and/or disabled

+

information system-generated list of emergency accounts removed and/or disabled

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+ + TEST +

Automated mechanisms implementing account management functions

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + DISABLE INACTIVE ACCOUNTS + + organization-defined time period + organization-defined time period + + AC-2 (3) + MODERATE + HIGH + +

The information system automatically disables inactive accounts after .

+
+ +

Determine if:

+ + AC-2(3)[1] +

the organization defines the time period after which the information system automatically disables inactive accounts; and

+
+ + AC-2(3)[2] +

the information system automatically disables inactive accounts after the organization-defined time period.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing account management

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system-generated list of temporary accounts removed and/or disabled

+

information system-generated list of emergency accounts removed and/or disabled

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+ + TEST +

Automated mechanisms implementing account management functions

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + AUTOMATED AUDIT ACTIONS + + organization-defined personnel or roles + organization-defined personnel or roles + + AC-2 (4) + MODERATE + HIGH + +

The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies .

+
+ + + + + +

Determine if:

+ + AC-2(4)[1] +

the information system automatically audits the following account actions:

+ + AC-2(4)[1][a] +

creation;

+
+ + AC-2(4)[1][b] +

modification;

+
+ + AC-2(4)[1][c] +

enabling;

+
+ + AC-2(4)[1][d] +

disabling;

+
+ + AC-2(4)[1][e] +

removal;

+
+
+ + AC-2(4)[2] +

the organization defines personnel or roles to be notified of the following account actions:

+ + AC-2(4)[2][a] +

creation;

+
+ + AC-2(4)[2][b] +

modification;

+
+ + AC-2(4)[2][c] +

enabling;

+
+ + AC-2(4)[2][d] +

disabling;

+
+ + AC-2(4)[2][e] +

removal;

+
+
+ + AC-2(4)[3] +

the information system notifies organization-defined personnel or roles of the following account actions:

+ + AC-2(4)[3][a] +

creation;

+
+ + AC-2(4)[3][b] +

modification;

+
+ + AC-2(4)[3][c] +

enabling;

+
+ + AC-2(4)[3][d] +

disabling; and

+
+ + AC-2(4)[3][e] +

removal.

+
+
+
+ + EXAMINE +

Access control policy

+

procedures addressing account management

+

information system design documentation

+

information system configuration settings and associated documentation

+

notifications/alerts of account creation, modification, enabling, disabling, and removal actions

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms implementing account management functions

+
+
+ +

Determine if the organization:

+ + AC-2(a) + + AC-2(a)[1] +

defines information system account types to be identified and selected to support organizational missions/business functions;

+
+ + AC-2(a)[2] +

identifies and selects organization-defined information system account types to support organizational missions/business functions;

+
+
+ + AC-2(b) +

assigns account managers for information system accounts;

+
+ + AC-2(c) +

establishes conditions for group and role membership;

+
+ + AC-2(d) +

specifies for each account (as required):

+ + AC-2(d)[1] +

authorized users of the information system;

+
+ + AC-2(d)[2] +

group and role membership;

+
+ + AC-2(d)[3] +

access authorizations (i.e., privileges);

+
+ + AC-2(d)[4] +

other attributes;

+
+
+ + AC-2(e) + + AC-2(e)[1] +

defines personnel or roles required to approve requests to create information system accounts;

+
+ + AC-2(e)[2] +

requires approvals by organization-defined personnel or roles for requests to create information system accounts;

+
+
+ + AC-2(f) + + AC-2(f)[1] +

defines procedures or conditions to:

+ + AC-2(f)[1][a] +

create information system accounts;

+
+ + AC-2(f)[1][b] +

enable information system accounts;

+
+ + AC-2(f)[1][c] +

modify information system accounts;

+
+ + AC-2(f)[1][d] +

disable information system accounts;

+
+ + AC-2(f)[1][e] +

remove information system accounts;

+
+
+ + AC-2(f)[2] +

in accordance with organization-defined procedures or conditions:

+ + AC-2(f)[2][a] +

creates information system accounts;

+
+ + AC-2(f)[2][b] +

enables information system accounts;

+
+ + AC-2(f)[2][c] +

modifies information system accounts;

+
+ + AC-2(f)[2][d] +

disables information system accounts;

+
+ + AC-2(f)[2][e] +

removes information system accounts;

+
+
+
+ + AC-2(g) +

monitors the use of information system accounts;

+
+ + AC-2(h) +

notifies account managers:

+ + AC-2(h)(1) +

when accounts are no longer required;

+
+ + AC-2(h)(2) +

when users are terminated or transferred;

+
+ + AC-2(h)(3) +

when individual information system usage or need to know changes;

+
+
+ + AC-2(i) +

authorizes access to the information system based on;

+ + AC-2(i)(1) +

a valid access authorization;

+
+ + AC-2(i)(2) +

intended system usage;

+
+ + AC-2(i)(3) +

other attributes as required by the organization or associated missions/business functions;

+
+
+ + AC-2(j) + + AC-2(j)[1] +

defines the frequency to review accounts for compliance with account management requirements;

+
+ + AC-2(j)[2] +

reviews accounts for compliance with account management requirements with the organization-defined frequency; and

+
+
+ + AC-2(k) +

establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing account management

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

list of active system accounts along with the name of the individual associated with each account

+

list of conditions for group and role membership

+

notifications or records of recently transferred, separated, or terminated employees

+

list of recently disabled information system accounts along with the name of the individual associated with each account

+

access authorization records

+

account management compliance reviews

+

information system monitoring records

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes account management on the information system

+

automated mechanisms for implementing account management

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + USE OF EXTERNAL INFORMATION SYSTEMS + AC-20 + P1 + LOW + MODERATE + HIGH + +

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

+ + AC-20a. +

Access the information system from external information systems; and

+
+ + AC-20b. +

Process, store, or transmit organization-controlled information using external information systems.

+
+
+ +

External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. +For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. 
Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. +This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

+ + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + LIMITS ON AUTHORIZED USE + AC-20 (1) + MODERATE + HIGH + +

The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:

+ + AC-20 (1)(a) +

Verifies the implementation of required security controls on the external system as specified in the organization�s information security policy and security plan; or

+
+ + AC-20 (1)(b) +

Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

+
+
+ +

This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations.

+ +
+ +

Determine if the organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:

+ + AC-20(1)(a) +

verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or

+
+ + AC-20(1)(b) +

retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing the use of external information systems

+

security plan

+

information system connection or processing agreements

+

account management documents

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms implementing limits on use of external information systems

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PORTABLE STORAGE DEVICES + AC-20 (2) + MODERATE + HIGH + +

The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.

+
+ +

Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used.

+
+ +

Determine if the organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems.

+
+ + EXAMINE +

Access control policy

+

procedures addressing the use of external information systems

+

security plan

+

information system configuration settings and associated documentation

+

information system connection or processing agreements

+

account management documents

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for restricting or prohibiting use of organization-controlled storage devices on external information systems

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms implementing restrictions on use of portable storage devices

+
+
+ +

Determine if the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

+ + AC-20(a) +

access the information system from the external information systems; and

+
+ + AC-20(b) +

process, store, or transmit organization-controlled information using external information systems.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing the use of external information systems

+

external information systems terms and conditions

+

list of types of applications accessible from external information systems

+

maximum security categorization for information processed, stored, or transmitted on external information systems

+

information system configuration settings and associated documentation

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms implementing terms and conditions on use of external information systems

+
+ + + FIPS Publication 199 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INFORMATION SHARING + + organization-defined information sharing circumstances where user discretion is required + organization-defined information sharing circumstances where user discretion is required + + + organization-defined automated mechanisms or manual processes + organization-defined automated mechanisms or manual processes + + AC-21 + P2 + MODERATE + HIGH + +

The organization:

+ + AC-21a. +

Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for ; and

+
+ + AC-21b. +

Employs to assist users in making information sharing/collaboration decisions.

+
+
+ +

This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment.

+ +
+ +

Determine if the organization:

+ + AC-21(a) + + AC-21(a)[1] +

defines information sharing circumstances where user discretion is required;

+
+ + AC-21(a)[2] +

facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information sharing circumstances;

+
+
+ + AC-21(b) + + AC-21(b)[1] +

defines automated mechanisms or manual processes to be employed to assist users in making information sharing/collaboration decisions; and

+
+ + AC-21(b)[2] +

employs organization-defined automated mechanisms or manual processes to assist users in making information sharing/collaboration decisions.

+
+
+
+ + EXAMINE +

Access control policy

+

procedures addressing user-based collaboration and information sharing (including restrictions)

+

information system design documentation

+

information system configuration settings and associated documentation

+

list of users authorized to make information sharing/collaboration decisions

+

list of information sharing circumstances requiring user discretion

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel responsible for making information sharing/collaboration decisions

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms or manual process implementing access authorizations supporting information sharing/user collaboration decisions

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + PUBLICLY ACCESSIBLE CONTENT + + organization-defined frequency + organization-defined frequency + + AC-22 + P3 + LOW + MODERATE + HIGH + +

The organization:

+ + AC-22a. +

Designates individuals authorized to post information onto a publicly accessible information system;

+
+ + AC-22b. +

Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

+
+ + AC-22c. +

Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and

+
+ + AC-22d. +

Reviews the content on the publicly accessible information system for nonpublic information and removes such information, if discovered.

+
+
+ +

In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy.

+ + + + + +
+ +

Determine if the organization:

+ + AC-22(a) +

designates individuals authorized to post information onto a publicly accessible information system;

+
+ + AC-22(b) +

trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

+
+ + AC-22(c) +

reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included;

+
+ + AC-22(d) + + AC-22(d)[1] +

defines the frequency to review the content on the publicly accessible information system for nonpublic information;

+
+ + AC-22(d)[2] +

reviews the content on the publicly accessible information system for nonpublic information with the organization-defined frequency; and

+
+ + AC-22(d)[3] +

removes nonpublic information from the publicly accessible information system, if discovered.

+
+
+
+ + EXAMINE +

Access control policy

+

procedures addressing publicly accessible content

+

list of users authorized to post publicly accessible content on organizational information systems

+

training materials and/or records

+

records of publicly accessible information reviews

+

records of response to nonpublic information on public websites

+

system audit logs

+

security awareness training records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms implementing management of publicly accessible content

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + ACCESS ENFORCEMENT + AC-3 + P1 + LOW + MODERATE + HIGH + +

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

+
+ +

Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.

+ + + + + + + + + + + + + + + + + + + +
+ +

Determine if the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

+
+ + EXAMINE +

Access control policy

+

procedures addressing access enforcement

+

information system design documentation

+

information system configuration settings and associated documentation

+

list of approved authorizations (user privileges)

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with access enforcement responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+ + TEST +

Automated mechanisms implementing access control policy

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INFORMATION FLOW ENFORCEMENT + + organization-defined information flow control policies + organization-defined information flow control policies + + AC-4 + P1 + MODERATE + HIGH + +

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on .

+
+ +

Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. +Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. 
Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products.

+ + + + + + + + + + + +
+ +

Determine if:

+ + AC-4[1] +

the organization defines information flow control policies to control the flow of information within the system and between interconnected systems; and

+
+ + AC-4[2] +

the information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies.

+
+
+ + EXAMINE +

Access control policy

+

information flow control policies

+

procedures addressing information flow enforcement

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system baseline configuration

+

list of information flow authorizations

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+
+ + TEST +

Automated mechanisms implementing information flow enforcement policy

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SEPARATION OF DUTIES + + organization-defined duties of individuals + organization-defined duties of individuals + + AC-5 + P1 + MODERATE + HIGH + +

The organization:

+ + AC-5a. +

Separates ;

+
+ + AC-5b. +

Documents separation of duties of individuals; and

+
+ + AC-5c. +

Defines information system access authorizations to support separation of duties.

+
+
+ +

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions.

+ + + + + +
+ +

Determine if the organization:

+ + AC-5(a) + + AC-5(a)[1] +

defines duties of individuals to be separated;

+
+ + AC-5(a)[2] +

separates organization-defined duties of individuals;

+
+
+ + AC-5(b) +

documents separation of duties; and

+
+ + AC-5(c) +

defines information system access authorizations to support separation of duties.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing divisions of responsibility and separation of duties

+

information system configuration settings and associated documentation

+

list of divisions of responsibility and separation of duties

+

information system access authorizations

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Automated mechanisms implementing separation of duties policy

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + LEAST PRIVILEGE + AC-6 + P1 + MODERATE + HIGH + +

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

+
+ +

Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems.

+ + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + AUTHORIZE ACCESS TO SECURITY FUNCTIONS + + organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information + organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information + + AC-6 (1) + MODERATE + HIGH + +

The organization explicitly authorizes access to .

+
+ +

Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users.

+ + + +
+ +

Determine if the organization:

+ + AC-6(1)[1] +

defines security-relevant information for which access must be explicitly authorized;

+
+ + AC-6(1)[2] +

defines security functions deployed in:

+ + AC-6(1)[2][a] +

hardware;

+
+ + AC-6(1)[2][b] +

software;

+
+ + AC-6(1)[2][c] +

firmware;

+
+
+ + AC-6(1)[3] +

explicitly authorizes access to:

+ + AC-6(1)[3][a] +

organization-defined security functions; and

+
+ + AC-6(1)[3][b] +

security-relevant information.

+
+
+
+ + EXAMINE +

Access control policy

+

procedures addressing least privilege

+

list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Automated mechanisms implementing least privilege functions

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS + + organization-defined security functions or security-relevant information + organization-defined security functions or security-relevant information + + AC-6 (2) + MODERATE + HIGH + +

The organization requires that users of information system accounts, or roles, with access to , use non-privileged accounts or roles, when accessing nonsecurity functions.

+
+ +

This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

+ +
+ +

Determine if the organization:

+ + AC-6(2)[1] +

defines security functions or security-relevant information to which users of information system accounts, or roles, have access; and

+
+ + AC-6(2)[2] +

requires that users of information system accounts, or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing least privilege

+

list of system-generated security functions or security-relevant information assigned to information system accounts or roles

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Automated mechanisms implementing least privilege functions

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PRIVILEGED ACCOUNTS + + organization-defined personnel or roles + organization-defined personnel or roles + + AC-6 (5) + MODERATE + HIGH + +

The organization restricts privileged accounts on the information system to .

+
+ +

Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.

+ +
+ +

Determine if the organization:

+ + AC-6(5)[1] +

defines personnel or roles for which privileged accounts on the information system are to be restricted; and

+
+ + AC-6(5)[2] +

restricts privileged accounts on the information system to organization-defined personnel or roles.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing least privilege

+

list of system-generated privileged accounts

+

list of system administration personnel

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Automated mechanisms implementing least privilege functions

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + AUDITING USE OF PRIVILEGED FUNCTIONS + AC-6 (9) + MODERATE + HIGH + +

The information system audits the execution of privileged functions.

+
+ +

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT).

+ +
+ +

Determine if the information system audits the execution of privileged functions.

+
+ + EXAMINE +

Access control policy

+

procedures addressing least privilege

+

information system design documentation

+

information system configuration settings and associated documentation

+

list of privileged functions to be audited

+

list of audited events

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms auditing the execution of least privilege functions

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS + AC-6 (10) + MODERATE + HIGH + +

The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

+
+ +

Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.

+
+ +

Determine if the information system prevents non-privileged users from executing privileged functions to include:

+ + AC-6(10)[1] +

disabling implemented security safeguards/countermeasures;

+
+ + AC-6(10)[2] +

circumventing security safeguards/countermeasures; or

+
+ + AC-6(10)[3] +

altering implemented security safeguards/countermeasures.

+
+
+ + EXAMINE +

Access control policy

+

procedures addressing least privilege

+

information system design documentation

+

information system configuration settings and associated documentation

+

list of privileged functions and associated user account assignments

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system developers

+
+ + TEST +

Automated mechanisms implementing least privilege functions for non-privileged users

+
+
+ +

Determine if the organization employs the principle of least privilege, allowing only authorized access for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

+
+ + EXAMINE +

Access control policy

+

procedures addressing least privilege

+

list of assigned access authorizations (user privileges)

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Automated mechanisms implementing least privilege functions

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + UNSUCCESSFUL LOGON ATTEMPTS + + organization-defined number + organization-defined number + + + organization-defined time period + organization-defined time period + + + organization-defined time period + organization-defined time period + + + organization-defined delay algorithm + organization-defined delay algorithm + + AC-7 + P2 + LOW + MODERATE + HIGH + +

The information system:

+ + AC-7a. +

Enforces a limit of consecutive invalid logon attempts by a user during a ; and

+
+ + AC-7b. +

Automatically [Selection: locks the account/node for an ; locks the account/node until released by an administrator; delays next logon prompt according to ] when the maximum number of unsuccessful attempts is exceeded.

+
+
+ +

This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.

+ + + + +
+ +

Determine if:

+ + AC-7(a) + + AC-7(a)[1] +

the organization defines the number of consecutive invalid logon attempts allowed to the information system by a user during an organization-defined time period;

+
+ + AC-7(a)[2] +

the organization defines the time period allowed by a user of the information system for an organization-defined number of consecutive invalid logon attempts;

+
+ + AC-7(a)[3] +

the information system enforces a limit of organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period;

+
+
+ + AC-7(b) + + AC-7(b)[1] +

the organization defines account/node lockout time period or logon delay algorithm to be automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded;

+
+ + AC-7(b)[2] +

the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically:

+ + AC-7(b)[2][a] +

locks the account/node for the organization-defined time period;

+
+ + AC-7(b)[2][b] +

locks the account/node until released by an administrator; or

+
+ + AC-7(b)[2][c] +

delays next logon prompt according to the organization-defined delay algorithm.

+
+
+
+
+ + EXAMINE +

Access control policy

+

procedures addressing unsuccessful logon attempts

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information security responsibilities

+

system developers

+

system/network administrators

+
+ + TEST +

Automated mechanisms implementing access control policy for unsuccessful logon attempts

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SYSTEM USE NOTIFICATION + + organization-defined system use notification message or banner + organization-defined system use notification message or banner + + + organization-defined conditions + organization-defined conditions + + AC-8 + P1 + LOW + MODERATE + HIGH + +

The information system:

+ + AC-8a. +

Displays to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:

+ + AC-8a.1. +

Users are accessing a U.S. Government information system;

+
+ + AC-8a.2. +

Information system usage may be monitored, recorded, and subject to audit;

+
+ + AC-8a.3. +

Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and

+
+ + AC-8a.4. +

Use of the information system indicates consent to monitoring and recording;

+
+
+ + AC-8b. +

Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and

+
+ + AC-8c. +

For publicly accessible systems:

+ + AC-8c.1. +

Displays system use information , before granting further access;

+
+ + AC-8c.2. +

Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

+
+ + AC-8c.3. +

Includes a description of the authorized uses of the system.

+
+
+
+ +

System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content.

+
+ +

Determine if:

+ + AC-8(a) + + AC-8(a)[1] +

the organization defines a system use notification message or banner to be displayed by the information system to users before granting access to the system;

+
+ + AC-8(a)[2] +

the information system displays to users the organization-defined system use notification message or banner before granting access to the information system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that:

+ + AC-8(a)[2](1) +

users are accessing a U.S. Government information system;

+
+ + AC-8(a)[2](2) +

information system usage may be monitored, recorded, and subject to audit;

+
+ + AC-8(a)[2](3) +

unauthorized use of the information system is prohibited and subject to criminal and civil penalties;

+
+ + AC-8(a)[2](4) +

use of the information system indicates consent to monitoring and recording;

+
+
+
+ + AC-8(b) +

the information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system;

+
+ + AC-8(c) +

for publicly accessible systems:

+ + AC-8(c)(1) + + AC-8(c)(1)[1] +

the organization defines conditions for system use to be displayed by the information system before granting further access;

+
+ + AC-8(c)(1)[2] +

the information system displays organization-defined conditions before granting further access;

+
+
+ + AC-8(c)(2) +

the information system displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

+
+ + AC-8(c)(3) +

the information system includes a description of the authorized uses of the system.

+
+
+
+ + EXAMINE +

Access control policy

+

privacy and security policies, procedures addressing system use notification

+

documented approval of information system use notification messages or banners

+

information system audit records

+

user acknowledgements of notification message or banner

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system use notification messages

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibility for providing legal advice

+

system developers

+
+ + TEST +

Automated mechanisms implementing system use notification

+
+
+
+ + AWARENESS AND TRAINING + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + AT-1 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + AT-1a. +

Develops, documents, and disseminates to :

+ + AT-1a.1. +

A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + AT-1a.2. +

Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and

+
+
+ + AT-1b. +

Reviews and updates the current:

+ + AT-1b.1. +

Security awareness and training policy ; and

+
+ + AT-1b.2. +

Security awareness and training procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if the organization:

+ + AT-1(a)(1) + + AT-1(a)(1)[1] +

develops and documents an security awareness and training policy that addresses:

+ + AT-1(a)(1)[1][a] +

purpose;

+
+ + AT-1(a)(1)[1][b] +

scope;

+
+ + AT-1(a)(1)[1][c] +

roles;

+
+ + AT-1(a)(1)[1][d] +

responsibilities;

+
+ + AT-1(a)(1)[1][e] +

management commitment;

+
+ + AT-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + AT-1(a)(1)[1][g] +

compliance;

+
+
+ + AT-1(a)(1)[2] +

defines personnel or roles to whom the security awareness and training policy are to be disseminated;

+
+ + AT-1(a)(1)[3] +

disseminates the security awareness and training policy to organization-defined personnel or roles;

+
+
+ + AT-1(a)(2) + + AT-1(a)(2)[1] +

develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated awareness and training controls;

+
+ + AT-1(a)(2)[2] +

defines personnel or roles to whom the procedures are to be disseminated;

+
+ + AT-1(a)(2)[3] +

disseminates the procedures to organization-defined personnel or roles;

+
+
+ + AT-1(b)(1) + + AT-1(b)(1)[1] +

defines the frequency to review and update the current security awareness and training policy;

+
+ + AT-1(b)(1)[2] +

reviews and updates the current security awareness and training policy with the organization-defined frequency;

+
+
+ + AT-1(b)(2) + + AT-1(b)(2)[1] +

defines the frequency to review and update the current security awareness and training procedures; and

+
+ + AT-1(b)(2)[2] +

reviews and updates the current security awareness and training procedures with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Security awareness and training policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with security awareness and training responsibilities

+

organizational personnel with information security responsibilities

+
+ + + NIST Special Publication 800-12 + + + NIST Special Publication 800-16 + + + NIST Special Publication 800-50 + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SECURITY AWARENESS TRAINING + + organization-defined frequency + organization-defined frequency + + AT-2 + P1 + LOW + MODERATE + HIGH + +

The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):

+ + AT-2a. +

As part of initial training for new users;

+
+ + AT-2b. +

When required by information system changes; and

+
+ + AT-2c. +

+ thereafter.

+
+
+ +

Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.

+ + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + INSIDER THREAT + AT-2 (2) + MODERATE + HIGH + +

The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

+
+ +

Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures.

+ + + + +
+ +

Determine if the organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

+
+ + EXAMINE +

Security awareness and training policy

+

procedures addressing security awareness training implementation

+

security awareness training curriculum

+

security awareness training materials

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel that participate in security awareness training

+

organizational personnel with responsibilities for basic security awareness training

+

organizational personnel with information security responsibilities

+
+
+ +

Determine if the organization:

+ + AT-2(a) +

provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users;

+
+ + AT-2(b) +

provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes; and

+
+ + AT-2(c) + + AT-2(c)[1] +

defines the frequency to provide refresher security awareness training thereafter to information system users (including managers, senior executives, and contractors); and

+
+ + AT-2(c)[2] +

provides refresher security awareness training to information users (including managers, senior executives, and contractors) with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Security awareness and training policy

+

procedures addressing security awareness training implementation

+

appropriate codes of federal regulations

+

security awareness training curriculum

+

security awareness training materials

+

security plan

+

training records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for security awareness training

+

organizational personnel with information security responsibilities

+

organizational personnel comprising the general information system user community

+
+ + TEST +

Automated mechanisms managing security awareness training

+
+ + + C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) + + + Executive Order 13587 + + + NIST Special Publication 800-50 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + ROLE-BASED SECURITY TRAINING + + organization-defined frequency + organization-defined frequency + + AT-3 + P1 + LOW + MODERATE + HIGH + +

The organization provides role-based security training to personnel with assigned security roles and responsibilities:

+ + AT-3a. +

Before authorizing access to the information system or performing assigned duties;

+
+ + AT-3b. +

When required by information system changes; and

+
+ + AT-3c. +

+ thereafter.

+
+
+ +

Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies.

+ + + + + + + +
+ +

Determine if the organization:

+ + AT-3(a) +

provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties;

+
+ + AT-3(b) +

provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes; and

+
+ + AT-3(c) + + AT-3(c)[1] +

defines the frequency to provide refresher role-based security training thereafter to personnel with assigned security roles and responsibilities; and

+
+ + AT-3(c)[2] +

provides refresher role-based security training to personnel with assigned security roles and responsibilities with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Security awareness and training policy

+

procedures addressing security training implementation

+

codes of federal regulations

+

security training curriculum

+

security training materials

+

security plan

+

training records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for role-based security training

+

organizational personnel with assigned information system security roles and responsibilities

+
+ + TEST +

Automated mechanisms managing role-based security training

+
+ + + C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) + + + NIST Special Publication 800-16 + + + NIST Special Publication 800-50 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SECURITY TRAINING RECORDS + + organization-defined time period + organization-defined time period + + AT-4 + P3 + LOW + MODERATE + HIGH + +

The organization:

+ + AT-4a. +

Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and

+
+ + AT-4b. +

Retains individual training records for .

+
+
+ +

Documentation for specialized training may be maintained by individual supervisors at the option of the organization.

+ + + +
+ +

Determine if the organization:

+ + AT-4(a) + + AT-4(a)[1] +

documents individual information system security training activities including:

+ + AT-4(a)[1][a] +

basic security awareness training;

+
+ + AT-4(a)[1][b] +

specific role-based information system security training;

+
+
+ + AT-4(a)[2] +

monitors individual information system security training activities including:

+ + AT-4(a)[2][a] +

basic security awareness training;

+
+ + AT-4(a)[2][b] +

specific role-based information system security training;

+
+
+
+ + AT-4(b) + + AT-4(b)[1] +

defines a time period to retain individual training records; and

+
+ + AT-4(b)[2] +

retains individual training records for the organization-defined time period.

+
+
+
+ + EXAMINE +

Security awareness and training policy

+

procedures addressing security training records

+

security awareness and training records

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with security training record retention responsibilities

+
+ + TEST +

Automated mechanisms supporting management of security training records

+
+
+
+ + AUDIT AND ACCOUNTABILITY + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + AU-1 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + AU-1a. +

Develops, documents, and disseminates to :

+ + AU-1a.1. +

An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + AU-1a.2. +

Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and

+
+
+ + AU-1b. +

Reviews and updates the current:

+ + AU-1b.1. +

Audit and accountability policy ; and

+
+ + AU-1b.2. +

Audit and accountability procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if the organization:

+ + AU-1(a)(1) + + AU-1(a)(1)[1] +

develops and documents an audit and accountability policy that addresses:

+ + AU-1(a)(1)[1][a] +

purpose;

+
+ + AU-1(a)(1)[1][b] +

scope;

+
+ + AU-1(a)(1)[1][c] +

roles;

+
+ + AU-1(a)(1)[1][d] +

responsibilities;

+
+ + AU-1(a)(1)[1][e] +

management commitment;

+
+ + AU-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + AU-1(a)(1)[1][g] +

compliance;

+
+
+ + AU-1(a)(1)[2] +

defines personnel or roles to whom the audit and accountability policy are to be disseminated;

+
+ + AU-1(a)(1)[3] +

disseminates the audit and accountability policy to organization-defined personnel or roles;

+
+
+ + AU-1(a)(2) + + AU-1(a)(2)[1] +

develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls;

+
+ + AU-1(a)(2)[2] +

defines personnel or roles to whom the procedures are to be disseminated;

+
+ + AU-1(a)(2)[3] +

disseminates the procedures to organization-defined personnel or roles;

+
+
+ + AU-1(b)(1) + + AU-1(b)(1)[1] +

defines the frequency to review and update the current audit and accountability policy;

+
+ + AU-1(b)(1)[2] +

reviews and updates the current audit and accountability policy with the organization-defined frequency;

+
+
+ + AU-1(b)(2) + + AU-1(b)(2)[1] +

defines the frequency to review and update the current audit and accountability procedures; and

+
+ + AU-1(b)(2)[2] +

reviews and updates the current audit and accountability procedures in accordance with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Audit and accountability policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security responsibilities

+
+ + + NIST Special Publication 800-12 + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + AUDIT RECORD RETENTION + + organization-defined time period consistent with records retention policy + organization-defined time period consistent with records retention policy + + AU-11 + P3 + LOW + MODERATE + HIGH + +

The organization retains audit records for to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

+
+ +

Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.

+ + + + +
+ +

Determine if the organization:

+ + AU-11[1] +

defines a time period to retain audit records that is consistent with records retention policy;

+
+ + AU-11[2] +

retains audit records for the organization-defined time period consistent with records retention policy to:

+ + AU-11[2][a] +

provide support for after-the-fact investigations of security incidents; and

+
+ + AU-11[2][b] +

meet regulatory and organizational information retention requirements.

+
+
+
+ + EXAMINE +

Audit and accountability policy

+

audit record retention policy and procedures

+

security plan

+

organization-defined retention period for audit records

+

audit record archives

+

audit logs

+

audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with audit record retention responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + AUDIT GENERATION + + organization-defined information system components + organization-defined information system components + + + organization-defined personnel or roles + organization-defined personnel or roles + + AU-12 + P1 + LOW + MODERATE + HIGH + +

The information system:

+ + AU-12a. +

Provides audit record generation capability for the auditable events defined in AU-2 a. at ;

+
+ + AU-12b. +

Allows to select which auditable events are to be audited by specific components of the information system; and

+
+ + AU-12c. +

Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

+
+
+ +

Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records.

+ + + + + +
+ +

Determine if:

+ + AU-12(a) + + AU-12(a)[1] +

the organization defines the information system components which are to provide audit record generation capability for the auditable events defined in AU-2a;

+
+ + AU-12(a)[2] +

the information system provides audit record generation capability, for the auditable events defined in AU-2a, at organization-defined information system components;

+
+
+ + AU-12(b) + + AU-12(b)[1] +

the organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system;

+
+ + AU-12(b)[2] +

the information system allows the organization-defined personnel or roles to select which auditable events are to be audited by specific components of the system; and

+
+
+ + AU-12(c) +

the information system generates audit records for the events defined in AU-2d with the content in defined in AU-3.

+
+
+ + EXAMINE +

Audit and accountability policy

+

procedures addressing audit record generation

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

list of auditable events

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with audit record generation responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms implementing audit record generation capability

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + AUDIT EVENTS + + organization-defined auditable events + organization-defined auditable events + + + organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event + organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event + + AU-2 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + AU-2a. +

Determines that the information system is capable of auditing the following events: ;

+
+ + AU-2b. +

Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

+
+ + AU-2c. +

Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and

+
+ + AU-2d. +

Determines that the following events are to be audited within the information system: .

+
+
+ +

An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.

+ + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + REVIEWS AND UPDATES + + organization-defined frequency + organization-defined frequency + + AU-2 (3) + MODERATE + HIGH + +

The organization reviews and updates the audited events .

+
+ +

Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient.

+
+ +

Determine if the organization:

+ + AU-2(3)[1] +

defines the frequency to review and update the audited events; and

+
+ + AU-2(3)[2] +

reviews and updates the auditable events with organization-defined frequency.

+
+
+ + EXAMINE +

Audit and accountability policy

+

procedures addressing auditable events

+

security plan

+

list of organization-defined auditable events

+

auditable events review and update records

+

information system audit records

+

information system incident reports

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms supporting review and update of auditable events

+
+
+ +

Determine if the organization:

+ + AU-2(a) + + AU-2(a)[1] +

defines the auditable events that the information system must be capable of auditing;

+
+ + AU-2(a)[2] +

determines that the information system is capable of auditing organization-defined auditable events;

+
+
+ + AU-2(b) +

coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

+
+ + AU-2(c) +

provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents;

+
+ + AU-2(d) + + AU-2(d)[1] +

defines the subset of auditable events defined in AU-2a that are to be audited within the information system;

+
+ + AU-2(d)[2] +

determines that the subset of auditable events defined in AU-2a are to be audited within the information system; and

+
+ + AU-2(d)[3] +

determines the frequency of (or situation requiring) auditing for each identified event.

+
+
+
+ + EXAMINE +

Audit and accountability policy

+

procedures addressing auditable events

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

information system auditable events

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Automated mechanisms implementing information system auditing

+
+ + + NIST Special Publication 800-92 + + + http://idmanagement.gov + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + CONTENT OF AUDIT RECORDS + AU-3 + P1 + LOW + MODERATE + HIGH + +

The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

+
+ +

Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).

+ + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + ADDITIONAL AUDIT INFORMATION + + organization-defined additional, more detailed information + organization-defined additional, more detailed information + + AU-3 (1) + MODERATE + HIGH + +

The information system generates audit records containing the following additional information: .

+
+ +

Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest.

+
+ +

Determine if:

+ + AU-3(1)[1] +

the organization defines additional, more detailed information to be contained in audit records that the information system generates; and

+
+ + AU-3(1)[2] +

the information system generates audit records containing the organization-defined additional, more detailed information.

+
+
+ + EXAMINE +

Audit and accountability policy

+

procedures addressing content of audit records

+

information system design documentation

+

information system configuration settings and associated documentation

+

list of organization-defined auditable events

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Information system audit capability

+
+
+ +

Determine if the information system generates audit records containing information that establishes:

+ + AU-3[1] +

what type of event occurred;

+
+ + AU-3[2] +

when the event occurred;

+
+ + AU-3[3] +

where the event occurred;

+
+ + AU-3[4] +

the source of the event;

+
+ + AU-3[5] +

the outcome of the event; and

+
+ + AU-3[6] +

the identity of any individuals or subjects associated with the event.

+
+
+ + EXAMINE +

Audit and accountability policy

+

procedures addressing content of audit records

+

information system design documentation

+

information system configuration settings and associated documentation

+

list of organization-defined auditable events

+

information system audit records

+

information system incident reports

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Automated mechanisms implementing information system auditing of auditable events

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + AUDIT STORAGE CAPACITY + + organization-defined audit record storage requirements + organization-defined audit record storage requirements + + AU-4 + P1 + LOW + MODERATE + HIGH + +

The organization allocates audit record storage capacity in accordance with .

+
+ +

Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability.

+ + + + + + +
+ +

Determine if the organization:

+ + AU-4[1] +

defines audit record storage requirements; and

+
+ + AU-4[2] +

allocates audit record storage capacity in accordance with the organization-defined audit record storage requirements.

+
+
+ + EXAMINE +

Audit and accountability policy

+

procedures addressing audit storage capacity

+

information system design documentation

+

information system configuration settings and associated documentation

+

audit record storage requirements

+

audit record storage capability for information system components

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Audit record storage capacity and related configuration settings

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + RESPONSE TO AUDIT PROCESSING FAILURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) + organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) + + AU-5 + P1 + LOW + MODERATE + HIGH + +

The information system:

+ + AU-5a. +

Alerts in the event of an audit processing failure; and

+
+ + AU-5b. +

Takes the following additional actions: .

+
+
+ +

Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

+ + +
+ +

Determine if:

+ + AU-5(a) + + AU-5(a)[1] +

the organization defines the personnel or roles to be alerted in the event of an audit processing failure;

+
+ + AU-5(a)[2] +

the information system alerts the organization-defined personnel or roles in the event of an audit processing failure;

+
+
+ + AU-5(b) + + AU-5(b)[1] +

the organization defines additional actions to be taken (e.g., shutdown information system, overwrite oldest audit records, stop generating audit records) in the event of an audit processing failure; and

+
+ + AU-5(b)[2] +

the information system takes the additional organization-defined actions in the event of an audit processing failure.

+
+
+
+ + EXAMINE +

Audit and accountability policy

+

procedures addressing response to audit processing failures

+

information system design documentation

+

security plan

+

information system configuration settings and associated documentation

+

list of personnel to be notified in case of an audit processing failure

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms implementing information system response to audit processing failures

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + AUDIT REVIEW, ANALYSIS, AND REPORTING + + organization-defined frequency + organization-defined frequency + + + organization-defined inappropriate or unusual activity + organization-defined inappropriate or unusual activity + + + organization-defined personnel or roles + organization-defined personnel or roles + + AU-6 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + AU-6a. +

Reviews and analyzes information system audit records for indications of ; and

+
+ + AU-6b. +

Reports findings to .

+
+
+ +

Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PROCESS INTEGRATION + AU-6 (1) + MODERATE + HIGH + +

The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

+
+ +

Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits.

+ + +
+ +

Determine if the organization:

+ + AU-6(1)[1] +

employs automated mechanisms to integrate:

+ + AU-6(1)[1][a] +

audit review;

+
+ + AU-6(1)[1][b] +

analysis;

+
+ + AU-6(1)[1][c] +

reporting processes;

+
+
+ + AU-6(1)[2] +

uses integrated audit review, analysis and reporting processes to support organizational processes for:

+ + AU-6(1)[2][a] +

investigation of suspicious activities; and

+
+ + AU-6(1)[2][b] +

response to suspicious activities.

+
+
+
+ + EXAMINE +

Audit and accountability policy

+

procedures addressing audit review, analysis, and reporting

+

procedures addressing investigation and response to suspicious activities

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with audit review, analysis, and reporting responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms integrating audit review, analysis, and reporting processes

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + CORRELATE AUDIT REPOSITORIES + AU-6 (3) + MODERATE + HIGH + +

The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

+
+ +

Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission/business process, and information system) and supports cross-organization awareness.

+ + +
+ +

Determine if the organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

+
+ + EXAMINE +

Audit and accountability policy

+

procedures addressing audit review, analysis, and reporting

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records across different repositories

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with audit review, analysis, and reporting responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms supporting analysis and correlation of audit records

+
+
+ +

Determine if the organization:

+ + AU-6(a) + + AU-6(a)[1] +

defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed;

+
+ + AU-6(a)[2] +

defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity;

+
+ + AU-6(a)[3] +

reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency;

+
+
+ + AU-6(b) + + AU-6(b)[1] +

defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported; and

+
+ + AU-6(b)[2] +

reports findings to organization-defined personnel or roles.

+
+
+
+ + EXAMINE +

Audit and accountability policy

+

procedures addressing audit review, analysis, and reporting

+

reports of audit findings

+

records of actions taken in response to reviews/analyses of audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with audit review, analysis, and reporting responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + AUDIT REDUCTION AND REPORT GENERATION + AU-7 + P2 + MODERATE + HIGH + +

The information system provides an audit reduction and report generation capability that:

+ + AU-7a. +

Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and

+
+ + AU-7b. +

Does not alter the original content or time ordering of audit records.

+
+
+ +

Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient.

+ +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + AUTOMATIC PROCESSING + + organization-defined audit fields within audit records + organization-defined audit fields within audit records + + AU-7 (1) + MODERATE + HIGH + +

The information system provides the capability to process audit records for events of interest based on .

+
+ +

Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component.

+ + +
+ +

Determine if:

+ + AU-7(1)[1] +

the organization defines audit fields within audit records in order to process audit records for events of interest; and

+
+ + AU-7(1)[2] +

the information system provides the capability to process audit records for events of interest based on the organization-defined audit fields within audit records.

+
+
+ + EXAMINE +

Audit and accountability policy

+

procedures addressing audit reduction and report generation

+

information system design documentation

+

information system configuration settings and associated documentation

+

audit reduction, review, analysis, and reporting tools

+

audit record criteria (fields) establishing events of interest

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with audit reduction and report generation responsibilities

+

organizational personnel with information security responsibilities

+

system developers

+
+ + TEST +

Audit reduction and report generation capability

+
+
+ +

Determine if the information system provides an audit reduction and report generation capability that supports:

+ + AU-7(a) + + AU-7(a)[1] +

on-demand audit review;

+
+ + AU-7(a)[2] +

analysis;

+
+ + AU-7(a)[3] +

reporting requirements;

+
+ + AU-7(a)[4] +

after-the-fact investigations of security incidents; and

+
+
+ + AU-7(b) +

does not alter the original content or time ordering of audit records.

+
+
+ + EXAMINE +

Audit and accountability policy

+

procedures addressing audit reduction and report generation

+

information system design documentation

+

information system configuration settings and associated documentation

+

audit reduction, review, analysis, and reporting tools

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with audit reduction and report generation responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Audit reduction and report generation capability

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + TIME STAMPS + + organization-defined granularity of time measurement + organization-defined granularity of time measurement + + AU-8 + P1 + LOW + MODERATE + HIGH + +

The information system:

+ + AU-8a. +

Uses internal system clocks to generate time stamps for audit records; and

+
+ + AU-8b. +

Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets .

+
+
+ +

Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.

+ + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE + + organization-defined frequency + organization-defined frequency + + + organization-defined authoritative time source + organization-defined authoritative time source + + + organization-defined time period + organization-defined time period + + AU-8 (1) + MODERATE + HIGH + +

The information system:

+ + AU-8 (1)(a) +

Compares the internal information system clocks with ; and

+
+ + AU-8 (1)(b) +

Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than .

+
+
+ +

This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.

+
+ +

Determine if:

+ + AU-8(1)(a) + + AU-8(1)(a)[1] +

the organization defines the authoritative time source to which internal information system clocks are to be compared;

+
+ + AU-8(1)(a)[2] +

the organization defines the frequency to compare the internal information system clocks with the organization-defined authoritative time source; and

+
+ + AU-8(1)(a)[3] +

the information system compares the internal information system clocks with the organization-defined authoritative time source with organization-defined frequency; and

+
+
+ + AU-8(1)(b) + + AU-8(1)(b)[1] +

the organization defines the time period that, if exceeded by the time difference between the internal system clocks and the authoritative time source, will result in the internal system clocks being synchronized to the authoritative time source; and

+
+ + AU-8(1)(b)[2] +

the information system synchronizes the internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.

+
+
+
+ + EXAMINE +

Audit and accountability policy

+

procedures addressing time stamp generation

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms implementing internal information system clock synchronization

+
+
+ +

Determine if:

+ + AU-8(a) +

the information system uses internal system clocks to generate time stamps for audit records;

+
+ + AU-8(b) + + AU-8(b)[1] +

the information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);

+
+ + AU-8(b)[2] +

the organization defines the granularity of time measurement to be met when recording time stamps for audit records; and

+
+ + AU-8(b)[3] +

the organization records time stamps for audit records that meet the organization-defined granularity of time measurement.

+
+
+
+ + EXAMINE +

Audit and accountability policy

+

procedures addressing time stamp generation

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms implementing time stamp generation

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + PROTECTION OF AUDIT INFORMATION + AU-9 + P1 + LOW + MODERATE + HIGH + +

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

+
+ +

Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.

+ + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + ACCESS BY SUBSET OF PRIVILEGED USERS + + organization-defined subset of privileged users + organization-defined subset of privileged users + + AU-9 (4) + MODERATE + HIGH + +

The organization authorizes access to management of audit functionality to only .

+
+ +

Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.

+ +
+ +

Determine if the organization:

+ + AU-9(4)[1] +

defines a subset of privileged users to be authorized access to management of audit functionality; and

+
+ + AU-9(4)[2] +

authorizes access to management of audit functionality to only the organization-defined subset of privileged users.

+
+
+ + EXAMINE +

Audit and accountability policy

+

access control policy and procedures

+

procedures addressing protection of audit information

+

information system design documentation

+

information system configuration settings and associated documentation, system-generated list of privileged users with access to management of audit functionality

+

access authorizations

+

access control list

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Automated mechanisms managing access to audit functionality

+
+
+ +

Determine if:

+ + AU-9[1] +

the information system protects audit information from unauthorized:

+ + AU-9[1][a] +

access;

+
+ + AU-9[1][b] +

modification;

+
+ + AU-9[1][c] +

deletion;

+
+
+ + AU-9[2] +

the information system protects audit tools from unauthorized:

+ + AU-9[2][a] +

access;

+
+ + AU-9[2][b] +

modification; and

+
+ + AU-9[2][c] +

deletion.

+
+
+
+ + EXAMINE +

Audit and accountability policy

+

access control policy and procedures

+

procedures addressing protection of audit information

+

information system design documentation

+

information system configuration settings and associated documentation, information system audit records

+

audit tools

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with audit and accountability responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms implementing audit information protection

+
+
+
+ + SECURITY ASSESSMENT AND AUTHORIZATION + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + CA-1 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + CA-1a. +

Develops, documents, and disseminates to :

+ + CA-1a.1. +

A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + CA-1a.2. +

Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and

+
+
+ + CA-1b. +

Reviews and updates the current:

+ + CA-1b.1. +

Security assessment and authorization policy ; and

+
+ + CA-1b.2. +

Security assessment and authorization procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if the organization:

+ + CA-1(a)(1) + + CA-1(a)(1)[1] +

develops and documents a security assessment and authorization policy that addresses:

+ + CA-1(a)(1)[1][a] +

purpose;

+
+ + CA-1(a)(1)[1][b] +

scope;

+
+ + CA-1(a)(1)[1][c] +

roles;

+
+ + CA-1(a)(1)[1][d] +

responsibilities;

+
+ + CA-1(a)(1)[1][e] +

management commitment;

+
+ + CA-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + CA-1(a)(1)[1][g] +

compliance;

+
+
+ + CA-1(a)(1)[2] +

defines personnel or roles to whom the security assessment and authorization policy is to be disseminated;

+
+ + CA-1(a)(1)[3] +

disseminates the security assessment and authorization policy to organization-defined personnel or roles;

+
+
+ + CA-1(a)(2) + + CA-1(a)(2)[1] +

develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated assessment and authorization controls;

+
+ + CA-1(a)(2)[2] +

defines personnel or roles to whom the procedures are to be disseminated;

+
+ + CA-1(a)(2)[3] +

disseminates the procedures to organization-defined personnel or roles;

+
+
+ + CA-1(b)(1) + + CA-1(b)(1)[1] +

defines the frequency to review and update the current security assessment and authorization policy;

+
+ + CA-1(b)(1)[2] +

reviews and updates the current security assessment and authorization policy with the organization-defined frequency;

+
+
+ + CA-1(b)(2) + + CA-1(b)(2)[1] +

defines the frequency to review and update the current security assessment and authorization procedures; and

+
+ + CA-1(b)(2)[2] +

reviews and updates the current security assessment and authorization procedures with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Security assessment and authorization policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with security assessment and authorization responsibilities

+

organizational personnel with information security responsibilities

+
+ + + NIST Special Publication 800-12 + + + NIST Special Publication 800-37 + + + NIST Special Publication 800-53A + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SECURITY ASSESSMENTS + + organization-defined frequency + organization-defined frequency + + + organization-defined individuals or roles + organization-defined individuals or roles + + CA-2 + P2 + LOW + MODERATE + HIGH + +

The organization:

+ + CA-2a. +

Develops a security assessment plan that describes the scope of the assessment including:

+ + CA-2a.1. +

Security controls and control enhancements under assessment;

+
+ + CA-2a.2. +

Assessment procedures to be used to determine security control effectiveness; and

+
+ + CA-2a.3. +

Assessment environment, assessment team, and assessment roles and responsibilities;

+
+
+ + CA-2b. +

Assesses the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

+
+ + CA-2c. +

Produces a security assessment report that documents the results of the assessment; and

+
+ + CA-2d. +

Provides the results of the security control assessment to .

+
+
+ +

Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. 
+To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control.

+ + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + INDEPENDENT ASSESSORS + + organization-defined level of independence + organization-defined level of independence + + CA-2 (1) + MODERATE + HIGH + +

The organization employs assessors or assessment teams with to conduct security control assessments.

+
+ +

Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. 
In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments.

+
+ +

Determine if the organization:

+ + CA-2(1)[1] +

defines the level of independence to be employed to conduct security control assessments; and

+
+ + CA-2(1)[2] +

employs assessors or assessment teams with the organization-defined level of independence to conduct security control assessments.

+
+
+ + EXAMINE +

Security assessment and authorization policy

+

procedures addressing security assessments

+

security authorization package (including security plan, security assessment plan, security assessment report, plan of action and milestones, authorization statement)

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with security assessment responsibilities

+

organizational personnel with information security responsibilities

+
+
+ +

Determine if the organization:

+ + CA-2(a) +

develops a security assessment plan that describes the scope of the assessment including:

+ + CA-2(a)(1) +

security controls and control enhancements under assessment;

+
+ + CA-2(a)(2) +

assessment procedures to be used to determine security control effectiveness;

+
+ + CA-2(a)(3) + + CA-2(a)(3)[1] +

assessment environment;

+
+ + CA-2(a)(3)[2] +

assessment team;

+
+ + CA-2(a)(3)[3] +

assessment roles and responsibilities;

+
+
+
+ + CA-2(b) + + CA-2(b)[1] +

defines the frequency to assess the security controls in the information system and its environment of operation;

+
+ + CA-2(b)[2] +

assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

+
+
+ + CA-2(c) +

produces a security assessment report that documents the results of the assessment;

+
+ + CA-2(d) + + CA-2(d)[1] +

defines individuals or roles to whom the results of the security control assessment are to be provided; and

+
+ + CA-2(d)[2] +

provides the results of the security control assessment to organization-defined individuals or roles.

+
+
+
+ + EXAMINE +

Security assessment and authorization policy

+

procedures addressing security assessment planning

+

procedures addressing security assessments

+

security assessment plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with security assessment responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms supporting security assessment, security assessment plan development, and/or security assessment reporting

+
+ + + Executive Order 13587 + + + FIPS Publication 199 + + + NIST Special Publication 800-37 + + + NIST Special Publication 800-39 + + + NIST Special Publication 800-53A + + + NIST Special Publication 800-115 + + + NIST Special Publication 800-137 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SYSTEM INTERCONNECTIONS + + organization-defined frequency + organization-defined frequency + + CA-3 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + CA-3a. +

Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;

+
+ + CA-3b. +

Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and

+
+ + CA-3c. +

Reviews and updates Interconnection Security Agreements .

+
+
+ +

This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.

+ + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS + + organization-defined information systems + organization-defined information systems + + CA-3 (5) + MODERATE + HIGH + +

The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing to connect to external information systems.

+
+ +

Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable.

+ +
+ +

Determine if the organization:

+ + CA-3(5)[1] +

defines information systems to be allowed to connect to external information systems;

+
+ + CA-3(5)[2] +

employs one of the following policies for allowing organization-defined information systems to connect to external information systems:

+ + CA-3(5)[2][a] +

allow-all policy;

+
+ + CA-3(5)[2][b] +

deny-by-exception policy;

+
+ + CA-3(5)[2][c] +

deny-all policy; or

+
+ + CA-3(5)[2][d] +

permit-by-exception policy.

+
+
+
+ + EXAMINE +

Access control policy

+

procedures addressing information system connections

+

system and communications protection policy

+

information system interconnection agreements

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

security assessment report

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for managing connections to external information systems

+

network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms implementing restrictions on external system connections

+
+
+ +

Determine if the organization:

+ + CA-3(a) +

authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;

+
+ + CA-3(b) +

documents, for each interconnection:

+ + CA-3(b)[1] +

the interface characteristics;

+
+ + CA-3(b)[2] +

the security requirements;

+
+ + CA-3(b)[3] +

the nature of the information communicated;

+
+
+ + CA-3(c) + + CA-3(c)[1] +

defines the frequency to review and update Interconnection Security Agreements; and

+
+ + CA-3(c)[2] +

reviews and updates Interconnection Security Agreements with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Access control policy

+

procedures addressing information system connections

+

system and communications protection policy

+

information system Interconnection Security Agreements

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for developing, implementing, or approving information system interconnection agreements

+

organizational personnel with information security responsibilities

+

personnel managing the system(s) to which the Interconnection Security Agreement applies

+
+ + + FIPS Publication 199 + + + NIST Special Publication 800-47 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + PLAN OF ACTION AND MILESTONES + + organization-defined frequency + organization-defined frequency + + CA-5 + P3 + LOW + MODERATE + HIGH + +

The organization:

+ + CA-5a. +

Develops a plan of action and milestones for the information system to document the organization�s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and

+
+ + CA-5b. +

Updates existing plan of action and milestones based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

+
+
+ +

Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB.

+ + + + +
+ +

Determine if the organization:

+ + CA-5(a) +

develops a plan of action and milestones for the information system to:

+ + CA-5(a)[1] +

document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls;

+
+ + CA-5(a)[2] +

reduce or eliminate known vulnerabilities in the system;

+
+
+ + CA-5(b) + + CA-5(b)[1] +

defines the frequency to update the existing plan of action and milestones;

+
+ + CA-5(b)[2] +

updates the existing plan of action and milestones with the organization-defined frequency based on the findings from:

+ + CA-5(b)[2][a] +

security controls assessments;

+
+ + CA-5(b)[2][b] +

security impact analyses; and

+
+ + CA-5(b)[2][c] +

continuous monitoring activities.

+
+
+
+
+ + EXAMINE +

Security assessment and authorization policy

+

procedures addressing plan of action and milestones

+

security plan

+

security assessment plan

+

security assessment report

+

security assessment evidence

+

plan of action and milestones

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with plan of action and milestones development and implementation responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms for developing, implementing, and maintaining plan of action and milestones

+
+ + + OMB Memorandum 02-01 + + + NIST Special Publication 800-37 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SECURITY AUTHORIZATION + + organization-defined frequency + organization-defined frequency + + CA-6 + P2 + LOW + MODERATE + HIGH + +

The organization:

+ + CA-6a. +

Assigns a senior-level executive or manager as the authorizing official for the information system;

+
+ + CA-6b. +

Ensures that the authorizing official authorizes the information system for processing before commencing operations; and

+
+ + CA-6c. +

Updates the security authorization .

+
+
+ +

Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. 
To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.

+ + + + +
+ +

Determine if the organization:

+ + CA-6(a) +

assigns a senior-level executive or manager as the authorizing official for the information system;

+
+ + CA-6(b) +

ensures that the authorizing official authorizes the information system for processing before commencing operations;

+
+ + CA-6(c) + + CA-6(c)[1] +

defines the frequency to update the security authorization; and

+
+ + CA-6(c)[2] +

updates the security authorization with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Security assessment and authorization policy

+

procedures addressing security authorization

+

security authorization package (including security plan

+

security assessment report

+

plan of action and milestones

+

authorization statement)

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with security authorization responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms that facilitate security authorizations and updates

+
+ + + OMB Circular A-130 + + + OMB Memorandum 11-33 + + + NIST Special Publication 800-37 + + + NIST Special Publication 800-137 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + CONTINUOUS MONITORING + + organization-defined metrics + organization-defined metrics + + + organization-defined frequencies + organization-defined frequencies + + + organization-defined frequencies + organization-defined frequencies + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + CA-7 + P2 + LOW + MODERATE + HIGH + +

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

+ + CA-7a. +

Establishment of to be monitored;

+
+ + CA-7b. +

Establishment of for monitoring and for assessments supporting such monitoring;

+
+ + CA-7c. +

Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

+
+ + CA-7d. +

Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

+
+ + CA-7e. +

Correlation and analysis of security-related information generated by assessments and monitoring;

+
+ + CA-7f. +

Response actions to address results of the analysis of security-related information; and

+
+ + CA-7g. +

Reporting the security status of organization and the information system to + .

+
+
+ +

Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.

+ + + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + INDEPENDENT ASSESSMENT + + organization-defined level of independence + organization-defined level of independence + + CA-7 (1) + MODERATE + HIGH + +

The organization employs assessors or assessment teams with to monitor the security controls in the information system on an ongoing basis.

+
+ +

Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services.

+
+ +

Determine if the organization:

+ + CA-7(1)[1] +

defines a level of independence to be employed to monitor the security controls in the information system on an ongoing basis; and

+
+ + CA-7(1)[2] +

employs assessors or assessment teams with the organization-defined level of independence to monitor the security controls in the information system on an ongoing basis.

+
+
+ + EXAMINE +

Security assessment and authorization policy

+

procedures addressing continuous monitoring of information system security controls

+

security plan

+

security assessment report

+

plan of action and milestones

+

information system monitoring records

+

security impact analyses

+

status reports

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with continuous monitoring responsibilities

+

organizational personnel with information security responsibilities

+
+
+ +

Determine if the organization:

+ + CA-7(a) + + CA-7(a)[1] +

develops a continuous monitoring strategy that defines metrics to be monitored;

+
+ + CA-7(a)[2] +

develops a continuous monitoring strategy that includes monitoring of organization-defined metrics;

+
+ + CA-7(a)[3] +

implements a continuous monitoring program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

+
+
+ + CA-7(b) + + CA-7(b)[1] +

develops a continuous monitoring strategy that defines frequencies for monitoring;

+
+ + CA-7(b)[2] +

defines frequencies for assessments supporting monitoring;

+
+ + CA-7(b)[3] +

develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring;

+
+ + CA-7(b)[4] +

implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy;

+
+
+ + CA-7(c) + + CA-7(c)[1] +

develops a continuous monitoring strategy that includes ongoing security control assessments;

+
+ + CA-7(c)[2] +

implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

+
+
+ + CA-7(d) + + CA-7(d)[1] +

develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics;

+
+ + CA-7(d)[2] +

implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

+
+
+ + CA-7(e) + + CA-7(e)[1] +

develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring;

+
+ + CA-7(e)[2] +

implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy;

+
+
+ + CA-7(f) + + CA-7(f)[1] +

develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information;

+
+ + CA-7(f)[2] +

implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational continuous monitoring strategy;

+
+
+ + CA-7(g) + + CA-7(g)[1] +

develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported;

+
+ + CA-7(g)[2] +

develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles;

+
+ + CA-7(g)[3] +

develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organizational-defined personnel or roles with the organization-defined frequency; and

+
+ + CA-7(g)[4] +

implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy.

+
+
+
+ + EXAMINE +

Security assessment and authorization policy

+

procedures addressing continuous monitoring of information system security controls

+

procedures addressing configuration management

+

security plan

+

security assessment report

+

plan of action and milestones

+

information system monitoring records

+

configuration management records, security impact analyses

+

status reports

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with continuous monitoring responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Mechanisms implementing continuous monitoring

+
+ + + OMB Memorandum 11-33 + + + NIST Special Publication 800-37 + + + NIST Special Publication 800-39 + + + NIST Special Publication 800-53A + + + NIST Special Publication 800-115 + + + NIST Special Publication 800-137 + + + US-CERT Technical Cyber Security Alerts + + + DoD Information Assurance Vulnerability Alerts + + +
+ + ../SP800-53/SP800-53-HIGH-baseline.xml + + PENETRATION TESTING + + organization-defined frequency + organization-defined frequency + + + organization-defined information systems or system components + organization-defined information systems or system components + + CA-8 + P2 + HIGH + +

The organization conducts penetration testing on .

+
+ +

Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing.

+ +
+ +

Determine if the organization:

+ + CA-8[1] +

defines information systems or system components on which penetration testing is to be conducted;

+
+ + CA-8[2] +

defines the frequency to conduct penetration testing on organization-defined information systems or system components; and

+
+ + CA-8[3] +

conducts penetration testing on organization-defined information systems or system components with the organization-defined frequency.

+
+
+ + EXAMINE +

Security assessment and authorization policy

+

procedures addressing penetration testing

+

security plan

+

security assessment plan

+

penetration test report

+

security assessment report

+

security assessment evidence

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with security assessment responsibilities

+

organizational personnel with information security responsibilities, system/network administrators

+
+ + TEST +

Automated mechanisms supporting penetration testing

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INTERNAL SYSTEM CONNECTIONS + + organization-defined information system components or classes of components + organization-defined information system components or classes of components + + CA-9 + P2 + LOW + MODERATE + HIGH + +

The organization:

+ + CA-9a. +

Authorizes internal connections of to the information system; and

+
+ + CA-9b. +

Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

+
+
+ +

This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.

+ + + + + + + + + + + +
+ +

Determine if the organization:

+ + CA-9(a) + + CA-9(a)[1] +

defines information system components or classes of components to be authorized as internal connections to the information system;

+
+ + CA-9(a)[2] +

authorizes internal connections of organization-defined information system components or classes of components to the information system;

+
+
+ + CA-9(b) +

documents, for each internal connection:

+ + CA-9(b)[1] +

the interface characteristics;

+
+ + CA-9(b)[2] +

the security requirements; and

+
+ + CA-9(b)[3] +

the nature of the information communicated.

+
+
+
+ + EXAMINE +

Access control policy

+

procedures addressing information system connections

+

system and communications protection policy

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

list of components or classes of components authorized as internal system connections

+

security assessment report

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for developing, implementing, or authorizing internal system connections

+

organizational personnel with information security responsibilities

+
+
+
+ + CONFIGURATION MANAGEMENT + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + CONFIGURATION MANAGEMENT POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + CM-1 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + CM-1a. +

Develops, documents, and disseminates to :

+ + CM-1a.1. +

A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + CM-1a.2. +

Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and

+
+
+ + CM-1b. +

Reviews and updates the current:

+ + CM-1b.1. +

Configuration management policy ; and

+
+ + CM-1b.2. +

Configuration management procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if the organization:

+ + CM-1(a)(1) + + CM-1(a)(1)[1] +

develops and documents a configuration management policy that addresses:

+ + CM-1(a)(1)[1][a] +

purpose;

+
+ + CM-1(a)(1)[1][b] +

scope;

+
+ + CM-1(a)(1)[1][c] +

roles;

+
+ + CM-1(a)(1)[1][d] +

responsibilities;

+
+ + CM-1(a)(1)[1][e] +

management commitment;

+
+ + CM-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + CM-1(a)(1)[1][g] +

compliance;

+
+
+ + CM-1(a)(1)[2] +

defines personnel or roles to whom the configuration management policy is to be disseminated;

+
+ + CM-1(a)(1)[3] +

disseminates the configuration management policy to organization-defined personnel or roles;

+
+
+ + CM-1(a)(2) + + CM-1(a)(2)[1] +

develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls;

+
+ + CM-1(a)(2)[2] +

defines personnel or roles to whom the procedures are to be disseminated;

+
+ + CM-1(a)(2)[3] +

disseminates the procedures to organization-defined personnel or roles;

+
+
+ + CM-1(b)(1) + + CM-1(b)(1)[1] +

defines the frequency to review and update the current configuration management policy;

+
+ + CM-1(b)(1)[2] +

reviews and updates the current configuration management policy with the organization-defined frequency;

+
+
+ + CM-1(b)(2) + + CM-1(b)(2)[1] +

defines the frequency to review and update the current configuration management procedures; and

+
+ + CM-1(b)(2)[2] +

reviews and updates the current configuration management procedures with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Configuration management policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + + NIST Special Publication 800-12 + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SOFTWARE USAGE RESTRICTIONS + CM-10 + P2 + LOW + MODERATE + HIGH + +

The organization:

+ + CM-10a. +

Uses software and associated documentation in accordance with contract agreements and copyright laws;

+
+ + CM-10b. +

Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

+
+ + CM-10c. +

Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

+
+
+ +

Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs.

+ + + +
+ +

Determine if the organization:

+ + CM-10(a) +

uses software and associated documentation in accordance with contract agreements and copyright laws;

+
+ + CM-10(b) +

tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

+
+ + CM-10(c) +

controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

+
+
+ + EXAMINE +

Configuration management policy

+

procedures addressing software usage restrictions

+

configuration management plan

+

security plan

+

software contract agreements and copyright laws

+

site license documentation

+

list of software usage restrictions

+

software license tracking reports

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information security responsibilities

+

system/network administrators

+

organizational personnel operating, using, and/or maintaining the information system

+

organizational personnel with software license management responsibilities

+
+ + TEST +

Organizational process for tracking the use of software protected by quantity licenses

+

organization process for controlling/documenting the use of peer-to-peer file sharing technology

+

automated mechanisms implementing software license tracking

+

automated mechanisms implementing and controlling the use of peer-to-peer files sharing technology

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + USER-INSTALLED SOFTWARE + + organization-defined policies + organization-defined policies + + + organization-defined methods + organization-defined methods + + + organization-defined frequency + organization-defined frequency + + CM-11 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + CM-11a. +

Establishes governing the installation of software by users;

+
+ + CM-11b. +

Enforces software installation policies through ; and

+
+ + CM-11c. +

Monitors policy compliance at .

+
+
+ +

If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved �app stores.� Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both.

+ + + + + + + +
+ +

Determine if the organization:

+ + CM-11(a) + + CM-11(a)[1] +

defines policies to govern the installation of software by users;

+
+ + CM-11(a)[2] +

establishes organization-defined policies governing the installation of software by users;

+
+
+ + CM-11(b) + + CM-11(b)[1] +

defines methods to enforce software installation policies;

+
+ + CM-11(b)[2] +

enforces software installation policies through organization-defined methods;

+
+
+ + CM-11(c) + + CM-11(c)[1] +

defines frequency to monitor policy compliance; and

+
+ + CM-11(c)[2] +

monitors policy compliance at organization-defined frequency.

+
+
+
+ + EXAMINE +

Configuration management policy

+

procedures addressing user installed software

+

configuration management plan

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

list of rules governing user installed software

+

information system monitoring records

+

information system audit records

+

other relevant documents or records

+

continuous monitoring strategy

+
+ + INTERVIEW +

Organizational personnel with responsibilities for governing user-installed software

+

organizational personnel operating, using, and/or maintaining the information system

+

organizational personnel monitoring compliance with user-installed software policy

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes governing user-installed software on the information system

+

automated mechanisms enforcing rules/methods for governing the installation of software by users

+

automated mechanisms monitoring policy compliance

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + BASELINE CONFIGURATION + CM-2 + P1 + LOW + MODERATE + HIGH + +

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

+
+ +

This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture.

+ + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + REVIEWS AND UPDATES + + organization-defined frequency + organization-defined frequency + + + Assignment organization-defined circumstances + Assignment organization-defined circumstances + + CM-2 (1) + MODERATE + HIGH + +

The organization reviews and updates the baseline configuration of the information system:

+ + CM-2 (1)(a) +

+ ;

+
+ + CM-2 (1)(b) +

When required due to ; and

+
+ + CM-2 (1)(c) +

As an integral part of information system component installations and upgrades.

+
+
+ + + + +

Determine if the organization:

+ + CM-2(1)(a) + + CM-2(1)(a)[1] +

defines the frequency to review and update the baseline configuration of the information system;

+
+ + CM-2(1)(a)[2] +

reviews and updates the baseline configuration of the information system with the organization-defined frequency;

+
+
+ + CM-2(1)(b) + + CM-2(1)(b)[1] +

defines circumstances that require the baseline configuration of the information system to be reviewed and updated;

+
+ + CM-2(1)(b)[2] +

reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances; and

+
+
+ + CM-2(1)(c) +

reviews and updates the baseline configuration of the information system as an integral part of information system component installations and upgrades.

+
+
+ + EXAMINE +

Configuration management policy

+

configuration management plan

+

procedures addressing the baseline configuration of the information system

+

procedures addressing information system component installations and upgrades

+

information system architecture and configuration documentation

+

information system configuration settings and associated documentation

+

records of information system baseline configuration reviews and updates

+

information system component installations/upgrades and associated records

+

change control records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for managing baseline configurations

+

automated mechanisms supporting review and update of the baseline configuration

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + RETENTION OF PREVIOUS CONFIGURATIONS + + organization-defined previous versions of baseline configurations of the information system + organization-defined previous versions of baseline configurations of the information system + + CM-2 (3) + MODERATE + HIGH + +

The organization retains to support rollback.

+
+ +

Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records.

+
+ +

Determine if the organization:

+ + CM-2(3)[1] +

defines previous versions of baseline configurations of the information system to be retained to support rollback; and

+
+ + CM-2(3)[2] +

retains organization-defined previous versions of baseline configurations of the information system to support rollback.

+
+
+ + EXAMINE +

Configuration management policy

+

procedures addressing the baseline configuration of the information system

+

configuration management plan

+

information system architecture and configuration documentation

+

information system configuration settings and associated documentation

+

copies of previous baseline configuration versions

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for managing baseline configurations

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS + + organization-defined information systems, system components, or devices + organization-defined information systems, system components, or devices + + + organization-defined configurations + organization-defined configurations + + + organization-defined security safeguards + organization-defined security safeguards + + CM-2 (7) + MODERATE + HIGH + +

The organization:

+ + CM-2 (7)(a) +

Issues with to individuals traveling to locations that the organization deems to be of significant risk; and

+
+ + CM-2 (7)(b) +

Applies to the devices when the individuals return.

+
+
+ +

When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family.

+
+ +

Determine if the organization:

+ + CM-2(7)(a) + + CM-2(7)(a)[1] +

defines information systems, system components, or devices to be issued to individuals traveling to locations that the organization deems to be of significant risk;

+
+ + CM-2(7)(a)[2] +

defines configurations to be employed on organization-defined information systems, system components, or devices issued to individuals traveling to such locations;

+
+ + CM-2(7)(a)[3] +

issues organization-defined information systems, system components, or devices with organization-defined configurations to individuals traveling to locations that the organization deems to be of significant risk;

+
+
+ + CM-2(7)(b) + + CM-2(7)(b)[1] +

defines security safeguards to be applied to the devices when the individuals return; and

+
+ + CM-2(7)(b)[2] +

applies organization-defined safeguards to the devices when the individuals return.

+
+
+
+ + EXAMINE +

Configuration management policy

+

configuration management plan

+

procedures addressing the baseline configuration of the information system

+

procedures addressing information system component installations and upgrades

+

information system architecture and configuration documentation

+

information system configuration settings and associated documentation

+

records of information system baseline configuration reviews and updates

+

information system component installations/upgrades and associated records

+

change control records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for managing baseline configurations

+
+
+ +

Determine if the organization:

+ + CM-2[1] +

develops and documents a current baseline configuration of the information system; and

+
+ + CM-2[2] +

maintains, under configuration control, a current baseline configuration of the information system.

+
+
+ + EXAMINE +

Configuration management policy

+

procedures addressing the baseline configuration of the information system

+

configuration management plan

+

enterprise architecture documentation

+

information system design documentation

+

information system architecture and configuration documentation

+

information system configuration settings and associated documentation

+

change control records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with configuration management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for managing baseline configurations

+

automated mechanisms supporting configuration control of the baseline configuration

+
+ + + NIST Special Publication 800-128 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + CONFIGURATION CHANGE CONTROL + + organization-defined time period + organization-defined time period + + + organization-defined configuration change control element (e.g., committee, board) + organization-defined configuration change control element (e.g., committee, board) + + + organization-defined frequency + organization-defined frequency + + + organization-defined configuration change conditions + organization-defined configuration change conditions + + CM-3 + P1 + MODERATE + HIGH + +

The organization:

+ + CM-3a. +

Determines the types of changes to the information system that are configuration-controlled;

+
+ + CM-3b. +

Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

+
+ + CM-3c. +

Documents configuration change decisions associated with the information system;

+
+ + CM-3d. +

Implements approved configuration-controlled changes to the information system;

+
+ + CM-3e. +

Retains records of configuration-controlled changes to the information system for ;

+
+ + CM-3f. +

Audits and reviews activities associated with configuration-controlled changes to the information system; and

+
+ + CM-3g. +

Coordinates and provides oversight for configuration change control activities through that convenes [Selection (one or more): ; ].

+
+
+ +

Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes.

+ + + + + + + + + +
+ +

Determine if the organization:

+ + CM-3(a) +

determines the type of changes to the information system that must be configuration-controlled;

+
+ + CM-3(b) +

reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

+
+ + CM-3(c) +

documents configuration change decisions associated with the information system;

+
+ + CM-3(d) +

implements approved configuration-controlled changes to the information system;

+
+ + CM-3(e) + + CM-3(e)[1] +

defines a time period to retain records of configuration-controlled changes to the information system;

+
+ + CM-3(e)[2] +

retains records of configuration-controlled changes to the information system for the organization-defined time period;

+
+
+ + CM-3(f) +

audits and reviews activities associated with configuration-controlled changes to the information system;

+
+ + CM-3(g) + + CM-3(g)[1] +

defines a configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities;

+
+ + CM-3(g)[2] +

defines the frequency with which the configuration change control element must convene; and/or

+
+ + CM-3(g)[3] +

defines configuration change conditions that prompt the configuration change control element to convene; and

+
+ + CM-3(g)[4] +

coordinates and provides oversight for configuration change control activities through organization-defined configuration change control element that convenes at organization-defined frequency and/or for any organization-defined configuration change conditions.

+
+
+
+ + EXAMINE +

Configuration management policy

+

procedures addressing information system configuration change control

+

configuration management plan

+

information system architecture and configuration documentation

+

security plan

+

change control records

+

information system audit records

+

change control audit and review reports

+

agenda /minutes from configuration change control oversight meetings

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with configuration change control responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

members of change control board or similar

+
+ + TEST +

Organizational processes for configuration change control

+

automated mechanisms that implement configuration change control

+
+ + + NIST Special Publication 800-128 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SECURITY IMPACT ANALYSIS + CM-4 + P2 + LOW + MODERATE + HIGH + +

The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

+
+ +

Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.

+ + + + + + + + +
+ +

Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

+
+ + EXAMINE +

Configuration management policy

+

procedures addressing security impact analysis for changes to the information system

+

configuration management plan

+

security impact analysis documentation

+

analysis tools and associated outputs

+

change control records

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for conducting security impact analysis

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for security impact analysis

+
+ + + NIST Special Publication 800-128 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + ACCESS RESTRICTIONS FOR CHANGE + CM-5 + P1 + MODERATE + HIGH + +

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

+
+ +

Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

+ + + +
+ +

Determine if the organization:

+ + CM-5[1] +

defines physical access restrictions associated with changes to the information system;

+
+ + CM-5[2] +

documents physical access restrictions associated with changes to the information system;

+
+ + CM-5[3] +

approves physical access restrictions associated with changes to the information system;

+
+ + CM-5[4] +

enforces physical access restrictions associated with changes to the information system;

+
+ + CM-5[5] +

defines logical access restrictions associated with changes to the information system;

+
+ + CM-5[6] +

documents logical access restrictions associated with changes to the information system;

+
+ + CM-5[7] +

approves logical access restrictions associated with changes to the information system; and

+
+ + CM-5[8] +

enforces logical access restrictions associated with changes to the information system.

+
+
+ + EXAMINE +

Configuration management policy

+

procedures addressing access restrictions for changes to the information system

+

configuration management plan

+

information system design documentation

+

information system architecture and configuration documentation

+

information system configuration settings and associated documentation

+

logical access approvals

+

physical access approvals

+

access credentials

+

change control records

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with logical access control responsibilities

+

organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for managing access restrictions to change

+

automated mechanisms supporting/implementing/enforcing access restrictions associated with changes to the information system

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + CONFIGURATION SETTINGS + + organization-defined security configuration checklists + organization-defined security configuration checklists + + + organization-defined information system components + organization-defined information system components + + + organization-defined operational requirements + organization-defined operational requirements + + CM-6 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + CM-6a. +

Establishes and documents configuration settings for information technology products employed within the information system using that reflect the most restrictive mode consistent with operational requirements;

+
+ + CM-6b. +

Implements the configuration settings;

+
+ + CM-6c. +

Identifies, documents, and approves any deviations from established configuration settings for based on ; and

+
+ + CM-6d. +

Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

+
+
+ +

Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. +Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. 
Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems.

+ + + + + +
+ +

Determine if the organization:

+ + CM-6(a) + + CM-6(a)[1] +

defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed;

+
+ + CM-6(a)[2] +

ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements;

+
+ + CM-6(a)[3] +

establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists;

+
+
+ + CM-6(b) +

implements the configuration settings established/documented in CM-6(a);;

+
+ + CM-6(c) + + CM-6(c)[1] +

defines information system components for which any deviations from established configuration settings must be:

+ + CM-6(c)[1][a] +

identified;

+
+ + CM-6(c)[1][b] +

documented;

+
+ + CM-6(c)[1][c] +

approved;

+
+
+ + CM-6(c)[2] +

defines operational requirements to support:

+ + CM-6(c)[2][a] +

the identification of any deviations from established configuration settings;

+
+ + CM-6(c)[2][b] +

the documentation of any deviations from established configuration settings;

+
+ + CM-6(c)[2][c] +

the approval of any deviations from established configuration settings;

+
+
+ + CM-6(c)[3] +

identifies any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

+
+ + CM-6(c)[4] +

documents any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

+
+ + CM-6(c)[5] +

approves any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

+
+
+ + CM-6(d) + + CM-6(d)[1] +

monitors changes to the configuration settings in accordance with organizational policies and procedures; and

+
+ + CM-6(d)[2] +

controls changes to the configuration settings in accordance with organizational policies and procedures.

+
+
+
+ + EXAMINE +

Configuration management policy

+

procedures addressing configuration settings for the information system

+

configuration management plan

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

security configuration checklists

+

evidence supporting approved deviations from established configuration settings

+

change control records

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with security configuration management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for managing configuration settings

+

automated mechanisms that implement, monitor, and/or control information system configuration settings

+

automated mechanisms that identify and/or document deviations from established configuration settings

+
+ + + OMB Memorandum 07-11 + + + OMB Memorandum 07-18 + + + OMB Memorandum 08-22 + + + NIST Special Publication 800-70 + + + NIST Special Publication 800-128 + + + http://nvd.nist.gov + + + http://checklists.nist.gov + + + http://www.nsa.gov + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + LEAST FUNCTIONALITY + + organization-defined prohibited or restricted functions, ports, protocols, and/or services + organization-defined prohibited or restricted functions, ports, protocols, and/or services + + CM-7 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + CM-7a. +

Configures the information system to provide only essential capabilities; and

+
+ + CM-7b. +

Prohibits or restricts the use of the following functions, ports, protocols, and/or services: .

+
+
+ +

Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

+ + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PERIODIC REVIEW + + organization-defined frequency + organization-defined frequency + + + organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure + organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure + + CM-7 (1) + MODERATE + HIGH + +

The organization:

+ + CM-7 (1)(a) +

Reviews the information system to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and

+
+ + CM-7 (1)(b) +

Disables .

+
+
+ +

The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols.

+ + + +
+ +

Determine if the organization:

+ + CM-7(1)(a) + + CM-7(1)(a)[1] +

defines the frequency to review the information system to identify unnecessary and/or nonsecure:

+ + CM-7(1)(a)[1][a] +

functions;

+
+ + CM-7(1)(a)[1][b] +

ports;

+
+ + CM-7(1)(a)[1][c] +

protocols; and/or

+
+ + CM-7(1)(a)[1][d] +

services;

+
+
+ + CM-7(1)(a)[2] +

reviews the information system with the organization-defined frequency to identify unnecessary and/or nonsecure:

+ + CM-7(1)(a)[2][a] +

functions;

+
+ + CM-7(1)(a)[2][b] +

ports;

+
+ + CM-7(1)(a)[2][c] +

protocols; and/or

+
+ + CM-7(1)(a)[2][d] +

services;

+
+
+
+ + CM-7(1)(b) + + CM-7(1)(b)[1] +

defines, within the information system, unnecessary and/or nonsecure:

+ + CM-7(1)(b)[1][a] +

functions;

+
+ + CM-7(1)(b)[1][b] +

ports;

+
+ + CM-7(1)(b)[1][c] +

protocols; and/or

+
+ + CM-7(1)(b)[1][d] +

services;

+
+
+ + CM-7(1)(b)[2] +

disables organization-defined unnecessary and/or nonsecure:

+ + CM-7(1)(b)[2][a] +

functions;

+
+ + CM-7(1)(b)[2][b] +

ports;

+
+ + CM-7(1)(b)[2][c] +

protocols; and/or

+
+ + CM-7(1)(b)[2][d] +

services.

+
+
+
+
+ + EXAMINE +

Configuration management policy

+

procedures addressing least functionality in the information system

+

configuration management plan

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

security configuration checklists

+

documented reviews of functions, ports, protocols, and/or services

+

change control records

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the information system

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for reviewing/disabling nonsecure functions, ports, protocols, and/or services

+

automated mechanisms implementing review and disabling of nonsecure functions, ports, protocols, and/or services

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PREVENT PROGRAM EXECUTION + + organization-defined policies regarding software program usage and restrictions + organization-defined policies regarding software program usage and restrictions + + CM-7 (2) + MODERATE + HIGH + +

The information system prevents program execution in accordance with [Selection (one or more): ; rules authorizing the terms and conditions of software program usage].

+
+ + + + + +

Determine if:

+ + CM-7(2)[1] +

the organization defines policies regarding software program usage and restrictions;

+
+ + CM-7(2)[2] +

the information system prevents program execution in accordance with one or more of the following:

+ + CM-7(2)[2][a] +

organization-defined policies regarding program usage and restrictions; and/or

+
+ + CM-7(2)[2][b] +

rules authorizing the terms and conditions of software program usage.

+
+
+
+ + EXAMINE +

Configuration management policy

+

procedures addressing least functionality in the information system

+

configuration management plan

+

security plan

+

information system design documentation

+

specifications for preventing software program execution

+

information system configuration settings and associated documentation

+

change control records

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Organizational processes preventing program execution on the information system

+

organizational processes for software program usage and restrictions

+

automated mechanisms preventing program execution on the information system

+

automated mechanisms supporting and/or implementing software program usage and restrictions

+
+
+ +

Determine if the organization:

+ + CM-7(a) +

configures the information system to provide only essential capabilities;

+
+ + CM-7(b) + + CM-7(b)[1] +

defines prohibited or restricted:

+ + CM-7(b)[1][a] +

functions;

+
+ + CM-7(b)[1][b] +

ports;

+
+ + CM-7(b)[1][c] +

protocols; and/or

+
+ + CM-7(b)[1][d] +

services;

+
+
+ + CM-7(b)[2] +

prohibits or restricts the use of organization-defined:

+ + CM-7(b)[2][a] +

functions;

+
+ + CM-7(b)[2][b] +

ports;

+
+ + CM-7(b)[2][c] +

protocols; and/or

+
+ + CM-7(b)[2][d] +

services.

+
+
+
+
+ + EXAMINE +

Configuration management policy

+

configuration management plan

+

procedures addressing least functionality in the information system

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

security configuration checklists

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with security configuration management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes prohibiting or restricting functions, ports, protocols, and/or services

+

automated mechanisms implementing restrictions or prohibition of functions, ports, protocols, and/or services

+
+ + + DoD Instruction 8551.01 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INFORMATION SYSTEM COMPONENT INVENTORY + + organization-defined information deemed necessary to achieve effective information system component accountability + organization-defined information deemed necessary to achieve effective information system component accountability + + + organization-defined frequency + organization-defined frequency + + CM-8 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + CM-8a. +

Develops and documents an inventory of information system components that:

+ + CM-8a.1. +

Accurately reflects the current information system;

+
+ + CM-8a.2. +

Includes all components within the authorization boundary of the information system;

+
+ + CM-8a.3. +

Is at the level of granularity deemed necessary for tracking and reporting; and

+
+ + CM-8a.4. +

Includes ; and

+
+
+ + CM-8b. +

Reviews and updates the information system component inventory .

+
+
+ +

Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location.

+ + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + UPDATES DURING INSTALLATIONS / REMOVALS + CM-8 (1) + MODERATE + HIGH + +

The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

+
+ +

Determine if the organization updates the inventory of information system components as an integral part of:

+ + CM-8(1)[1] +

component installations;

+
+ + CM-8(1)[2] +

component removals; and

+
+ + CM-8(1)[3] +

information system updates.

+
+
+ + EXAMINE +

Configuration management policy

+

procedures addressing information system component inventory

+

configuration management plan

+

security plan

+

information system inventory records

+

inventory reviews and update records

+

component installation records

+

component removal records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for updating the information system component inventory

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for updating inventory of information system components

+

automated mechanisms implementing updating of the information system component inventory

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + AUTOMATED UNAUTHORIZED COMPONENT DETECTION + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + CM-8 (3) + MODERATE + HIGH + +

The organization:

+ + CM-8 (3)(a) +

Employs automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system; and

+
+ + CM-8 (3)(b) +

Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies ].

+
+
+ +

This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing.

+ + + + + + + + +
+ +

Determine if the organization:

+ + CM-8(3)(a) + + CM-8(3)(a)[1] +

defines the frequency to employ automated mechanisms to detect the presence of unauthorized:

+ + CM-8(3)(a)[1][a] +

hardware components within the information system;

+
+ + CM-8(3)(a)[1][b] +

software components within the information system;

+
+ + CM-8(3)(a)[1][c] +

firmware components within the information system;

+
+
+ + CM-8(3)(a)[2] +

employs automated mechanisms with the organization-defined frequency to detect the presence of unauthorized:

+ + CM-8(3)(a)[2][a] +

hardware components within the information system;

+
+ + CM-8(3)(a)[2][b] +

software components within the information system;

+
+ + CM-8(3)(a)[2][c] +

firmware components within the information system;

+
+
+
+ + CM-8(3)(b) + + CM-8(3)(b)[1] +

defines personnel or roles to be notified when unauthorized components are detected;

+
+ + CM-8(3)(b)[2] +

takes one or more of the following actions when unauthorized components are detected:

+ + CM-8(3)(b)[2][a] +

disables network access by such components;

+
+ + CM-8(3)(b)[2][b] +

isolates the components; and/or

+
+ + CM-8(3)(b)[2][c] +

notifies organization-defined personnel or roles.

+
+
+
+
+ + EXAMINE +

Configuration management policy

+

procedures addressing information system component inventory

+

configuration management plan

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system inventory records

+

alerts/notifications of unauthorized components within the information system

+

information system monitoring records

+

change control records

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized information system component detection

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Organizational processes for detection of unauthorized information system components

+

automated mechanisms implementing the detection of unauthorized information system components

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + NO DUPLICATE ACCOUNTING OF COMPONENTS + CM-8 (5) + MODERATE + HIGH + +

The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.

+
+ +

This control enhancement addresses the potential problem of duplicate accounting of information system components in large or complex interconnected systems.

+
+ +

Determine if the organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories.

+
+ + EXAMINE +

Configuration management policy

+

procedures addressing information system component inventory

+

configuration management plan

+

security plan

+

information system inventory records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system inventory responsibilities

+

organizational personnel with responsibilities for defining information system components within the authorization boundary of the system

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for maintaining the inventory of information system components

+

automated mechanisms implementing the information system component inventory

+
+
+ +

Determine if the organization:

+ + CM-8(a) + + CM-8(a)(1) +

develops and documents an inventory of information system components that accurately reflects the current information system;

+
+ + CM-8(a)(2) +

develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system;

+
+ + CM-8(a)(3) +

develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting;

+
+ + CM-8(a)(4) + + CM-8(a)(4)[1] +

defines the information deemed necessary to achieve effective information system component accountability;

+
+ + CM-8(a)(4)[2] +

develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability;

+
+
+
+ + CM-8(b) + + CM-8(b)[1] +

defines the frequency to review and update the information system component inventory; and

+
+ + CM-8(b)[2] +

reviews and updates the information system component inventory with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Configuration management policy

+

procedures addressing information system component inventory

+

configuration management plan

+

security plan

+

information system inventory records

+

inventory reviews and update records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for information system component inventory

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for developing and documenting an inventory of information system components

+

automated mechanisms supporting and/or implementing the information system component inventory

+
+ + + NIST Special Publication 800-128 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + CONFIGURATION MANAGEMENT PLAN + CM-9 + P1 + MODERATE + HIGH + +

The organization develops, documents, and implements a configuration management plan for the information system that:

+ + CM-9a. +

Addresses roles, responsibilities, and configuration management processes and procedures;

+
+ + CM-9b. +

Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;

+
+ + CM-9c. +

Defines the configuration items for the information system and places the configuration items under configuration management; and

+
+ + CM-9d. +

Protects the configuration management plan from unauthorized disclosure and modification.

+
+
+ +

Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control.

+ + + + + + +
+ +

Determine if the organization develops, documents, and implements a configuration management plan for the information system that:

+ + CM-9(a) + + CM-9(a)[1] +

addresses roles;

+
+ + CM-9(a)[2] +

addresses responsibilities;

+
+ + CM-9(a)[3] +

addresses configuration management processes and procedures;

+
+
+ + CM-9(b) +

establishes a process for:

+ + CM-9(b)[1] +

identifying configuration items throughout the SDLC;

+
+ + CM-9(b)[2] +

managing the configuration of the configuration items;

+
+
+ + CM-9(c) + + CM-9(c)[1] +

defines the configuration items for the information system;

+
+ + CM-9(c)[2] +

places the configuration items under configuration management;

+
+
+ + CM-9(d) +

protects the configuration management plan from unauthorized:

+ + CM-9(d)[1] +

disclosure; and

+
+ + CM-9(d)[2] +

modification.

+
+
+
+ + EXAMINE +

Configuration management policy

+

procedures addressing configuration management planning

+

configuration management plan

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for developing the configuration management plan

+

organizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan

+

organizational personnel with responsibilities for protecting the configuration management plan

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for developing and documenting the configuration management plan

+

organizational processes for identifying and managing configuration items

+

organizational processes for protecting the configuration management plan

+

automated mechanisms implementing the configuration management plan

+

automated mechanisms for managing configuration items

+

automated mechanisms for protecting the configuration management plan

+
+ + + NIST Special Publication 800-128 + + +
+
+ + CONTINGENCY PLANNING + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + CONTINGENCY PLANNING POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + CP-1 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + CP-1a. +

Develops, documents, and disseminates to :

+ + CP-1a.1. +

A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + CP-1a.2. +

Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and

+
+
+ + CP-1b. +

Reviews and updates the current:

+ + CP-1b.1. +

Contingency planning policy ; and

+
+ + CP-1b.2. +

Contingency planning procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if:

+ + CP-1(a)(1) + + CP-1(a)(1)[1] +

the organization develops and documents a contingency planning policy that addresses:

+ + CP-1(a)(1)[1][a] +

purpose;

+
+ + CP-1(a)(1)[1][b] +

scope;

+
+ + CP-1(a)(1)[1][c] +

roles;

+
+ + CP-1(a)(1)[1][d] +

responsibilities;

+
+ + CP-1(a)(1)[1][e] +

management commitment;

+
+ + CP-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + CP-1(a)(1)[1][g] +

compliance;

+
+
+ + CP-1(a)(1)[2] +

the organization defines personnel or roles to whom the contingency planning policy is to be disseminated;

+
+ + CP-1(a)(1)[3] +

the organization disseminates the contingency planning policy to organization-defined personnel or roles;

+
+
+ + CP-1(a)(2) + + CP-1(a)(2)[1] +

the organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls;

+
+ + CP-1(a)(2)[2] +

the organization defines personnel or roles to whom the procedures are to be disseminated;

+
+ + CP-1(a)(2)[3] +

the organization disseminates the procedures to organization-defined personnel or roles;

+
+
+ + CP-1(b)(1) + + CP-1(b)(1)[1] +

the organization defines the frequency to review and update the current contingency planning policy;

+
+ + CP-1(b)(1)[2] +

the organization reviews and updates the current contingency planning with the organization-defined frequency;

+
+
+ + CP-1(b)(2) + + CP-1(b)(2)[1] +

the organization defines the frequency to review and update the current contingency planning procedures; and

+
+ + CP-1(b)(2)[2] +

the organization reviews and updates the current contingency planning procedures with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Contingency planning policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency planning responsibilities

+

organizational personnel with information security responsibilities

+
+ + + Federal Continuity Directive 1 + + + NIST Special Publication 800-12 + + + NIST Special Publication 800-34 + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INFORMATION SYSTEM RECOVERY AND RECONSTITUTION + CP-10 + P1 + LOW + MODERATE + HIGH + +

The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

+
+ +

Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures.

+ + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + TRANSACTION RECOVERY + CP-10 (2) + MODERATE + HIGH + +

The information system implements transaction recovery for systems that are transaction-based.

+
+ +

Transaction-based information systems include, for example, database management systems and transaction processing systems. Mechanisms supporting transaction recovery include, for example, transaction rollback and transaction journaling.

+
+ +

Determine if the information system implements transaction recovery for systems that are transaction-based.

+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing information system recovery and reconstitution

+

contingency plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

contingency plan test documentation

+

contingency plan test results

+

information system transaction recovery records

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for transaction recovery

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms supporting and/or implementing transaction recovery capability

+
+
+ +

Determine if the organization provides for:

+ + CP-10[1] +

the recovery of the information system to a known state after:

+ + CP-10[1][a] +

a disruption;

+
+ + CP-10[1][b] +

a compromise; or

+
+ + CP-10[1][c] +

a failure;

+
+
+ + CP-10[2] +

the reconstitution of the information system to a known state after:

+ + CP-10[2][a] +

a disruption;

+
+ + CP-10[2][b] +

a compromise; or

+
+ + CP-10[2][c] +

a failure.

+
+
+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing information system backup

+

contingency plan

+

information system backup test results

+

contingency plan test results

+

contingency plan test documentation

+

redundant secondary system for information system backups

+

location(s) of redundant secondary backup system(s)

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes implementing information system recovery and reconstitution operations

+

automated mechanisms supporting and/or implementing information system recovery and reconstitution operations

+
+ + + Federal Continuity Directive 1 + + + NIST Special Publication 800-34 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + CONTINGENCY PLAN + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + + + organization-defined frequency + organization-defined frequency + + + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + + CP-2 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + CP-2a. +

Develops a contingency plan for the information system that:

+ + CP-2a.1. +

Identifies essential missions and business functions and associated contingency requirements;

+
+ + CP-2a.2. +

Provides recovery objectives, restoration priorities, and metrics;

+
+ + CP-2a.3. +

Addresses contingency roles, responsibilities, assigned individuals with contact information;

+
+ + CP-2a.4. +

Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;

+
+ + CP-2a.5. +

Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and

+
+ + CP-2a.6. +

Is reviewed and approved by ;

+
+
+ + CP-2b. +

Distributes copies of the contingency plan to ;

+
+ + CP-2c. +

Coordinates contingency planning activities with incident handling activities;

+
+ + CP-2d. +

Reviews the contingency plan for the information system ;

+
+ + CP-2e. +

Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

+
+ + CP-2f. +

Communicates contingency plan changes to ; and

+
+ + CP-2g. +

Protects the contingency plan from unauthorized disclosure and modification.

+
+
+ +

Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident.

+ + + + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + COORDINATE WITH RELATED PLANS + CP-2 (1) + MODERATE + HIGH + +

The organization coordinates contingency plan development with organizational elements responsible for related plans.

+
+ +

Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant Emergency Plans.

+
+ +

Determine if the organization coordinates contingency plan development with organizational elements responsible for related plans.

+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing contingency operations for the information system

+

contingency plan

+

business contingency plans

+

disaster recovery plans

+

continuity of operations plans

+

crisis communications plans

+

critical infrastructure plans

+

cyber incident response plan

+

insider threat implementation plans

+

occupant emergency plans

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel with information security responsibilities

+

personnel with responsibility for related plans

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS + + organization-defined time period + organization-defined time period + + CP-2 (3) + MODERATE + HIGH + +

The organization plans for the resumption of essential missions and business functions within of contingency plan activation.

+
+ +

Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure.

+ +
+ +

Determine if the organization:

+ + CP-2(3)[1] +

defines the time period to plan for the resumption of essential missions and business functions as a result of contingency plan activation; and

+
+ + CP-2(3)[2] +

plans for the resumption of essential missions and business functions within organization-defined time period of contingency plan activation.

+
+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing contingency operations for the information system

+

contingency plan

+

security plan

+

business impact assessment

+

other related plans

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for resumption of missions and business functions

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + IDENTIFY CRITICAL ASSETS + CP-2 (8) + MODERATE + HIGH + +

The organization identifies critical information system assets supporting essential missions and business functions.

+
+ +

Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets.

+ + +
+ +

Determine if the organization identifies critical information system assets supporting essential missions and business functions.

+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing contingency operations for the information system

+

contingency plan

+

business impact assessment

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel with information security responsibilities

+
+
+ +

Determine if the organization:

+ + CP-2(a) +

develops and documents a contingency plan for the information system that:

+ + CP-2(a)(1) +

identifies essential missions and business functions and associated contingency requirements;

+
+ + CP-2(a)(2) + + CP-2(a)(2)[1] +

provides recovery objectives;

+
+ + CP-2(a)(2)[2] +

provides restoration priorities;

+
+ + CP-2(a)(2)[3] +

provides metrics;

+
+
+ + CP-2(a)(3) + + CP-2(a)(3)[1] +

addresses contingency roles;

+
+ + CP-2(a)(3)[2] +

addresses contingency responsibilities;

+
+ + CP-2(a)(3)[3] +

addresses assigned individuals with contact information;

+
+
+ + CP-2(a)(4) +

addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;

+
+ + CP-2(a)(5) +

addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented;

+
+ + CP-2(a)(6) + + CP-2(a)(6)[1] +

defines personnel or roles to review and approve the contingency plan for the information system;

+
+ + CP-2(a)(6)[2] +

is reviewed and approved by organization-defined personnel or roles;

+
+
+
+ + CP-2(b) + + CP-2(b)[1] +

defines key contingency personnel (identified by name and/or by role) and organizational elements to whom copies of the contingency plan are to be distributed;

+
+ + CP-2(b)[2] +

distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements;

+
+
+ + CP-2(c) +

coordinates contingency planning activities with incident handling activities;

+
+ + CP-2(d) + + CP-2(d)[1] +

defines a frequency to review the contingency plan for the information system;

+
+ + CP-2(d)[2] +

reviews the contingency plan with the organization-defined frequency;

+
+
+ + CP-2(e) +

updates the contingency plan to address:

+ + CP-2(e)[1] +

changes to the organization, information system, or environment of operation;

+
+ + CP-2(e)[2] +

problems encountered during plan implementation, execution, and testing;

+
+
+ + CP-2(f) + + CP-2(f)[1] +

defines key contingency personnel (identified by name and/or by role) and organizational elements to whom contingency plan changes are to be communicated;

+
+ + CP-2(f)[2] +

communicates contingency plan changes to organization-defined key contingency personnel and organizational elements; and

+
+
+ + CP-2(g) +

protects the contingency plan from unauthorized disclosure and modification.

+
+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing contingency operations for the information system

+

contingency plan

+

security plan

+

evidence of contingency plan reviews and updates

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency planning and plan implementation responsibilities

+

organizational personnel with incident handling responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for contingency plan development, review, update, and protection

+

automated mechanisms for developing, reviewing, updating and/or protecting the contingency plan

+
+ + + Federal Continuity Directive 1 + + + NIST Special Publication 800-34 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + CONTINGENCY TRAINING + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + CP-3 + P2 + LOW + MODERATE + HIGH + +

The organization provides contingency training to information system users consistent with assigned roles and responsibilities:

+ + CP-3a. +

Within of assuming a contingency role or responsibility;

+
+ + CP-3b. +

When required by information system changes; and

+
+ + CP-3c. +

+ thereafter.

+
+
+ +

Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan.

+ + + + +
+ +

Determine if the organization:

+ + CP-3(a) + + CP-3(a)[1] +

defines a time period within which contingency training is to be provided to information system users assuming a contingency role or responsibility;

+
+ + CP-3(a)[2] +

provides contingency training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming a contingency role or responsibility;

+
+
+ + CP-3(b) +

provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes;

+
+ + CP-3(c) + + CP-3(c)[1] +

defines the frequency for contingency training thereafter; and

+
+ + CP-3(c)[2] +

provides contingency training to information system users consistent with assigned roles and responsibilities with the organization-defined frequency thereafter.

+
+
+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing contingency training

+

contingency plan

+

contingency training curriculum

+

contingency training material

+

security plan

+

contingency training records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency planning, plan implementation, and training responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for contingency training

+
+ + + Federal Continuity Directive 1 + + + NIST Special Publication 800-16 + + + NIST Special Publication 800-50 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + CONTINGENCY PLAN TESTING + + organization-defined frequency + organization-defined frequency + + + organization-defined tests + organization-defined tests + + CP-4 + P2 + LOW + MODERATE + HIGH + +

The organization:

+ + CP-4a. +

Tests the contingency plan for the information system using to determine the effectiveness of the plan and the organizational readiness to execute the plan;

+
+ + CP-4b. +

Reviews the contingency plan test results; and

+
+ + CP-4c. +

Initiates corrective actions, if needed.

+
+
+ +

Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

+ + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + COORDINATE WITH RELATED PLANS + CP-4 (1) + MODERATE + HIGH + +

The organization coordinates contingency plan testing with organizational elements responsible for related plans.

+
+ +

Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements.

+ + +
+ +

Determine if the organization coordinates contingency plan testing with organizational elements responsible for related plans.

+
+ + EXAMINE +

Contingency planning policy

+

incident response policy

+

procedures addressing contingency plan testing

+

contingency plan testing documentation

+

contingency plan

+

business continuity plans

+

disaster recovery plans

+

continuity of operations plans

+

crisis communications plans

+

critical infrastructure plans

+

cyber incident response plans

+

occupant emergency plans

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency plan testing responsibilities

+

organizational personnel

+

personnel with responsibilities for related plans

+

organizational personnel with information security responsibilities

+
+
+ +

Determine if the organization:

+ + CP-4(a) + + CP-4(a)[1] +

defines tests to determine the effectiveness of the contingency plan and the organizational readiness to execute the plan;

+
+ + CP-4(a)[2] +

defines a frequency to test the contingency plan for the information system;

+
+ + CP-4(a)[3] +

tests the contingency plan for the information system with the organization-defined frequency, using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan;

+
+
+ + CP-4(b) +

reviews the contingency plan test results; and

+
+ + CP-4(c) +

initiates corrective actions, if needed.

+
+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing contingency plan testing

+

contingency plan

+

security plan

+

contingency plan test documentation

+

contingency plan test results

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for contingency plan testing, reviewing or responding to contingency plan tests

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for contingency plan testing

+

automated mechanisms supporting the contingency plan and/or contingency plan testing

+
+ + + Federal Continuity Directive 1 + + + FIPS Publication 199 + + + NIST Special Publication 800-34 + + + NIST Special Publication 800-84 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + ALTERNATE STORAGE SITE + CP-6 + P1 + MODERATE + HIGH + +

The organization:

+ + CP-6a. +

Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and

+
+ + CP-6b. +

Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.

+
+
+ +

Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems.

+ + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + SEPARATION FROM PRIMARY SITE + CP-6 (1) + MODERATE + HIGH + +

The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

+
+ +

Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.

+ +
+ +

Determine if the organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing alternate storage sites

+

contingency plan

+

alternate storage site

+

alternate storage site agreements

+

primary storage site agreements

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency plan alternate storage site responsibilities

+

organizational personnel with information system recovery responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + ACCESSIBILITY + CP-6 (3) + MODERATE + HIGH + +

The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

+
+ +

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include, for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.

+ +
+ +

Determine if the organization:

+ + CP-6(3)[1] +

identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster; and

+
+ + CP-6(3)[2] +

outlines explicit mitigation actions for such potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.

+
+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing alternate storage sites

+

contingency plan

+

alternate storage site

+

list of potential accessibility problems to alternate storage site

+

mitigation actions for accessibility problems to alternate storage site

+

organizational risk assessments

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency plan alternate storage site responsibilities

+

organizational personnel with information system recovery responsibilities

+

organizational personnel with information security responsibilities

+
+
+ +

Determine if the organization:

+ + CP-6[1] +

establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and

+
+ + CP-6[2] +

ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.

+
+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing alternate storage sites

+

contingency plan

+

alternate storage site agreements

+

primary storage site agreements

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency plan alternate storage site responsibilities

+

organizational personnel with information system recovery responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for storing and retrieving information system backup information at the alternate storage site

+

automated mechanisms supporting and/or implementing storage and retrieval of information system backup information at the alternate storage site

+
+ + + NIST Special Publication 800-34 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + ALTERNATE PROCESSING SITE + + organization-defined information system operations + organization-defined information system operations + + + organization-defined time period consistent with recovery time and recovery point objectives + organization-defined time period consistent with recovery time and recovery point objectives + + CP-7 + P1 + MODERATE + HIGH + +

The organization:

+ + CP-7a. +

Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of for essential missions/business functions within when the primary processing capabilities are unavailable;

+
+ + CP-7b. +

Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and

+
+ + CP-7c. +

Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.

+
+
+ +

Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems.

+ + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + SEPARATION FROM PRIMARY SITE + CP-7 (1) + MODERATE + HIGH + +

The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.

+
+ +

Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.

+ +
+ +

Determine if the organization identifies an alternate processing site that is separated from the primary storage site to reduce susceptibility to the same threats.

+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing alternate processing sites

+

contingency plan

+

alternate processing site

+

alternate processing site agreements

+

primary processing site agreements

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency plan alternate processing site responsibilities

+

organizational personnel with information system recovery responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + ACCESSIBILITY + CP-7 (2) + MODERATE + HIGH + +

The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

+
+ +

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk.

+ +
+ +

Determine if the organization:

+ + CP-7(2)[1] +

identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster; and

+
+ + CP-7(2)[2] +

outlines explicit mitigation actions for such potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.

+
+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing alternate processing sites

+

contingency plan

+

alternate processing site

+

alternate processing site agreements

+

primary processing site agreements

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency plan alternate processing site responsibilities

+

organizational personnel with information system recovery responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PRIORITY OF SERVICE + CP-7 (3) + MODERATE + HIGH + +

The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

+
+ +

Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site.

+
+ +

Determine if the organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan).

+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing alternate processing sites

+

contingency plan

+

alternate processing site agreements

+

service-level agreements

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency plan alternate processing site responsibilities

+

organizational personnel with information system recovery responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibility for acquisitions/contractual agreements

+
+
+ +

Determine if the organization:

+ + CP-7(a) + + CP-7(a)[1] +

defines information system operations requiring an alternate processing site to be established to permit the transfer and resumption of such operations;

+
+ + CP-7(a)[2] +

defines the time period consistent with recovery time objectives and recovery point objectives (as specified in the information system contingency plan) for transfer/resumption of organization-defined information system operations for essential missions/business functions;

+
+ + CP-7(a)[3] +

establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions, within the organization-defined time period, when the primary processing capabilities are unavailable;

+
+
+ + CP-7(b) + + CP-7(b)[1] +

ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site; or

+
+ + CP-7(b)[2] +

ensures that contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and

+
+
+ + CP-7(c) +

ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.

+
+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing alternate processing sites

+

contingency plan

+

alternate processing site agreements

+

primary processing site agreements

+

spare equipment and supplies inventory at alternate processing site

+

equipment and supply contracts

+

service-level agreements

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for contingency planning and/or alternate site arrangements

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for recovery at the alternate site

+

automated mechanisms supporting and/or implementing recovery at the alternate processing site

+
+ + + NIST Special Publication 800-34 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + TELECOMMUNICATIONS SERVICES + + organization-defined information system operations + organization-defined information system operations + + + organization-defined time period + organization-defined time period + + CP-8 + P1 + MODERATE + HIGH + +

The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of for essential missions and business functions within when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

+
+ +

This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.

+ + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PRIORITY OF SERVICE PROVISIONS + CP-8 (1) + MODERATE + HIGH + +

The organization:

+ + CP-8 (1)(a) +

Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and

+
+ + CP-8 (1)(b) +

Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

+
+
+ +

Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions.

+
+ +

Determine if the organization:

+ + CP-8(1)[1] +

develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan); and

+
+ + CP-8(1)[2] +

requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

+
+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing primary and alternate telecommunications services

+

contingency plan

+

primary and alternate telecommunications service agreements

+

Telecommunications Service Priority documentation

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency plan telecommunications responsibilities

+

organizational personnel with information system recovery responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibility for acquisitions/contractual agreements

+
+ + TEST +

Automated mechanisms supporting telecommunications

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + SINGLE POINTS OF FAILURE + CP-8 (2) + MODERATE + HIGH + +

The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

+
+ +

Determine if the organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing primary and alternate telecommunications services

+

contingency plan

+

primary and alternate telecommunications service agreements

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency plan telecommunications responsibilities

+

organizational personnel with information system recovery responsibilities

+

primary and alternate telecommunications service providers

+

organizational personnel with information security responsibilities

+
+
+ +

Determine if the organization:

+ + CP-8[1] +

defines information system operations requiring alternate telecommunications services to be established to permit the resumption of such operations;

+
+ + CP-8[2] +

defines the time period to permit resumption of organization-defined information system operations for essential missions and business functions; and

+
+ + CP-8[3] +

establishes alternate telecommunications services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions and business functions, within the organization-defined time period, when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

+
+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing alternate telecommunications services

+

contingency plan

+

primary and alternate telecommunications service agreements

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with contingency plan telecommunications responsibilities

+

organizational personnel with information system recovery responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibility for acquisitions/contractual agreements

+
+ + TEST +

Automated mechanisms supporting telecommunications

+
+ + + NIST Special Publication 800-34 + + + National Communications Systems Directive 3-10 + + + http://www.dhs.gov/telecommunications-service-priority-tsp + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INFORMATION SYSTEM BACKUP + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + CP-9 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + CP-9a. +

Conducts backups of user-level information contained in the information system ;

+
+ + CP-9b. +

Conducts backups of system-level information contained in the information system ;

+
+ + CP-9c. +

Conducts backups of information system documentation including security-related documentation ; and

+
+ + CP-9d. +

Protects the confidentiality, integrity, and availability of backup information at storage locations.

+
+
+ +

System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.

+ + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + TESTING FOR RELIABILITY / INTEGRITY + + organization-defined frequency + organization-defined frequency + + CP-9 (1) + MODERATE + HIGH + +

The organization tests backup information to verify media reliability and information integrity.

+
+ + + + +

Determine if the organization:

+ + CP-9(1)[1] +

defines the frequency to test backup information to verify media reliability and information integrity; and

+
+ + CP-9(1)[2] +

tests backup information with the organization-defined frequency to verify media reliability and information integrity.

+
+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing information system backup

+

contingency plan

+

information system backup test results

+

contingency plan test documentation

+

contingency plan test results

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system backup responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for conducting information system backups

+

automated mechanisms supporting and/or implementing information system backups

+
+
+ +

Determine if the organization:

+ + CP-9(a) + + CP-9(a)[1] +

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system;

+
+ + CP-9(a)[2] +

conducts backups of user-level information contained in the information system with the organization-defined frequency;

+
+
+ + CP-9(b) + + CP-9(b)[1] +

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system;

+
+ + CP-9(b)[2] +

conducts backups of system-level information contained in the information system with the organization-defined frequency;

+
+
+ + CP-9(c) + + CP-9(c)[1] +

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation;

+
+ + CP-9(c)[2] +

conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency; and

+
+
+ + CP-9(d) +

protects the confidentiality, integrity, and availability of backup information at storage locations.

+
+
+ + EXAMINE +

Contingency planning policy

+

procedures addressing information system backup

+

contingency plan

+

backup storage location(s)

+

information system backup logs or records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system backup responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for conducting information system backups

+

automated mechanisms supporting and/or implementing information system backups

+
+ + + NIST Special Publication 800-34 + + +
+
+ + IDENTIFICATION AND AUTHENTICATION + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + IA-1 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + IA-1a. +

Develops, documents, and disseminates to :

+ + IA-1a.1. +

An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + IA-1a.2. +

Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and

+
+
+ + IA-1b. +

Reviews and updates the current:

+ + IA-1b.1. +

Identification and authentication policy ; and

+
+ + IA-1b.2. +

Identification and authentication procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if the organization:

+ + IA-1(a)(1) + + IA-1(a)(1)[1] +

develops and documents an identification and authentication policy that addresses:

+ + IA-1(a)(1)[1][a] +

purpose;

+
+ + IA-1(a)(1)[1][b] +

scope;

+
+ + IA-1(a)(1)[1][c] +

roles;

+
+ + IA-1(a)(1)[1][d] +

responsibilities;

+
+ + IA-1(a)(1)[1][e] +

management commitment;

+
+ + IA-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + IA-1(a)(1)[1][g] +

compliance;

+
+
+ + IA-1(a)(1)[2] +

defines personnel or roles to whom the identification and authentication policy is to be disseminated; and

+
+ + IA-1(a)(1)[3] +

disseminates the identification and authentication policy to organization-defined personnel or roles;

+
+
+ + IA-1(a)(2) + + IA-1(a)(2)[1] +

develops and documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls;

+
+ + IA-1(a)(2)[2] +

defines personnel or roles to whom the procedures are to be disseminated;

+
+ + IA-1(a)(2)[3] +

disseminates the procedures to organization-defined personnel or roles;

+
+
+ + IA-1(b)(1) + + IA-1(b)(1)[1] +

defines the frequency to review and update the current identification and authentication policy;

+
+ + IA-1(b)(1)[2] +

reviews and updates the current identification and authentication policy with the organization-defined frequency; and

+
+
+ + IA-1(b)(2) + + IA-1(b)(2)[1] +

defines the frequency to review and update the current identification and authentication procedures; and

+
+ + IA-1(b)(2)[2] +

reviews and updates the current identification and authentication procedures with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Identification and authentication policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with identification and authentication responsibilities

+

organizational personnel with information security responsibilities

+
+ + + FIPS Publication 201 + + + NIST Special Publication 800-12 + + + NIST Special Publication 800-63 + + + NIST Special Publication 800-73 + + + NIST Special Publication 800-76 + + + NIST Special Publication 800-78 + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) + IA-2 + P1 + LOW + MODERATE + HIGH + +

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

+
+ +

Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. +Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. 
Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.

+ + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + NETWORK ACCESS TO PRIVILEGED ACCOUNTS + IA-2 (1) + LOW + MODERATE + HIGH + +

The information system implements multifactor authentication for network access to privileged accounts.

+
+ + + + +

Determine if the information system implements multifactor authentication for network access to privileged accounts.

+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

list of information system accounts

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms supporting and/or implementing multifactor authentication capability

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS + IA-2 (2) + MODERATE + HIGH + +

The information system implements multifactor authentication for network access to non-privileged accounts.

+
+ +

Determine if the information system implements multifactor authentication for network access to non-privileged accounts.

+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

list of information system accounts

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms supporting and/or implementing multifactor authentication capability

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + LOCAL ACCESS TO PRIVILEGED ACCOUNTS + IA-2 (3) + MODERATE + HIGH + +

The information system implements multifactor authentication for local access to privileged accounts.

+
+ + + + +

Determine if the information system implements multifactor authentication for local access to privileged accounts.

+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

list of information system accounts

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms supporting and/or implementing multifactor authentication capability

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT + IA-2 (8) + MODERATE + HIGH + +

The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

+
+ +

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.

+
+ +

Determine if the information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

list of privileged information system accounts

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms supporting and/or implementing identification and authentication capability

+

automated mechanisms supporting and/or implementing replay resistant authentication mechanisms

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + REMOTE ACCESS - SEPARATE DEVICE + + organization-defined strength of mechanism requirements + organization-defined strength of mechanism requirements + + IA-2 (11) + MODERATE + HIGH + +

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets .

+
+ +

For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.

+ +
+ +

Determine if:

+ + IA-2(11)[1] +

the information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access;

+
+ + IA-2(11)[2] +

the information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access;

+
+ + IA-2(11)[3] +

the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to privileged accounts;

+
+ + IA-2(11)[4] +

the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to non-privileged accounts;

+
+ + IA-2(11)[5] +

the information system implements multifactor authentication for remote access to privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements; and

+
+ + IA-2(11)[6] +

the information system implements multifactor authentication for remote access to non-privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements.

+
+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

list of privileged and non-privileged information system accounts

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms supporting and/or implementing identification and authentication capability

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + ACCEPTANCE OF PIV CREDENTIALS + IA-2 (12) + LOW + MODERATE + HIGH + +

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

+
+ +

This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

+ + + +
+ +

Determine if the information system:

+ + IA-2(12)[1] +

accepts Personal Identity Verification (PIV) credentials; and

+
+ + IA-2(12)[2] +

electronically verifies Personal Identity Verification (PIV) credentials.

+
+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

PIV verification records

+

evidence of PIV credentials

+

PIV credential authorizations

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system operations responsibilities

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms supporting and/or implementing acceptance and verification of PIV credentials

+
+
+ +

Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

list of information system accounts

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

organizational personnel with account management responsibilities

+

system developers

+
+ + TEST +

Organizational processes for uniquely identifying and authenticating users

+

automated mechanisms supporting and/or implementing identification and authentication capability

+
+ + + HSPD-12 + + + OMB Memorandum 04-04 + + + OMB Memorandum 06-16 + + + OMB Memorandum 11-11 + + + FIPS Publication 201 + + + NIST Special Publication 800-63 + + + NIST Special Publication 800-73 + + + NIST Special Publication 800-76 + + + NIST Special Publication 800-78 + + + FICAM Roadmap and Implementation Guidance + + + http://idmanagement.gov + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + DEVICE IDENTIFICATION AND AUTHENTICATION + + organization-defined specific and/or types of devices + organization-defined specific and/or types of devices + + IA-3 + P1 + MODERATE + HIGH + +

The information system uniquely identifies and authenticates before establishing a [Selection (one or more): local; remote; network] connection.

+
+ +

Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability.

+ + + + + + +
+ +

Determine if:

+ + IA-3[1] +

the organization defines specific and/or types of devices that the information system uniquely identifies and authenticates before establishing one or more of the following:

+ + IA-3[1][a] +

a local connection;

+
+ + IA-3[1][b] +

a remote connection; and/or

+
+ + IA-3[1][c] +

a network connection; and

+
+
+ + IA-3[2] +

the information system uniquely identifies and authenticates organization-defined devices before establishing one or more of the following:

+ + IA-3[2][a] +

a local connection;

+
+ + IA-3[2][b] +

a remote connection; and/or

+
+ + IA-3[2][c] +

a network connection.

+
+
+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing device identification and authentication

+

information system design documentation

+

list of devices requiring unique identification and authentication

+

device connection reports

+

information system configuration settings and associated documentation

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with operational responsibilities for device identification and authentication

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms supporting and/or implementing device identification and authentication capability

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + IDENTIFIER MANAGEMENT + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined time period of inactivity + organization-defined time period of inactivity + + IA-4 + P1 + LOW + MODERATE + HIGH + +

The organization manages information system identifiers by:

+ + IA-4a. +

Receiving authorization from to assign an individual, group, role, or device identifier;

+
+ + IA-4b. +

Selecting an identifier that identifies an individual, group, role, or device;

+
+ + IA-4c. +

Assigning the identifier to the intended individual, group, role, or device;

+
+ + IA-4d. +

Preventing reuse of identifiers for ; and

+
+ + IA-4e. +

Disabling the identifier after .

+
+
+ +

Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.

+ + + + + + +
+ +

Determine if the organization manages information system identifiers by:

+ + IA-4(a) + + IA-4(a)[1] +

defining personnel or roles from whom authorization must be received to assign:

+ + IA-4(a)[1][a] +

an individual identifier;

+
+ + IA-4(a)[1][b] +

a group identifier;

+
+ + IA-4(a)[1][c] +

a role identifier; and/or

+
+ + IA-4(a)[1][d] +

a device identifier;

+
+
+ + IA-4(a)[2] +

receiving authorization from organization-defined personnel or roles to assign:

+ + IA-4(a)[2][a] +

an individual identifier;

+
+ + IA-4(a)[2][b] +

a group identifier;

+
+ + IA-4(a)[2][c] +

a role identifier; and/or

+
+ + IA-4(a)[2][d] +

a device identifier;

+
+
+
+ + IA-4(b) +

selecting an identifier that identifies:

+ + IA-4(b)[1] +

an individual;

+
+ + IA-4(b)[2] +

a group;

+
+ + IA-4(b)[3] +

a role; and/or

+
+ + IA-4(b)[4] +

a device;

+
+
+ + IA-4(c) +

assigning the identifier to the intended:

+ + IA-4(c)[1] +

individual;

+
+ + IA-4(c)[2] +

group;

+
+ + IA-4(c)[3] +

role; and/or

+
+ + IA-4(c)[4] +

device;

+
+
+ + IA-4(d) + + IA-4(d)[1] +

defining a time period for preventing reuse of identifiers;

+
+ + IA-4(d)[2] +

preventing reuse of identifiers for the organization-defined time period;

+
+
+ + IA-4(e) + + IA-4(e)[1] +

defining a time period of inactivity to disable the identifier; and

+
+ + IA-4(e)[2] +

disabling the identifier after the organization-defined time period of inactivity.

+
+
+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing identifier management

+

procedures addressing account management

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

list of information system accounts

+

list of identifiers generated from physical access control devices

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with identifier management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms supporting and/or implementing identifier management

+
+ + + FIPS Publication 201 + + + NIST Special Publication 800-73 + + + NIST Special Publication 800-76 + + + NIST Special Publication 800-78 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + AUTHENTICATOR MANAGEMENT + + organization-defined time period by authenticator type + organization-defined time period by authenticator type + + IA-5 + P1 + LOW + MODERATE + HIGH + +

The organization manages information system authenticators by:

+ + IA-5a. +

Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;

+
+ + IA-5b. +

Establishing initial authenticator content for authenticators defined by the organization;

+
+ + IA-5c. +

Ensuring that authenticators have sufficient strength of mechanism for their intended use;

+
+ + IA-5d. +

Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;

+
+ + IA-5e. +

Changing default content of authenticators prior to information system installation;

+
+ + IA-5f. +

Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;

+
+ + IA-5g. +

Changing/refreshing authenticators ;

+
+ + IA-5h. +

Protecting authenticator content from unauthorized disclosure and modification;

+
+ + IA-5i. +

Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and

+
+ + IA-5j. +

Changing authenticators for group/role accounts when membership to those accounts changes.

+
+
+ +

Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.

+ + + + + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PASSWORD-BASED AUTHENTICATION + + organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type + organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type + + + organization-defined number + organization-defined number + + + organization-defined numbers for lifetime minimum, lifetime maximum + organization-defined numbers for lifetime minimum, lifetime maximum + + + organization-defined number + organization-defined number + + IA-5 (1) + LOW + MODERATE + HIGH + +

The information system, for password-based authentication:

+ + IA-5 (1)(a) +

Enforces minimum password complexity of ;

+
+ + IA-5 (1)(b) +

Enforces at least the following number of changed characters when new passwords are created: ;

+
+ + IA-5 (1)(c) +

Stores and transmits only cryptographically-protected passwords;

+
+ + IA-5 (1)(d) +

Enforces password minimum and maximum lifetime restrictions of ;

+
+ + IA-5 (1)(e) +

Prohibits password reuse for generations; and

+
+ + IA-5 (1)(f) +

Allows the use of a temporary password for system logons with an immediate change to a permanent password.

+
+
+ +

This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.

+ +
+ +

Determine if, for password-based authentication:

+ + IA-5(1)(a) + + IA-5(1)(a)[1] +

the organization defines requirements for case sensitivity;

+
+ + IA-5(1)(a)[2] +

the organization defines requirements for number of characters;

+
+ + IA-5(1)(a)[3] +

the organization defines requirements for the mix of upper-case letters, lower-case letters, numbers and special characters;

+
+ + IA-5(1)(a)[4] +

the organization defines minimum requirements for each type of character;

+
+ + IA-5(1)(a)[5] +

the information system enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;

+
+
+ + IA-5(1)(b) + + IA-5(1)(b)[1] +

the organization defines a minimum number of changed characters to be enforced when new passwords are created;

+
+ + IA-5(1)(b)[2] +

the information system enforces at least the organization-defined minimum number of characters that must be changed when new passwords are created;

+
+
+ + IA-5(1)(c) +

the information system stores and transmits only encrypted representations of passwords;

+
+ + IA-5(1)(d) + + IA-5(1)(d)[1] +

the organization defines numbers for password minimum lifetime restrictions to be enforced for passwords;

+
+ + IA-5(1)(d)[2] +

the organization defines numbers for password maximum lifetime restrictions to be enforced for passwords;

+
+ + IA-5(1)(d)[3] +

the information system enforces password minimum lifetime restrictions of organization-defined numbers for lifetime minimum;

+
+ + IA-5(1)(d)[4] +

the information system enforces password maximum lifetime restrictions of organization-defined numbers for lifetime maximum;

+
+
+ + IA-5(1)(e) + + IA-5(1)(e)[1] +

the organization defines the number of password generations to be prohibited from password reuse;

+
+ + IA-5(1)(e)[2] +

the information system prohibits password reuse for the organization-defined number of generations; and

+
+
+ + IA-5(1)(f) +

the information system allows the use of a temporary password for system logons with an immediate change to a permanent password.

+
+
+ + EXAMINE +

Identification and authentication policy

+

password policy

+

procedures addressing authenticator management

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

password configurations and associated documentation

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with authenticator management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms supporting and/or implementing password-based authenticator management capability

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PKI-BASED AUTHENTICATION + IA-5 (2) + MODERATE + HIGH + +

The information system, for PKI-based authentication:

+ + IA-5 (2)(a) +

Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;

+
+ + IA-5 (2)(b) +

Enforces authorized access to the corresponding private key;

+
+ + IA-5 (2)(c) +

Maps the authenticated identity to the account of the individual or group; and

+
+ + IA-5 (2)(d) +

Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

+
+
+ +

Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing.

+ +
+ +

Determine if the information system, for PKI-based authentication:

+ + IA-5(2)(a) + + IA-5(2)(a)[1] +

validates certifications by constructing a certification path to an accepted trust anchor;

+
+ + IA-5(2)(a)[2] +

validates certifications by verifying a certification path to an accepted trust anchor;

+
+ + IA-5(2)(a)[3] +

includes checking certificate status information when constructing and verifying the certification path;

+
+
+ + IA-5(2)(b) +

enforces authorized access to the corresponding private key;

+
+ + IA-5(2)(c) +

maps the authenticated identity to the account of the individual or group; and

+
+ + IA-5(2)(d) +

implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

+
+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing authenticator management

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

PKI certification validation records

+

PKI certification revocation lists

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with PKI-based, authenticator management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms supporting and/or implementing PKI-based, authenticator management capability

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION + + organization-defined types of and/or specific authenticators + organization-defined types of and/or specific authenticators + + + organization-defined registration authority + organization-defined registration authority + + + organization-defined personnel or roles + organization-defined personnel or roles + + IA-5 (3) + MODERATE + HIGH + +

The organization requires that the registration process to receive be conducted [Selection: in person; by a trusted third party] before with authorization by .

+
+ +

Determine if the organization:

+ + IA-5(3)[1] +

defines types of and/or specific authenticators to be received in person or by a trusted third party;

+
+ + IA-5(3)[2] +

defines the registration authority with oversight of the registration process for receipt of organization-defined types of and/or specific authenticators;

+
+ + IA-5(3)[3] +

defines personnel or roles responsible for authorizing organization-defined registration authority;

+
+ + IA-5(3)[4] +

defines if the registration process is to be conducted:

+ + IA-5(3)[4][a] +

in person; or

+
+ + IA-5(3)[4][b] +

by a trusted third party; and

+
+
+ + IA-5(3)[5] +

requires that the registration process to receive organization-defined types of and/or specific authenticators be conducted in person or by a trusted third party before organization-defined registration authority with authorization by organization-defined personnel or roles.

+
+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing authenticator management

+

registration process for receiving information system authenticators

+

list of authenticators requiring in-person registration

+

list of authenticators requiring trusted third party registration

+

authenticator registration documentation

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with authenticator management responsibilities

+

registration authority

+

organizational personnel with information security responsibilities

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + HARDWARE TOKEN-BASED AUTHENTICATION + + organization-defined token quality requirements + organization-defined token quality requirements + + IA-5 (11) + LOW + MODERATE + HIGH + +

The information system, for hardware token-based authentication, employs mechanisms that satisfy .

+
+ +

Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI.

+
+ +

Determine if, for hardware token-based authentication:

+ + IA-5(11)[1] +

the organization defines token quality requirements to be satisfied; and

+
+ + IA-5(11)[2] +

the information system employs mechanisms that satisfy organization-defined token quality requirements.

+
+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing authenticator management

+

security plan

+

information system design documentation

+

automated mechanisms employing hardware token-based authentication for the information system

+

list of token quality requirements

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with authenticator management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms supporting and/or implementing hardware token-based authenticator management capability

+
+
+ +

Determine if the organization manages information system authenticators by:

+ + IA-5(a) +

verifying, as part of the initial authenticator distribution, the identity of:

+ + IA-5(a)[1] +

the individual receiving the authenticator;

+
+ + IA-5(a)[2] +

the group receiving the authenticator;

+
+ + IA-5(a)[3] +

the role receiving the authenticator; and/or

+
+ + IA-5(a)[4] +

the device receiving the authenticator;

+
+
+ + IA-5(b) +

establishing initial authenticator content for authenticators defined by the organization;

+
+ + IA-5(c) +

ensuring that authenticators have sufficient strength of mechanism for their intended use;

+
+ + IA-5(d) + + IA-5(d)[1] +

establishing and implementing administrative procedures for initial authenticator distribution;

+
+ + IA-5(d)[2] +

establishing and implementing administrative procedures for lost/compromised or damaged authenticators;

+
+ + IA-5(d)[3] +

establishing and implementing administrative procedures for revoking authenticators;

+
+
+ + IA-5(e) +

changing default content of authenticators prior to information system installation;

+
+ + IA-5(f) + + IA-5(f)[1] +

establishing minimum lifetime restrictions for authenticators;

+
+ + IA-5(f)[2] +

establishing maximum lifetime restrictions for authenticators;

+
+ + IA-5(f)[3] +

establishing reuse conditions for authenticators;

+
+
+ + IA-5(g) + + IA-5(g)[1] +

defining a time period (by authenticator type) for changing/refreshing authenticators;

+
+ + IA-5(g)[2] +

changing/refreshing authenticators with the organization-defined time period by authenticator type;

+
+
+ + IA-5(h) +

protecting authenticator content from unauthorized:

+ + IA-5(h)[1] +

disclosure;

+
+ + IA-5(h)[2] +

modification;

+
+
+ + IA-5(i) + + IA-5(i)[1] +

requiring individuals to take specific security safeguards to protect authenticators;

+
+ + IA-5(i)[2] +

having devices implement specific security safeguards to protect authenticators; and

+
+
+ + IA-5(j) +

changing authenticators for group/role accounts when membership to those accounts changes.

+
+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing authenticator management

+

information system design documentation

+

information system configuration settings and associated documentation

+

list of information system authenticator types

+

change control records associated with managing information system authenticators

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with authenticator management responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Automated mechanisms supporting and/or implementing authenticator management capability

+
+ + + OMB Memorandum 04-04 + + + OMB Memorandum 11-11 + + + FIPS Publication 201 + + + NIST Special Publication 800-73 + + + NIST Special Publication 800-63 + + + NIST Special Publication 800-76 + + + NIST Special Publication 800-78 + + + FICAM Roadmap and Implementation Guidance + + + http://idmanagement.gov + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + AUTHENTICATOR FEEDBACK + IA-6 + P2 + LOW + MODERATE + HIGH + +

The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

+
+ +

The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it.

+ +
+ +

Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing authenticator feedback

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + CRYPTOGRAPHIC MODULE AUTHENTICATION + IA-7 + P1 + LOW + MODERATE + HIGH + +

The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

+
+ +

Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.

+ + +
+ +

Determine if the information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing cryptographic module authentication

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for cryptographic module authentication

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+
+ + TEST +

Automated mechanisms supporting and/or implementing cryptographic module authentication

+
+ + + FIPS Publication 140 + + + http://csrc.nist.gov/groups/STM/cmvp/index.html + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) + IA-8 + P1 + LOW + MODERATE + HIGH + +

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

+
+ +

Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users.

+ + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES + IA-8 (1) + LOW + MODERATE + HIGH + +

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

+
+ +

This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

+ + + +
+ +

Determine if the information system:

+ + IA-8(1)[1] +

accepts Personal Identity Verification (PIV) credentials from other agencies; and

+
+ + IA-8(1)[2] +

electronically verifies Personal Identity Verification (PIV) credentials from other agencies.

+
+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

PIV verification records

+

evidence of PIV credentials

+

PIV credential authorizations

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with account management responsibilities

+
+ + TEST +

Automated mechanisms supporting and/or implementing identification and authentication capability

+

automated mechanisms that accept and verify PIV credentials

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + ACCEPTANCE OF THIRD-PARTY CREDENTIALS + IA-8 (2) + LOW + MODERATE + HIGH + +

The information system accepts only FICAM-approved third-party credentials.

+
+ +

This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.

+ +
+ +

Determine if the information system accepts only FICAM-approved third-party credentials.

+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

list of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization

+

third-party credential verification records

+

evidence of FICAM-approved third-party credentials

+

third-party credential authorizations

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with account management responsibilities

+
+ + TEST +

Automated mechanisms supporting and/or implementing identification and authentication capability

+

automated mechanisms that accept FICAM-approved credentials

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + USE OF FICAM-APPROVED PRODUCTS + + organization-defined information systems + organization-defined information systems + + IA-8 (3) + LOW + MODERATE + HIGH + +

The organization employs only FICAM-approved information system components in to accept third-party credentials.

+
+ +

This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.

+ +
+ +

Determine if the organization:

+ + IA-8(3)[1] +

defines information systems in which only FICAM-approved information system components are to be employed to accept third-party credentials; and

+
+ + IA-8(3)[2] +

employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials.

+
+
+ + EXAMINE +

Identification and authentication policy

+

system and services acquisition policy

+

procedures addressing user identification and authentication

+

procedures addressing the integration of security requirements into the acquisition process

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

third-party credential validations

+

third-party credential authorizations

+

third-party credential records

+

list of FICAM-approved information system components procured and implemented by organization

+

acquisition documentation

+

acquisition contracts for information system procurements or services

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system operations responsibilities

+

system/network administrators

+

organizational personnel with account management responsibilities

+

organizational personnel with information system security, acquisition, and contracting responsibilities

+
+ + TEST +

Automated mechanisms supporting and/or implementing identification and authentication capability

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + USE OF FICAM-ISSUED PROFILES + IA-8 (4) + LOW + MODERATE + HIGH + +

The information system conforms to FICAM-issued profiles.

+
+ +

This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange).

+ +
+ +

Determine if the information system conforms to FICAM-issued profiles.

+
+ + EXAMINE +

Identification and authentication policy

+

system and services acquisition policy

+

procedures addressing user identification and authentication

+

procedures addressing the integration of security requirements into the acquisition process

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

list of FICAM-issued profiles and associated, approved protocols

+

acquisition documentation

+

acquisition contracts for information system procurements or services

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developers

+

organizational personnel with account management responsibilities

+
+ + TEST +

Automated mechanisms supporting and/or implementing identification and authentication capability

+

automated mechanisms supporting and/or implementing conformance with FICAM-issued profiles

+
+
+ +

Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

+
+ + EXAMINE +

Identification and authentication policy

+

procedures addressing user identification and authentication

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

list of information system accounts

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system operations responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

organizational personnel with account management responsibilities

+
+ + TEST +

Automated mechanisms supporting and/or implementing identification and authentication capability

+
+ + + OMB Memorandum 04-04 + + + OMB Memorandum 11-11 + + + OMB Memorandum 10-06-2011 + + + FICAM Roadmap and Implementation Guidance + + + FIPS Publication 201 + + + NIST Special Publication 800-63 + + + NIST Special Publication 800-116 + + + National Strategy for Trusted Identities in Cyberspace + + + http://idmanagement.gov + + +
+
+ + INCIDENT RESPONSE + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INCIDENT RESPONSE POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + IR-1 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + IR-1a. +

Develops, documents, and disseminates to :

+ + IR-1a.1. +

An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + IR-1a.2. +

Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and

+
+
+ + IR-1b. +

Reviews and updates the current:

+ + IR-1b.1. +

Incident response policy ; and

+
+ + IR-1b.2. +

Incident response procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if the organization:

+ + IR-1(a)(1) + + IR-1(a)(1)[1] +

develops and documents an incident response policy that addresses:

+ + IR-1(a)(1)[1][a] +

purpose;

+
+ + IR-1(a)(1)[1][b] +

scope;

+
+ + IR-1(a)(1)[1][c] +

roles;

+
+ + IR-1(a)(1)[1][d] +

responsibilities;

+
+ + IR-1(a)(1)[1][e] +

management commitment;

+
+ + IR-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + IR-1(a)(1)[1][g] +

compliance;

+
+
+ + IR-1(a)(1)[2] +

defines personnel or roles to whom the incident response policy is to be disseminated;

+
+ + IR-1(a)(1)[3] +

disseminates the incident response policy to organization-defined personnel or roles;

+
+
+ + IR-1(a)(2) + + IR-1(a)(2)[1] +

develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls;

+
+ + IR-1(a)(2)[2] +

defines personnel or roles to whom the procedures are to be disseminated;

+
+ + IR-1(a)(2)[3] +

disseminates the procedures to organization-defined personnel or roles;

+
+
+ + IR-1(b)(1) + + IR-1(b)(1)[1] +

defines the frequency to review and update the current incident response policy;

+
+ + IR-1(b)(1)[2] +

reviews and updates the current incident response policy with the organization-defined frequency;

+
+
+ + IR-1(b)(2) + + IR-1(b)(2)[1] +

defines the frequency to review and update the current incident response procedures; and

+
+ + IR-1(b)(2)[2] +

reviews and updates the current incident response procedures with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Incident response policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+ + + NIST Special Publication 800-12 + + + NIST Special Publication 800-61 + + + NIST Special Publication 800-83 + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INCIDENT RESPONSE TRAINING + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + IR-2 + P2 + LOW + MODERATE + HIGH + +

The organization provides incident response training to information system users consistent with assigned roles and responsibilities:

+ + IR-2a. +

Within of assuming an incident response role or responsibility;

+
+ + IR-2b. +

When required by information system changes; and

+
+ + IR-2c. +

+ thereafter.

+
+
+ +

Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources.

+ + + +
+ +

Determine if the organization:

+ + IR-2(a) + + IR-2(a)[1] +

defines a time period within which incident response training is to be provided to information system users assuming an incident response role or responsibility;

+
+ + IR-2(a)[2] +

provides incident response training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming an incident response role or responsibility;

+
+
+ + IR-2(b) +

provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes;

+
+ + IR-2(c) + + IR-2(c)[1] +

defines the frequency to provide refresher incident response training to information system users consistent with assigned roles or responsibilities; and

+
+ + IR-2(c)[2] +

after the initial incident response training, provides refresher incident response training to information system users consistent with assigned roles and responsibilities in accordance with the organization-defined frequency to provide refresher training.

+
+
+
+ + EXAMINE +

Incident response policy

+

procedures addressing incident response training

+

incident response training curriculum

+

incident response training materials

+

security plan

+

incident response plan

+

incident response training records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident response training and operational responsibilities

+

organizational personnel with information security responsibilities

+
+ + + NIST Special Publication 800-16 + + + NIST Special Publication 800-50 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INCIDENT RESPONSE TESTING + + organization-defined frequency + organization-defined frequency + + + organization-defined tests + organization-defined tests + + IR-3 + P2 + MODERATE + HIGH + +

The organization tests the incident response capability for the information system using to determine the incident response effectiveness and documents the results.

+
+ +

Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response.

+ + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + COORDINATION WITH RELATED PLANS + IR-3 (2) + MODERATE + HIGH + +

The organization coordinates incident response testing with organizational elements responsible for related plans.

+
+ +

Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans.

+
+ +

Determine if the organization coordinates incident response testing with organizational elements responsible for related plans.

+
+ + EXAMINE +

Incident response policy

+

contingency planning policy

+

procedures addressing incident response testing

+

incident response testing documentation

+

incident response plan

+

business continuity plans

+

contingency plans

+

disaster recovery plans

+

continuity of operations plans

+

crisis communications plans

+

critical infrastructure plans

+

occupant emergency plans

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident response testing responsibilities

+

organizational personnel with responsibilities for testing organizational plans related to incident response testing

+

organizational personnel with information security responsibilities

+
+
+ +

Determine if the organization:

+ + IR-3[1] +

defines incident response tests to test the incident response capability for the information system;

+
+ + IR-3[2] +

defines the frequency to test the incident response capability for the information system; and

+
+ + IR-3[3] +

tests the incident response capability for the information system with the organization-defined frequency, using organization-defined tests to determine the incident response effectiveness and documents the results.

+
+
+ + EXAMINE +

Incident response policy

+

contingency planning policy

+

procedures addressing incident response testing

+

procedures addressing contingency plan testing

+

incident response testing material

+

incident response test results

+

incident response test plan

+

incident response plan

+

contingency plan

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident response testing responsibilities

+

organizational personnel with information security responsibilities

+
+ + + NIST Special Publication 800-84 + + + NIST Special Publication 800-115 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INCIDENT HANDLING + IR-4 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + IR-4a. +

Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;

+
+ + IR-4b. +

Coordinates incident handling activities with contingency planning activities; and

+
+ + IR-4c. +

Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.

+
+
+ +

Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).

+ + + + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + AUTOMATED INCIDENT HANDLING PROCESSES + IR-4 (1) + MODERATE + HIGH + +

The organization employs automated mechanisms to support the incident handling process.

+
+ +

Automated mechanisms supporting incident handling processes include, for example, online incident management systems.

+
+ +

Determine if the organization employs automated mechanisms to support the incident handling process.

+
+ + EXAMINE +

Incident response policy

+

procedures addressing incident handling

+

automated mechanisms supporting incident handling

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

incident response plan

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident handling responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms that support and/or implement the incident handling process

+
+
+ +

Determine if the organization:

+ + IR-4(a) +

implements an incident handling capability for security incidents that includes:

+ + IR-4(a)[1] +

preparation;

+
+ + IR-4(a)[2] +

detection and analysis;

+
+ + IR-4(a)[3] +

containment;

+
+ + IR-4(a)[4] +

eradication;

+
+ + IR-4(a)[5] +

recovery;

+
+
+ + IR-4(b) +

coordinates incident handling activities with contingency planning activities;

+
+ + IR-4(c) + + IR-4(c)[1] +

incorporates lessons learned from ongoing incident handling activities into:

+ + IR-4(c)[1][a] +

incident response procedures;

+
+ + IR-4(c)[1][b] +

training;

+
+ + IR-4(c)[1][c] +

testing/exercises;

+
+
+ + IR-4(c)[2] +

implements the resulting changes accordingly to:

+ + IR-4(c)[2][a] +

incident response procedures;

+
+ + IR-4(c)[2][b] +

training; and

+
+ + IR-4(c)[2][c] +

testing/exercises.

+
+
+
+
+ + EXAMINE +

Incident response policy

+

contingency planning policy

+

procedures addressing incident handling

+

incident response plan

+

contingency plan

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident handling responsibilities

+

organizational personnel with contingency planning responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Incident handling capability for the organization

+
+ + + Executive Order 13587 + + + NIST Special Publication 800-61 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INCIDENT MONITORING + IR-5 + P1 + LOW + MODERATE + HIGH + +

The organization tracks and documents information system security incidents.

+
+ +

Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.

+ + + + + + + + +
+ +

Determine if the organization:

+ + IR-5[1] +

tracks information system security incidents; and

+
+ + IR-5[2] +

documents information system security incidents.

+
+
+ + EXAMINE +

Incident response policy

+

procedures addressing incident monitoring

+

incident response records and documentation

+

incident response plan

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident monitoring responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Incident monitoring capability for the organization

+

automated mechanisms supporting and/or implementing tracking and documenting of system security incidents

+
+ + + NIST Special Publication 800-61 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INCIDENT REPORTING + + organization-defined time period + organization-defined time period + + + organization-defined authorities + organization-defined authorities + + IR-6 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + IR-6a. +

Requires personnel to report suspected security incidents to the organizational incident response capability within ; and

+
+ + IR-6b. +

Reports security incident information to .

+
+
+ +

The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling.

+ + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + AUTOMATED REPORTING + IR-6 (1) + MODERATE + HIGH + +

The organization employs automated mechanisms to assist in the reporting of security incidents.

+
+ + + + +

Determine if the organization employs automated mechanisms to assist in the reporting of security incidents.

+
+ + EXAMINE +

Incident response policy

+

procedures addressing incident reporting

+

automated mechanisms supporting incident reporting

+

information system design documentation

+

information system configuration settings and associated documentation

+

incident response plan

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident reporting responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for incident reporting

+

automated mechanisms supporting and/or implementing reporting of security incidents

+
+
+ +

Determine if the organization:

+ + IR-6(a) + + IR-6(a)[1] +

defines the time period within which personnel report suspected security incidents to the organizational incident response capability;

+
+ + IR-6(a)[2] +

requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period;

+
+
+ + IR-6(b) + + IR-6(b)[1] +

defines authorities to whom security incident information is to be reported; and

+
+ + IR-6(b)[2] +

reports security incident information to organization-defined authorities.

+
+
+
+ + EXAMINE +

Incident response policy

+

procedures addressing incident reporting

+

incident reporting records and documentation

+

incident response plan

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident reporting responsibilities

+

organizational personnel with information security responsibilities

+

personnel who have/should have reported incidents

+

personnel (authorities) to whom incident information is to be reported

+
+ + TEST +

Organizational processes for incident reporting

+

automated mechanisms supporting and/or implementing incident reporting

+
+ + + NIST Special Publication 800-61 + + + http://www.us-cert.gov + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INCIDENT RESPONSE ASSISTANCE + IR-7 + P2 + LOW + MODERATE + HIGH + +

The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

+
+ +

Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required.

+ + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT + IR-7 (1) + MODERATE + HIGH + +

The organization employs automated mechanisms to increase the availability of incident response-related information and support.

+
+ +

Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.

+
+ +

Determine if the organization employs automated mechanisms to increase the availability of incident response-related information and support.

+
+ + EXAMINE +

Incident response policy

+

procedures addressing incident response assistance

+

automated mechanisms supporting incident response support and assistance

+

information system design documentation

+

information system configuration settings and associated documentation

+

incident response plan

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident response support and assistance responsibilities

+

organizational personnel with access to incident response support and assistance capability

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for incident response assistance

+

automated mechanisms supporting and/or implementing an increase in the availability of incident response information and support

+
+
+ +

Determine if the organization provides an incident response support resource:

+ + IR-7[1] +

that is integral to the organizational incident response capability; and

+
+ + IR-7[2] +

that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

+
+
+ + EXAMINE +

Incident response policy

+

procedures addressing incident response assistance

+

incident response plan

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident response assistance and support responsibilities

+

organizational personnel with access to incident response support and assistance capability

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for incident response assistance

+

automated mechanisms supporting and/or implementing incident response assistance

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INCIDENT RESPONSE PLAN + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + + + organization-defined frequency + organization-defined frequency + + + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + + IR-8 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + IR-8a. +

Develops an incident response plan that:

+ + IR-8a.1. +

Provides the organization with a roadmap for implementing its incident response capability;

+
+ + IR-8a.2. +

Describes the structure and organization of the incident response capability;

+
+ + IR-8a.3. +

Provides a high-level approach for how the incident response capability fits into the overall organization;

+
+ + IR-8a.4. +

Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

+
+ + IR-8a.5. +

Defines reportable incidents;

+
+ + IR-8a.6. +

Provides metrics for measuring the incident response capability within the organization;

+
+ + IR-8a.7. +

Defines the resources and management support needed to effectively maintain and mature an incident response capability; and

+
+ + IR-8a.8. +

Is reviewed and approved by ;

+
+
+ + IR-8b. +

Distributes copies of the incident response plan to ;

+
+ + IR-8c. +

Reviews the incident response plan ;

+
+ + IR-8d. +

Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;

+
+ + IR-8e. +

Communicates incident response plan changes to ; and

+
+ + IR-8f. +

Protects the incident response plan from unauthorized disclosure and modification.

+
+
+ +

It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems.

+ + + +
+ +

Determine if the organization:

+ + IR-8(a) +

develops an incident response plan that:

+ + IR-8(a)(1) +

provides the organization with a roadmap for implementing its incident response capability;

+
+ + IR-8(a)(2) +

describes the structure and organization of the incident response capability;

+
+ + IR-8(a)(3) +

provides a high-level approach for how the incident response capability fits into the overall organization;

+
+ + IR-8(a)(4) +

meets the unique requirements of the organization, which relate to:

+ + IR-8(a)(4)[1] +

mission;

+
+ + IR-8(a)(4)[2] +

size;

+
+ + IR-8(a)(4)[3] +

structure;

+
+ + IR-8(a)(4)[4] +

functions;

+
+
+ + IR-8(a)(5) +

defines reportable incidents;

+
+ + IR-8(a)(6) +

provides metrics for measuring the incident response capability within the organization;

+
+ + IR-8(a)(7) +

defines the resources and management support needed to effectively maintain and mature an incident response capability;

+
+ + IR-8(a)(8) + + IR-8(a)(8)[1] +

defines personnel or roles to review and approve the incident response plan;

+
+ + IR-8(a)(8)[2] +

is reviewed and approved by organization-defined personnel or roles;

+
+
+
+ + IR-8(b) + + IR-8(b)[1] + + IR-8(b)[1][a] +

defines incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed;

+
+ + IR-8(b)[1][b] +

defines organizational elements to whom copies of the incident response plan are to be distributed;

+
+
+ + IR-8(b)[2] +

distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements;

+
+
+ + IR-8(c) + + IR-8(c)[1] +

defines the frequency to review the incident response plan;

+
+ + IR-8(c)[2] +

reviews the incident response plan with the organization-defined frequency;

+
+
+ + IR-8(d) +

updates the incident response plan to address system/organizational changes or problems encountered during plan:

+ + IR-8(d)[1] +

implementation;

+
+ + IR-8(d)[2] +

execution; or

+
+ + IR-8(d)[3] +

testing;

+
+
+ + IR-8(e) + + IR-8(e)[1] + + IR-8(e)[1][a] +

defines incident response personnel (identified by name and/or by role) to whom incident response plan changes are to be communicated;

+
+ + IR-8(e)[1][b] +

defines organizational elements to whom incident response plan changes are to be communicated;

+
+
+ + IR-8(e)[2] +

communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements; and

+
+
+ + IR-8(f) +

protects the incident response plan from unauthorized disclosure and modification.

+
+
+ + EXAMINE +

Incident response policy

+

procedures addressing incident response planning

+

incident response plan

+

records of incident response plan reviews and approvals

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident response planning responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational incident response plan and related organizational processes

+
+ + + NIST Special Publication 800-61 + + +
+ + INFORMATION SPILLAGE RESPONSE + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined actions + organization-defined actions + + IR-9 + P0 + +

The organization responds to information spills by:

+ + IR-9a. +

Identifying the specific information involved in the information system contamination;

+
+ + IR-9b. +

Alerting of the information spill using a method of communication not associated with the spill;

+
+ + IR-9c. +

Isolating the contaminated information system or system component;

+
+ + IR-9d. +

Eradicating the information from the contaminated information system or component;

+
+ + IR-9e. +

Identifying other information systems or system components that may have been subsequently contaminated; and

+
+ + IR-9f. +

Performing other .

+
+
+ +

Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated.

+
+ + RESPONSIBLE PERSONNEL + + organization-defined personnel or roles + organization-defined personnel or roles + + IR-9 (1) + +

The organization assigns with responsibility for responding to information spills.

+
+ +

Determine if the organization:

+ + IR-9(1)[1] +

defines personnel with responsibility for responding to information spills; and

+
+ + IR-9(1)[2] +

assigns organization-defined personnel with responsibility for responding to information spills.

+
+
+ + EXAMINE +

Incident response policy

+

procedures addressing information spillage

+

incident response plan

+

list of personnel responsible for responding to information spillage

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + TRAINING + + organization-defined frequency + organization-defined frequency + + IR-9 (2) + +

The organization provides information spillage response training .

+
+ +

Determine if the organization:

+ + IR-9(2)[1] +

defines the frequency to provide information spillage response training; and

+
+ + IR-9(2)[2] +

provides information spillage response training with the organization-defined frequency.

+
+
+ + EXAMINE +

Incident response policy

+

procedures addressing information spillage response training

+

information spillage response training curriculum

+

information spillage response training materials

+

incident response plan

+

information spillage response training records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident response training responsibilities

+

organizational personnel with information security responsibilities

+
+
+ + POST-SPILL OPERATIONS + + organization-defined procedures + organization-defined procedures + + IR-9 (3) + +

The organization implements to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

+
+ +

Correction actions for information systems contaminated due to information spillages may be very time-consuming. During those periods, personnel may not have access to the contaminated systems, which may potentially affect their ability to conduct organizational business.

+
+ +

Determine if the organization:

+ + IR-9(3)[1] +

defines procedures that ensure organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions; and

+
+ + IR-9(3)[2] +

implements organization-defined procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

+
+
+ + EXAMINE +

Incident response policy

+

procedures addressing incident handling

+

procedures addressing information spillage

+

incident response plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for post-spill operations

+
+
+ + EXPOSURE TO UNAUTHORIZED PERSONNEL + + organization-defined security safeguards + organization-defined security safeguards + + IR-9 (4) + +

The organization employs for personnel exposed to information not within assigned access authorizations.

+
+ +

Security safeguards include, for example, making personnel exposed to spilled information aware of the federal laws, directives, policies, and/or regulations regarding the information and the restrictions imposed based on exposure to such information.

+
+ +

Determine if the organization:

+ + IR-9(4)[1] +

defines security safeguards to be employed for personnel exposed to information not within assigned access authorizations; and

+
+ + IR-9(4)[2] +

employs organization-defined security safeguards for personnel exposed to information not within assigned access authorizations.

+
+
+ + EXAMINE +

Incident response policy

+

procedures addressing incident handling

+

procedures addressing information spillage

+

incident response plan

+

security safeguards regarding information spillage/exposure to unauthorized personnel

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for dealing with information exposed to unauthorized personnel

+

automated mechanisms supporting and/or implementing safeguards for personnel exposed to information not within assigned access authorizations

+
+
+ +

Determine if the organization:

+ + IR-9(a) +

responds to information spills by identifying the specific information causing the information system contamination;

+
+ + IR-9(b) + + IR-9(b)[1] +

defines personnel to be alerted of the information spillage;

+
+ + IR-9(b)[2] +

identifies a method of communication not associated with the information spill to use to alert organization-defined personnel of the spill;

+
+ + IR-9(b)[3] +

responds to information spills by alerting organization-defined personnel of the information spill using a method of communication not associated with the spill;

+
+
+ + IR-9(c) +

responds to information spills by isolating the contaminated information system;

+
+ + IR-9(d) +

responds to information spills by eradicating the information from the contaminated information system;

+
+ + IR-9(e) +

responds to information spills by identifying other information systems that may have been subsequently contaminated;

+
+ + IR-9(f) + + IR-9(f)[1] +

defines other actions to be performed in response to information spills; and

+
+ + IR-9(f)[2] +

responds to information spills by performing other organization-defined actions.

+
+
+
+ + EXAMINE +

Incident response policy

+

procedures addressing information spillage

+

incident response plan

+

records of information spillage alerts/notifications, list of personnel who should receive alerts of information spillage

+

list of actions to be performed regarding information spillage

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for information spillage response

+

automated mechanisms supporting and/or implementing information spillage response actions and related communications

+
+
+
+ + MAINTENANCE + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SYSTEM MAINTENANCE POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + MA-1 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + MA-1a. +

Develops, documents, and disseminates to :

+ + MA-1a.1. +

A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + MA-1a.2. +

Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and

+
+
+ + MA-1b. +

Reviews and updates the current:

+ + MA-1b.1. +

System maintenance policy ; and

+
+ + MA-1b.2. +

System maintenance procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if the organization:

+ + MA-1(a)(1) + + MA-1(a)(1)[1] +

develops and documents a system maintenance policy that addresses:

+ + MA-1(a)(1)[1][a] +

purpose;

+
+ + MA-1(a)(1)[1][b] +

scope;

+
+ + MA-1(a)(1)[1][c] +

roles;

+
+ + MA-1(a)(1)[1][d] +

responsibilities;

+
+ + MA-1(a)(1)[1][e] +

management commitment;

+
+ + MA-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + MA-1(a)(1)[1][g] +

compliance;

+
+
+ + MA-1(a)(1)[2] +

defines personnel or roles to whom the system maintenance policy is to be disseminated;

+
+ + MA-1(a)(1)[3] +

disseminates the system maintenance policy to organization-defined personnel or roles;

+
+
+ + MA-1(a)(2) + + MA-1(a)(2)[1] +

develops and documents procedures to facilitate the implementation of the maintenance policy and associated system maintenance controls;

+
+ + MA-1(a)(2)[2] +

defines personnel or roles to whom the procedures are to be disseminated;

+
+ + MA-1(a)(2)[3] +

disseminates the procedures to organization-defined personnel or roles;

+
+
+ + MA-1(b)(1) + + MA-1(b)(1)[1] +

defines the frequency to review and update the current system maintenance policy;

+
+ + MA-1(b)(1)[2] +

reviews and updates the current system maintenance policy with the organization-defined frequency;

+
+
+ + MA-1(b)(2) + + MA-1(b)(2)[1] +

defines the frequency to review and update the current system maintenance procedures; and

+
+ + MA-1(b)(2)[2] +

reviews and updates the current system maintenance procedures with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Maintenance policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with maintenance responsibilities

+

organizational personnel with information security responsibilities

+
+ + + NIST Special Publication 800-12 + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + CONTROLLED MAINTENANCE + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined maintenance-related information + organization-defined maintenance-related information + + MA-2 + P2 + LOW + MODERATE + HIGH + +

The organization:

+ + MA-2a. +

Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;

+
+ + MA-2b. +

Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

+
+ + MA-2c. +

Requires that explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

+
+ + MA-2d. +

Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;

+
+ + MA-2e. +

Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and

+
+ + MA-2f. +

Includes in organizational maintenance records.

+
+
+ +

This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems.

+ + + + + + + +
+ +

Determine if the organization:

+ + MA-2(a) + + MA-2(a)[1] +

schedules maintenance and repairs on information system components in accordance with:

+ + MA-2(a)[1][a] +

manufacturer or vendor specifications; and/or

+
+ + MA-2(a)[1][b] +

organizational requirements;

+
+
+ + MA-2(a)[2] +

performs maintenance and repairs on information system components in accordance with:

+ + MA-2(a)[2][a] +

manufacturer or vendor specifications; and/or

+
+ + MA-2(a)[2][b] +

organizational requirements;

+
+
+ + MA-2(a)[3] +

documents maintenance and repairs on information system components in accordance with:

+ + MA-2(a)[3][a] +

manufacturer or vendor specifications; and/or

+
+ + MA-2(a)[3][b] +

organizational requirements;

+
+
+ + MA-2(a)[4] +

reviews records of maintenance and repairs on information system components in accordance with:

+ + MA-2(a)[4][a] +

manufacturer or vendor specifications; and/or

+
+ + MA-2(a)[4][b] +

organizational requirements;

+
+
+
+ + MA-2(b) + + MA-2(b)[1] +

approves all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

+
+ + MA-2(b)[2] +

monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

+
+
+ + MA-2(c) + + MA-2(c)[1] +

defines personnel or roles required to explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

+
+ + MA-2(c)[2] +

requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

+
+
+ + MA-2(d) +

sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;

+
+ + MA-2(e) +

checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;

+
+ + MA-2(f) + + MA-2(f)[1] +

defines maintenance-related information to be included in organizational maintenance records; and

+
+ + MA-2(f)[2] +

includes organization-defined maintenance-related information in organizational maintenance records.

+
+
+
+ + EXAMINE +

Information system maintenance policy

+

procedures addressing controlled information system maintenance

+

maintenance records

+

manufacturer/vendor maintenance specifications

+

equipment sanitization records

+

media sanitization records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system maintenance responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel responsible for media sanitization

+

system/network administrators

+
+ + TEST +

Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system

+

organizational processes for sanitizing information system components

+

automated mechanisms supporting and/or implementing controlled maintenance

+

automated mechanisms implementing sanitization of information system components

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + MAINTENANCE TOOLS + MA-3 + P3 + MODERATE + HIGH + +

The organization approves, controls, and monitors information system maintenance tools.

+
+ +

This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing �ping,� �ls,� �ipconfig,� or the hardware and software implementing the monitoring port of an Ethernet switch.

+ + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + INSPECT TOOLS + MA-3 (1) + MODERATE + HIGH + +

The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

+
+ +

If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.

+ +
+ +

Determine if the organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

+
+ + EXAMINE +

Information system maintenance policy

+

procedures addressing information system maintenance tools

+

information system maintenance tools and associated documentation

+

maintenance tool inspection records

+

maintenance records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system maintenance responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for inspecting maintenance tools

+

automated mechanisms supporting and/or implementing inspection of maintenance tools

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + INSPECT MEDIA + MA-3 (2) + MODERATE + HIGH + +

The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.

+
+ +

If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures.

+ +
+ +

Determine if the organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.

+
+ + EXAMINE +

Information system maintenance policy

+

procedures addressing information system maintenance tools

+

information system maintenance tools and associated documentation

+

maintenance records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system maintenance responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational process for inspecting media for malicious code

+

automated mechanisms supporting and/or implementing inspection of media used for maintenance

+
+
+ +

Determine if the organization:

+ + MA-3[1] +

approves information system maintenance tools;

+
+ + MA-3[2] +

controls information system maintenance tools; and

+
+ + MA-3[3] +

monitors information system maintenance tools.

+
+
+ + EXAMINE +

Information system maintenance policy

+

procedures addressing information system maintenance tools

+

information system maintenance tools and associated documentation

+

maintenance records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system maintenance responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for approving, controlling, and monitoring maintenance tools

+

automated mechanisms supporting and/or implementing approval, control, and/or monitoring of maintenance tools

+
+ + + NIST Special Publication 800-88 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + NONLOCAL MAINTENANCE + MA-4 + P2 + LOW + MODERATE + HIGH + +

The organization:

+ + MA-4a. +

Approves and monitors nonlocal maintenance and diagnostic activities;

+
+ + MA-4b. +

Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;

+
+ + MA-4c. +

Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;

+
+ + MA-4d. +

Maintains records for nonlocal maintenance and diagnostic activities; and

+
+ + MA-4e. +

Terminates session and network connections when nonlocal maintenance is completed.

+
+
+ +

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.

+ + + + + + + + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + DOCUMENT NONLOCAL MAINTENANCE + MA-4 (2) + MODERATE + HIGH + +

The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

+
+ +

Determine if the organization documents in the security plan for the information system:

+ + MA-4(2)[1] +

the policies for the establishment and use of nonlocal maintenance and diagnostic connections; and

+
+ + MA-4(2)[2] +

the procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

+
+
+ + EXAMINE +

Information system maintenance policy

+

procedures addressing non-local information system maintenance

+

security plan

+

maintenance records

+

diagnostic records

+

audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system maintenance responsibilities

+

organizational personnel with information security responsibilities

+
+
+ +

Determine if the organization:

+ + MA-4(a) + + MA-4(a)[1] +

approves nonlocal maintenance and diagnostic activities;

+
+ + MA-4(a)[2] +

monitors nonlocal maintenance and diagnostic activities;

+
+
+ + MA-4(b) +

allows the use of nonlocal maintenance and diagnostic tools only:

+ + MA-4(b)[1] +

as consistent with organizational policy;

+
+ + MA-4(b)[2] +

as documented in the security plan for the information system;

+
+
+ + MA-4(c) +

employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;

+
+ + MA-4(d) +

maintains records for nonlocal maintenance and diagnostic activities;

+
+ + MA-4(e) + + MA-4(e)[1] +

terminates sessions when nonlocal maintenance or diagnostics is completed; and

+
+ + MA-4(e)[2] +

terminates network connections when nonlocal maintenance or diagnostics is completed.

+
+
+
+ + EXAMINE +

Information system maintenance policy

+

procedures addressing nonlocal information system maintenance

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

maintenance records

+

diagnostic records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system maintenance responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for managing nonlocal maintenance

+

automated mechanisms implementing, supporting, and/or managing nonlocal maintenance

+

automated mechanisms for strong authentication of nonlocal maintenance diagnostic sessions

+

automated mechanisms for terminating nonlocal maintenance sessions and network connections

+
+ + + FIPS Publication 140-2 + + + FIPS Publication 197 + + + FIPS Publication 201 + + + NIST Special Publication 800-63 + + + NIST Special Publication 800-88 + + + CNSS Policy 15 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + MAINTENANCE PERSONNEL + MA-5 + P2 + LOW + MODERATE + HIGH + +

The organization:

+ + MA-5a. +

Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;

+
+ + MA-5b. +

Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and

+
+ + MA-5c. +

Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

+
+
+ +

This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

+ + + + + + + +
+ +

Determine if the organization:

+ + MA-5(a) + + MA-5(a)[1] +

establishes a process for maintenance personnel authorization;

+
+ + MA-5(a)[2] +

maintains a list of authorized maintenance organizations or personnel;

+
+
+ + MA-5(b) +

ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and

+
+ + MA-5(c) +

designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

+
+
+ + EXAMINE +

Information system maintenance policy

+

procedures addressing maintenance personnel

+

service provider contracts

+

service-level agreements

+

list of authorized personnel

+

maintenance records

+

access control records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system maintenance responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for authorizing and managing maintenance personnel

+

automated mechanisms supporting and/or implementing authorization of maintenance personnel

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + TIMELY MAINTENANCE + + organization-defined information system components + organization-defined information system components + + + organization-defined time period + organization-defined time period + + MA-6 + P2 + MODERATE + HIGH + +

The organization obtains maintenance support and/or spare parts for within of failure.

+
+ +

Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place.

+ + + + + +
+ +

Determine if the organization:

+ + MA-6[1] +

defines information system components for which maintenance support and/or spare parts are to be obtained;

+
+ + MA-6[2] +

defines the time period within which maintenance support and/or spare parts are to be obtained after a failure;

+
+ + MA-6[3] + + MA-6[3][a] +

obtains maintenance support for organization-defined information system components within the organization-defined time period of failure; and/or

+
+ + MA-6[3][b] +

obtains spare parts for organization-defined information system components within the organization-defined time period of failure.

+
+
+
+ + EXAMINE +

Information system maintenance policy

+

procedures addressing information system maintenance

+

service provider contracts

+

service-level agreements

+

inventory and availability of spare parts

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system maintenance responsibilities

+

organizational personnel with acquisition responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for ensuring timely maintenance

+
+
+
+ + MEDIA PROTECTION + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + MEDIA PROTECTION POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + MP-1 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + MP-1a. +

Develops, documents, and disseminates to :

+ + MP-1a.1. +

A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + MP-1a.2. +

Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and

+
+
+ + MP-1b. +

Reviews and updates the current:

+ + MP-1b.1. +

Media protection policy ; and

+
+ + MP-1b.2. +

Media protection procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if the organization:

+ + MP-1(a)(1) + + MP-1(a)(1)[1] +

develops and documents a media protection policy that addresses:

+ + MP-1(a)(1)[1][a] +

purpose;

+
+ + MP-1(a)(1)[1][b] +

scope;

+
+ + MP-1(a)(1)[1][c] +

roles;

+
+ + MP-1(a)(1)[1][d] +

responsibilities;

+
+ + MP-1(a)(1)[1][e] +

management commitment;

+
+ + MP-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + MP-1(a)(1)[1][g] +

compliance;

+
+
+ + MP-1(a)(1)[2] +

defines personnel or roles to whom the media protection policy is to be disseminated;

+
+ + MP-1(a)(1)[3] +

disseminates the media protection policy to organization-defined personnel or roles;

+
+
+ + MP-1(a)(2) + + MP-1(a)(2)[1] +

develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls;

+
+ + MP-1(a)(2)[2] +

defines personnel or roles to whom the procedures are to be disseminated;

+
+ + MP-1(a)(2)[3] +

disseminates the procedures to organization-defined personnel or roles;

+
+
+ + MP-1(b)(1) + + MP-1(b)(1)[1] +

defines the frequency to review and update the current media protection policy;

+
+ + MP-1(b)(1)[2] +

reviews and updates the current media protection policy with the organization-defined frequency;

+
+
+ + MP-1(b)(2) + + MP-1(b)(2)[1] +

defines the frequency to review and update the current media protection procedures; and

+
+ + MP-1(b)(2)[2] +

reviews and updates the current media protection procedures with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Media protection policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with media protection responsibilities

+

organizational personnel with information security responsibilities

+
+ + + NIST Special Publication 800-12 + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + MEDIA ACCESS + + organization-defined types of digital and/or non-digital media + organization-defined types of digital and/or non-digital media + + + organization-defined personnel or roles + organization-defined personnel or roles + + MP-2 + P1 + LOW + MODERATE + HIGH + +

The organization restricts access to to .

+
+ +

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team.

+ + + + + + +
+ +

Determine if the organization:

+ + MP-2[1] +

defines types of digital and/or non-digital media requiring restricted access;

+
+ + MP-2[2] +

defines personnel or roles authorized to access organization-defined types of digital and/or non-digital media; and

+
+ + MP-2[3] +

restricts access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles.

+
+
+ + EXAMINE +

Information system media protection policy

+

procedures addressing media access restrictions

+

access control policy and procedures

+

physical and environmental protection policy and procedures

+

media storage facilities

+

access control records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system media protection responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for restricting information media

+

automated mechanisms supporting and/or implementing media access restrictions

+
+ + + FIPS Publication 199 + + + NIST Special Publication 800-111 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + MEDIA MARKING + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined controlled areas + organization-defined controlled areas + + MP-3 + P2 + MODERATE + HIGH + +

The organization:

+ + MP-3a. +

Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and

+
+ + MP-3b. +

Exempts from marking as long as the media remain within .

+
+
+ +

The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

+ + + +
+ +

Determine if the organization:

+ + MP-3(a) +

marks information system media indicating the:

+ + MP-3(a)[1] +

distribution limitations of the information;

+
+ + MP-3(a)[2] +

handling caveats of the information;

+
+ + MP-3(a)[3] +

applicable security markings (if any) of the information;

+
+
+ + MP-3(b) + + MP-3(b)[1] +

defines types of information system media to be exempted from marking as long as the media remain in designated controlled areas;

+
+ + MP-3(b)[2] +

defines controlled areas where organization-defined types of information system media exempt from marking are to be retained; and

+
+ + MP-3(b)[3] +

exempts organization-defined types of information system media from marking as long as the media remain within organization-defined controlled areas.

+
+
+
+ + EXAMINE +

Information system media protection policy

+

procedures addressing media marking

+

physical and environmental protection policy and procedures

+

security plan

+

list of information system media marking security attributes

+

designated controlled areas

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system media protection and marking responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for marking information media

+

automated mechanisms supporting and/or implementing media marking

+
+ + + FIPS Publication 199 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + MEDIA STORAGE + + organization-defined types of digital and/or non-digital media + organization-defined types of digital and/or non-digital media + + + organization-defined controlled areas + organization-defined controlled areas + + MP-4 + P1 + MODERATE + HIGH + +

The organization:

+ + MP-4a. +

Physically controls and securely stores within ; and

+
+ + MP-4b. +

Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

+
+
+ +

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection.

+ + + + + +
+ +

Determine if the organization:

+ + MP-4(a) + + MP-4(a)[1] +

defines types of digital and/or non-digital media to be physically controlled and securely stored within designated controlled areas;

+
+ + MP-4(a)[2] +

defines controlled areas designated to physically control and securely store organization-defined types of digital and/or non-digital media;

+
+ + MP-4(a)[3] +

physically controls organization-defined types of digital and/or non-digital media within organization-defined controlled areas;

+
+ + MP-4(a)[4] +

securely stores organization-defined types of digital and/or non-digital media within organization-defined controlled areas; and

+
+
+ + MP-4(b) +

protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

+
+
+ + EXAMINE +

Information system media protection policy

+

procedures addressing media storage

+

physical and environmental protection policy and procedures

+

access control policy and procedures

+

security plan

+

information system media

+

designated controlled areas

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system media protection and storage responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for storing information media

+

automated mechanisms supporting and/or implementing secure media storage/media protection

+
+ + + FIPS Publication 199 + + + NIST Special Publication 800-56 + + + NIST Special Publication 800-57 + + + NIST Special Publication 800-111 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + MEDIA TRANSPORT + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined security safeguards + organization-defined security safeguards + + MP-5 + P1 + MODERATE + HIGH + +

The organization:

+ + MP-5a. +

Protects and controls during transport outside of controlled areas using ;

+
+ + MP-5b. +

Maintains accountability for information system media during transport outside of controlled areas;

+
+ + MP-5c. +

Documents activities associated with the transport of information system media; and

+
+ + MP-5d. +

Restricts the activities associated with the transport of information system media to authorized personnel.

+
+
+ +

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. +Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. 
Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records.

+ + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + CRYPTOGRAPHIC PROTECTION + MP-5 (4) + MODERATE + HIGH + +

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

+
+ +

This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers).

+ +
+ +

Determine if the organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

+
+ + EXAMINE +

Information system media protection policy

+

procedures addressing media transport

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system media transport records

+

audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system media transport responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Cryptographic mechanisms protecting information on digital media during transportation outside controlled areas

+
+
+ +

Determine if the organization:

+ + MP-5(a) + + MP-5(a)[1] +

defines types of information system media to be protected and controlled during transport outside of controlled areas;

+
+ + MP-5(a)[2] +

defines security safeguards to protect and control organization-defined information system media during transport outside of controlled areas;

+
+ + MP-5(a)[3] +

protects and controls organization-defined information system media during transport outside of controlled areas using organization-defined security safeguards;

+
+
+ + MP-5(b) +

maintains accountability for information system media during transport outside of controlled areas;

+
+ + MP-5(c) +

documents activities associated with the transport of information system media; and

+
+ + MP-5(d) +

restricts the activities associated with transport of information system media to authorized personnel.

+
+
+ + EXAMINE +

Information system media protection policy

+

procedures addressing media storage

+

physical and environmental protection policy and procedures

+

access control policy and procedures

+

security plan

+

information system media

+

designated controlled areas

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system media protection and storage responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for storing information media

+

automated mechanisms supporting and/or implementing media storage/media protection

+
+ + + FIPS Publication 199 + + + NIST Special Publication 800-60 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + MEDIA SANITIZATION + + organization-defined information system media + organization-defined information system media + + + organization-defined sanitization techniques and procedures + organization-defined sanitization techniques and procedures + + MP-6 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + MP-6a. +

Sanitizes prior to disposal, release out of organizational control, or release for reuse using in accordance with applicable federal and organizational standards and policies; and

+
+ + MP-6b. +

Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

+
+
+ +

This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information.

+ + + + +
+ +

Determine if the organization:

+ + MP-6(a) + + MP-6(a)[1] +

defines information system media to be sanitized prior to:

+ + MP-6(a)[1][a] +

disposal;

+
+ + MP-6(a)[1][b] +

release out of organizational control; or

+
+ + MP-6(a)[1][c] +

release for reuse;

+
+
+ + MP-6(a)[2] +

defines sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to:

+ + MP-6(a)[2][a] +

disposal;

+
+ + MP-6(a)[2][b] +

release out of organizational control; or

+
+ + MP-6(a)[2][c] +

release for reuse;

+
+
+ + MP-6(a)[3] +

sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational standards and policies; and

+
+
+ + MP-6(b) +

employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information.

+
+
+ + EXAMINE +

Information system media protection policy

+

procedures addressing media sanitization and disposal

+

applicable federal standards and policies addressing media sanitization

+

media sanitization records

+

audit records

+

information system design documentation

+

information system configuration settings and associated documentation

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with media sanitization responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for media sanitization

+

automated mechanisms supporting and/or implementing media sanitization

+
+ + + FIPS Publication 199 + + + NIST Special Publication 800-60 + + + NIST Special Publication 800-88 + + + http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + MEDIA USE + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined information systems or system components + organization-defined information systems or system components + + + organization-defined security safeguards + organization-defined security safeguards + + MP-7 + P1 + LOW + MODERATE + HIGH + +

The organization [Selection: restricts; prohibits] the use of on using .

+
+ +

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices.

+ + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PROHIBIT USE WITHOUT OWNER + MP-7 (1) + MODERATE + HIGH + +

The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

+
+ +

Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion).

+ +
+ +

Determine if the organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

+
+ + EXAMINE +

Information system media protection policy

+

system use policy

+

procedures addressing media usage restrictions

+

security plan

+

rules of behavior

+

information system design documentation

+

information system configuration settings and associated documentation

+

audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system media use responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for media use

+

automated mechanisms prohibiting use of media on information systems or system components

+
+
+ +

Determine if the organization:

+ + MP-7[1] +

defines types of information system media to be:

+ + MP-7[1][a] +

restricted on information systems or system components; or

+
+ + MP-7[1][b] +

prohibited from use on information systems or system components;

+
+
+ + MP-7[2] +

defines information systems or system components on which the use of organization-defined types of information system media is to be one of the following:

+ + MP-7[2][a] +

restricted; or

+
+ + MP-7[2][b] +

prohibited;

+
+
+ + MP-7[3] +

defines security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components; and

+
+ + MP-7[4] +

restricts or prohibits the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards.

+
+
+ + EXAMINE +

Information system media protection policy

+

system use policy

+

procedures addressing media usage restrictions

+

security plan

+

rules of behavior

+

information system design documentation

+

information system configuration settings and associated documentation

+

audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information system media use responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for media use

+

automated mechanisms restricting or prohibiting use of information system media on information systems or system components

+
+ + + FIPS Publication 199 + + + NIST Special Publication 800-111 + + +
+
+ + PHYSICAL AND ENVIRONMENTAL PROTECTION + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + PE-1 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + PE-1a. +

Develops, documents, and disseminates to :

+ + PE-1a.1. +

A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + PE-1a.2. +

Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and

+
+
+ + PE-1b. +

Reviews and updates the current:

+ + PE-1b.1. +

Physical and environmental protection policy ; and

+
+ + PE-1b.2. +

Physical and environmental protection procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if the organization:

+ + PE-1(a)(1) + + PE-1(a)(1)[1] +

develops and documents a physical and environmental protection policy that addresses:

+ + PE-1(a)(1)[1][a] +

purpose;

+
+ + PE-1(a)(1)[1][b] +

scope;

+
+ + PE-1(a)(1)[1][c] +

roles;

+
+ + PE-1(a)(1)[1][d] +

responsibilities;

+
+ + PE-1(a)(1)[1][e] +

management commitment;

+
+ + PE-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + PE-1(a)(1)[1][g] +

compliance;

+
+
+ + PE-1(a)(1)[2] +

defines personnel or roles to whom the physical and environmental protection policy is to be disseminated;

+
+ + PE-1(a)(1)[3] +

disseminates the physical and environmental protection policy to organization-defined personnel or roles;

+
+
+ + PE-1(a)(2) + + PE-1(a)(2)[1] +

develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls;

+
+ + PE-1(a)(2)[2] +

defines personnel or roles to whom the procedures are to be disseminated;

+
+ + PE-1(a)(2)[3] +

disseminates the procedures to organization-defined personnel or roles;

+
+
+ + PE-1(b)(1) + + PE-1(b)(1)[1] +

defines the frequency to review and update the current physical and environmental protection policy;

+
+ + PE-1(b)(1)[2] +

reviews and updates the current physical and environmental protection policy with the organization-defined frequency;

+
+
+ + PE-1(b)(2) + + PE-1(b)(2)[1] +

defines the frequency to review and update the current physical and environmental protection procedures; and

+
+ + PE-1(b)(2)[2] +

reviews and updates the current physical and environmental protection procedures with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Physical and environmental protection policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with physical and environmental protection responsibilities

+

organizational personnel with information security responsibilities

+
+ + + NIST Special Publication 800-12 + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + EMERGENCY SHUTOFF + + organization-defined location by information system or system component + organization-defined location by information system or system component + + PE-10 + P1 + MODERATE + HIGH + +

The organization:

+ + PE-10a. +

Provides the capability of shutting off power to the information system or individual system components in emergency situations;

+
+ + PE-10b. +

Places emergency shutoff switches or devices in to facilitate safe and easy access for personnel; and

+
+ + PE-10c. +

Protects emergency power shutoff capability from unauthorized activation.

+
+
+ +

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.

+ +
+ +

Determine if the organization:

+ + PE-10(a) +

provides the capability of shutting off power to the information system or individual system components in emergency situations;

+
+ + PE-10(b) + + PE-10(b)[1] +

defines the location of emergency shutoff switches or devices by information system or system component;

+
+ + PE-10(b)[2] +

places emergency shutoff switches or devices in the organization-defined location by information system or system component to facilitate safe and easy access for personnel; and

+
+
+ + PE-10(c) +

protects emergency power shutoff capability from unauthorized activation.

+
+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing power source emergency shutoff

+

security plan

+

emergency shutoff controls or switches

+

locations housing emergency shutoff switches and devices

+

security safeguards protecting emergency power shutoff capability from unauthorized activation

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for emergency power shutoff capability (both implementing and using the capability)

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms supporting and/or implementing emergency power shutoff

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + EMERGENCY POWER + PE-11 + P1 + MODERATE + HIGH + +

The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.

+
+ + + + + + +

Determine if the organization provides a short-term uninterruptible power supply to facilitate one or more of the following in the event of a primary power source loss:

+ + PE-11[1] +

an orderly shutdown of the information system; and/or

+
+ + PE-11[2] +

transition of the information system to long-term alternate power.

+
+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing emergency power

+

uninterruptible power supply

+

uninterruptible power supply documentation

+

uninterruptible power supply test records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for emergency power and/or planning

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms supporting and/or implementing uninterruptible power supply

+

the uninterruptable power supply

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + EMERGENCY LIGHTING + PE-12 + P1 + LOW + MODERATE + HIGH + +

The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

+
+ +

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.

+ + +
+ +

Determine if the organization employs and maintains automatic emergency lighting for the information system that:

+ + PE-12[1] +

activates in the event of a power outage or disruption; and

+
+ + PE-12[2] +

covers emergency exits and evacuation routes within the facility.

+
+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing emergency lighting

+

emergency lighting documentation

+

emergency lighting test records

+

emergency exits and evacuation routes

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for emergency lighting and/or planning

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms supporting and/or implementing emergency lighting capability

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + FIRE PROTECTION + PE-13 + P1 + LOW + MODERATE + HIGH + +

The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

+
+ +

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.

+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + AUTOMATIC FIRE SUPPRESSION + PE-13 (3) + MODERATE + HIGH + +

The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

+
+ +

Determine if the organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing fire protection

+

fire suppression and detection devices/systems documentation

+

facility housing the information system

+

alarm service-level agreements

+

test records of fire suppression and detection devices/systems

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for fire detection and suppression devices/systems

+

organizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms supporting and/or implementing fire suppression devices/systems

+

activation of fire suppression devices/systems (simulated)

+
+
+ +

Determine if the organization:

+ + PE-13[1] +

employs fire suppression and detection devices/systems for the information system that are supported by an independent energy source; and

+
+ + PE-13[2] +

maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

+
+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing fire protection

+

fire suppression and detection devices/systems

+

fire suppression and detection devices/systems documentation

+

test records of fire suppression and detection devices/systems

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for fire detection and suppression devices/systems

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms supporting and/or implementing fire suppression/detection devices/systems

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + TEMPERATURE AND HUMIDITY CONTROLS + + organization-defined acceptable levels + organization-defined acceptable levels + + + organization-defined frequency + organization-defined frequency + + PE-14 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + PE-14a. +

Maintains temperature and humidity levels within the facility where the information system resides at ; and

+
+ + PE-14b. +

Monitors temperature and humidity levels .

+
+
+ +

This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms.

+ +
+ +

Determine if the organization:

+ + PE-14(a) + + PE-14(a)[1] +

defines acceptable temperature levels to be maintained within the facility where the information system resides;

+
+ + PE-14(a)[2] +

defines acceptable humidity levels to be maintained within the facility where the information system resides;

+
+ + PE-14(a)[3] +

maintains temperature levels within the facility where the information system resides at the organization-defined levels;

+
+ + PE-14(a)[4] +

maintains humidity levels within the facility where the information system resides at the organization-defined levels;

+
+
+ + PE-14(b) + + PE-14(b)[1] +

defines the frequency to monitor temperature levels;

+
+ + PE-14(b)[2] +

defines the frequency to monitor humidity levels;

+
+ + PE-14(b)[3] +

monitors temperature levels with the organization-defined frequency; and

+
+ + PE-14(b)[4] +

monitors humidity levels with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing temperature and humidity control

+

security plan

+

temperature and humidity controls

+

facility housing the information system

+

temperature and humidity controls documentation

+

temperature and humidity records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for information system environmental controls

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms supporting and/or implementing maintenance and monitoring of temperature and humidity levels

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + WATER DAMAGE PROTECTION + PE-15 + P1 + LOW + MODERATE + HIGH + +

The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

+
+ +

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.

+ +
+ +

Determine if the organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are:

+ + PE-15[1] +

accessible;

+
+ + PE-15[2] +

working properly; and

+
+ + PE-15[3] +

known to key personnel.

+
+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing water damage protection

+

facility housing the information system

+

master shutoff valves

+

list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system

+

master shutoff valve documentation

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for information system environmental controls

+

organizational personnel with information security responsibilities

+
+ + TEST +

Master water-shutoff valves

+

organizational process for activating master water-shutoff

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + DELIVERY AND REMOVAL + + organization-defined types of information system components + organization-defined types of information system components + + PE-16 + P2 + LOW + MODERATE + HIGH + +

The organization authorizes, monitors, and controls entering and exiting the facility and maintains records of those items.

+
+ +

Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.

+ + + + + +
+ +

Determine if the organization:

+ + PE-16[1] +

defines types of information system components to be authorized, monitored, and controlled as such components are entering and exiting the facility;

+
+ + PE-16[2] +

authorizes organization-defined information system components entering the facility;

+
+ + PE-16[3] +

monitors organization-defined information system components entering the facility;

+
+ + PE-16[4] +

controls organization-defined information system components entering the facility;

+
+ + PE-16[5] +

authorizes organization-defined information system components exiting the facility;

+
+ + PE-16[6] +

monitors organization-defined information system components exiting the facility;

+
+ + PE-16[7] +

controls organization-defined information system components exiting the facility;

+
+ + PE-16[8] +

maintains records of information system components entering the facility; and

+
+ + PE-16[9] +

maintains records of information system components exiting the facility.

+
+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing delivery and removal of information system components from the facility

+

security plan

+

facility housing the information system

+

records of items entering and exiting the facility

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibilities for controlling information system components entering and exiting the facility

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational process for authorizing, monitoring, and controlling information system-related items entering and exiting the facility

+

automated mechanisms supporting and/or implementing authorizing, monitoring, and controlling information system-related items entering and exiting the facility

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + ALTERNATE WORK SITE + + organization-defined security controls + organization-defined security controls + + PE-17 + P2 + MODERATE + HIGH + +

The organization:

+ + PE-17a. +

Employs at alternate work sites;

+
+ + PE-17b. +

Assesses as feasible, the effectiveness of security controls at alternate work sites; and

+
+ + PE-17c. +

Provides a means for employees to communicate with information security personnel in case of security incidents or problems.

+
+
+ +

Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative.

+ + +
+ +

Determine if the organization:

+ + PE-17(a) + + PE-17(a)[1] +

defines security controls to be employed at alternate work sites;

+
+ + PE-17(a)[2] +

employs organization-defined security controls at alternate work sites;

+
+
+ + PE-17(b) +

assesses, as feasible, the effectiveness of security controls at alternate work sites; and

+
+ + PE-17(c) +

provides a means for employees to communicate with information security personnel in case of security incidents or problems.

+
+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing alternate work sites for organizational personnel

+

security plan

+

list of security controls required for alternate work sites

+

assessments of security controls at alternate work sites

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel approving use of alternate work sites

+

organizational personnel using alternate work sites

+

organizational personnel assessing controls at alternate work sites

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for security at alternate work sites

+

automated mechanisms supporting alternate work sites

+

security controls employed at alternate work sites

+

means of communications between personnel at alternate work sites and security personnel

+
+ + + NIST Special Publication 800-46 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + PHYSICAL ACCESS AUTHORIZATIONS + + organization-defined frequency + organization-defined frequency + + PE-2 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + PE-2a. +

Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;

+
+ + PE-2b. +

Issues authorization credentials for facility access;

+
+ + PE-2c. +

Reviews the access list detailing authorized facility access by individuals ; and

+
+ + PE-2d. +

Removes individuals from the facility access list when access is no longer required.

+
+
+ +

This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible.

+ + + +
+ +

Determine if the organization:

+ + PE-2(a) + + PE-2(a)[1] +

develops a list of individuals with authorized access to the facility where the information system resides;

+
+ + PE-2(a)[2] +

approves a list of individuals with authorized access to the facility where the information system resides;

+
+ + PE-2(a)[3] +

maintains a list of individuals with authorized access to the facility where the information system resides;

+
+
+ + PE-2(b) +

issues authorization credentials for facility access;

+
+ + PE-2(c) + + PE-2(c)[1] +

defines the frequency to review the access list detailing authorized facility access by individuals;

+
+ + PE-2(c)[2] +

reviews the access list detailing authorized facility access by individuals with the organization-defined frequency; and

+
+
+ + PE-2(d) +

removes individuals from the facility access list when access is no longer required.

+
+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing physical access authorizations

+

security plan

+

authorized personnel access list

+

authorization credentials

+

physical access list reviews

+

physical access termination records and associated documentation

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with physical access authorization responsibilities

+

organizational personnel with physical access to information system facility

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for physical access authorizations

+

automated mechanisms supporting and/or implementing physical access authorizations

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + PHYSICAL ACCESS CONTROL + + organization-defined entry/exit points to the facility where the information system resides + organization-defined entry/exit points to the facility where the information system resides + + + organization-defined physical access control systems/devices + organization-defined physical access control systems/devices + + + organization-defined entry/exit points + organization-defined entry/exit points + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined circumstances requiring visitor escorts and monitoring + organization-defined circumstances requiring visitor escorts and monitoring + + + organization-defined physical access devices + organization-defined physical access devices + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + PE-3 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + PE-3a. +

Enforces physical access authorizations at by;

+ + PE-3a.1. +

Verifying individual access authorizations before granting access to the facility; and

+
+ + PE-3a.2. +

Controlling ingress/egress to the facility using [Selection (one or more): ; guards];

+
+
+ + PE-3b. +

Maintains physical access audit logs for ;

+
+ + PE-3c. +

Provides to control access to areas within the facility officially designated as publicly accessible;

+
+ + PE-3d. +

Escorts visitors and monitors visitor activity ;

+
+ + PE-3e. +

Secures keys, combinations, and other physical access devices;

+
+ + PE-3f. +

Inventories every ; and

+
+ + PE-3g. +

Changes combinations and keys and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

+
+
+ +

This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.

+ + + + + + + + + +
+ +

Determine if the organization:

+ + PE-3(a) + + PE-3(a)[1] +

defines entry/exit points to the facility where the information system resides;

+
+ + PE-3(a)[2] +

enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides by:

+ + PE-3(a)[2](1) +

verifying individual access authorizations before granting access to the facility;

+
+ + PE-3(a)[2](2) + + PE-3(a)[2](2)[a] +

defining physical access control systems/devices to be employed to control ingress/egress to the facility where the information system resides;

+
+ + PE-3(a)[2](2)[b] +

using one or more of the following ways to control ingress/egress to the facility:

+ + PE-3(a)[2](2)[b][1] +

organization-defined physical access control systems/devices; and/or

+
+ + PE-3(a)[2](2)[b][2] +

guards;

+
+
+
+
+
+ + PE-3(b) + + PE-3(b)[1] +

defines entry/exit points for which physical access audit logs are to be maintained;

+
+ + PE-3(b)[2] +

maintains physical access audit logs for organization-defined entry/exit points;

+
+
+ + PE-3(c) + + PE-3(c)[1] +

defines security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible;

+
+ + PE-3(c)[2] +

provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible;

+
+
+ + PE-3(d) + + PE-3(d)[1] +

defines circumstances requiring visitor:

+ + PE-3(d)[1][a] +

escorts;

+
+ + PE-3(d)[1][b] +

monitoring;

+
+
+ + PE-3(d)[2] +

in accordance with organization-defined circumstances requiring visitor escorts and monitoring:

+ + PE-3(d)[2][a] +

escorts visitors;

+
+ + PE-3(d)[2][b] +

monitors visitor activities;

+
+
+
+ + PE-3(e) + + PE-3(e)[1] +

secures keys;

+
+ + PE-3(e)[2] +

secures combinations;

+
+ + PE-3(e)[3] +

secures other physical access devices;

+
+
+ + PE-3(f) + + PE-3(f)[1] +

defines physical access devices to be inventoried;

+
+ + PE-3(f)[2] +

defines the frequency to inventory organization-defined physical access devices;

+
+ + PE-3(f)[3] +

inventories the organization-defined physical access devices with the organization-defined frequency;

+
+
+ + PE-3(g) + + PE-3(g)[1] +

defines the frequency to change combinations and keys; and

+
+ + PE-3(g)[2] +

changes combinations and keys with the organization-defined frequency and/or when:

+ + PE-3(g)[2][a] +

keys are lost;

+
+ + PE-3(g)[2][b] +

combinations are compromised;

+
+ + PE-3(g)[2][c] +

individuals are transferred or terminated.

+
+
+
+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing physical access control

+

security plan

+

physical access control logs or records

+

inventory records of physical access control devices

+

information system entry and exit points

+

records of key and lock combination changes

+

storage locations for physical access control devices

+

physical access control devices

+

list of security safeguards controlling access to designated publicly accessible areas within facility

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for physical access control

+

automated mechanisms supporting and/or implementing physical access control

+

physical access control devices

+
+ + + FIPS Publication 201 + + + NIST Special Publication 800-73 + + + NIST Special Publication 800-76 + + + NIST Special Publication 800-78 + + + NIST Special Publication 800-116 + + + ICD 704 + + + ICD 705 + + + DoD Instruction 5200.39 + + + Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS) + + + http://idmanagement.gov + + + http://fips201ep.cio.gov + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + ACCESS CONTROL FOR TRANSMISSION MEDIUM + + organization-defined information system distribution and transmission lines + organization-defined information system distribution and transmission lines + + + organization-defined security safeguards + organization-defined security safeguards + + PE-4 + P1 + MODERATE + HIGH + +

The organization controls physical access to within organizational facilities using .

+
+ +

Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays.

+ + + + + + + +
+ +

Determine if the organization:

+ + PE-4[1] +

defines information system distribution and transmission lines requiring physical access controls;

+
+ + PE-4[2] +

defines security safeguards to be employed to control physical access to organization-defined information system distribution and transmission lines within organizational facilities; and

+
+ + PE-4[3] +

controls physical access to organization-defined information system distribution and transmission lines within organizational facilities using organization-defined security safeguards.

+
+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing access control for transmission medium

+

information system design documentation

+

facility communications and wiring diagrams

+

list of physical security safeguards applied to information system distribution and transmission lines

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for access control to distribution and transmission lines

+

automated mechanisms/security safeguards supporting and/or implementing access control to distribution and transmission lines

+
+ + + NSTISSI No. 7003 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + ACCESS CONTROL FOR OUTPUT DEVICES + PE-5 + P2 + MODERATE + HIGH + +

The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

+
+ +

Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices.

+ + + + +
+ +

Determine if the organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing access control for display medium

+

facility layout of information system components

+

actual displays from information system components

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with physical access control responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for access control to output devices

+

automated mechanisms supporting and/or implementing access control to output devices

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + MONITORING PHYSICAL ACCESS + + organization-defined frequency + organization-defined frequency + + + organization-defined events or potential indications of events + organization-defined events or potential indications of events + + PE-6 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + PE-6a. +

Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

+
+ + PE-6b. +

Reviews physical access logs and upon occurrence of ; and

+
+ + PE-6c. +

Coordinates results of reviews and investigations with the organizational incident response capability.

+
+
+ +

Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses.

+ + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + INTRUSION ALARMS / SURVEILLANCE EQUIPMENT + PE-6 (1) + MODERATE + HIGH + +

The organization monitors physical intrusion alarms and surveillance equipment.

+
+ +

Determine if the organization monitors physical intrusion alarms and surveillance equipment.

+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing physical access monitoring

+

security plan

+

physical access logs or records

+

physical access monitoring records

+

physical access log reviews

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with physical access monitoring responsibilities

+

organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for monitoring physical intrusion alarms and surveillance equipment

+

automated mechanisms supporting and/or implementing physical access monitoring

+

automated mechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment

+
+
+ +

Determine if the organization:

+ + PE-6(a) +

monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

+
+ + PE-6(b) + + PE-6(b)[1] +

defines the frequency to review physical access logs;

+
+ + PE-6(b)[2] +

defines events or potential indication of events requiring physical access logs to be reviewed;

+
+ + PE-6(b)[3] +

reviews physical access logs with the organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and

+
+
+ + PE-6(c) +

coordinates results of reviews and investigations with the organizational incident response capability.

+
+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing physical access monitoring

+

security plan

+

physical access logs or records

+

physical access monitoring records

+

physical access log reviews

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with physical access monitoring responsibilities

+

organizational personnel with incident response responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for monitoring physical access

+

automated mechanisms supporting and/or implementing physical access monitoring

+

automated mechanisms supporting and/or implementing reviewing of physical access logs

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + VISITOR ACCESS RECORDS + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + PE-8 + P3 + LOW + MODERATE + HIGH + +

The organization:

+ + PE-8a. +

Maintains visitor access records to the facility where the information system resides for ; and

+
+ + PE-8b. +

Reviews visitor access records .

+
+
+ +

Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas.

+
+ +

Determine if the organization:

+ + PE-8(a) + + PE-8(a)[1] +

defines the time period to maintain visitor access records to the facility where the information system resides;

+
+ + PE-8(a)[2] +

maintains visitor access records to the facility where the information system resides for the organization-defined time period;

+
+
+ + PE-8(b) + + PE-8(b)[1] +

defines the frequency to review visitor access records; and

+
+ + PE-8(b)[2] +

reviews visitor access records with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing visitor access records

+

security plan

+

visitor access control logs or records

+

visitor access record or log reviews

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with visitor access records responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for maintaining and reviewing visitor access records

+

automated mechanisms supporting and/or implementing maintenance and review of visitor access records

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + POWER EQUIPMENT AND CABLING + PE-9 + P1 + MODERATE + HIGH + +

The organization protects power equipment and power cabling for the information system from damage and destruction.

+
+ +

Organizations determine the types of protection necessary for power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. This includes, for example, generators and power cabling outside of buildings, internal cabling and uninterruptable power sources within an office or data center, and power sources for self-contained entities such as vehicles and satellites.

+ +
+ +

Determine if the organization protects power equipment and power cabling for the information system from damage and destruction.

+
+ + EXAMINE +

Physical and environmental protection policy

+

procedures addressing power equipment/cabling protection

+

facilities housing power equipment/cabling

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for protecting power equipment/cabling

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms supporting and/or implementing protection of power equipment/cabling

+
+
+
+ + PLANNING + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SECURITY PLANNING POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + PL-1 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + PL-1a. +

Develops, documents, and disseminates to :

+ + PL-1a.1. +

A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + PL-1a.2. +

Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and

+
+
+ + PL-1b. +

Reviews and updates the current:

+ + PL-1b.1. +

Security planning policy ; and

+
+ + PL-1b.2. +

Security planning procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if the organization:

+ + PL-1(a)(1) + + PL-1(a)(1)[1] +

develops and documents a planning policy that addresses:

+ + PL-1(a)(1)[1][a] +

purpose;

+
+ + PL-1(a)(1)[1][b] +

scope;

+
+ + PL-1(a)(1)[1][c] +

roles;

+
+ + PL-1(a)(1)[1][d] +

responsibilities;

+
+ + PL-1(a)(1)[1][e] +

management commitment;

+
+ + PL-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + PL-1(a)(1)[1][g] +

compliance;

+
+
+ + PL-1(a)(1)[2] +

defines personnel or roles to whom the planning policy is to be disseminated;

+
+ + PL-1(a)(1)[3] +

disseminates the planning policy to organization-defined personnel or roles;

+
+
+ + PL-1(a)(2) + + PL-1(a)(2)[1] +

develops and documents procedures to facilitate the implementation of the planning policy and associated planning controls;

+
+ + PL-1(a)(2)[2] +

defines personnel or roles to whom the procedures are to be disseminated;

+
+ + PL-1(a)(2)[3] +

disseminates the procedures to organization-defined personnel or roles;

+
+
+ + PL-1(b)(1) + + PL-1(b)(1)[1] +

defines the frequency to review and update the current planning policy;

+
+ + PL-1(b)(1)[2] +

reviews and updates the current planning policy with the organization-defined frequency;

+
+
+ + PL-1(b)(2) + + PL-1(b)(2)[1] +

defines the frequency to review and update the current planning procedures; and

+
+ + PL-1(b)(2)[2] +

reviews and updates the current planning procedures with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Planning policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with planning responsibilities

+

organizational personnel with information security responsibilities

+
+ + + NIST Special Publication 800-12 + + + NIST Special Publication 800-18 + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SYSTEM SECURITY PLAN + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + PL-2 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + PL-2a. +

Develops a security plan for the information system that:

+ + PL-2a.1. +

Is consistent with the organization�s enterprise architecture;

+
+ + PL-2a.2. +

Explicitly defines the authorization boundary for the system;

+
+ + PL-2a.3. +

Describes the operational context of the information system in terms of missions and business processes;

+
+ + PL-2a.4. +

Provides the security categorization of the information system including supporting rationale;

+
+ + PL-2a.5. +

Describes the operational environment for the information system and relationships with or connections to other information systems;

+
+ + PL-2a.6. +

Provides an overview of the security requirements for the system;

+
+ + PL-2a.7. +

Identifies any relevant overlays, if applicable;

+
+ + PL-2a.8. +

Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and

+
+ + PL-2a.9. +

Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

+
+
+ + PL-2b. +

Distributes copies of the security plan and communicates subsequent changes to the plan to ;

+
+ + PL-2c. +

Reviews the security plan for the information system ;

+
+ + PL-2d. +

Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and

+
+ + PL-2e. +

Protects the security plan from unauthorized disclosure and modification.

+
+
+ +

Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. +Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. 
For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.

+ + + + + + + + + + + + + + + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES + + organization-defined individuals or groups + organization-defined individuals or groups + + PL-2 (3) + MODERATE + HIGH + +

The organization plans and coordinates security-related activities affecting the information system with before conducting such activities in order to reduce the impact on other organizational entities.

+
+ +

Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate.

+ + +
+ +

Determine if the organization:

+ + PL-2(3)[1] +

defines individuals or groups with whom security-related activities affecting the information system are to be planned and coordinated before conducting such activities in order to reduce the impact on other organizational entities; and

+
+ + PL-2(3)[2] +

plans and coordinates security-related activities affecting the information system with organization-defined individuals or groups before conducting such activities in order to reduce the impact on other organizational entities.

+
+
+ + EXAMINE +

Security planning policy

+

access control policy

+

contingency planning policy

+

procedures addressing security-related activity planning for the information system

+

security plan for the information system

+

contingency plan for the information system

+

information system design documentation

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with security planning and plan implementation responsibilities

+

organizational individuals or groups with whom security-related activities are to be planned and coordinated

+

organizational personnel with information security responsibilities

+
+
+ +

Determine if the organization:

+ + PL-2(a) +

develops a security plan for the information system that:

+ + PL-2(a)(1) +

is consistent with the organization’s enterprise architecture;

+
+ + PL-2(a)(2) +

explicitly defines the authorization boundary for the system;

+
+ + PL-2(a)(3) +

describes the operational context of the information system in terms of missions and business processes;

+
+ + PL-2(a)(4) +

provides the security categorization of the information system including supporting rationale;

+
+ + PL-2(a)(5) +

describes the operational environment for the information system and relationships with or connections to other information systems;

+
+ + PL-2(a)(6) +

provides an overview of the security requirements for the system;

+
+ + PL-2(a)(7) +

identifies any relevant overlays, if applicable;

+
+ + PL-2(a)(8) +

describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions;

+
+ + PL-2(a)(9) +

is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

+
+
+ + PL-2(b) + + PL-2(b)[1] +

defines personnel or roles to whom copies of the security plan are to be distributed and subsequent changes to the plan are to be communicated;

+
+ + PL-2(b)[2] +

distributes copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or roles;

+
+
+ + PL-2(c) + + PL-2(c)[1] +

defines the frequency to review the security plan for the information system;

+
+ + PL-2(c)[2] +

reviews the security plan for the information system with the organization-defined frequency;

+
+
+ + PL-2(d) +

updates the plan to address:

+ + PL-2(d)[1] +

changes to the information system/environment of operation;

+
+ + PL-2(d)[2] +

problems identified during plan implementation;

+
+ + PL-2(d)[3] +

problems identified during security control assessments;

+
+
+ + PL-2(e) +

protects the security plan from unauthorized:

+ + PL-2(e)[1] +

disclosure; and

+
+ + PL-2(e)[2] +

modification.

+
+
+
+ + EXAMINE +

Security planning policy

+

procedures addressing security plan development and implementation

+

procedures addressing security plan reviews and updates

+

enterprise architecture documentation

+

security plan for the information system

+

records of security plan reviews and updates

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with security planning and plan implementation responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for security plan development/review/update/approval

+

automated mechanisms supporting the information system security plan

+
+ + + NIST Special Publication 800-18 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + RULES OF BEHAVIOR + + organization-defined frequency + organization-defined frequency + + PL-4 + P2 + LOW + MODERATE + HIGH + +

The organization:

+ + PL-4a. +

Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

+
+ + PL-4b. +

Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

+
+ + PL-4c. +

Reviews and updates the rules of behavior ; and

+
+ + PL-4d. +

Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

+
+
+ +

This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior.

+ + + + + + + + + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + SOCIAL MEDIA AND NETWORKING RESTRICTIONS + PL-4 (1) + MODERATE + HIGH + +

The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.

+
+ +

This control enhancement addresses rules of behavior related to the use of social media/networking sites: (i) when organizational personnel are using such sites for official duties or in the conduct of official business; (ii) when organizational information is involved in social media/networking transactions; and (iii) when personnel are accessing social media/networking sites from organizational information systems. Organizations also address specific rules that prevent unauthorized entities from obtaining and/or inferring non-public organizational information (e.g., system account information, personally identifiable information) from social media/networking sites.

+
+ +

Determine if the organization includes the following in the rules of behavior:

+ + PL-4(1)[1] +

explicit restrictions on the use of social media/networking sites; and

+
+ + PL-4(1)[2] +

posting organizational information on public websites.

+
+
+ + EXAMINE +

Security planning policy

+

procedures addressing rules of behavior for information system users

+

rules of behavior

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior

+

organizational personnel who are authorized users of the information system and have signed rules of behavior

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for establishing rules of behavior

+

automated mechanisms supporting and/or implementing the establishment of rules of behavior

+
+
+ +

Determine if the organization:

+ + PL-4(a) + + PL-4(a)[1] +

establishes, for individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

+
+ + PL-4(a)[2] +

makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

+
+
+ + PL-4(b) +

receives a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

+
+ + PL-4(c) + + PL-4(c)[1] +

defines the frequency to review and update the rules of behavior;

+
+ + PL-4(c)[2] +

reviews and updates the rules of behavior with the organization-defined frequency; and

+
+
+ + PL-4(d) +

requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.

+
+
+ + EXAMINE +

Security planning policy

+

procedures addressing rules of behavior for information system users

+

rules of behavior

+

signed acknowledgements

+

records for rules of behavior reviews and updates

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior

+

organizational personnel who are authorized users of the information system and have signed and resigned rules of behavior

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior

+

automated mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior

+
+ + + NIST Special Publication 800-18 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INFORMATION SECURITY ARCHITECTURE + + organization-defined frequency + organization-defined frequency + + PL-8 + P1 + MODERATE + HIGH + +

The organization:

+ + PL-8a. +

Develops an information security architecture for the information system that:

+ + PL-8a.1. +

Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;

+
+ + PL-8a.2. +

Describes how the information security architecture is integrated into and supports the enterprise architecture; and

+
+ + PL-8a.3. +

Describes any information security assumptions about, and dependencies on, external services;

+
+
+ + PL-8b. +

Reviews and updates the information security architecture to reflect updates in the enterprise architecture; and

+
+ + PL-8c. +

Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

+
+
+ +

This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs. +In today�s modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. 
PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate/show consistency with the organization�s enterprise architecture and information security architecture.

+ + + + + + + Appendix J +
+ +

Determine if the organization:

+ + PL-8(a) +

develops an information security architecture for the information system that describes:

+ + PL-8(a)(1) +

the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;

+
+ + PL-8(a)(2) +

how the information security architecture is integrated into and supports the enterprise architecture;

+
+ + PL-8(a)(3) +

any information security assumptions about, and dependencies on, external services;

+
+
+ + PL-8(b) + + PL-8(b)[1] +

defines the frequency to review and update the information security architecture;

+
+ + PL-8(b)[2] +

reviews and updates the information security architecture with the organization-defined frequency to reflect updates in the enterprise architecture;

+
+
+ + PL-8(c) +

ensures that planned information security architecture changes are reflected in:

+ + PL-8(c)[1] +

the security plan;

+
+ + PL-8(c)[2] +

the security Concept of Operations (CONOPS); and

+
+ + PL-8(c)[3] +

the organizational procurements/acquisitions.

+
+
+
+ + EXAMINE +

Security planning policy

+

procedures addressing information security architecture development

+

procedures addressing information security architecture reviews and updates

+

enterprise architecture documentation

+

information security architecture documentation

+

security plan for the information system

+

security CONOPS for the information system

+

records of information security architecture reviews and updates

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with security planning and plan implementation responsibilities

+

organizational personnel with information security architecture development responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for developing, reviewing, and updating the information security architecture

+

automated mechanisms supporting and/or implementing the development, review, and update of the information security architecture

+
+
+
+ + PERSONNEL SECURITY + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + PERSONNEL SECURITY POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + PS-1 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + PS-1a. +

Develops, documents, and disseminates to :

+ + PS-1a.1. +

A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + PS-1a.2. +

Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and

+
+
+ + PS-1b. +

Reviews and updates the current:

+ + PS-1b.1. +

Personnel security policy ; and

+
+ + PS-1b.2. +

Personnel security procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if the organization:

+ + PS-1(a)(1) + + PS-1(a)(1)[1] +

develops and documents an personnel security policy that addresses:

+ + PS-1(a)(1)[1][a] +

purpose;

+
+ + PS-1(a)(1)[1][b] +

scope;

+
+ + PS-1(a)(1)[1][c] +

roles;

+
+ + PS-1(a)(1)[1][d] +

responsibilities;

+
+ + PS-1(a)(1)[1][e] +

management commitment;

+
+ + PS-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + PS-1(a)(1)[1][g] +

compliance;

+
+
+ + PS-1(a)(1)[2] +

defines personnel or roles to whom the personnel security policy is to be disseminated;

+
+ + PS-1(a)(1)[3] +

disseminates the personnel security policy to organization-defined personnel or roles;

+
+
+ + PS-1(a)(2) + + PS-1(a)(2)[1] +

develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls;

+
+ + PS-1(a)(2)[2] +

defines personnel or roles to whom the procedures are to be disseminated;

+
+ + PS-1(a)(2)[3] +

disseminates the procedures to organization-defined personnel or roles;

+
+
+ + PS-1(b)(1) + + PS-1(b)(1)[1] +

defines the frequency to review and update the current personnel security policy;

+
+ + PS-1(b)(1)[2] +

reviews and updates the current personnel security policy with the organization-defined frequency;

+
+
+ + PS-1(b)(2) + + PS-1(b)(2)[1] +

defines the frequency to review and update the current personnel security procedures; and

+
+ + PS-1(b)(2)[2] +

reviews and updates the current personnel security procedures with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Personnel security policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with access control responsibilities

+

organizational personnel with information security responsibilities

+
+ + + NIST Special Publication 800-12 + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + POSITION RISK DESIGNATION + + organization-defined frequency + organization-defined frequency + + PS-2 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + PS-2a. +

Assigns a risk designation to all organizational positions;

+
+ + PS-2b. +

Establishes screening criteria for individuals filling those positions; and

+
+ + PS-2c. +

Reviews and updates position risk designations .

+
+
+ +

Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances).

+ + + +
+ +

Determine if the organization:

+ + PS-2(a) +

assigns a risk designation to all organizational positions;

+
+ + PS-2(b) +

establishes screening criteria for individuals filling those positions;

+
+ + PS-2(c) + + PS-2(c)[1] +

defines the frequency to review and update position risk designations; and

+
+ + PS-2(c)[2] +

reviews and updates position risk designations with the organization-defined frequency.

+
+
+
+ + EXAMINE +

Personnel security policy

+

procedures addressing position categorization

+

appropriate codes of federal regulations

+

list of risk designations for organizational positions

+

security plan

+

records of position risk designation reviews and updates

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for assigning, reviewing, and updating position risk designations

+

organizational processes for establishing screening criteria

+
+ + + 5 C.F.R. 731.106 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + PERSONNEL SCREENING + + organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + + PS-3 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + PS-3a. +

Screens individuals prior to authorizing access to the information system; and

+
+ + PS-3b. +

Rescreens individuals according to .

+
+
+ +

Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.

+ + + + +
+ +

Determine if the organization:

+ + PS-3(a) +

screens individuals prior to authorizing access to the information system;

+
+ + PS-3(b) + + PS-3(b)[1] +

defines conditions requiring re-screening;

+
+ + PS-3(b)[2] +

defines the frequency of re-screening where it is so indicated; and

+
+ + PS-3(b)[3] +

re-screens individuals in accordance with organization-defined conditions requiring re-screening and, where re-screening is so indicated, with the organization-defined frequency of such re-screening.

+
+
+
+ + EXAMINE +

Personnel security policy

+

procedures addressing personnel screening

+

records of screened personnel

+

security plan

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for personnel screening

+
+ + + 5 C.F.R. 731.106 + + + FIPS Publication 199 + + + FIPS Publication 201 + + + NIST Special Publication 800-60 + + + NIST Special Publication 800-73 + + + NIST Special Publication 800-76 + + + NIST Special Publication 800-78 + + + ICD 704 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + PERSONNEL TERMINATION + + organization-defined time period + organization-defined time period + + + organization-defined information security topics + organization-defined information security topics + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + PS-4 + P1 + LOW + MODERATE + HIGH + +

The organization, upon termination of individual employment:

+ + PS-4a. +

Disables information system access within ;

+
+ + PS-4b. +

Terminates/revokes any authenticators/credentials associated with the individual;

+
+ + PS-4c. +

Conducts exit interviews that include a discussion of ;

+
+ + PS-4d. +

Retrieves all security-related organizational information system-related property;

+
+ + PS-4e. +

Retains access to organizational information and information systems formerly controlled by terminated individual; and

+
+ + PS-4f. +

Notifies within .

+
+
+ +

Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified.

+ + + + + +
+ +

Determine if the organization, upon termination of individual employment,:

+ + PS-4(a) + + PS-4(a)[1] +

defines a time period within which to disable information system access;

+
+ + PS-4(a)[2] +

disables information system access within the organization-defined time period;

+
+
+ + PS-4(b) +

terminates/revokes any authenticators/credentials associated with the individual;

+
+ + PS-4(c) + + PS-4(c)[1] +

defines information security topics to be discussed when conducting exit interviews;

+
+ + PS-4(c)[2] +

conducts exit interviews that include a discussion of organization-defined information security topics;

+
+
+ + PS-4(d) +

retrieves all security-related organizational information system-related property;

+
+ + PS-4(e) +

retains access to organizational information and information systems formerly controlled by the terminated individual;

+
+ + PS-4(f) + + PS-4(f)[1] +

defines personnel or roles to be notified of the termination;

+
+ + PS-4(f)[2] +

defines the time period within which to notify organization-defined personnel or roles; and

+
+ + PS-4(f)[3] +

notifies organization-defined personnel or roles within the organization-defined time period.

+
+
+
+ + EXAMINE +

Personnel security policy

+

procedures addressing personnel termination

+

records of personnel termination actions

+

list of information system accounts

+

records of terminated or revoked authenticators/credentials

+

records of exit interviews

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with personnel security responsibilities

+

organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for personnel termination

+

automated mechanisms supporting and/or implementing personnel termination notifications

+

automated mechanisms for disabling information system access/revoking authenticators

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + PERSONNEL TRANSFER + + organization-defined transfer or reassignment actions + organization-defined transfer or reassignment actions + + + organization-defined time period following the formal transfer action + organization-defined time period following the formal transfer action + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + PS-5 + P2 + LOW + MODERATE + HIGH + +

The organization:

+ + PS-5a. +

Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;

+
+ + PS-5b. +

Initiates within ;

+
+ + PS-5c. +

Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

+
+ + PS-5d. +

Notifies within .

+
+
+ +

This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts.

+ + + + +
+ +

Determine if the organization:

+ + PS-5(a) +

when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current:

+ + PS-5(a)[1] +

logical access authorizations to information systems;

+
+ + PS-5(a)[2] +

physical access authorizations to information systems and facilities;

+
+
+ + PS-5(b) + + PS-5(b)[1] +

defines transfer or reassignment actions to be initiated following transfer or reassignment;

+
+ + PS-5(b)[2] +

defines the time period within which transfer or reassignment actions must occur following transfer or reassignment;

+
+ + PS-5(b)[3] +

initiates organization-defined transfer or reassignment actions within the organization-defined time period following transfer or reassignment;

+
+
+ + PS-5(c) +

modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer;

+
+ + PS-5(d) + + PS-5(d)[1] +

defines personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization;

+
+ + PS-5(d)[2] +

defines the time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization; and

+
+ + PS-5(d)[3] +

notifies organization-defined personnel or roles within the organization-defined time period when individuals are reassigned or transferred to other positions within the organization.

+
+
+
+ + EXAMINE +

Personnel security policy

+

procedures addressing personnel transfer

+

security plan

+

records of personnel transfer actions

+

list of information system and facility access authorizations

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with personnel security responsibilities organizational personnel with account management responsibilities

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for personnel transfer

+

automated mechanisms supporting and/or implementing personnel transfer notifications

+

automated mechanisms for disabling information system access/revoking authenticators

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + ACCESS AGREEMENTS + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + PS-6 + P3 + LOW + MODERATE + HIGH + +

The organization:

+ + PS-6a. +

Develops and documents access agreements for organizational information systems;

+
+ + PS-6b. +

Reviews and updates the access agreements ; and

+
+ + PS-6c. +

Ensures that individuals requiring access to organizational information and information systems:

+ + PS-6c.1. +

Sign appropriate access agreements prior to being granted access; and

+
+ + PS-6c.2. +

Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or .

+
+
+
+ +

Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

+ + + + + +
+ +

Determine if the organization:

+ + PS-6(a) +

develops and documents access agreements for organizational information systems;

+
+ + PS-6(b) + + PS-6(b)[1] +

defines the frequency to review and update the access agreements;

+
+ + PS-6(b)[2] +

reviews and updates the access agreements with the organization-defined frequency;

+
+
+ + PS-6(c) + + PS-6(c)(1) +

ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;

+
+ + PS-6(c)(2) + + PS-6(c)(2)[1] +

defines the frequency to re-sign access agreements to maintain access to organizational information systems when access agreements have been updated;

+
+ + PS-6(c)(2)[2] +

ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or with the organization-defined frequency.

+
+
+
+
+ + EXAMINE +

Personnel security policy

+

procedures addressing access agreements for organizational information and information systems

+

security plan

+

access agreements

+

records of access agreement reviews and updates

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with personnel security responsibilities

+

organizational personnel who have signed/resigned access agreements

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for access agreements

+

automated mechanisms supporting access agreements

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + THIRD-PARTY PERSONNEL SECURITY + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + PS-7 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + PS-7a. +

Establishes personnel security requirements including security roles and responsibilities for third-party providers;

+
+ + PS-7b. +

Requires third-party providers to comply with personnel security policies and procedures established by the organization;

+
+ + PS-7c. +

Documents personnel security requirements;

+
+ + PS-7d. +

Requires third-party providers to notify of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within ; and

+
+ + PS-7e. +

Monitors provider compliance.

+
+
+ +

Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated.

+ + + + + + + +
+ +

Determine if the organization:

+ + PS-7(a) +

establishes personnel security requirements, including security roles and responsibilities, for third-party providers;

+
+ + PS-7(b) +

requires third-party providers to comply with personnel security policies and procedures established by the organization;

+
+ + PS-7(c) +

documents personnel security requirements;

+
+ + PS-7(d) + + PS-7(d)[1] +

defines personnel or roles to be notified of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;

+
+ + PS-7(d)[2] +

defines the time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;

+
+ + PS-7(d)[3] +

requires third-party providers to notify organization-defined personnel or roles within the organization-defined time period of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges; and

+
+
+ + PS-7(e) +

monitors provider compliance.

+
+
+ + EXAMINE +

Personnel security policy

+

procedures addressing third-party personnel security

+

list of personnel security requirements

+

acquisition documents

+

service-level agreements

+

compliance monitoring process

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with personnel security responsibilities

+

third-party providers

+

system/network administrators

+

organizational personnel with account management responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for managing and monitoring third-party personnel security

+

automated mechanisms supporting and/or implementing monitoring of provider compliance

+
+ + + NIST Special Publication 800-35 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + PERSONNEL SANCTIONS + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + PS-8 + P3 + LOW + MODERATE + HIGH + +

The organization:

+ + PS-8a. +

Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and

+
+ + PS-8b. +

Notifies within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

+
+
+ +

Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

+ + +
+ +

Determine if the organization:

+ + PS-8(a) +

employs a formal sanctions process for individuals failing to comply with established information security policies and procedures;

+
+ + PS-8(b) + + PS-8(b)[1] +

defines personnel or roles to be notified when a formal employee sanctions process is initiated;

+
+ + PS-8(b)[2] +

defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated; and

+
+ + PS-8(b)[3] +

notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

+
+
+
+ + EXAMINE +

Personnel security policy

+

procedures addressing personnel sanctions

+

rules of behavior

+

records of formal sanctions

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with personnel security responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for managing personnel sanctions

+

automated mechanisms supporting and/or implementing notifications

+
+
+
+ + RISK ASSESSMENT + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + RISK ASSESSMENT POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + RA-1 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + RA-1a. +

Develops, documents, and disseminates to :

+ + RA-1a.1. +

A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + RA-1a.2. +

Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and

+
+
+ + RA-1b. +

Reviews and updates the current:

+ + RA-1b.1. +

Risk assessment policy ; and

+
+ + RA-1b.2. +

Risk assessment procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if the organization:

+ + RA-1(a)(1) + + RA-1(a)(1)[1] +

develops and documents a risk assessment policy that addresses:

+ + RA-1(a)(1)[1][a] +

purpose;

+
+ + RA-1(a)(1)[1][b] +

scope;

+
+ + RA-1(a)(1)[1][c] +

roles;

+
+ + RA-1(a)(1)[1][d] +

responsibilities;

+
+ + RA-1(a)(1)[1][e] +

management commitment;

+
+ + RA-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + RA-1(a)(1)[1][g] +

compliance;

+
+
+ + RA-1(a)(1)[2] +

defines personnel or roles to whom the risk assessment policy is to be disseminated;

+
+ + RA-1(a)(1)[3] +

disseminates the risk assessment policy to organization-defined personnel or roles;

+
+
+ + RA-1(a)(2) + + RA-1(a)(2)[1] +

develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls;

+
+ + RA-1(a)(2)[2] +

defines personnel or roles to whom the procedures are to be disseminated;

+
+ + RA-1(a)(2)[3] +

disseminates the procedures to organization-defined personnel or roles;

+
+
+ + RA-1(b)(1) + + RA-1(b)(1)[1] +

defines the frequency to review and update the current risk assessment policy;

+
+ + RA-1(b)(1)[2] +

reviews and updates the current risk assessment policy with the organization-defined frequency;

+
+
+ + RA-1(b)(2) + + RA-1(b)(2)[1] +

defines the frequency to review and update the current risk assessment procedures; and

+
+ + RA-1(b)(2)[2] +

reviews and updates the current risk assessment procedures with the organization-defined frequency.

+
+
+
+ + EXAMINE +

risk assessment policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with risk assessment responsibilities

+

organizational personnel with information security responsibilities

+
+ + + NIST Special Publication 800-12 + + + NIST Special Publication 800-30 + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SECURITY CATEGORIZATION + RA-2 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + RA-2a. +

Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

+
+ + RA-2b. +

Documents the security categorization results (including supporting rationale) in the security plan for the information system; and

+
+ + RA-2c. +

Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

+
+
+ +

Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.

+ + + + +
+ +

Determine if the organization:

+ + RA-2(a) +

categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

+
+ + RA-2(b) +

documents the security categorization results (including supporting rationale) in the security plan for the information system; and

+
+ + RA-2(c) +

ensures the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

+
+
+ + EXAMINE +

Risk assessment policy

+

security planning policy and procedures

+

procedures addressing security categorization of organizational information and information systems

+

security plan

+

security categorization documentation

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with security categorization and risk assessment responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for security categorization

+
+ + + FIPS Publication 199 + + + NIST Special Publication 800-30 + + + NIST Special Publication 800-39 + + + NIST Special Publication 800-60 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + RISK ASSESSMENT + + organization-defined document + organization-defined document + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + RA-3 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + RA-3a. +

Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;

+
+ + RA-3b. +

Documents risk assessment results in [Selection: security plan; risk assessment report; ];

+
+ + RA-3c. +

Reviews risk assessment results ;

+
+ + RA-3d. +

Disseminates risk assessment results to ; and

+
+ + RA-3e. +

Updates the risk assessment or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

+
+
+ +

Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. +Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation.

+ + +
+ +

Determine if the organization:

+ + RA-3(a) +

conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of:

+ + RA-3(a)[1] +

the information system;

+
+ + RA-3(a)[2] +

the information the system processes, stores, or transmits;

+
+
+ + RA-3(b) + + RA-3(b)[1] +

defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report);

+
+ + RA-3(b)[2] +

documents risk assessment results in one of the following:

+ + RA-3(b)[2][a] +

the security plan;

+
+ + RA-3(b)[2][b] +

the risk assessment report; or

+
+ + RA-3(b)[2][c] +

the organization-defined document;

+
+
+
+ + RA-3(c) + + RA-3(c)[1] +

defines the frequency to review risk assessment results;

+
+ + RA-3(c)[2] +

reviews risk assessment results with the organization-defined frequency;

+
+
+ + RA-3(d) + + RA-3(d)[1] +

defines personnel or roles to whom risk assessment results are to be disseminated;

+
+ + RA-3(d)[2] +

disseminates risk assessment results to organization-defined personnel or roles;

+
+
+ + RA-3(e) + + RA-3(e)[1] +

defines the frequency to update the risk assessment;

+
+ + RA-3(e)[2] +

updates the risk assessment:

+ + RA-3(e)[2][a] +

with the organization-defined frequency;

+
+ + RA-3(e)[2][b] +

whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); and

+
+ + RA-3(e)[2][c] +

whenever there are other conditions that may impact the security state of the system.

+
+
+
+
+ + EXAMINE +

Risk assessment policy

+

security planning policy and procedures

+

procedures addressing organizational assessments of risk

+

security plan

+

risk assessment

+

risk assessment results

+

risk assessment reviews

+

risk assessment updates

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with risk assessment responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for risk assessment

+

automated mechanisms supporting and/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment

+
+ + + OMB Memorandum 04-04 + + + NIST Special Publication 800-30 + + + NIST Special Publication 800-39 + + + http://idmanagement.gov + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + VULNERABILITY SCANNING + + organization-defined frequency and/or randomly in accordance with organization-defined process + organization-defined frequency and/or randomly in accordance with organization-defined process + + + organization-defined response times + organization-defined response times + + + organization-defined personnel or roles + organization-defined personnel or roles + + RA-5 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + RA-5a. +

Scans for vulnerabilities in the information system and hosted applications and when new vulnerabilities potentially affecting the system/applications are identified and reported;

+
+ + RA-5b. +

Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

+ + RA-5b.1. +

Enumerating platforms, software flaws, and improper configurations;

+
+ + RA-5b.2. +

Formatting checklists and test procedures; and

+
+ + RA-5b.3. +

Measuring vulnerability impact;

+
+
+ + RA-5c. +

Analyzes vulnerability scan reports and results from security control assessments;

+
+ + RA-5d. +

Remediates legitimate vulnerabilities in accordance with an organizational assessment of risk; and

+
+ + RA-5e. +

Shares information obtained from the vulnerability scanning process and security control assessments with to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

+
+
+ +

Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

+ + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + UPDATE TOOL CAPABILITY + RA-5 (1) + MODERATE + HIGH + +

The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

+
+ +

The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible.

+ + +
+ +

Determine if the organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

+
+ + EXAMINE +

Procedures addressing vulnerability scanning

+

security plan

+

security assessment report

+

vulnerability scanning tools and associated configuration documentation

+

vulnerability scanning results

+

patch and vulnerability management records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with vulnerability scanning responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for vulnerability scanning

+

automated mechanisms/tools supporting and/or implementing vulnerability scanning

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED + + organization-defined frequency + organization-defined frequency + + RA-5 (2) + MODERATE + HIGH + +

The organization updates the information system vulnerabilities scanned [Selection (one or more): ; prior to a new scan; when new vulnerabilities are identified and reported].

+
+ + + + + +

Determine if the organization:

+ + RA-5(2)[1] +

defines the frequency to update the information system vulnerabilities scanned;

+
+ + RA-5(2)[2] +

updates the information system vulnerabilities scanned one or more of the following:

+ + RA-5(2)[2][a] +

with the organization-defined frequency;

+
+ + RA-5(2)[2][b] +

prior to a new scan; and/or

+
+ + RA-5(2)[2][c] +

when new vulnerabilities are identified and reported.

+
+
+
+ + EXAMINE +

Procedures addressing vulnerability scanning

+

security plan

+

security assessment report

+

vulnerability scanning tools and associated configuration documentation

+

vulnerability scanning results

+

patch and vulnerability management records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for vulnerability scanning

+

automated mechanisms/tools supporting and/or implementing vulnerability scanning

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PRIVILEGED ACCESS + + organization-identified information system components + organization-identified information system components + + + organization-defined vulnerability scanning activities + organization-defined vulnerability scanning activities + + RA-5 (5) + MODERATE + HIGH + +

The information system implements privileged access authorization to for selected .

+
+ +

In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning.

+
+ +

Determine if:

+ + RA-5(5)[1] +

the organization defines information system components to which privileged access is authorized for selected vulnerability scanning activities;

+
+ + RA-5(5)[2] +

the organization defines vulnerability scanning activities selected for privileged access authorization to organization-defined information system components; and

+
+ + RA-5(5)[3] +

the information system implements privileged access authorization to organization-defined information system components for selected organization-defined vulnerability scanning activities.

+
+
+ + EXAMINE +

Risk assessment policy

+

procedures addressing vulnerability scanning

+

security plan

+

information system design documentation

+

information system configuration settings and associated documentation

+

list of information system components for vulnerability scanning

+

personnel access authorization list

+

authorization credentials

+

access authorization records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with vulnerability scanning responsibilities

+

system/network administrators

+

organizational personnel responsible for access control to the information system

+

organizational personnel responsible for configuration management of the information system

+

system developers

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for vulnerability scanning

+

organizational processes for access control

+

automated mechanisms supporting and/or implementing access control

+

automated mechanisms/tools supporting and/or implementing vulnerability scanning

+
+
+ +

Determine if the organization:

+ + RA-5(a) + + RA-5(a)[1] + + RA-5(a)[1][a] +

defines the frequency for conducting vulnerability scans on the information system and hosted applications; and/or

+
+ + RA-5(a)[1][b] +

defines the process for conducting random vulnerability scans on the information system and hosted applications;

+
+
+ + RA-5(a)[2] +

in accordance with the organization-defined frequency and/or organization-defined process for conducting random scans, scans for vulnerabilities in:

+ + RA-5(a)[2][a] +

the information system;

+
+ + RA-5(a)[2][b] +

hosted applications;

+
+
+ + RA-5(a)[3] +

when new vulnerabilities potentially affecting the system/applications are identified and reported, scans for vulnerabilities in:

+ + RA-5(a)[3][a] +

the information system;

+
+ + RA-5(a)[3][b] +

hosted applications;

+
+
+
+ + RA-5(b) +

employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

+ + RA-5(b)(1) + + RA-5(b)(1)[1] +

enumerating platforms;

+
+ + RA-5(b)(1)[2] +

enumerating software flaws;

+
+ + RA-5(b)(1)[3] +

enumerating improper configurations;

+
+
+ + RA-5(b)(2) + + RA-5(b)(2)[1] +

formatting checklists;

+
+ + RA-5(b)(2)[2] +

formatting test procedures;

+
+
+ + RA-5(b)(3) +

measuring vulnerability impact;

+
+
+ + RA-5(c) + + RA-5(c)[1] +

analyzes vulnerability scan reports;

+
+ + RA-5(c)[2] +

analyzes results from security control assessments;

+
+
+ + RA-5(d) + + RA-5(d)[1] +

defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;

+
+ + RA-5(d)[2] +

remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk;

+
+
+ + RA-5(e) + + RA-5(e)[1] +

defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared;

+
+ + RA-5(e)[2] +

shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies); and

+
+ + RA-5(e)[3] +

shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

+
+
+
+ + EXAMINE +

Risk assessment policy

+

procedures addressing vulnerability scanning

+

risk assessment

+

security plan

+

security assessment report

+

vulnerability scanning tools and associated configuration documentation

+

vulnerability scanning results

+

patch and vulnerability management records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with risk assessment, security control assessment and vulnerability scanning responsibilities

+

organizational personnel with vulnerability scan analysis responsibilities

+

organizational personnel with vulnerability remediation responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for vulnerability scanning, analysis, remediation, and information sharing

+

automated mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing

+
+ + + NIST Special Publication 800-40 + + + NIST Special Publication 800-70 + + + NIST Special Publication 800-115 + + + http://cwe.mitre.org + + + http://nvd.nist.gov + + +
+
+ + SYSTEM AND SERVICES ACQUISITION + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + SA-1 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + SA-1a. +

Develops, documents, and disseminates to :

+ + SA-1a.1. +

A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + SA-1a.2. +

Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and

+
+
+ + SA-1b. +

Reviews and updates the current:

+ + SA-1b.1. +

System and services acquisition policy ; and

+
+ + SA-1b.2. +

System and services acquisition procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if the organization:

+ + SA-1(a)(1) + + SA-1(a)(1)[1] +

develops and documents a system and services acquisition policy that addresses:

+ + SA-1(a)(1)[1][a] +

purpose;

+
+ + SA-1(a)(1)[1][b] +

scope;

+
+ + SA-1(a)(1)[1][c] +

roles;

+
+ + SA-1(a)(1)[1][d] +

responsibilities;

+
+ + SA-1(a)(1)[1][e] +

management commitment;

+
+ + SA-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + SA-1(a)(1)[1][g] +

compliance;

+
+
+ + SA-1(a)(1)[2] +

defines personnel or roles to whom the system and services acquisition policy is to be disseminated;

+
+ + SA-1(a)(1)[3] +

disseminates the system and services acquisition policy to organization-defined personnel or roles;

+
+
+ + SA-1(a)(2) + + SA-1(a)(2)[1] +

develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls;

+
+ + SA-1(a)(2)[2] +

defines personnel or roles to whom the procedures are to be disseminated;

+
+ + SA-1(a)(2)[3] +

disseminates the procedures to organization-defined personnel or roles;

+
+
+ + SA-1(b)(1) + + SA-1(b)(1)[1] +

defines the frequency to review and update the current system and services acquisition policy;

+
+ + SA-1(b)(1)[2] +

reviews and updates the current system and services acquisition policy with the organization-defined frequency;

+
+
+ + SA-1(b)(2) + + SA-1(b)(2)[1] +

defines the frequency to review and update the current system and services acquisition procedures; and

+
+ + SA-1(b)(2)[2] +

reviews and updates the current system and services acquisition procedures with the organization-defined frequency.

+
+
+
+ + EXAMINE +

System and services acquisition policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with system and services acquisition responsibilities

+

organizational personnel with information security responsibilities

+
+ + + NIST Special Publication 800-12 + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + DEVELOPER CONFIGURATION MANAGEMENT + + organization-defined configuration items under configuration management + organization-defined configuration items under configuration management + + + organization-defined personnel + organization-defined personnel + + SA-10 + P1 + MODERATE + HIGH + +

The organization requires the developer of the information system, system component, or information system service to:

+ + SA-10a. +

Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];

+
+ + SA-10b. +

Document, manage, and control the integrity of changes to ;

+
+ + SA-10c. +

Implement only organization-approved changes to the system, component, or service;

+
+ + SA-10d. +

Document approved changes to the system, component, or service and the potential security impacts of such changes; and

+
+ + SA-10e. +

Track security flaws and flaw resolution within the system, component, or service and report findings to .

+
+
+ +

This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle.

+ + + + + +
+ +

Determine if the organization:

+ + SA-10(a) +

requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following:

+ + SA-10(a)[1] +

system, component, or service design;

+
+ + SA-10(a)[2] +

system, component, or service development;

+
+ + SA-10(a)[3] +

system, component, or service implementation; and/or

+
+ + SA-10(a)[4] +

system, component, or service operation;

+
+
+ + SA-10(b) + + SA-10(b)[1] +

defines configuration items to be placed under configuration management;

+
+ + SA-10(b)[2] +

requires the developer of the information system, system component, or information system service to:

+ + SA-10(b)[2][a] +

document the integrity of changes to organization-defined items under configuration management;

+
+ + SA-10(b)[2][b] +

manage the integrity of changes to organization-defined items under configuration management;

+
+ + SA-10(b)[2][c] +

control the integrity of changes to organization-defined items under configuration management;

+
+
+
+ + SA-10(c) +

requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service;

+
+ + SA-10(d) +

requires the developer of the information system, system component, or information system service to document:

+ + SA-10(d)[1] +

approved changes to the system, component, or service;

+
+ + SA-10(d)[2] +

the potential security impacts of such changes;

+
+
+ + SA-10(e) + + SA-10(e)[1] +

defines personnel to whom findings, resulting from security flaws and flaw resolution tracked within the system, component, or service, are to be reported;

+
+ + SA-10(e)[2] +

requires the developer of the information system, system component, or information system service to:

+ + SA-10(e)[2][a] +

track security flaws within the system, component, or service;

+
+ + SA-10(e)[2][b] +

track security flaw resolution within the system, component, or service; and

+
+ + SA-10(e)[2][c] +

report findings to organization-defined personnel.

+
+
+
+
+ + EXAMINE +

System and services acquisition policy

+

procedures addressing system developer configuration management

+

solicitation documentation

+

acquisition documentation

+

service-level agreements

+

acquisition contracts for the information system, system component, or information system service

+

system developer configuration management plan

+

security flaw and flaw resolution tracking records

+

system change authorization records

+

change control records

+

configuration management records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with system and services acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with configuration management responsibilities

+

system developers

+
+ + TEST +

Organizational processes for monitoring developer configuration management

+

automated mechanisms supporting and/or implementing the monitoring of developer configuration management

+
+ + + NIST Special Publication 800-128 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + DEVELOPER SECURITY TESTING AND EVALUATION + + organization-defined depth and coverage + organization-defined depth and coverage + + SA-11 + P1 + MODERATE + HIGH + +

The organization requires the developer of the information system, system component, or information system service to:

+ + SA-11a. +

Create and implement a security assessment plan;

+
+ + SA-11b. +

Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at ;

+
+ + SA-11c. +

Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;

+
+ + SA-11d. +

Implement a verifiable flaw remediation process; and

+
+ + SA-11e. +

Correct flaws identified during security testing/evaluation.

+
+
+ +

Developmental security testing/evaluation occurs at all post-design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. 
Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements.

+ + + + + + +
+ +

Determine if the organization:

+ + SA-11(a) +

requires the developer of the information system, system component, or information system service to create and implement a security plan;

+
+ + SA-11(b) + + SA-11(b)[1] +

defines the depth of testing/evaluation to be performed by the developer of the information system, system component, or information system service;

+
+ + SA-11(b)[2] +

defines the coverage of testing/evaluation to be performed by the developer of the information system, system component, or information system service;

+
+ + SA-11(b)[3] +

requires the developer of the information system, system component, or information system service to perform one or more of the following testing/evaluation at the organization-defined depth and coverage:

+ + SA-11(b)[3][a] +

unit testing/evaluation;

+
+ + SA-11(b)[3][b] +

integration testing/evaluation;

+
+ + SA-11(b)[3][c] +

system testing/evaluation; and/or

+
+ + SA-11(b)[3][d] +

regression testing/evaluation;

+
+
+
+ + SA-11(c) +

requires the developer of the information system, system component, or information system service to produce evidence of:

+ + SA-11(c)[1] +

the execution of the security assessment plan;

+
+ + SA-11(c)[2] +

the results of the security testing/evaluation;

+
+
+ + SA-11(d) +

requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process; and

+
+ + SA-11(e) +

requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation.

+
+
+ + EXAMINE +

System and services acquisition policy

+

procedures addressing system developer security testing

+

procedures addressing flaw remediation

+

solicitation documentation

+

acquisition documentation

+

service-level agreements

+

acquisition contracts for the information system, system component, or information system service

+

system developer security test plans

+

records of developer security testing results for the information system, system component, or information system service

+

security flaw and remediation tracking records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with system and services acquisition responsibilities

+

organizational personnel with information security responsibilities

+

organizational personnel with developer security testing responsibilities

+

system developers

+
+ + TEST +

Organizational processes for monitoring developer security testing and evaluation

+

automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation

+
+ + + ISO/IEC 15408 + + + NIST Special Publication 800-53A + + + http://nvd.nist.gov + + + http://cwe.mitre.org + + + http://cve.mitre.org + + + http://capec.mitre.org + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + ALLOCATION OF RESOURCES + SA-2 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + SA-2a. +

Determines information security requirements for the information system or information system service in mission/business process planning;

+
+ + SA-2b. +

Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and

+
+ + SA-2c. +

Establishes a discrete line item for information security in organizational programming and budgeting documentation.

+
+
+ +

Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service.

+ + +
+ +

Determine if the organization:

+ + SA-2(a) +

determines information security requirements for the information system or information system service in mission/business process planning;

+
+ + SA-2(b) +

to protect the information system or information system service as part of its capital planning and investment control process:

+ + SA-2(b)[1] +

determines the resources required;

+
+ + SA-2(b)[2] +

documents the resources required;

+
+ + SA-2(b)[3] +

allocates the resources required; and

+
+
+ + SA-2(c) +

establishes a discrete line item for information security in organizational programming and budgeting documentation.

+
+
+ + EXAMINE +

System and services acquisition policy

+

procedures addressing the allocation of resources to information security requirements

+

procedures addressing capital planning and investment control

+

organizational programming and budgeting documentation

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with capital planning, investment control, organizational programming and budgeting responsibilities

+

organizational personnel responsible for determining information security requirements for information systems/services

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for determining information security requirements

+

organizational processes for capital planning, programming, and budgeting

+

automated mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting

+
+ + + NIST Special Publication 800-65 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SYSTEM DEVELOPMENT LIFE CYCLE + + organization-defined system development life cycle + organization-defined system development life cycle + + SA-3 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + SA-3a. +

Manages the information system using that incorporates information security considerations;

+
+ + SA-3b. +

Defines and documents information security roles and responsibilities throughout the system development life cycle;

+
+ + SA-3c. +

Identifies individuals having information security roles and responsibilities; and

+
+ + SA-3d. +

Integrates the organizational information security risk management process into system development life cycle activities.

+
+
+ +

A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies.

+ + + +
+ +

Determine if the organization:

+ + SA-3(a) + + SA-3(a)[1] +

defines a system development life cycle that incorporates information security considerations to be used to manage the information system;

+
+ + SA-3(a)[2] +

manages the information system using the organization-defined system development life cycle;

+
+
+ + SA-3(b) +

defines and documents information security roles and responsibilities throughout the system development life cycle;

+
+ + SA-3(c) +

identifies individuals having information security roles and responsibilities; and

+
+ + SA-3(d) +

integrates the organizational information security risk management process into system development life cycle activities.

+
+
+ + EXAMINE +

System and services acquisition policy

+

procedures addressing the integration of information security into the system development life cycle process

+

information system development life cycle documentation

+

information security risk management strategy/program documentation

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with information security and system life cycle development responsibilities

+

organizational personnel with information security risk management responsibilities

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for defining and documenting the SDLC

+

organizational processes for identifying SDLC roles and responsibilities

+

organizational process for integrating information security risk management into the SDLC

+

automated mechanisms supporting and/or implementing the SDLC

+
+ + + NIST Special Publication 800-37 + + + NIST Special Publication 800-64 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + ACQUISITION PROCESS + SA-4 + P1 + LOW + MODERATE + HIGH + +

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

+ + SA-4a. +

Security functional requirements;

+
+ + SA-4b. +

Security strength requirements;

+
+ + SA-4c. +

Security assurance requirements;

+
+ + SA-4d. +

Security-related documentation requirements;

+
+ + SA-4e. +

Requirements for protecting security-related documentation;

+
+ + SA-4f. +

Description of the information system development environment and environment in which the system is intended to operate; and

+
+ + SA-4g. +

Acceptance criteria.

+
+
+ +

Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. +Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). 
Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA.

+ + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + FUNCTIONAL PROPERTIES OF SECURITY CONTROLS + SA-4 (1) + MODERATE + HIGH + +

The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

+
+ +

Functional properties of security controls describe the functionality (i.e., security capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.

+ +
+ +

Determine if the organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

+
+ + EXAMINE +

System and services acquisition policy

+

procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

+

solicitation documents

+

acquisition documentation

+

acquisition contracts for the information system, system component, or information system services

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with responsibility for determining information system security functional requirements

+

information system developer or service provider

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for determining information system security functional, requirements

+

organizational processes for developing acquisition contracts

+

automated mechanisms supporting and/or implementing acquisitions and inclusion of security requirements in contracts

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS + + organization-defined design/implementation information + organization-defined design/implementation information + + + organization-defined level of detail + organization-defined level of detail + + SA-4 (2) + MODERATE + HIGH + +

The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; ] at .

+
+ +

Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system.

+ +
+ +

Determine if the organization:

+ + SA-4(2)[1] +

defines level of detail that the developer is required to provide in design and implementation information for the security controls to be employed in the information system, system component, or information system service;

+
+ + SA-4(2)[2] +

defines design/implementation information that the developer is to provide for the security controls to be employed (if selected);

+
+ + SA-4(2)[3] +

requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes, at the organization-defined level of detail, one or more of the following:

+ + SA-4(2)[3][a] +

security-relevant external system interfaces;

+
+ + SA-4(2)[3][b] +

high-level design;

+
+ + SA-4(2)[3][c] +

low-level design;

+
+ + SA-4(2)[3][d] +

source code;

+
+ + SA-4(2)[3][e] +

hardware schematics; and/or

+
+ + SA-4(2)[3][f] +

organization-defined design/implementation information.

+
+
+
+ + EXAMINE +

System and services acquisition policy

+

procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

+

solicitation documents

+

acquisition documentation

+

acquisition contracts for the information system, system components, or information system services

+

design and implementation information for security controls employed in the information system, system component, or information system service

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with responsibility for determining information system security requirements

+

information system developer or service provider

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for determining level of detail for system design and security controls

+

organizational processes for developing acquisition contracts

+

automated mechanisms supporting and/or implementing development of system design details

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE + SA-4 (9) + MODERATE + HIGH + +

The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

+
+ +

The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design phases) allows organizations to influence the design of the information system, information system component, or information system service. This early involvement in the life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services (or when requiring information system service providers to do so). Early identification of functions, ports, protocols, and services avoids costly retrofitting of security controls after the information system, system component, or information system service has been implemented. SA-9 describes requirements for external information system services with organizations identifying which functions, ports, protocols, and services are provided from external sources.

+ + +
+ +

Determine if the organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle:

+ + SA-4(9)[1] +

the functions intended for organizational use;

+
+ + SA-4(9)[2] +

the ports intended for organizational use;

+
+ + SA-4(9)[3] +

the protocols intended for organizational use; and

+
+ + SA-4(9)[4] +

the services intended for organizational use.

+
+
+ + EXAMINE +

System and services acquisition policy

+

procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

+

information system design documentation

+

information system documentation including functions, ports, protocols, and services intended for organizational use

+

acquisition contracts for information systems or services

+

acquisition documentation

+

solicitation documentation

+

service-level agreements

+

organizational security requirements, descriptions, and criteria for developers of information systems, system components, and information system services

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with responsibility for determining information system security requirements

+

system/network administrators

+

organizational personnel operating, using, and/or maintaining the information system

+

information system developers

+

organizational personnel with information security responsibilities

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + USE OF APPROVED PIV PRODUCTS + SA-4 (10) + LOW + MODERATE + HIGH + +

The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

+
+ + + + + +

Determine if the organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

+
+ + EXAMINE +

System and services acquisition policy

+

procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

+

solicitation documentation

+

acquisition documentation

+

acquisition contracts for the information system, system component, or information system service

+

service-level agreements

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with responsibility for determining information system security requirements

+

organizational personnel with responsibility for ensuring only FIPS 201-approved products are implemented

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for selecting and employing FIPS 201-approved products

+
+
+ +

Determine if the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

+ + SA-4(a) +

security functional requirements;

+
+ + SA-4(b) +

security strength requirements;

+
+ + SA-4(c) +

security assurance requirements;

+
+ + SA-4(d) +

security-related documentation requirements;

+
+ + SA-4(e) +

requirements for protecting security-related documentation;

+
+ + SA-4(f) +

description of:

+ + SA-4(f)[1] +

the information system development environment;

+
+ + SA-4(f)[2] +

the environment in which the system is intended to operate; and

+
+
+ + SA-4(g) +

acceptance criteria.

+
+
+ + EXAMINE +

System and services acquisition policy

+

procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

+

acquisition contracts for the information system, system component, or information system service

+

information system design documentation

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with responsibility for determining information system security functional, strength, and assurance requirements

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for determining information system security functional, strength, and assurance requirements

+

organizational processes for developing acquisition contracts

+

automated mechanisms supporting and/or implementing acquisitions and inclusion of security requirements in contracts

+
+ + + HSPD-12 + + + ISO/IEC 15408 + + + FIPS Publication 140-2 + + + FIPS Publication 201 + + + NIST Special Publication 800-23 + + + NIST Special Publication 800-35 + + + NIST Special Publication 800-36 + + + NIST Special Publication 800-37 + + + NIST Special Publication 800-64 + + + NIST Special Publication 800-70 + + + NIST Special Publication 800-137 + + + Federal Acquisition Regulation + + + http://www.niap-ccevs.org + + + http://fips201ep.cio.gov + + + http://www.acquisition.gov/far + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INFORMATION SYSTEM DOCUMENTATION + + organization-defined actions + organization-defined actions + + + organization-defined personnel or roles + organization-defined personnel or roles + + SA-5 + P2 + LOW + MODERATE + HIGH + +

The organization:

+ + SA-5a. +

Obtains administrator documentation for the information system, system component, or information system service that describes:

+ + SA-5a.1. +

Secure configuration, installation, and operation of the system, component, or service;

+
+ + SA-5a.2. +

Effective use and maintenance of security functions/mechanisms; and

+
+ + SA-5a.3. +

Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

+
+
+ + SA-5b. +

Obtains user documentation for the information system, system component, or information system service that describes:

+ + SA-5b.1. +

User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;

+
+ + SA-5b.2. +

Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and

+
+ + SA-5b.3. +

User responsibilities in maintaining the security of the system, component, or service;

+
+
+ + SA-5c. +

Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes in response;

+
+ + SA-5d. +

Protects documentation as required, in accordance with the risk management strategy; and

+
+ + SA-5e. +

Distributes documentation to .

+
+
+ +

This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation.

+ + + + + + + +
+ +

Determine if the organization:

+ + SA-5(a) +

obtains administrator documentation for the information system, system component, or information system service that describes:

+ + SA-5(a)(1) + + SA-5(a)(1)[1] +

secure configuration of the system, system component, or service;

+
+ + SA-5(a)(1)[2] +

secure installation of the system, system component, or service;

+
+ + SA-5(a)(1)[3] +

secure operation of the system, system component, or service;

+
+
+ + SA-5(a)(2) + + SA-5(a)(2)[1] +

effective use of the security features/mechanisms;

+
+ + SA-5(a)(2)[2] +

effective maintenance of the security features/mechanisms;

+
+
+ + SA-5(a)(3) +

known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

+
+
+ + SA-5(b) +

obtains user documentation for the information system, system component, or information system service that describes:

+ + SA-5(b)(1) + + SA-5(b)(1)[1] +

user-accessible security functions/mechanisms;

+
+ + SA-5(b)(1)[2] +

how to effectively use those functions/mechanisms;

+
+
+ + SA-5(b)(2) +

methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner;

+
+ + SA-5(b)(3) +

user responsibilities in maintaining the security of the system, component, or service;

+
+
+ + SA-5(c) + + SA-5(c)[1] +

defines actions to be taken after documented attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;

+
+ + SA-5(c)[2] +

documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;

+
+ + SA-5(c)[3] +

takes organization-defined actions in response;

+
+
+ + SA-5(d) +

protects documentation as required, in accordance with the risk management strategy;

+
+ + SA-5(e) + + SA-5(e)[1] +

defines personnel or roles to whom documentation is to be distributed; and

+
+ + SA-5(e)[2] +

distributes documentation to organization-defined personnel or roles.

+
+
+
+ + EXAMINE +

System and services acquisition policy

+

procedures addressing information system documentation

+

information system documentation including administrator and user guides

+

records documenting attempts to obtain unavailable or nonexistent information system documentation

+

list of actions to be taken in response to documented attempts to obtain information system, system component, or information system service documentation

+

risk management strategy documentation

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with responsibility for determining information system security requirements

+

system administrators

+

organizational personnel operating, using, and/or maintaining the information system

+

information system developers

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for obtaining, protecting, and distributing information system administrator and user documentation

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SECURITY ENGINEERING PRINCIPLES + SA-8 + P1 + MODERATE + HIGH + +

The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

+
+ +

Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions.

+ + + + + + +
+ +

Determine if the organization applies information system security engineering principles in:

+ + SA-8[1] +

the specification of the information system;

+
+ + SA-8[2] +

the design of the information system;

+
+ + SA-8[3] +

the development of the information system;

+
+ + SA-8[4] +

the implementation of the information system; and

+
+ + SA-8[5] +

the modification of the information system.

+
+
+ + EXAMINE +

System and services acquisition policy

+

procedures addressing security engineering principles used in the specification, design, development, implementation, and modification of the information system

+

information system design documentation

+

information security requirements and specifications for the information system

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with acquisition/contracting responsibilities

+

organizational personnel with responsibility for determining information system security requirements

+

organizational personnel with information system specification, design, development, implementation, and modification responsibilities

+

information system developers

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for applying security engineering principles in information system specification, design, development, implementation, and modification

+

automated mechanisms supporting the application of security engineering principles in information system specification, design, development, implementation, and modification

+
+ + + NIST Special Publication 800-27 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + EXTERNAL INFORMATION SYSTEM SERVICES + + organization-defined security controls + organization-defined security controls + + + organization-defined processes, methods, and techniques + organization-defined processes, methods, and techniques + + SA-9 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + SA-9a. +

Requires that providers of external information system services comply with organizational information security requirements and employ in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

+
+ + SA-9b. +

Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and

+
+ + SA-9c. +

Employs to monitor security control compliance by external service providers on an ongoing basis.

+
+
+ +

External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

+ + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES + + organization-defined external information system services + organization-defined external information system services + + SA-9 (2) + MODERATE + HIGH + +

The organization requires providers of to identify the functions, ports, protocols, and other services required for the use of such services.

+
+ +

Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions/services or blocking certain ports/protocols.

+ +
+ +

Determine if the organization:

+ + SA-9(2)[1] +

defines external information system services for which providers of such services are to identify the functions, ports, protocols, and other services required for the use of such services;

+
+ + SA-9(2)[2] +

requires providers of organization-defined external information system services to identify:

+ + SA-9(2)[2][a] +

the functions required for the use of such services;

+
+ + SA-9(2)[2][b] +

the ports required for the use of such services;

+
+ + SA-9(2)[2][c] +

the protocols required for the use of such services; and

+
+ + SA-9(2)[2][d] +

the other services required for the use of such services.

+
+
+
+ + EXAMINE +

System and services acquisition policy

+

procedures addressing external information system services

+

acquisition contracts for the information system, system component, or information system service

+

acquisition documentation

+

solicitation documentation, service-level agreements

+

organizational security requirements and security specifications for external service providers

+

list of required functions, ports, protocols, and other services

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with system and services acquisition responsibilities

+

organizational personnel with information security responsibilities

+

system/network administrators

+

external providers of information system services

+
+
+ +

Determine if the organization:

+ + SA-9(a) + + SA-9(a)[1] +

defines security controls to be employed by providers of external information system services;

+
+ + SA-9(a)[2] +

requires that providers of external information system services comply with organizational information security requirements;

+
+ + SA-9(a)[3] +

requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

+
+
+ + SA-9(b) + + SA-9(b)[1] +

defines and documents government oversight with regard to external information system services;

+
+ + SA-9(b)[2] +

defines and documents user roles and responsibilities with regard to external information system services;

+
+
+ + SA-9(c) + + SA-9(c)[1] +

defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers; and

+
+ + SA-9(c)[2] +

employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.

+
+
+
+ + EXAMINE +

System and services acquisition policy

+

procedures addressing external information system services

+

procedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services

+

acquisition contracts, service-level agreements

+

organizational security requirements and security specifications for external provider services

+

security control assessment evidence from external providers of information system services

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with system and services acquisition responsibilities

+

external providers of information system services

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for monitoring security control compliance by external service providers on an ongoing basis

+

automated mechanisms for monitoring security control compliance by external service providers on an ongoing basis

+
+ + + NIST Special Publication 800-35 + + +
+
+ + SYSTEM AND COMMUNICATIONS PROTECTION + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + SC-1 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + SC-1a. +

Develops, documents, and disseminates to :

+ + SC-1a.1. +

A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + SC-1a.2. +

Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and

+
+
+ + SC-1b. +

Reviews and updates the current:

+ + SC-1b.1. +

System and communications protection policy ; and

+
+ + SC-1b.2. +

System and communications protection procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if the organization:

+ + SC-1(a)(1) + + SC-1(a)(1)[1] +

develops and documents a system and communications protection policy that addresses:

+ + SC-1(a)(1)[1][a] +

purpose;

+
+ + SC-1(a)(1)[1][b] +

scope;

+
+ + SC-1(a)(1)[1][c] +

roles;

+
+ + SC-1(a)(1)[1][d] +

responsibilities;

+
+ + SC-1(a)(1)[1][e] +

management commitment;

+
+ + SC-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + SC-1(a)(1)[1][g] +

compliance;

+
+
+ + SC-1(a)(1)[2] +

defines personnel or roles to whom the system and communications protection policy is to be disseminated;

+
+ + SC-1(a)(1)[3] +

disseminates the system and communications protection policy to organization-defined personnel or roles;

+
+
+ + SC-1(a)(2) + + SC-1(a)(2)[1] +

develops and documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls;

+
+ + SC-1(a)(2)[2] +

defines personnel or roles to whom the procedures are to be disseminated;

+
+ + SC-1(a)(2)[3] +

disseminates the procedures to organization-defined personnel or roles;

+
+
+ + SC-1(b)(1) + + SC-1(b)(1)[1] +

defines the frequency to review and update the current system and communications protection policy;

+
+ + SC-1(b)(1)[2] +

reviews and updates the current system and communications protection policy with the organization-defined frequency;

+
+
+ + SC-1(b)(2) + + SC-1(b)(2)[1] +

defines the frequency to review and update the current system and communications protection procedures; and

+
+ + SC-1(b)(2)[2] +

reviews and updates the current system and communications protection procedures with the organization-defined frequency.

+
+
+
+ + EXAMINE +

System and communications protection policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with system and communications protection responsibilities

+

organizational personnel with information security responsibilities

+
+ + + NIST Special Publication 800-12 + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + NETWORK DISCONNECT + + organization-defined time period + organization-defined time period + + SC-10 + P2 + MODERATE + HIGH + +

The information system terminates the network connection associated with a communications session at the end of the session or after of inactivity.

+
+ +

This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses.

+
+ +

Determine if:

+ + SC-10[1] +

the organization defines a time period of inactivity after which the information system terminates a network connection associated with a communications session; and

+
+ + SC-10[2] +

the information system terminates the network connection associated with a communication session at the end of the session or after the organization-defined time period of inactivity.

+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing network disconnect

+

information system design documentation

+

security plan

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+ + TEST +

Automated mechanisms supporting and/or implementing network disconnect capability

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT + + organization-defined requirements for key generation, distribution, storage, access, and destruction + organization-defined requirements for key generation, distribution, storage, access, and destruction + + SC-12 + P1 + LOW + MODERATE + HIGH + +

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with .

+
+ +

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.

+ + +
+ +

Determine if the organization:

+ + SC-12[1] +

defines requirements for cryptographic key:

+ + SC-12[1][a] +

generation;

+
+ + SC-12[1][b] +

distribution;

+
+ + SC-12[1][c] +

storage;

+
+ + SC-12[1][d] +

access;

+
+ + SC-12[1][e] +

destruction; and

+
+
+ + SC-12[2] +

establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction.

+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing cryptographic key establishment and management

+

information system design documentation

+

cryptographic mechanisms

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for cryptographic key establishment and/or management

+
+ + TEST +

Automated mechanisms supporting and/or implementing cryptographic key establishment and management

+
+ + + NIST Special Publication 800-56 + + + NIST Special Publication 800-57 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + CRYPTOGRAPHIC PROTECTION + + organization-defined cryptographic uses and type of cryptography required for each use + organization-defined cryptographic uses and type of cryptography required for each use + + SC-13 + P1 + LOW + MODERATE + HIGH + +

The information system implements in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

+
+ +

Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).

+ + + + + + + + + + + + + + + + + + + + +
+ +

Determine if:

+ + SC-13[1] +

the organization defines cryptographic uses; and

+
+ + SC-13[2] +

the organization defines the type of cryptography required for each use; and

+
+ + SC-13[3] +

the information system implements the organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing cryptographic protection

+

information system design documentation

+

information system configuration settings and associated documentation

+

cryptographic module validation certificates

+

list of FIPS validated cryptographic modules

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with responsibilities for cryptographic protection

+
+ + TEST +

Automated mechanisms supporting and/or implementing cryptographic protection

+
+ + + FIPS Publication 140 + + + http://csrc.nist.gov/cryptval + + + http://www.cnss.gov + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + COLLABORATIVE COMPUTING DEVICES + + organization-defined exceptions where remote activation is to be allowed + organization-defined exceptions where remote activation is to be allowed + + SC-15 + P1 + LOW + MODERATE + HIGH + +

The information system:

+ + SC-15a. +

Prohibits remote activation of collaborative computing devices with the following exceptions: ; and

+
+ + SC-15b. +

Provides an explicit indication of use to users physically present at the devices.

+
+
+ +

Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.

+ +
+ +

Determine if:

+ + SC-15(a) + + SC-15(a)[1] +

the organization defines exceptions where remote activation of collaborative computing devices is to be allowed;

+
+ + SC-15(a)[2] +

the information system prohibits remote activation of collaborative computing devices, except for organization-defined exceptions where remote activation is to be allowed; and

+
+
+ + SC-15(b) +

the information system provides an explicit indication of use to users physically present at the devices.

+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing collaborative computing

+

access control policy and procedures

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with responsibilities for managing collaborative computing devices

+
+ + TEST +

Automated mechanisms supporting and/or implementing management of remote activation of collaborative computing devices

+

automated mechanisms providing an indication of use of collaborative computing devices

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + PUBLIC KEY INFRASTRUCTURE CERTIFICATES + + organization-defined certificate policy + organization-defined certificate policy + + SC-17 + P1 + MODERATE + HIGH + +

The organization issues public key certificates under an or obtains public key certificates from an approved service provider.

+
+ +

For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application-specific time services.

+ +
+ +

Determine if the organization:

+ + SC-17[1] +

defines a certificate policy for issuing public key certificates;

+
+ + SC-17[2] +

issues public key certificates:

+ + SC-17[2][a] +

under an organization-defined certificate policy: or

+
+ + SC-17[2][b] +

obtains public key certificates from an approved service provider.

+
+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing public key infrastructure certificates

+

public key certificate policy or policies

+

public key issuing process

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for issuing public key certificates

+

service providers

+
+ + TEST +

Automated mechanisms supporting and/or implementing the management of public key infrastructure certificates

+
+ + + OMB Memorandum 05-24 + + + NIST Special Publication 800-32 + + + NIST Special Publication 800-63 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + MOBILE CODE + SC-18 + P2 + MODERATE + HIGH + +

The organization:

+ + SC-18a. +

Defines acceptable and unacceptable mobile code and mobile code technologies;

+
+ + SC-18b. +

Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and

+
+ + SC-18c. +

Authorizes, monitors, and controls the use of mobile code within the information system.

+
+
+ +

Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems.

+ + + + + +
+ +

Determine if the organization:

+ + SC-18(a) +

defines acceptable and unacceptable mobile code and mobile code technologies;

+
+ + SC-18(b) + + SC-18(b)[1] +

establishes usage restrictions for acceptable mobile code and mobile code technologies;

+
+ + SC-18(b)[2] +

establishes implementation guidance for acceptable mobile code and mobile code technologies;

+
+
+ + SC-18(c) + + SC-18(c)[1] +

authorizes the use of mobile code within the information system;

+
+ + SC-18(c)[2] +

monitors the use of mobile code within the information system; and

+
+ + SC-18(c)[3] +

controls the use of mobile code within the information system.

+
+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing mobile code

+

mobile code usage restrictions, mobile code implementation policy and procedures

+

list of acceptable mobile code and mobile code technologies

+

list of unacceptable mobile code and mobile technologies

+

authorization records

+

information system monitoring records

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for managing mobile code

+
+ + TEST +

Organizational process for controlling, authorizing, monitoring, and restricting mobile code

+

automated mechanisms supporting and/or implementing the management of mobile code

+

automated mechanisms supporting and/or implementing the monitoring of mobile code

+
+ + + NIST Special Publication 800-28 + + + DoD Instruction 8552.01 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + VOICE OVER INTERNET PROTOCOL + SC-19 + P1 + MODERATE + HIGH + +

The organization:

+ + SC-19a. +

Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and

+
+ + SC-19b. +

Authorizes, monitors, and controls the use of VoIP within the information system.

+
+
+ + + + + + +

Determine if the organization:

+ + SC-19(a) + + SC-19(a)[1] +

establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;

+
+ + SC-19(a)[2] +

establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;

+
+
+ + SC-19(b) + + SC-19(b)[1] +

authorizes the use of VoIP within the information system;

+
+ + SC-19(b)[2] +

monitors the use of VoIP within the information system; and

+
+ + SC-19(b)[3] +

controls the use of VoIP within the information system.

+
+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing VoIP

+

VoIP usage restrictions

+

VoIP implementation guidance

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system monitoring records

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for managing VoIP

+
+ + TEST +

Organizational process for authorizing, monitoring, and controlling VoIP

+

automated mechanisms supporting and/or implementing authorizing, monitoring, and controlling VoIP

+
+ + + NIST Special Publication 800-58 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + APPLICATION PARTITIONING + SC-2 + P1 + MODERATE + HIGH + +

The information system separates user functionality (including user interface services) from information system management functionality.

+
+ +

Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.

+ + + +
+ +

Determine if the information system separates user functionality (including user interface services) from information system management functionality.

+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing application partitioning

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+ + TEST +

Separation of user functionality from information system management functionality

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) + SC-20 + P1 + LOW + MODERATE + HIGH + +

The information system:

+ + SC-20a. +

Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

+
+ + SC-20b. +

Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

+
+
+ +

This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data.

+ + + + + + +
+ +

Determine if the information system:

+ + SC-20(a) +

provides additional data origin and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries;

+
+ + SC-20(b) +

provides the means to, when operating as part of a distributed, hierarchical namespace:

+ + SC-20(b)[1] +

indicate the security status of child zones; and

+
+ + SC-20(b)[2] +

enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

+
+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing secure name/address resolution service (authoritative source)

+

information system design documentation

+

information system configuration settings and associated documentation

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for managing DNS

+
+ + TEST +

Automated mechanisms supporting and/or implementing secure name/address resolution service

+
+ + + OMB Memorandum 08-23 + + + NIST Special Publication 800-81 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) + SC-21 + P1 + LOW + MODERATE + HIGH + +

The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

+
+ +

Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.

+ + +
+ +

Determine if the information system:

+ + SC-21[1] +

requests data origin authentication on the name/address resolution responses the system receives from authoritative sources;

+
+ + SC-21[2] +

requests data integrity verification on the name/address resolution responses the system receives from authoritative sources;

+
+ + SC-21[3] +

performs data origin authentication on the name/address resolution responses the system receives from authoritative sources; and

+
+ + SC-21[4] +

performs data integrity verification on the name/address resolution responses the system receives from authoritative sources.

+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing secure name/address resolution service (recursive or caching resolver)

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for managing DNS

+
+ + TEST +

Automated mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services

+
+ + + NIST Special Publication 800-81 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE + SC-22 + P1 + LOW + MODERATE + HIGH + +

The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

+
+ +

Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists).

+ + + + +
+ +

Determine if the information systems that collectively provide name/address resolution service for an organization:

+ + SC-22[1] +

are fault tolerant; and

+
+ + SC-22[2] +

implement internal/external role separation.

+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing architecture and provisioning for name/address resolution service

+

access control policy and procedures

+

information system design documentation

+

assessment results from independent, testing organizations

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with responsibilities for managing DNS

+
+ + TEST +

Automated mechanisms supporting and/or implementing name/address resolution service for fault tolerance and role separation

+
+ + + NIST Special Publication 800-81 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SESSION AUTHENTICITY + SC-23 + P1 + MODERATE + HIGH + +

The information system protects the authenticity of communications sessions.

+
+ +

This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.

+ + + +
+ +

Determine if the information system protects the authenticity of communications sessions.

+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing session authenticity

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Automated mechanisms supporting and/or implementing session authenticity

+
+ + + NIST Special Publication 800-52 + + + NIST Special Publication 800-77 + + + NIST Special Publication 800-95 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + PROTECTION OF INFORMATION AT REST + + organization-defined information at rest + organization-defined information at rest + + SC-28 + P1 + MODERATE + HIGH + +

The information system protects the [Selection (one or more): confidentiality; integrity] of .

+
+ +

This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest.

+ + + + + + + + + + + +
+ +

Determine if:

+ + SC-28[1] +

the organization defines information at rest requiring one or more of the following:

+ + SC-28[1][a] +

confidentiality protection; and/or

+
+ + SC-28[1][b] +

integrity protection;

+
+
+ + SC-28[2] +

the information system protects:

+ + SC-28[2][a] +

the confidentiality of organization-defined information at rest; and/or

+
+ + SC-28[2][b] +

the integrity of organization-defined information at rest.

+
+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing protection of information at rest

+

information system design documentation

+

information system configuration settings and associated documentation

+

cryptographic mechanisms and associated configuration documentation

+

list of information at rest requiring confidentiality and integrity protections

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+ + TEST +

Automated mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest

+
+ + + NIST Special Publication 800-56 + + + NIST Special Publication 800-57 + + + NIST Special Publication 800-111 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + PROCESS ISOLATION + SC-39 + P1 + LOW + MODERATE + HIGH + +

The information system maintains a separate execution domain for each executing process.

+
+ +

Information systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each information system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is available in most commercial operating systems that employ multi-state processor technologies.

+ + + + + + + + +
+ +

Determine if the information system maintains a separate execution domain for each executing process.

+
+ + EXAMINE +

Information system design documentation

+

information system architecture

+

independent verification and validation documentation

+

testing and evaluation documentation, other relevant documents or records

+
+ + INTERVIEW +

Information system developers/integrators

+

information system security architect

+
+ + TEST +

Automated mechanisms supporting and/or implementing separate execution domains for each executing process

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INFORMATION IN SHARED RESOURCES + SC-4 + P1 + MODERATE + HIGH + +

The information system prevents unauthorized and unintended information transfer via shared system resources.

+
+ +

This control prevents information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users/roles.

+ + + +
+ +

Determine if the information system prevents unauthorized and unintended information transfer via shared system resources.

+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing information protection in shared system resources

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+ + TEST +

Automated mechanisms preventing unauthorized and unintended transfer of information via shared system resources

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + DENIAL OF SERVICE PROTECTION + + organization-defined types of denial of service attacks or references to sources for such information + organization-defined types of denial of service attacks or references to sources for such information + + + organization-defined security safeguards + organization-defined security safeguards + + SC-5 + P1 + LOW + MODERATE + HIGH + +

The information system protects against or limits the effects of the following types of denial of service attacks: by employing .

+
+ +

A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.

+ + +
+ +

Determine if:

+ + SC-5[1] +

the organization defines types of denial of service attacks or reference to source of such information for the information system to protect against or limit the effects;

+
+ + SC-5[2] +

the organization defines security safeguards to be employed by the information system to protect against or limit the effects of organization-defined types of denial of service attacks; and

+
+ + SC-5[3] +

the information system protects against or limits the effects of the organization-defined denial or service attacks (or reference to source for such information) by employing organization-defined security safeguards.

+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing denial of service protection

+

information system design documentation

+

security plan

+

list of denial of services attacks requiring employment of security safeguards to protect against or limit effects of such attacks

+

list of security safeguards protecting against or limiting the effects of denial of service attacks

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with incident response responsibilities

+

system developer

+
+ + TEST +

Automated mechanisms protecting against or limiting the effects of denial of service attacks

+
+
+ + RESOURCE AVAILABILITY + + organization-defined resources + organization-defined resources + + + organization-defined security safeguards + organization-defined security safeguards + + SC-6 + P0 + +

The information system protects the availability of resources by allocating by [Selection (one or more); priority; quota; ].

+
+ +

Priority protection helps prevent lower-priority processes from delaying or interfering with the information system servicing any higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to information system components for which there are only single users/roles.

+
+ +

Determine if:

+ + SC-6[1] +

the organization defines resources to be allocated to protect the availability of resources;

+
+ + SC-6[2] +

the organization defines security safeguards to be employed to protect the availability of resources;

+
+ + SC-6[3] +

the information system protects the availability of resources by allocating organization-defined resources by one or more of the following:

+ + SC-6[3][a] +

priority;

+
+ + SC-6[3][b] +

quota; and/or

+
+ + SC-6[3][c] +

organization-defined safeguards.

+
+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing prioritization of information system resources

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+ + TEST +

Automated mechanisms supporting and/or implementing resource allocation capability

+

safeguards employed to protect availability of resources

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + BOUNDARY PROTECTION + SC-7 + P1 + LOW + MODERATE + HIGH + +

The information system:

+ + SC-7a. +

Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;

+
+ + SC-7b. +

Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and

+
+ + SC-7c. +

Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

+
+
+ +

Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.

+ + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + ACCESS POINTS + SC-7 (3) + MODERATE + HIGH + +

The organization limits the number of external network connections to the information system.

+
+ +

Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections.

+
+ +

Determine if the organization limits the number of external network connections to the information system.

+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing boundary protection

+

information system design documentation

+

boundary protection hardware and software

+

information system architecture and configuration documentation

+

information system configuration settings and associated documentation

+

communications and network traffic monitoring logs

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with boundary protection responsibilities

+
+ + TEST +

Automated mechanisms implementing boundary protection capability

+

automated mechanisms limiting the number of external network connections to the information system

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + EXTERNAL TELECOMMUNICATIONS SERVICES + + organization-defined frequency + organization-defined frequency + + SC-7 (4) + MODERATE + HIGH + +

The organization:

+ + SC-7 (4)(a) +

Implements a managed interface for each external telecommunication service;

+
+ + SC-7 (4)(b) +

Establishes a traffic flow policy for each managed interface;

+
+ + SC-7 (4)(c) +

Protects the confidentiality and integrity of the information being transmitted across each interface;

+
+ + SC-7 (4)(d) +

Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and

+
+ + SC-7 (4)(e) +

Reviews exceptions to the traffic flow policy and removes exceptions that are no longer supported by an explicit mission/business need.

+
+
+ + + + +

Determine if the organization:

+ + SC-7(4)(a) +

implements a managed interface for each external telecommunication service;

+
+ + SC-7(4)(b) +

establishes a traffic flow policy for each managed interface;

+
+ + SC-7(4)(c) +

protects the confidentiality and integrity of the information being transmitted across each interface;

+
+ + SC-7(4)(d) +

documents each exception to the traffic flow policy with:

+ + SC-7(4)(d)[1] +

a supporting mission/business need;

+
+ + SC-7(4)(d)[2] +

duration of that need;

+
+
+ + SC-7(4)(e) + + SC-7(4)(e)[1] +

defines a frequency to review exceptions to traffic flow policy;

+
+ + SC-7(4)(e)[2] +

reviews exceptions to the traffic flow policy with the organization-defined frequency; and

+
+ + SC-7(4)(e)[3] +

removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need

+
+
+
+ + EXAMINE +

System and communications protection policy

+

traffic flow policy

+

information flow control policy

+

procedures addressing boundary protection

+

information system security architecture

+

information system design documentation

+

boundary protection hardware and software

+

information system architecture and configuration documentation

+

information system configuration settings and associated documentation

+

records of traffic flow policy exceptions

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel with boundary protection responsibilities

+
+ + TEST +

Organizational processes for documenting and reviewing exceptions to the traffic flow policy

+

organizational processes for removing exceptions to the traffic flow policy

+

automated mechanisms implementing boundary protection capability

+

managed interfaces implementing traffic flow policy

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + DENY BY DEFAULT / ALLOW BY EXCEPTION + SC-7 (5) + MODERATE + HIGH + +

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

+
+ +

This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

+
+ +

Determine if the information system, at managed interfaces:

+ + SC-7(5)[1] +

denies network traffic by default; and

+
+ + SC-7(5)[2] +

allows network traffic by exception.

+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing boundary protection

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with boundary protection responsibilities

+
+ + TEST +

Automated mechanisms implementing traffic management at managed interfaces

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + PREVENT SPLIT TUNNELING FOR REMOTE DEVICES + SC-7 (7) + MODERATE + HIGH + +

The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

+
+ +

This control enhancement is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being readily configurable by users. This control enhancement is implemented within the information system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local information system resources such as printers/file servers. However, split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling.

+
+ +

Determine if the information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing boundary protection

+

information system design documentation

+

information system hardware and software

+

information system architecture

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with boundary protection responsibilities

+
+ + TEST +

Automated mechanisms implementing boundary protection capability

+

automated mechanisms supporting/restricting non-remote connections

+
+
+ +

Determine if the information system:

+ + SC-7(a) + + SC-7(a)[1] +

monitors communications at the external boundary of the information system;

+
+ + SC-7(a)[2] +

monitors communications at key internal boundaries within the system;

+
+ + SC-7(a)[3] +

controls communications at the external boundary of the information system;

+
+ + SC-7(a)[4] +

controls communications at key internal boundaries within the system;

+
+
+ + SC-7(b) +

implements subnetworks for publicly accessible system components that are either:

+ + SC-7(b)[1] +

physically separated from internal organizational networks; and/or

+
+ + SC-7(b)[2] +

logically separated from internal organizational networks; and

+
+
+ + SC-7(c) +

connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing boundary protection

+

list of key internal boundaries of the information system

+

information system design documentation

+

boundary protection hardware and software

+

information system configuration settings and associated documentation

+

enterprise security architecture documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+

organizational personnel with boundary protection responsibilities

+
+ + TEST +

Automated mechanisms implementing boundary protection capability

+
+ + + FIPS Publication 199 + + + NIST Special Publication 800-41 + + + NIST Special Publication 800-77 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + TRANSMISSION CONFIDENTIALITY AND INTEGRITY + SC-8 + P1 + MODERATE + HIGH + +

The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.

+
+ +

This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk.

+ + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION + + organization-defined alternative physical safeguards + organization-defined alternative physical safeguards + + SC-8 (1) + MODERATE + HIGH + +

The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by .

+
+ +

Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems.

+ +
+ +

Determine if:

+ + SC-8(1)[1] +

the organization defines physical safeguards to be implemented to protect information during transmission when cryptographic mechanisms are not implemented; and

+
+ + SC-8(1)[2] +

the information system implements cryptographic mechanisms to do one or more of the following during transmission unless otherwise protected by organization-defined alternative physical safeguards:

+ + SC-8(1)[2][a] +

prevent unauthorized disclosure of information; and/or

+
+ + SC-8(1)[2][b] +

detect changes to information.

+
+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing transmission confidentiality and integrity

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+ + TEST +

Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity

+

automated mechanisms supporting and/or implementing alternative physical safeguards

+

organizational processes for defining and implementing alternative physical safeguards

+
+
+ +

Determine if the information system protects one or more of the following:

+ + SC-8[1] +

confidentiality of transmitted information; and/or

+
+ + SC-8[2] +

integrity of transmitted information.

+
+
+ + EXAMINE +

System and communications protection policy

+

procedures addressing transmission confidentiality and integrity

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+ + TEST +

Automated mechanisms supporting and/or implementing transmission confidentiality and/or integrity

+
+ + + FIPS Publication 140-2 + + + FIPS Publication 197 + + + NIST Special Publication 800-52 + + + NIST Special Publication 800-77 + + + NIST Special Publication 800-81 + + + NIST Special Publication 800-113 + + + CNSS Policy 15 + + + NSTISSI No. 7003 + + +
+
+ + SYSTEM AND INFORMATION INTEGRITY + + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + SI-1 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + SI-1a. +

Develops, documents, and disseminates to :

+ + SI-1a.1. +

A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + SI-1a.2. +

Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and

+
+
+ + SI-1b. +

Reviews and updates the current:

+ + SI-1b.1. +

System and information integrity policy ; and

+
+ + SI-1b.2. +

System and information integrity procedures .

+
+
+
+ +

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

+ +
+ +

Determine if the organization:

+ + SI-1(a)(1) + + SI-1(a)(1)[1] +

develops and documents a system and information integrity policy that addresses:

+ + SI-1(a)(1)[1][a] +

purpose;

+
+ + SI-1(a)(1)[1][b] +

scope;

+
+ + SI-1(a)(1)[1][c] +

roles;

+
+ + SI-1(a)(1)[1][d] +

responsibilities;

+
+ + SI-1(a)(1)[1][e] +

management commitment;

+
+ + SI-1(a)(1)[1][f] +

coordination among organizational entities;

+
+ + SI-1(a)(1)[1][g] +

compliance;

+
+
+ + SI-1(a)(1)[2] +

defines personnel or roles to whom the system and information integrity policy is to be disseminated;

+
+ + SI-1(a)(1)[3] +

disseminates the system and information integrity policy to organization-defined personnel or roles;

+
+
+ + SI-1(a)(2) + + SI-1(a)(2)[1] +

develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls;

+
+ + SI-1(a)(2)[2] +

defines personnel or roles to whom the procedures are to be disseminated;

+
+ + SI-1(a)(2)[3] +

disseminates the procedures to organization-defined personnel or roles;

+
+
+ + SI-1(b)(1) + + SI-1(b)(1)[1] +

defines the frequency to review and update the current system and information integrity policy;

+
+ + SI-1(b)(1)[2] +

reviews and updates the current system and information integrity policy with the organization-defined frequency;

+
+
+ + SI-1(b)(2) + + SI-1(b)(2)[1] +

defines the frequency to review and update the current system and information integrity procedures; and

+
+ + SI-1(b)(2)[2] +

reviews and updates the current system and information integrity procedures with the organization-defined frequency.

+
+
+
+ + EXAMINE +

System and information integrity policy and procedures

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with system and information integrity responsibilities

+

organizational personnel with information security responsibilities

+
+ + + NIST Special Publication 800-12 + + + NIST Special Publication 800-100 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INFORMATION INPUT VALIDATION + + organization-defined information inputs + organization-defined information inputs + + SI-10 + P1 + MODERATE + HIGH + +

The information system checks the validity of .

+
+ +

Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.

+
+ +

Determine if:

+ + SI-10[1] +

the organization defines information inputs requiring validity checks; and

+
+ + SI-10[2] +

the information system checks the validity of organization-defined information inputs.

+
+
+ + EXAMINE +

System and information integrity policy

+

access control policy and procedures

+

separation of duties policy and procedures

+

procedures addressing information input validation

+

documentation for automated tools and applications to verify validity of information

+

list of information inputs requiring validity checks

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for information input validation

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+ + TEST +

Automated mechanisms supporting and/or implementing validity checks on information inputs

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + ERROR HANDLING + + organization-defined personnel or roles + organization-defined personnel or roles + + SI-11 + P2 + MODERATE + HIGH + +

The information system:

+ + SI-11a. +

Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and

+
+ + SI-11b. +

Reveals error messages only to .

+
+
+ +

Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information.

+ + + +
+ +

Determine if:

+ + SI-11(a) +

the information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries;

+
+ + SI-11(b) + + SI-11(b)[1] +

the organization defines personnel or roles to whom error messages are to be revealed; and

+
+ + SI-11(b)[2] +

the information system reveals error messages only to organization-defined personnel or roles.

+
+
+
+ + EXAMINE +

System and information integrity policy

+

procedures addressing information system error handling

+

information system design documentation

+

information system configuration settings and associated documentation

+

documentation providing structure/content of error messages

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for information input validation

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+ + TEST +

Organizational processes for error handling

+

automated mechanisms supporting and/or implementing error handling

+

automated mechanisms supporting and/or implementing management of error messages

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INFORMATION HANDLING AND RETENTION + SI-12 + P2 + LOW + MODERATE + HIGH + +

The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

+
+ +

Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention.

+ + + + + +
+ +

Determine if the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements:

+ + SI-12[1] +

handles information within the information system;

+
+ + SI-12[2] +

handles output from the information system;

+
+ + SI-12[3] +

retains information within the information system; and

+
+ + SI-12[4] +

retains output from the information system.

+
+
+ + EXAMINE +

System and information integrity policy

+

federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information handling and retention

+

media protection policy and procedures

+

procedures addressing information system output handling and retention

+

information retention records, other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for information handling and retention

+

organizational personnel with information security responsibilities/network administrators

+
+ + TEST +

Organizational processes for information handling and retention

+

automated mechanisms supporting and/or implementing information handling and retention

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + MEMORY PROTECTION + + organization-defined security safeguards + organization-defined security safeguards + + SI-16 + P1 + MODERATE + HIGH + +

The information system implements to protect its memory from unauthorized code execution.

+
+ +

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.

+ + +
+ +

Determine if:

+ + SI-16[1] +

the organization defines security safeguards to be implemented to protect information system memory from unauthorized code execution; and

+
+ + SI-16[2] +

the information system implements organization-defined security safeguards to protect its memory from unauthorized code execution.

+
+
+ + EXAMINE +

System and information integrity policy

+

procedures addressing memory protection for the information system

+

information system design documentation

+

information system configuration settings and associated documentation

+

list of security safeguards protecting information system memory from unauthorized code execution

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for memory protection

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+ + TEST +

Automated mechanisms supporting and/or implementing safeguards to protect information system memory from unauthorized code execution

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + FLAW REMEDIATION + + organization-defined time period + organization-defined time period + + SI-2 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + SI-2a. +

Identifies, reports, and corrects information system flaws;

+
+ + SI-2b. +

Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

+
+ + SI-2c. +

Installs security-relevant software and firmware updates within of the release of the updates; and

+
+ + SI-2d. +

Incorporates flaw remediation into the organizational configuration management process.

+
+
+ +

Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. 
Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

+ + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + AUTOMATED FLAW REMEDIATION STATUS + + organization-defined frequency + organization-defined frequency + + SI-2 (2) + MODERATE + HIGH + +

The organization employs automated mechanisms to determine the state of information system components with regard to flaw remediation.

+
+ + + + + +

Determine if the organization:

+ + SI-2(2)[1] +

defines a frequency to employ automated mechanisms to determine the state of information system components with regard to flaw remediation; and

+
+ + SI-2(2)[2] +

employs automated mechanisms with the organization-defined frequency to determine the state of information system components with regard to flaw remediation.

+
+
+ + EXAMINE +

System and information integrity policy

+

procedures addressing flaw remediation

+

automated mechanisms supporting centralized management of flaw remediation

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the information system

+

organizational personnel with responsibility for flaw remediation

+
+ + TEST +

Automated mechanisms used to determine the state of information system components with regard to flaw remediation

+
+
+ +

Determine if the organization:

+ + SI-2(a) + + SI-2(a)[1] +

identifies information system flaws;

+
+ + SI-2(a)[2] +

reports information system flaws;

+
+ + SI-2(a)[3] +

corrects information system flaws;

+
+
+ + SI-2(b) + + SI-2(b)[1] +

tests software updates related to flaw remediation for effectiveness and potential side effects before installation;

+
+ + SI-2(b)[2] +

tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

+
+
+ + SI-2(c) + + SI-2(c)[1] +

defines the time period within which to install security-relevant software updates after the release of the updates;

+
+ + SI-2(c)[2] +

defines the time period within which to install security-relevant firmware updates after the release of the updates;

+
+ + SI-2(c)[3] +

installs software updates within the organization-defined time period of the release of the updates;

+
+ + SI-2(c)[4] +

installs firmware updates within the organization-defined time period of the release of the updates; and

+
+
+ + SI-2(d) +

incorporates flaw remediation into the organizational configuration management process.

+
+
+ + EXAMINE +

System and information integrity policy

+

procedures addressing flaw remediation

+

procedures addressing configuration management

+

list of flaws and vulnerabilities potentially affecting the information system

+

list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws)

+

test results from the installation of software and firmware updates to correct information system flaws

+

installation/change control records for security-relevant software and firmware updates

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the information system

+

organizational personnel with responsibility for flaw remediation

+

organizational personnel with configuration management responsibility

+
+ + TEST +

Organizational processes for identifying, reporting, and correcting information system flaws

+

organizational process for installing software and firmware updates

+

automated mechanisms supporting and/or implementing reporting, and correcting information system flaws

+

automated mechanisms supporting and/or implementing testing software and firmware updates

+
+ + + NIST Special Publication 800-40 + + + NIST Special Publication 800-128 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + MALICIOUS CODE PROTECTION + + organization-defined frequency + organization-defined frequency + + + organization-defined action + organization-defined action + + SI-3 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + SI-3a. +

Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;

+
+ + SI-3b. +

Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;

+
+ + SI-3c. +

Configures malicious code protection mechanisms to:

+ + SI-3c.1. +

Perform periodic scans of the information system and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and

+
+ + SI-3c.2. +

[Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; ] in response to malicious code detection; and

+
+
+ + SI-3d. +

Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

+
+
+ +

Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. 
For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files.

+ + + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + CENTRAL MANAGEMENT + SI-3 (1) + MODERATE + HIGH + +

The organization centrally manages malicious code protection mechanisms.

+
+ +

Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls.

+ + +
+ +

Determine if the organization centrally manages malicious code protection mechanisms.

+
+ + EXAMINE +

System and information integrity policy

+

procedures addressing malicious code protection

+

automated mechanisms supporting centralized management of malicious code protection mechanisms

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the information system

+

organizational personnel with responsibility for malicious code protection

+
+ + TEST +

Organizational processes for central management of malicious code protection mechanisms

+

automated mechanisms supporting and/or implementing central management of malicious code protection mechanisms

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + AUTOMATIC UPDATES + SI-3 (2) + MODERATE + HIGH + +

The information system automatically updates malicious code protection mechanisms.

+
+ +

Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates.

+ +
+ +

Determine if the information system automatically updates malicious code protection mechanisms.

+
+ + EXAMINE +

System and information integrity policy

+

procedures addressing malicious code protection

+

automated mechanisms supporting centralized management of malicious code protection mechanisms

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+

organizational personnel installing, configuring, and/or maintaining the information system

+

organizational personnel with responsibility for malicious code protection

+
+ + TEST +

Automated mechanisms supporting and/or implementing automatic updates to malicious code protection capability

+
+
+ +

Determine if the organization:

+ + SI-3(a) +

employs malicious code protection mechanisms to detect and eradicate malicious code at information system:

+ + SI-3(a)[1] +

entry points;

+
+ + SI-3(a)[2] +

exit points;

+
+
+ + SI-3(b) +

updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures (as identified in CM-1);

+
+ + SI-3(c) + + SI-3(c)[1] +

defines a frequency for malicious code protection mechanisms to perform periodic scans of the information system;

+
+ + SI-3(c)[2] +

defines action to be initiated by malicious protection mechanisms in response to malicious code detection;

+
+ + SI-3(c)[3] + + SI-3(c)[3](1) +

configures malicious code protection mechanisms to:

+ + SI-3(c)[3](1)[a] +

perform periodic scans of the information system with the organization-defined frequency;

+
+ + SI-3(c)[3](1)[b] +

perform real-time scans of files from external sources at endpoint and/or network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy;

+
+
+ + SI-3(c)[3](2) +

configures malicious code protection mechanisms to do one or more of the following:

+ + SI-3(c)[3](2)[a] +

block malicious code in response to malicious code detection;

+
+ + SI-3(c)[3](2)[b] +

quarantine malicious code in response to malicious code detection;

+
+ + SI-3(c)[3](2)[c] +

send alert to administrator in response to malicious code detection; and/or

+
+ + SI-3(c)[3](2)[d] +

initiate organization-defined action in response to malicious code detection;

+
+
+
+
+ + SI-3(d) + + SI-3(d)[1] +

addresses the receipt of false positives during malicious code detection and eradication; and

+
+ + SI-3(d)[2] +

addresses the resulting potential impact on the availability of the information system.

+
+
+
+ + EXAMINE +

System and information integrity policy

+

configuration management policy and procedures

+

procedures addressing malicious code protection

+

malicious code protection mechanisms

+

records of malicious code protection updates

+

information system design documentation

+

information system configuration settings and associated documentation

+

scan results from malicious code protection mechanisms

+

record of actions initiated by malicious code protection mechanisms in response to malicious code detection

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the information system

+

organizational personnel with responsibility for malicious code protection

+

organizational personnel with configuration management responsibility

+
+ + TEST +

Organizational processes for employing, updating, and configuring malicious code protection mechanisms

+

organizational process for addressing false positives and resulting potential impact

+

automated mechanisms supporting and/or implementing employing, updating, and configuring malicious code protection mechanisms

+

automated mechanisms supporting and/or implementing malicious code scanning and subsequent actions

+
+ + + NIST Special Publication 800-83 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + INFORMATION SYSTEM MONITORING + + organization-defined monitoring objectives + organization-defined monitoring objectives + + + organization-defined techniques and methods + organization-defined techniques and methods + + + organization-defined information system monitoring information + organization-defined information system monitoring information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + SI-4 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + SI-4a. +

Monitors the information system to detect:

+ + SI-4a.1. +

Attacks and indicators of potential attacks in accordance with ; and

+
+ + SI-4a.2. +

Unauthorized local, network, and remote connections;

+
+
+ + SI-4b. +

Identifies unauthorized use of the information system through ;

+
+ + SI-4c. +

Deploys monitoring devices:

+ + SI-4c.1. +

Strategically within the information system to collect organization-determined essential information; and

+
+ + SI-4c.2. +

At ad hoc locations within the system to track specific types of transactions of interest to the organization;

+
+
+ + SI-4d. +

Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;

+
+ + SI-4e. +

Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

+
+ + SI-4f. +

Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and

+
+ + SI-4g. +

Provides to [Selection (one or more): as needed; ].

+
+
+ +

Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). 
A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.

+ + + + + + + + + + + + + + + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + AUTOMATED TOOLS FOR REAL-TIME ANALYSIS + SI-4 (2) + MODERATE + HIGH + +

The organization employs automated tools to support near real-time analysis of events.

+
+ +

Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real time analysis of alerts and/or notifications generated by organizational information systems.

+
+ +

Determine if the organization employs automated tools to support near real-time analysis of events.

+
+ + EXAMINE +

System and information integrity policy

+

procedures addressing information system monitoring tools and techniques

+

information system design documentation

+

information system monitoring tools and techniques documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the information system

+

organizational personnel with responsibility for monitoring the information system

+

organizational personnel with responsibility for incident response/management

+
+ + TEST +

Organizational processes for near real-time analysis of events

+

organizational processes for information system monitoring

+

automated mechanisms supporting and/or implementing information system monitoring

+

automated mechanisms/tools supporting and/or implementing analysis of events

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC + + organization-defined frequency + organization-defined frequency + + SI-4 (4) + MODERATE + HIGH + +

The information system monitors inbound and outbound communications traffic for unusual or unauthorized activities or conditions.

+
+ +

Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components.

+
+ +

Determine if the organization:

+ + SI-4(4)[1] +

defines a frequency to monitor:

+ + SI-4(4)[1][a] +

inbound communications traffic for unusual or unauthorized activities or conditions;

+
+ + SI-4(4)[1][b] +

outbound communications traffic for unusual or unauthorized activities or conditions;

+
+
+ + SI-4(4)[2] +

monitors, with the organization-defined frequency:

+ + SI-4(4)[2][a] +

inbound communications traffic for unusual or unauthorized activities or conditions; and

+
+ + SI-4(4)[2][b] +

outbound communications traffic for unusual or unauthorized activities or conditions.

+
+
+
+ + EXAMINE +

System and information integrity policy

+

procedures addressing information system monitoring tools and techniques

+

information system design documentation

+

information system monitoring tools and techniques documentation

+

information system configuration settings and associated documentation

+

information system protocols

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the information system

+

organizational personnel with responsibility for monitoring the information system

+

organizational personnel with responsibility for the intrusion detection system

+
+ + TEST +

Organizational processes for intrusion detection/information system monitoring

+

automated mechanisms supporting and/or implementing intrusion detection capability/information system monitoring

+

automated mechanisms supporting and/or implementing monitoring of inbound/outbound communications traffic

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + SYSTEM-GENERATED ALERTS + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined compromise indicators + organization-defined compromise indicators + + SI-4 (5) + MODERATE + HIGH + +

The information system alerts when the following indications of compromise or potential compromise occur: .

+
+ +

Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers.

+ + +
+ +

Determine if:

+ + SI-4(5)[1] +

the organization defines compromise indicators for the information system;

+
+ + SI-4(5)[2] +

the organization defines personnel or roles to be alerted when indications of compromise or potential compromise occur; and

+
+ + SI-4(5)[3] +

the information system alerts organization-defined personnel or roles when organization-defined compromise indicators occur.

+
+
+ + EXAMINE +

System and information integrity policy

+

procedures addressing information system monitoring tools and techniques

+

information system monitoring tools and techniques documentation

+

information system configuration settings and associated documentation

+

alerts/notifications generated based on compromise indicators

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

system developers

+

+

organizational personnel installing, configuring, and/or maintaining the information system

+

organizational personnel with responsibility for monitoring the information system

+

organizational personnel with responsibility for the intrusion detection system

+
+ + TEST +

Organizational processes for intrusion detection/information system monitoring

+

automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability

+

automated mechanisms supporting and/or implementing alerts for compromise indicators

+
+
+ +

Determine if the organization:

+ + SI-4(a) + + SI-4(a)(1) + + SI-4(a)(1)[1] +

defines monitoring objectives to detect attacks and indicators of potential attacks on the information system;

+
+ + SI-4(a)(1)[2] +

monitors the information system to detect, in accordance with organization-defined monitoring objectives,:

+ + SI-4(a)(1)[2][a] +

attacks;

+
+ + SI-4(a)(1)[2][b] +

indicators of potential attacks;

+
+
+
+ + SI-4(a)(2) +

monitors the information system to detect unauthorized:

+ + SI-4(a)(2)[1] +

local connections;

+
+ + SI-4(a)(2)[2] +

network connections;

+
+ + SI-4(a)(2)[3] +

remote connections;

+
+
+
+ + SI-4(b) + + SI-4(b)(1) +

defines techniques and methods to identify unauthorized use of the information system;

+
+ + SI-4(b)(2) +

identifies unauthorized use of the information system through organization-defined techniques and methods;

+
+
+ + SI-4(c) +

deploys monitoring devices:

+ + SI-4(c)[1] +

strategically within the information system to collect organization-determined essential information;

+
+ + SI-4(c)[2] +

at ad hoc locations within the system to track specific types of transactions of interest to the organization;

+
+
+ + SI-4(d) +

protects information obtained from intrusion-monitoring tools from unauthorized:

+ + SI-4(d)[1] +

access;

+
+ + SI-4(d)[2] +

modification;

+
+ + SI-4(d)[3] +

deletion;

+
+
+ + SI-4(e) +

heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

+
+ + SI-4(f) +

obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations;

+
+ + SI-4(g) + + SI-4(g)[1] +

defines personnel or roles to whom information system monitoring information is to be provided;

+
+ + SI-4(g)[2] +

defines information system monitoring information to be provided to organization-defined personnel or roles;

+
+ + SI-4(g)[3] +

defines a frequency to provide organization-defined information system monitoring to organization-defined personnel or roles;

+
+ + SI-4(g)[4] +

provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following:

+ + SI-4(g)[4][a] +

as needed; and/or

+
+ + SI-4(g)[4][b] +

with the organization-defined frequency.

+
+
+
+
+ + EXAMINE +

Continuous monitoring strategy

+

system and information integrity policy

+

procedures addressing information system monitoring tools and techniques

+

facility diagram/layout

+

information system design documentation

+

information system monitoring tools and techniques documentation

+

locations within information system where monitoring devices are deployed

+

information system configuration settings and associated documentation

+

other relevant documents or records

+
+ + INTERVIEW +

System/network administrators

+

organizational personnel with information security responsibilities

+

organizational personnel installing, configuring, and/or maintaining the information system

+

organizational personnel with responsibility monitoring the information system

+
+ + TEST +

Organizational processes for information system monitoring

+

automated mechanisms supporting and/or implementing information system monitoring capability

+
+ + + NIST Special Publication 800-61 + + + NIST Special Publication 800-83 + + + NIST Special Publication 800-92 + + + NIST Special Publication 800-94 + + + NIST Special Publication 800-137 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SECURITY ALERTS, ADVISORIES, AND DIRECTIVES + + organization-defined external organizations + organization-defined external organizations + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined elements within the organization + organization-defined elements within the organization + + + organization-defined external organizations + organization-defined external organizations + + SI-5 + P1 + LOW + MODERATE + HIGH + +

The organization:

+ + SI-5a. +

Receives information system security alerts, advisories, and directives from on an ongoing basis;

+
+ + SI-5b. +

Generates internal security alerts, advisories, and directives as deemed necessary;

+
+ + SI-5c. +

Disseminates security alerts, advisories, and directives to: [Selection (one or more): ; ; ]; and

+
+ + SI-5d. +

Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

+
+
+ +

The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations.

+ +
+ +

Determine if the organization:

+ + SI-5(a) + + SI-5(a)[1] +

defines external organizations from whom information system security alerts, advisories and directives are to be received;

+
+ + SI-5(a)[2] +

receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis;

+
+
+ + SI-5(b) +

generates internal security alerts, advisories, and directives as deemed necessary;

+
+ + SI-5(c) + + SI-5(c)[1] +

defines personnel or roles to whom security alerts, advisories, and directives are to be provided;

+
+ + SI-5(c)[2] +

defines elements within the organization to whom security alerts, advisories, and directives are to be provided;

+
+ + SI-5(c)[3] +

defines external organizations to whom security alerts, advisories, and directives are to be provided;

+
+ + SI-5(c)[4] +

disseminates security alerts, advisories, and directives to one or more of the following:

+ + SI-5(c)[4][a] +

organization-defined personnel or roles;

+
+ + SI-5(c)[4][b] +

organization-defined elements within the organization; and/or

+
+ + SI-5(c)[4][c] +

organization-defined external organizations; and

+
+
+
+ + SI-5(d) + + SI-5(d)[1] +

implements security directives in accordance with established time frames; or

+
+ + SI-5(d)[2] +

notifies the issuing organization of the degree of noncompliance.

+
+
+
+ + EXAMINE +

System and information integrity policy

+

procedures addressing security alerts, advisories, and directives

+

records of security alerts and advisories

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with security alert and advisory responsibilities

+

organizational personnel implementing, operating, maintaining, and using the information system

+

organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated

+

system/network administrators

+

organizational personnel with information security responsibilities

+
+ + TEST +

Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives

+

automated mechanisms supporting and/or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives

+

automated mechanisms supporting and/or implementing security directives

+
+ + + NIST Special Publication 800-40 + + +
+ + ../SP800-53/SP800-53-HIGH-baseline.xml + + SECURITY FUNCTION VERIFICATION + + organization-defined security functions + organization-defined security functions + + + organization-defined system transitional states + organization-defined system transitional states + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined alternative action(s) + organization-defined alternative action(s) + + SI-6 + P1 + HIGH + +

The information system:

+ + SI-6a. +

Verifies the correct operation of ;

+
+ + SI-6b. +

Performs this verification [Selection (one or more): ; upon command by user with appropriate privilege; ];

+
+ + SI-6c. +

Notifies of failed security verification tests; and

+
+ + SI-6d. +

[Selection (one or more): shuts the information system down; restarts the information system; ] when anomalies are discovered.

+
+
+ +

Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights.

+ + +
+ +

Determine if:

+ + SI-6(a) + + SI-6(a)[1] +

the organization defines security functions to be verified for correct operation;

+
+ + SI-6(a)[2] +

the information system verifies the correct operation of organization-defined security functions;

+
+
+ + SI-6(b) + + SI-6(b)[1] +

the organization defines system transitional states requiring verification of organization-defined security functions;

+
+ + SI-6(b)[2] +

the organization defines a frequency to verify the correct operation of organization-defined security functions;

+
+ + SI-6(b)[3] +

the information system performs this verification one or more of the following:

+ + SI-6(b)[3][a] +

at organization-defined system transitional states;

+
+ + SI-6(b)[3][b] +

upon command by user with appropriate privilege; and/or

+
+ + SI-6(b)[3][c] +

with the organization-defined frequency;

+
+
+
+ + SI-6(c) + + SI-6(c)[1] +

the organization defines personnel or roles to be notified of failed security verification tests;

+
+ + SI-6(c)[2] +

the information system notifies organization-defined personnel or roles of failed security verification tests;

+
+
+ + SI-6(d) + + SI-6(d)[1] +

the organization defines alternative action(s) to be performed when anomalies are discovered;

+
+ + SI-6(d)[2] +

the information system performs one or more of the following actions when anomalies are discovered:

+ + SI-6(d)[2][a] +

shuts the information system down;

+
+ + SI-6(d)[2][b] +

restarts the information system; and/or

+
+ + SI-6(d)[2][c] +

performs organization-defined alternative action(s).

+
+
+
+
+ + EXAMINE +

System and information integrity policy

+

procedures addressing security function verification

+

information system design documentation

+

information system configuration settings and associated documentation

+

alerts/notifications of failed security verification tests

+

list of system transition states requiring security functionality verification

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with security function verification responsibilities

+

organizational personnel implementing, operating, and maintaining the information system

+

system/network administrators

+

organizational personnel with information security responsibilities

+

system developer

+
+ + TEST +

Organizational processes for security function verification

+

automated mechanisms supporting and/or implementing security function verification capability

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY + + organization-defined software, firmware, and information + organization-defined software, firmware, and information + + SI-7 + P1 + MODERATE + HIGH + +

The organization employs integrity verification tools to detect unauthorized changes to .

+
+ +

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications.

+ + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + INTEGRITY CHECKS + + organization-defined software, firmware, and information + organization-defined software, firmware, and information + + + organization-defined transitional states or security-relevant events + organization-defined transitional states or security-relevant events + + + organization-defined frequency + organization-defined frequency + + SI-7 (1) + MODERATE + HIGH + +

The information system performs an integrity check of [Selection (one or more): at startup; at ; ].

+
+ +

Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort.

+
+ +

Determine if:

+ + SI-7(1)[1] +

the organization defines:

+ + SI-7(1)[1][a] +

software requiring integrity checks to be performed;

+
+ + SI-7(1)[1][b] +

firmware requiring integrity checks to be performed;

+
+ + SI-7(1)[1][c] +

information requiring integrity checks to be performed;

+
+
+ + SI-7(1)[2] +

the organization defines transitional states or security-relevant events requiring integrity checks of organization-defined:

+ + SI-7(1)[2][a] +

software;

+
+ + SI-7(1)[2][b] +

firmware;

+
+ + SI-7(1)[2][c] +

information;

+
+
+ + SI-7(1)[3] +

the organization defines a frequency with which to perform an integrity check of organization-defined:

+ + SI-7(1)[3][a] +

software;

+
+ + SI-7(1)[3][b] +

firmware;

+
+ + SI-7(1)[3][c] +

information;

+
+
+ + SI-7(1)[4] +

the information system performs an integrity check of organization-defined software, firmware, and information one or more of the following:

+ + SI-7(1)[4][a] +

at startup;

+
+ + SI-7(1)[4][b] +

at organization-defined transitional states or security-relevant events; and/or

+
+ + SI-7(1)[4][c] +

with the organization-defined frequency.

+
+
+
+ + EXAMINE +

System and information integrity policy

+

procedures addressing software, firmware, and information integrity

+

information system design documentation

+

information system configuration settings and associated documentation

+

integrity verification tools and associated documentation

+

records of integrity scans

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for software, firmware, and/or information integrity

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+ + TEST +

Software, firmware, and information integrity verification tools

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + INTEGRATION OF DETECTION AND RESPONSE + + organization-defined security-relevant changes to the information system + organization-defined security-relevant changes to the information system + + SI-7 (7) + MODERATE + HIGH + +

The organization incorporates the detection of unauthorized into the organizational incident response capability.

+
+ +

This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended period of time and for possible legal actions. Security-relevant changes include, for example, unauthorized changes to established configuration settings or unauthorized elevation of information system privileges.

+ + + +
+ +

Determine if the organization:

+ + SI-7(7)[1] +

defines unauthorized security-relevant changes to the information system; and

+
+ + SI-7(7)[2] +

incorporates the detection of unauthorized organization-defined security-relevant changes to the information system into the organizational incident response capability.

+
+
+ + EXAMINE +

System and information integrity policy

+

procedures addressing software, firmware, and information integrity

+

procedures addressing incident response

+

information system design documentation

+

information system configuration settings and associated documentation

+

incident response records

+

information audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for software, firmware, and/or information integrity

+

organizational personnel with information security responsibilities

+

organizational personnel with incident response responsibilities

+
+ + TEST +

Organizational processes for incorporating detection of unauthorized security-relevant changes into the incident response capability

+

software, firmware, and information integrity verification tools

+

automated mechanisms supporting and/or implementing incorporation of detection of unauthorized security-relevant changes into the incident response capability

+
+
+ +

Determine if the organization:

+ + SI-7[1] + + SI-7[1][a] +

defines software requiring integrity verification tools to be employed to detect unauthorized changes;

+
+ + SI-7[1][b] +

defines firmware requiring integrity verification tools to be employed to detect unauthorized changes;

+
+ + SI-7[1][c] +

defines information requiring integrity verification tools to be employed to detect unauthorized changes;

+
+
+ + SI-7[2] +

employs integrity verification tools to detect unauthorized changes to organization-defined:

+ + SI-7[2][a] +

software;

+
+ + SI-7[2][b] +

firmware; and

+
+ + SI-7[2][c] +

information.

+
+
+
+ + EXAMINE +

System and information integrity policy

+

procedures addressing software, firmware, and information integrity

+

information system design documentation

+

information system configuration settings and associated documentation

+

integrity verification tools and associated documentation

+

records generated/triggered from integrity verification tools regarding unauthorized software, firmware, and information changes

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for software, firmware, and/or information integrity

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Software, firmware, and information integrity verification tools

+
+ + + NIST Special Publication 800-147 + + + NIST Special Publication 800-155 + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + + SPAM PROTECTION + SI-8 + P2 + MODERATE + HIGH + +

The organization:

+ + SI-8a. +

Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and

+
+ + SI-8b. +

Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

+
+
+ +

Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook/laptop computers. Spam can be transported by different means including, for example, electronic mail, electronic mail attachments, and web accesses. Spam protection mechanisms include, for example, signature definitions.

+ + + + + +
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + CENTRAL MANAGEMENT + SI-8 (1) + MODERATE + HIGH + +

The organization centrally manages spam protection mechanisms.

+
+ +

Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection security controls.

+ + + +
+ +

Determine if the organization centrally manages spam protection mechanisms.

+
+ + EXAMINE +

System and information integrity policy

+

procedures addressing spam protection

+

spam protection mechanisms

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for spam protection

+

organizational personnel with information security responsibilities

+

system/network administrators

+
+ + TEST +

Organizational processes for central management of spam protection

+

automated mechanisms supporting and/or implementing central management of spam protection

+
+
+ + ../SP800-53/SP800-53-MODERATE-baseline.xml + AUTOMATIC UPDATES + SI-8 (2) + MODERATE + HIGH + +

The information system automatically updates spam protection mechanisms.

+
+ +

Determine if the information system automatically updates spam protection mechanisms.

+
+ + EXAMINE +

System and information integrity policy

+

procedures addressing spam protection

+

spam protection mechanisms

+

records of spam protection updates

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for spam protection

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+ + TEST +

Organizational processes for spam protection

+

automated mechanisms supporting and/or implementing automatic updates to spam protection mechanisms

+
+
+ +

Determine if the organization:

+ + SI-8(a) +

employs spam protection mechanisms:

+ + SI-8(a)[1] +

at information system entry points to detect unsolicited messages;

+
+ + SI-8(a)[2] +

at information system entry points to take action on unsolicited messages;

+
+ + SI-8(a)[3] +

at information system exit points to detect unsolicited messages;

+
+ + SI-8(a)[4] +

at information system exit points to take action on unsolicited messages; and

+
+
+ + SI-8(b) +

updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

+
+
+ + EXAMINE +

System and information integrity policy

+

configuration management policy and procedures (CM-1)

+

procedures addressing spam protection

+

spam protection mechanisms

+

records of spam protection updates

+

information system design documentation

+

information system configuration settings and associated documentation

+

information system audit records

+

other relevant documents or records

+
+ + INTERVIEW +

Organizational personnel with responsibility for spam protection

+

organizational personnel with information security responsibilities

+

system/network administrators

+

system developer

+
+ + TEST +

Organizational processes for implementing spam protection

+

automated mechanisms supporting and/or implementing spam protection

+
+ + + NIST Special Publication 800-45 + + +
+
+
+
diff --git a/examples/SP800-53/SP800-53-HIGH-baseline.xml b/examples/SP800-53/SP800-53-HIGH-baseline.xml
index 77fcca4416..0857c0c196 100644
--- a/examples/SP800-53/SP800-53-HIGH-baseline.xml
+++ b/examples/SP800-53/SP800-53-HIGH-baseline.xml
@@ -2,10 +2,9 @@ - + SP800-53 HIGH BASELINE IMPACT - +
@@ -350,6 +349,5 @@ - - - + +
\ No newline at end of file
diff --git a/examples/SP800-53/SP800-53-LOW-baseline.xml b/examples/SP800-53/SP800-53-LOW-baseline.xml
index 1f2dc98ef4..7cb170d540 100644
--- a/examples/SP800-53/SP800-53-LOW-baseline.xml
+++ b/examples/SP800-53/SP800-53-LOW-baseline.xml
@@ -2,10 +2,9 @@ - + SP800-53 LOW BASELINE IMPACT - +
@@ -131,6 +130,5 @@ - - - + +
\ No newline at end of file
diff --git a/examples/SP800-53/SP800-53-MODERATE-baseline.xml b/examples/SP800-53/SP800-53-MODERATE-baseline.xml
index 224fc51e7c..6e6b5f61e7 100644
--- a/examples/SP800-53/SP800-53-MODERATE-baseline.xml
+++ b/examples/SP800-53/SP800-53-MODERATE-baseline.xml
@@ -2,10 +2,9 @@ - + SP800-53 MODERATE BASELINE IMPACT - +
@@ -268,6 +267,5 @@ - - - + +
\ No newline at end of file
diff --git a/examples/SP800-53/control-example-screenshot.png b/examples/SP800-53/control-example-screenshot.png
new file mode 100644
index 0000000000..05718ad6c9
Binary files /dev/null and b/examples/SP800-53/control-example-screenshot.png differ
diff --git a/examples/SP800-53/pub/SP800-53-HIGH-baseline-rendered.html b/examples/SP800-53/pub/SP800-53-HIGH-baseline-rendered.html
deleted file mode 100644
index 26099efa9c..0000000000
--- a/examples/SP800-53/pub/SP800-53-HIGH-baseline-rendered.html
+++ /dev/null
@@ -1,74760 +0,0 @@ - - - - - - SP800-53 HIGH BASELINE IMPACT - - - - -
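Review bot: Each of the three baseline profiles (SP800-53-HIGH-, SP800-53-LOW- and SP800-53-MODERATE-baseline.xml) now ends without a trailing newline, as the `\ No newline at end of file` marker after the final added line of each file's second hunk shows. Restoring the newline keeps the files POSIX-clean, avoids a spurious last-line change in the next diff, and lets line-based tooling (linters, concatenation, `git diff --check`) behave predictably. The element-level content of these hunks is not recoverable in this rendering because the XML tags have been stripped, so the correctness of the header and trailer edits themselves could not be checked here.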
-
-

- NIST SP800-53 rev 4 -

-
-

- ACCESS CONTROL -

- - - - - - - - - - - - - - - - - - -
- - - -
-

- CONFIGURATION MANAGEMENT -

- - - - - - - - - - - -
-
-

- CONTINGENCY PLANNING -

- - - - - - - - - -
- - - - - - - - - -
-

- SYSTEM AND COMMUNICATIONS PROTECTION -

- - - - - - - - - - - - - - - - - - - - - -
- -
-
-
-
-

SP800-53 HIGH BASELINE IMPACT

-
-
-

SP800-53-rev4-catalog.xml ➭ Included: - - Control ac.1 - - Control ac.2 - - Subcontrol ac.2.1. - - Subcontrol ac.2.2. - - Subcontrol ac.2.3. - - Subcontrol ac.2.4. - - Subcontrol ac.2.5. - - Subcontrol ac.2.11. - - Subcontrol ac.2.12. - - Subcontrol ac.2.13. - - Control ac.3 - - Control ac.4 - - Control ac.5 - - Control ac.6 - - Subcontrol ac.6.1. - - Subcontrol ac.6.2. - - Subcontrol ac.6.3. - - Subcontrol ac.6.5. - - Subcontrol ac.6.9. - - Subcontrol ac.6.10. - - Control ac.7 - - Control ac.8 - - Control ac.10 - - Control ac.11 - - Subcontrol ac.11.1. - - Control ac.12 - - Control ac.14 - - Control ac.17 - - Subcontrol ac.17.1. - - Subcontrol ac.17.2. - - Subcontrol ac.17.3. - - Subcontrol ac.17.4. - - Control ac.18 - - Subcontrol ac.18.1. - - Subcontrol ac.18.4. - - Subcontrol ac.18.5. - - Control ac.19 - - Subcontrol ac.19.5. - - Control ac.20 - - Subcontrol ac.20.1. - - Subcontrol ac.20.2. - - Control ac.21 - - Control ac.22 - - Control at.1 - - Control at.2 - - Subcontrol at.2.2. - - Control at.3 - - Control at.4 - - Control au.1 - - Control au.2 - - Subcontrol au.2.3. - - Control au.3 - - Subcontrol au.3.1. - - Subcontrol au.3.2. - - Control au.4 - - Control au.5 - - Subcontrol au.5.1. - - Subcontrol au.5.2. - - Control au.6 - - Subcontrol au.6.1. - - Subcontrol au.6.3. - - Subcontrol au.6.5. - - Subcontrol au.6.6. - - Control au.7 - - Subcontrol au.7.1. - - Control au.8 - - Subcontrol au.8.1. - - Control au.9 - - Subcontrol au.9.2. - - Subcontrol au.9.3. - - Subcontrol au.9.4. - - Control au.10 - - Control au.11 - - Control au.12 - - Subcontrol au.12.1. - - Subcontrol au.12.3. - - Control ca.1 - - Control ca.2 - - Subcontrol ca.2.1. - - Subcontrol ca.2.2. - - Control ca.3 - - Subcontrol ca.3.5. - - Control ca.5 - - Control ca.6 - - Control ca.7 - - Subcontrol ca.7.1. - - Control ca.8 - - Control ca.9 - - Control cm.1 - - Control cm.2 - - Subcontrol cm.2.1. - - Subcontrol cm.2.2. - - Subcontrol cm.2.3. - - Subcontrol cm.2.7. 
- - Control cm.3 - - Subcontrol cm.3.1. - - Subcontrol cm.3.2. - - Control cm.4 - - Subcontrol cm.4.1. - - Control cm.5 - - Subcontrol cm.5.1. - - Subcontrol cm.5.2. - - Subcontrol cm.5.3. - - Control cm.6 - - Subcontrol cm.6.1. - - Subcontrol cm.6.2. - - Control cm.7 - - Subcontrol cm.7.1. - - Subcontrol cm.7.2. - - Subcontrol cm.7.5. - - Control cm.8 - - Subcontrol cm.8.1. - - Subcontrol cm.8.2. - - Subcontrol cm.8.3. - - Subcontrol cm.8.4. - - Subcontrol cm.8.5. - - Control cm.9 - - Control cm.10 - - Control cm.11 - - Control cp.1 - - Control cp.2 - - Subcontrol cp.2.1. - - Subcontrol cp.2.2. - - Subcontrol cp.2.3. - - Subcontrol cp.2.4. - - Subcontrol cp.2.5. - - Subcontrol cp.2.8. - - Control cp.3 - - Subcontrol cp.3.1. - - Control cp.4 - - Subcontrol cp.4.1. - - Subcontrol cp.4.2. - - Control cp.6 - - Subcontrol cp.6.1. - - Subcontrol cp.6.2. - - Subcontrol cp.6.3. - - Control cp.7 - - Subcontrol cp.7.1. - - Subcontrol cp.7.2. - - Subcontrol cp.7.3. - - Subcontrol cp.7.4. - - Control cp.8 - - Subcontrol cp.8.1. - - Subcontrol cp.8.2. - - Subcontrol cp.8.3. - - Subcontrol cp.8.4. - - Control cp.9 - - Subcontrol cp.9.1. - - Subcontrol cp.9.2. - - Subcontrol cp.9.3. - - Subcontrol cp.9.5. - - Control cp.10 - - Subcontrol cp.10.2. - - Subcontrol cp.10.4. - - Control ia.1 - - Control ia.2 - - Subcontrol ia.2.1. - - Subcontrol ia.2.2. - - Subcontrol ia.2.3. - - Subcontrol ia.2.4. - - Subcontrol ia.2.8. - - Subcontrol ia.2.9. - - Subcontrol ia.2.11. - - Subcontrol ia.2.12. - - Control ia.3 - - Control ia.4 - - Control ia.5 - - Subcontrol ia.5.1. - - Subcontrol ia.5.2. - - Subcontrol ia.5.3. - - Subcontrol ia.5.11. - - Control ia.6 - - Control ia.7 - - Control ia.8 - - Subcontrol ia.8.1. - - Subcontrol ia.8.2. - - Subcontrol ia.8.3. - - Subcontrol ia.8.4. - - Control ir.1 - - Control ir.2 - - Subcontrol ir.2.1. - - Subcontrol ir.2.2. - - Control ir.3 - - Subcontrol ir.3.2. - - Control ir.4 - - Subcontrol ir.4.1. - - Subcontrol ir.4.4. 
- - Control ir.5 - - Subcontrol ir.5.1. - - Control ir.6 - - Subcontrol ir.6.1. - - Control ir.7 - - Subcontrol ir.7.1. - - Control ir.8 - - Control ma.1 - - Control ma.2 - - Subcontrol ma.2.2. - - Control ma.3 - - Subcontrol ma.3.1. - - Subcontrol ma.3.2. - - Subcontrol ma.3.3. - - Control ma.4 - - Subcontrol ma.4.2. - - Subcontrol ma.4.3. - - Control ma.5 - - Subcontrol ma.5.1. - - Control ma.6 - - Control mp.1 - - Control mp.2 - - Control mp.3 - - Control mp.4 - - Control mp.5 - - Subcontrol mp.5.4. - - Control mp.6 - - Subcontrol mp.6.1. - - Subcontrol mp.6.2. - - Subcontrol mp.6.3. - - Control mp.7 - - Subcontrol mp.7.1. - - Control pe.1 - - Control pe.2 - - Control pe.3 - - Subcontrol pe.3.1. - - Control pe.4 - - Control pe.5 - - Control pe.6 - - Subcontrol pe.6.1. - - Subcontrol pe.6.4. - - Control pe.8 - - Subcontrol pe.8.1. - - Control pe.9 - - Control pe.10 - - Control pe.11 - - Subcontrol pe.11.1. - - Control pe.12 - - Control pe.13 - - Subcontrol pe.13.1. - - Subcontrol pe.13.2. - - Subcontrol pe.13.3. - - Control pe.14 - - Control pe.15 - - Subcontrol pe.15.1. - - Control pe.16 - - Control pe.17 - - Control pe.18 - - Control pl.1 - - Control pl.2 - - Subcontrol pl.2.3. - - Control pl.4 - - Subcontrol pl.4.1. - - Control pl.8 - - Control ps.1 - - Control ps.2 - - Control ps.3 - - Control ps.4 - - Subcontrol ps.4.2. - - Control ps.5 - - Control ps.6 - - Control ps.7 - - Control ps.8 - - Control ra.1 - - Control ra.2 - - Control ra.3 - - Control ra.5 - - Subcontrol ra.5.1. - - Subcontrol ra.5.2. - - Subcontrol ra.5.4. - - Subcontrol ra.5.5. - - Control sa.1 - - Control sa.2 - - Control sa.3 - - Control sa.4 - - Subcontrol sa.4.1. - - Subcontrol sa.4.2. - - Subcontrol sa.4.9. - - Subcontrol sa.4.10. - - Control sa.5 - - Control sa.8 - - Control sa.9 - - Subcontrol sa.9.2. 
- - Control sa.10 - - Control sa.11 - - Control sa.12 - - Control sa.15 - - Control sa.16 - - Control sa.17 - - Control sc.1 - - Control sc.2 - - Control sc.3 - - Control sc.4 - - Control sc.5 - - Control sc.7 - - Subcontrol sc.7.3. - - Subcontrol sc.7.4. - - Subcontrol sc.7.5. - - Subcontrol sc.7.7. - - Subcontrol sc.7.8. - - Subcontrol sc.7.18. - - Subcontrol sc.7.21. - - Control sc.8 - - Subcontrol sc.8.1. - - Control sc.10 - - Control sc.12 - - Subcontrol sc.12.1. - - Control sc.13 - - Control sc.15 - - Control sc.17 - - Control sc.18 - - Control sc.19 - - Control sc.20 - - Control sc.21 - - Control sc.22 - - Control sc.23 - - Control sc.24 - - Control sc.28 - - Control sc.39 - - Control si.1 - - Control si.2 - - Subcontrol si.2.1. - - Subcontrol si.2.2. - - Control si.3 - - Subcontrol si.3.1. - - Subcontrol si.3.2. - - Control si.4 - - Subcontrol si.4.2. - - Subcontrol si.4.4. - - Subcontrol si.4.5. - - Control si.5 - - Subcontrol si.5.1. - - Control si.6 - - Control si.7 - - Subcontrol si.7.1. - - Subcontrol si.7.2. - - Subcontrol si.7.5. - - Subcontrol si.7.7. - - Subcontrol si.7.14. - - Control si.8 - - Subcontrol si.8.1. - - Subcontrol si.8.2. - - Control si.10 - - Control si.11 - - Control si.12 - - Control si.16 -

-
-
-

NIST SP800-53 rev 4

-
-

ACCESS CONTROL

-
-

- AC-1 ACCESS CONTROL POLICY AND PROCEDURES

-
-

- Parameter: - ac-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ac-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ac-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ac-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the access control policy and associated access controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Access control policy - - ac-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Access control procedures - - ac-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an access control policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the access control policy are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the access control policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the access control policy and associated access control controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current access control policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current access control policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current access control procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current access control procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- AC-2 ACCOUNT MANAGEMENT

-
-

- Parameter: - ac-2_a organization-defined information system account types

-

- Value: organization-defined information system account types

-
-
-

- Parameter: - ac-2_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ac-2_c organization-defined procedures or conditions

-

- Value: organization-defined procedures or conditions

-
-
-

- Parameter: - ac-2_d organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Identifies and selects the following types of information system accounts to support organizational missions/business functions: - - ac-2_a - - organization-defined information system account types - organization-defined information system account types - ;

-
-
-
- - - - - - - -
-

b.

-
-

Assigns account managers for information system accounts;

-
-
-
- - - - - - - -
-

c.

-
-

Establishes conditions for group and role membership;

-
-
-
- - - - - - - -
-

d.

-
-

Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

-
-
-
- - - - - - - -
-

e.

-
-

Requires approvals by - - ac-2_b - - organization-defined personnel or roles - organization-defined personnel or roles - for requests to create information system accounts;

-
-
-
- - - - - - - -
-

f.

-
-

Creates, enables, modifies, disables, and removes information system accounts in accordance with - - ac-2_c - - organization-defined procedures or conditions - organization-defined procedures or conditions - ;

-
-
-
- - - - - - - -
-

g.

-
-

Monitors the use of information system accounts;

-
-
-
- - - - - - - -
-

h.

-
-

Notifies account managers:

-
- - - - - - - -
-

1.

-
-

When accounts are no longer required;

-
-
-
- - - - - - - -
-

2.

-
-

When users are terminated or transferred; and

-
-
-
- - - - - - - -
-

3.

-
-

When individual information system usage or need-to-know changes;

-
-
-
-
-
- - - - - - - -
-

i.

-
-

Authorizes access to the information system based on:

-
- - - - - - - -
-

1.

-
-

A valid access authorization;

-
-
-
- - - - - - - -
-

2.

-
-

Intended system usage; and

-
-
-
- - - - - - - -
-

3.

-
-

Other attributes as required by the organization or associated missions/business functions;

-
-
-
-
-
- - - - - - - -
-

j.

-
-

Reviews accounts for compliance with account management requirements - - ac-2_d - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

k.

-
-

Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

-
-
-
-
-
-

Supplemental guidance

-

Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. 
Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training.

- - - - - - - - - - - - - - - - - - - - - -
-
-

- AC-2 (1) AUTOMATED SYSTEM ACCOUNT MANAGEMENT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to support the management of information system accounts.

-
-
-
-

Supplemental guidance

-

The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using telephonic notification to report atypical system account usage.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to support the management of information system accounts.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-

References: None -

-
-
-

- AC-2 (2) REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS

-
-

- Parameter: - ac-2_e organization-defined time period for each type of account

-

- Value: organization-defined time period for each type of account

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically [Selection: removes; disables] temporary and emergency accounts after - - ac-2_e - - organization-defined time period for each type of account - organization-defined time period for each type of account - .

-
-
-
-

Supplemental guidance

-

This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines the time period after which the information system automatically removes or disables temporary and emergency accounts; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system automatically removes or disables temporary and emergency accounts after the organization-defined time period for each type of account.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system-generated list of temporary accounts removed and/or disabled

-

- information system-generated list of emergency accounts removed and/or disabled

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-

References: None -

-
-
-

- AC-2 (3) DISABLE INACTIVE ACCOUNTS

-
-

- Parameter: - ac-2_f organization-defined time period

-

- Value: organization-defined time period

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically disables inactive accounts after - - ac-2_f - - organization-defined time period - organization-defined time period - .

-
-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines the time period after which the information system automatically disables inactive accounts; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system automatically disables inactive accounts after the organization-defined time period.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system-generated list of temporary accounts removed and/or disabled

-

- information system-generated list of emergency accounts removed and/or disabled

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-

References: None -

-
-
-

- AC-2 (4) AUTOMATED AUDIT ACTIONS

-
-

- Parameter: - ac-2_g organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies - - ac-2_g - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the information system automatically audits the following account actions:

-
- - - - - - - -
-

[a]

-
-

creation;

-
-
-
- - - - - - - -
-

[b]

-
-

modification;

-
-
-
- - - - - - - -
-

[c]

-
-

enabling;

-
-
-
- - - - - - - -
-

[d]

-
-

disabling;

-
-
-
- - - - - - - -
-

[e]

-
-

removal;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines personnel or roles to be notified of the following account actions:

-
- - - - - - - -
-

[a]

-
-

creation;

-
-
-
- - - - - - - -
-

[b]

-
-

modification;

-
-
-
- - - - - - - -
-

[c]

-
-

enabling;

-
-
-
- - - - - - - -
-

[d]

-
-

disabling;

-
-
-
- - - - - - - -
-

[e]

-
-

removal;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

the information system notifies organization-defined personnel or roles of the following account actions:

-
- - - - - - - -
-

[a]

-
-

creation;

-
-
-
- - - - - - - -
-

[b]

-
-

modification;

-
-
-
- - - - - - - -
-

[c]

-
-

enabling;

-
-
-
- - - - - - - -
-

[d]

-
-

disabling; and

-
-
-
- - - - - - - -
-

[e]

-
-

removal.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- notifications/alerts of account creation, modification, enabling, disabling, and removal actions

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-

References: None -

-
-
-

- AC-2 (5) INACTIVITY LOGOUT

-
-

- Parameter: - ac-2_h organization-defined time-period of expected inactivity or description of when to log out

-

- Value: organization-defined time-period of expected inactivity or description of when to log out

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires that users log out when - - ac-2_h - - organization-defined time-period of expected inactivity or description of when to log out - organization-defined time-period of expected inactivity or description of when to log out - .

-
-
-
-

Supplemental guidance

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines either the time period of expected inactivity that requires users to log out or the description of when users are required to log out; and

-
-
-
- - - - - - - -
-

[2]

-
-

requires that users log out when the organization-defined time period of inactivity is reached or in accordance with organization-defined description of when to log out.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security violation reports

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- users that must comply with inactivity logout policy

-
-

References: None -

-
-
-

- AC-2 (11) USAGE CONDITIONS

-
-

- Parameter: - ac-2_m organization-defined circumstances and/or usage conditions

-

- Value: organization-defined circumstances and/or usage conditions

-
-
-

- Parameter: - ac-2_n organization-defined information system accounts

-

- Value: organization-defined information system accounts

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system enforces - - ac-2_m - - organization-defined circumstances and/or usage conditions - organization-defined circumstances and/or usage conditions - for - - ac-2_n - - organization-defined information system accounts - organization-defined information system accounts - .

-
-
-
-

Supplemental guidance

-

Organizations can describe the specific conditions or circumstances under which information system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines circumstances and/or usage conditions to be enforced for information system accounts;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines information system accounts for which organization-defined circumstances and/or usage conditions are to be enforced; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- system-generated list of information system accounts and associated assignments of usage circumstances and/or usage conditions

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-

References: None -

-
-
-

- AC-2 (12) ACCOUNT MONITORING / ATYPICAL USAGE

-
-

- Parameter: - ac-2_o organization-defined atypical usage

-

- Value: organization-defined atypical usage

-
-
-

- Parameter: - ac-2_p organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Monitors information system accounts for - - ac-2_o - - organization-defined atypical usage - organization-defined atypical usage - ; and

-
-
-
- - - - - - - -
-

(b)

-
-

Reports atypical usage of information system accounts to - - ac-2_p - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-
-
-

Supplemental guidance

-

Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines atypical usage to be monitored for information system accounts;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors information system accounts for organization-defined atypical usage;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom atypical usage of information system accounts are to be reported; and

-
-
-
- - - - - - - -
-

[2]

-
-

reports atypical usage of information system accounts to organization-defined personnel or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system monitoring records

-

- information system audit records

-

- audit tracking and monitoring reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-

References: None -

-
-
-

- AC-2 (13) DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS

-
-

- Parameter: - ac-2_q organization-defined time period

-

- Value: organization-defined time period

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization disables accounts of users posing a significant risk within - - ac-2_q - - organization-defined time period - organization-defined time period - of discovery of the risk.

-
-
-
-

Supplemental guidance

-

Users posing a significant risk to organizations include individuals for whom reliable evidence or intelligence indicates either the intention to use authorized access to information systems to cause harm or through whom adversaries will cause harm. Harm includes potential adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation. Close coordination between authorizing officials, information system administrators, and human resource managers is essential in order for timely execution of this control enhancement.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the time period within which accounts are disabled upon discovery of a significant risk posed by users of such accounts; and

-
-
-
- - - - - - - -
-

[2]

-
-

disables accounts of users posing a significant risk within the organization-defined time period of discovery of the risk.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- system-generated list of disabled accounts

-

- list of user activities posing significant organizational risk

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information system account types to be identified and selected to support organizational missions/business functions;

-
-
-
- - - - - - - -
-

[2]

-
-

identifies and selects organization-defined information system account types to support organizational missions/business functions;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

assigns account managers for information system accounts;

-
-
-
- - - - - - - -
-

(c)

-
-

establishes conditions for group and role membership;

-
-
-
- - - - - - - -
-

(d)

-
-

specifies for each account (as required):

-
- - - - - - - -
-

[1]

-
-

authorized users of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

group and role membership;

-
-
-
- - - - - - - -
-

[3]

-
-

access authorizations (i.e., privileges);

-
-
-
- - - - - - - -
-

[4]

-
-

other attributes;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles required to approve requests to create information system accounts;

-
-
-
- - - - - - - -
-

[2]

-
-

requires approvals by organization-defined personnel or roles for requests to create information system accounts;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines procedures or conditions to:

-
- - - - - - - -
-

[a]

-
-

create information system accounts;

-
-
-
- - - - - - - -
-

[b]

-
-

enable information system accounts;

-
-
-
- - - - - - - -
-

[c]

-
-

modify information system accounts;

-
-
-
- - - - - - - -
-

[d]

-
-

disable information system accounts;

-
-
-
- - - - - - - -
-

[e]

-
-

remove information system accounts;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

in accordance with organization-defined procedures or conditions:

-
- - - - - - - -
-

[a]

-
-

creates information system accounts;

-
-
-
- - - - - - - -
-

[b]

-
-

enables information system accounts;

-
-
-
- - - - - - - -
-

[c]

-
-

modifies information system accounts;

-
-
-
- - - - - - - -
-

[d]

-
-

disables information system accounts;

-
-
-
- - - - - - - -
-

[e]

-
-

removes information system accounts;

-
-
-
-
-
-
-
- - - - - - - -
-

(g)

-
-

monitors the use of information system accounts;

-
-
-
- - - - - - - -
-

(h)

-
-

notifies account managers:

-
- - - - - - - -
-

(1)

-
-

when accounts are no longer required;

-
-
-
- - - - - - - -
-

(2)

-
-

when users are terminated or transferred;

-
-
-
- - - - - - - -
-

(3)

-
-

when individual information system usage or need to know changes;

-
-
-
-
-
- - - - - - - -
-

(i)

-
-

authorizes access to the information system based on;

-
- - - - - - - -
-

(1)

-
-

a valid access authorization;

-
-
-
- - - - - - - -
-

(2)

-
-

intended system usage;

-
-
-
- - - - - - - -
-

(3)

-
-

other attributes as required by the organization or associated missions/business functions;

-
-
-
-
-
- - - - - - - -
-

(j)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review accounts for compliance with account management requirements;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews accounts for compliance with account management requirements with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(k)

-
-

establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of active system accounts along with the name of the individual associated with each account

-

- list of conditions for group and role membership

-

- notifications or records of recently transferred, separated, or terminated employees

-

- list of recently disabled information system accounts along with the name of the individual associated with each account

-

- access authorization records

-

- account management compliance reviews

-

- information system monitoring records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes account management on the information system

-

- automated mechanisms for implementing account management

-
-

References: None -

-
-
-

- AC-3 ACCESS ENFORCEMENT

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

-
-
-
-

Supplemental guidance

-

Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.

- - - - - - - - - - - - - - - - - - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing access enforcement

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of approved authorizations (user privileges)

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with access enforcement responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing access control policy

-
-

References: None -

-
-
-

- AC-4 INFORMATION FLOW ENFORCEMENT

-
-

- Parameter: - ac-4_a organization-defined information flow control policies

-

- Value: organization-defined information flow control policies

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on - - ac-4_a - - organization-defined information flow control policies - organization-defined information flow control policies - .

-
-
-
-

Supplemental guidance

-

Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. -Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. 
Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products.

- - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines information flow control policies to control the flow of information within the system and between interconnected systems; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- information flow control policies

-

- procedures addressing information flow enforcement

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system baseline configuration

-

- list of information flow authorizations

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing information flow enforcement policy

-
-

References: None -

-
-
-

- AC-5 SEPARATION OF DUTIES

-
-

- Parameter: - ac-5_a organization-defined duties of individuals

-

- Value: organization-defined duties of individuals

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Separates - - ac-5_a - - organization-defined duties of individuals - organization-defined duties of individuals - ;

-
-
-
- - - - - - - -
-

b.

-
-

Documents separation of duties of individuals; and

-
-
-
- - - - - - - -
-

c.

-
-

Defines information system access authorizations to support separation of duties.

-
-
-
-
-
-

Supplemental guidance

-

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines duties of individuals to be separated;

-
-
-
- - - - - - - -
-

[2]

-
-

separates organization-defined duties of individuals;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

documents separation of duties; and

-
-
-
- - - - - - - -
-

(c)

-
-

defines information system access authorizations to support separation of duties.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing divisions of responsibility and separation of duties

-

- information system configuration settings and associated documentation

-

- list of divisions of responsibility and separation of duties

-

- information system access authorizations

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing separation of duties policy

-
-

References: None -

-
-
-

- AC-6 LEAST PRIVILEGE

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

-
-
-
-

Supplemental guidance

-

Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems.

- - - - - - -
-
-

- AC-6 (1) AUTHORIZE ACCESS TO SECURITY FUNCTIONS

-
-

- Parameter: - ac-6_a organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information

-

- Value: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization explicitly authorizes access to - - ac-6_a - - organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information - organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information - .

-
-
-
-

Supplemental guidance

-

Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines security-relevant information for which access must be explicitly authorized;

-
-
-
- - - - - - - -
-

[2]

-
-

defines security functions deployed in:

-
- - - - - - - -
-

[a]

-
-

hardware;

-
-
-
- - - - - - - -
-

[b]

-
-

software;

-
-
-
- - - - - - - -
-

[c]

-
-

firmware;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

explicitly authorizes access to:

-
- - - - - - - -
-

[a]

-
-

organization-defined security functions; and

-
-
-
- - - - - - - -
-

[b]

-
-

security-relevant information.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions

-
-

References: None -

-
-
-

- AC-6 (2) NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS

-
-

- Parameter: - ac-6_b organization-defined security functions or security-relevant information

-

- Value: organization-defined security functions or security-relevant information

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires that users of information system accounts, or roles, with access to - - ac-6_b - - organization-defined security functions or security-relevant information - organization-defined security functions or security-relevant information - , use non-privileged accounts or roles, when accessing nonsecurity functions.

-
-
-
-

Supplemental guidance

-

This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines security functions or security-relevant information to which users of information system accounts, or roles, have access; and

-
-
-
- - - - - - - -
-

[2]

-
-

requires that users of information system accounts, or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- list of system-generated security functions or security-relevant information assigned to information system accounts or roles

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions

-
-

References: None -

-
-
-

- AC-6 (3) NETWORK ACCESS TO PRIVILEGED COMMANDS

-
-

- Parameter: - ac-6_c organization-defined privileged commands

-

- Value: organization-defined privileged commands

-
-
-

- Parameter: - ac-6_d organization-defined compelling operational needs

-

- Value: organization-defined compelling operational needs

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization authorizes network access to - - ac-6_c - - organization-defined privileged commands - organization-defined privileged commands - only for - - ac-6_d - - organization-defined compelling operational needs - organization-defined compelling operational needs - and documents the rationale for such access in the security plan for the information system.

-
-
-
-

Supplemental guidance

-

Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines privileged commands to which network access is to be authorized only for compelling operational needs;

-
-
-
- - - - - - - -
-

[2]

-
-

defines compelling operational needs for which network access to organization-defined privileged commands are to be solely authorized;

-
-
-
- - - - - - - -
-

[3]

-
-

authorizes network access to organization-defined privileged commands only for organization-defined compelling operational needs; and

-
-
-
- - - - - - - -
-

[4]

-
-

documents the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- security plan

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of operational needs for authorizing network access to privileged commands

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions

-
-

References: None -

-
-
-

- AC-6 (5) PRIVILEGED ACCOUNTS

-
-

- Parameter: - ac-6_e organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization restricts privileged accounts on the information system to - - ac-6_e - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-

Supplemental guidance

-

Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines personnel or roles for which privileged accounts on the information system are to be restricted; and

-
-
-
- - - - - - - -
-

[2]

-
-

restricts privileged accounts on the information system to organization-defined personnel or roles.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- list of system-generated privileged accounts

-

- list of system administration personnel

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions

-
-

References: None -

-
-
-

- AC-6 (9) AUDITING USE OF PRIVILEGED FUNCTIONS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system audits the execution of privileged functions.

-
-
-
-

Supplemental guidance

-

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT).

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system audits the execution of privileged functions.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of privileged functions to be audited

-

- list of audited events

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms auditing the execution of least privilege functions

-
-

References: None -

-
-
-

- AC-6 (10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

-
-
-
-

Supplemental guidance

-

Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system prevents non-privileged users from executing privileged functions to include:

-
- - - - - - - -
-

[1]

-
-

disabling implemented security safeguards/countermeasures;

-
-
-
- - - - - - - -
-

[2]

-
-

circumventing security safeguards/countermeasures; or

-
-
-
- - - - - - - -
-

[3]

-
-

altering implemented security safeguards/countermeasures.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of privileged functions and associated user account assignments

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions for non-privileged users

-
-

References: None -

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs the principle of least privilege, allowing only authorized access for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- list of assigned access authorizations (user privileges)

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions

-
-

References: None -

-
-
-

- AC-7 UNSUCCESSFUL LOGON ATTEMPTS

-
-

- Parameter: - ac-7_a organization-defined number

-

- Value: organization-defined number

-
-
-

- Parameter: - ac-7_b organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ac-7_c organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ac-7_d organization-defined delay algorithm

-

- Value: organization-defined delay algorithm

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Enforces a limit of - - ac-7_a - - organization-defined number - organization-defined number - consecutive invalid logon attempts by a user during a - - ac-7_b - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Automatically [Selection: locks the account/node for an - - ac-7_c - - organization-defined time period - organization-defined time period - ; locks the account/node until released by an administrator; delays next logon prompt according to - - ac-7_d - - organization-defined delay algorithm - organization-defined delay algorithm - ] when the maximum number of unsuccessful attempts is exceeded.

-
-
-
-
-
-

Supplemental guidance

-

This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the number of consecutive invalid logon attempts allowed to the information system by a user during an organization-defined time period;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the time period allowed by a user of the information system for an organization-defined number of consecutive invalid logon attempts;

-
-
-
- - - - - - - -
-

[3]

-
-

the information system enforces a limit of organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines account/node lockout time period or logon delay algorithm to be automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically:

-
- - - - - - - -
-

[a]

-
-

locks the account/node for the organization-defined time period;

-
-
-
- - - - - - - -
-

[b]

-
-

locks the account/node until released by an administrator; or

-
-
-
- - - - - - - -
-

[c]

-
-

delays next logon prompt according to the organization-defined delay algorithm.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing unsuccessful logon attempts

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system developers

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing access control policy for unsuccessful logon attempts

-
-

References: None -

-
-
-

- AC-8 SYSTEM USE NOTIFICATION

-
-

- Parameter: - ac-8_a organization-defined system use notification message or banner

-

- Value: organization-defined system use notification message or banner

-
-
-

- Parameter: - ac-8_b organization-defined conditions

-

- Value: organization-defined conditions

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Displays to users - - ac-8_a - - organization-defined system use notification message or banner - organization-defined system use notification message or banner - before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:

-
- - - - - - - -
-

1.

-
-

Users are accessing a U.S. Government information system;

-
-
-
- - - - - - - -
-

2.

-
-

Information system usage may be monitored, recorded, and subject to audit;

-
-
-
- - - - - - - -
-

3.

-
-

Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and

-
-
-
- - - - - - - -
-

4.

-
-

Use of the information system indicates consent to monitoring and recording;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and

-
-
-
- - - - - - - -
-

c.

-
-

For publicly accessible systems:

-
- - - - - - - -
-

1.

-
-

Displays system use information - - ac-8_b - - organization-defined conditions - organization-defined conditions - , before granting further access;

-
-
-
- - - - - - - -
-

2.

-
-

Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

-
-
-
- - - - - - - -
-

3.

-
-

Includes a description of the authorized uses of the system.

-
-
-
-
-
-
-
-

Supplemental guidance

-

System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines a system use notification message or banner to be displayed by the information system to users before granting access to the system;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system displays to users the organization-defined system use notification message or banner before granting access to the information system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that:

-
- - - - - - - -
-

(1)

-
-

users are accessing a U.S. Government information system;

-
-
-
- - - - - - - -
-

(2)

-
-

information system usage may be monitored, recorded, and subject to audit;

-
-
-
- - - - - - - -
-

(3)

-
-

unauthorized use of the information system is prohibited and subject to criminal and civil penalties;

-
-
-
- - - - - - - -
-

(4)

-
-

use of the information system indicates consent to monitoring and recording;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

the information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system;

-
-
-
- - - - - - - -
-

(c)

-
-

for publicly accessible systems:

-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines conditions for system use to be displayed by the information system before granting further access;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system displays organization-defined conditions before granting further access;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-

the information system displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

-
-
-
- - - - - - - -
-

(3)

-
-

the information system includes a description of the authorized uses of the system.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- privacy and security policies, procedures addressing system use notification

-

- documented approval of information system use notification messages or banners

-

- information system audit records

-

- user acknowledgements of notification message or banner

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system use notification messages

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibility for providing legal advice

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing system use notification

-
-

References: None -

-
-
-

- AC-10 CONCURRENT SESSION CONTROL

-
-

- Parameter: - ac-10_a organization-defined account and/or account type

-

- Value: organization-defined account and/or account type

-
-
-

- Parameter: - ac-10_b organization-defined number

-

- Value: organization-defined number

-
-

- priority: P3

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].

-
-
-
-

Supplemental guidance

-

Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines account and/or account types for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the number of concurrent sessions to be allowed for each organization-defined account and/or account type; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system limits the number of concurrent sessions for each organization-defined account and/or account type to the organization-defined number of concurrent sessions allowed.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing concurrent session control

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing access control policy for concurrent session control

-
-

References: None -

-
-
-

- AC-11 SESSION LOCK

-
-

- Parameter: - ac-11_a organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P3

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and

-
-
-
- - - - - - - -
-

b.

-
-

Retains the session lock until the user reestablishes access using established identification and authentication procedures.

-
-
-
-
-
-

Supplemental guidance

-

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.

- -
-
-

- AC-11 (1) PATTERN-HIDING DISPLAYS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

-
-
-
-

Supplemental guidance

-

Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information.

-
-
-

Objective

- - - - - - -
- -

Determine if the information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing session lock

-

- display screen with session lock activated

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Information system session lock mechanisms

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the time period of user inactivity after which the information system initiates a session lock;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system prevents further access to the system by initiating a session lock after organization-defined time period of user inactivity or upon receiving a request from a user; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

the information system retains the session lock until the user reestablishes access using established identification and authentication procedures.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing session lock

-

- procedures addressing identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing access control policy for session lock

-
-
-

References

-
-

OMB Memorandum 06-16

-
-
-
-
-

- AC-12 SESSION TERMINATION

-
-

- Parameter: - ac-12_a organization-defined conditions or trigger events requiring session disconnect

-

- Value: organization-defined conditions or trigger events requiring session disconnect

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].

-
-
-
-

Supplemental guidance

-

This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines conditions or trigger events requiring session disconnect; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect occur.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing session termination

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of conditions or trigger events requiring session disconnect

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing user session termination

-
-

References: None -

-
-
-

- AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION

-
-

- Parameter: - ac-14_a organization-defined user actions

-

- Value: organization-defined user actions

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and

-
-
-
- - - - - - - -
-

b.

-
-

Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

-
-
-
-
-
-

Supplemental guidance

-

This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions;

-
-
-
- - - - - - - -
-

[2]

-
-

identifies organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing permitted actions without identification or authentication

-

- information system configuration settings and associated documentation

-

- security plan

-

- list of user actions that can be performed without identification or authentication

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- AC-17 REMOTE ACCESS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

-
-
-
- - - - - - - -
-

b.

-
-

Authorizes remote access to the information system prior to allowing such connections.

-
-
-
-
-
-

Supplemental guidance

-

Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.

- - - - - - - - - - - - - - - - -
-
-

- AC-17 (1) AUTOMATED MONITORING / CONTROL

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system monitors and controls remote access methods.

-
-
-
-

Supplemental guidance

-

Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).

- - -
-
-

Objective

- - - - - - -
- -

Determine if the information system monitors and controls remote access methods.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing remote access to the information system

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- information system monitoring records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms monitoring and controlling remote access methods

-
-

References: None -

-
-
-

- AC-17 (2) PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

-
-
-
-

Supplemental guidance

-

The encryption strength of the mechanism is selected based on the security categorization of the information.

- - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing remote access to the information system

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- cryptographic mechanisms and associated configuration documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions

-
-

References: None -

-
-
-

- AC-17 (3) MANAGED ACCESS CONTROL POINTS

-
-

- Parameter: - ac-17_a organization-defined number

-

- Value: organization-defined number

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.

-
-
-
-

Supplemental guidance

-

Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines the number of managed network access control points through which all remote accesses are to be routed; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system routes all remote accesses through the organization-defined number of managed network access control points.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing remote access to the information system

-

- information system design documentation

-

- list of all managed network access control points

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms routing all remote accesses through managed network access control points

-
-

References: None -

-
-
-

- AC-17 (4) PRIVILEGED COMMANDS / ACCESS

-
-

- Parameter: - ac-17_b organization-defined needs

-

- Value: organization-defined needs

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and

-
-
-
- - - - - - - -
-

(b)

-
-

Documents the rationale for such access in the security plan for the information system.

-
-
-
-
-
-

Supplemental guidance

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines needs to authorize the execution of privileged commands and access to security-relevant information via remote access;

-
-
-
- - - - - - - -
-

[2]

-
-

authorizes the execution of privileged commands and access to security-relevant information via remote access only for organization-defined needs; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

documents the rationale for such access in the information system security plan.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing remote access to the information system

-

- information system configuration settings and associated documentation

-

- security plan

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing remote access management

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

identifies the types of remote access allowed to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

establishes for each type of remote access allowed:

-
- - - - - - - -
-

[a]

-
-

usage restrictions;

-
-
-
- - - - - - - -
-

[b]

-
-

configuration/connection requirements;

-
-
-
- - - - - - - -
-

[c]

-
-

implementation guidance;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

documents for each type of remote access allowed:

-
- - - - - - - -
-

[a]

-
-

usage restrictions;

-
-
-
- - - - - - - -
-

[b]

-
-

configuration/connection requirements;

-
-
-
- - - - - - - -
-

[c]

-
-

implementation guidance; and

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

authorizes remote access to the information system prior to allowing such connections.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing remote access implementation and usage (including restrictions)

-

- configuration management plan

-

- security plan

-

- information system configuration settings and associated documentation

-

- remote access authorizations

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing remote access connections

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Remote access management capability for the information system

-
-
-

References

-
-

NIST Special Publication 800-46

-
-
-

NIST Special Publication 800-77

-
-
-

NIST Special Publication 800-113

-
-
-

NIST Special Publication 800-114

-
-
-

NIST Special Publication 800-121

-
-
-
-
-

- AC-18 WIRELESS ACCESS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and

-
-
-
- - - - - - - -
-

b.

-
-

Authorizes wireless access to the information system prior to allowing such connections.

-
-
-
-
-
-

Supplemental guidance

-

Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Note that for tunneled methods such as PEAP, the mutual-authentication and credential-protection properties hold only when client devices are configured to validate the authentication server's certificate before presenting credentials.

- - - - - - - - - - - - -
-
-

- AC-18 (1) AUTHENTICATION AND ENCRYPTION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system protects wireless access to the system using encryption and one or more of the following:

-
- - - - - - - -
-

[1]

-
-

authentication of users; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

authentication of devices.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing wireless implementation and usage (including restrictions)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing wireless access protections to the information system

-
-

References: None -

-
-
-

- AC-18 (4) RESTRICT CONFIGURATIONS BY USERS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.

-
-
-
-

Supplemental guidance

-

Organizational authorizations to allow selected users to configure wireless networking capability are enforced in part, by the access enforcement mechanisms employed within organizational information systems.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

identifies users allowed to independently configure wireless networking capabilities; and

-
-
-
- - - - - - - -
-

[2]

-
-

explicitly authorizes the identified users allowed to independently configure wireless networking capabilities.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing wireless implementation and usage (including restrictions)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms authorizing independent user configuration of wireless networking capabilities

-
-

References: None -

-
-
-

- AC-18 (5) ANTENNAS / TRANSMISSION POWER LEVELS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.

-
-
-
-

Supplemental guidance

-

Actions that may be taken by organizations to limit unauthorized use of wireless communications outside of organization-controlled boundaries include, for example: (i) reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be used by adversaries outside of the physical perimeters of organizations; (ii) employing measures such as TEMPEST to control wireless emanations; and (iii) using directional/beam forming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational information systems as well as other systems that may be operating in the area.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

selects radio antennas to reduce the probability that usable signals can be received outside of organization-controlled boundaries; and

-
-
-
- - - - - - - -
-

[2]

-
-

calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing wireless implementation and usage (including restrictions)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Wireless access capability protecting usable signals from unauthorized access outside organization-controlled boundaries

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

establishes for wireless access:

-
- - - - - - - -
-

[1]

-
-

usage restrictions;

-
-
-
- - - - - - - -
-

[2]

-
-

configuration/connection requirements;

-
-
-
- - - - - - - -
-

[3]

-
-

implementation guidance; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

authorizes wireless access to the information system prior to allowing such connections.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing wireless access implementation and usage (including restrictions)

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- wireless access authorizations

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing wireless access connections

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Wireless access management capability for the information system

-
-
-

References

-
-

NIST Special Publication 800-48

-
-
-

NIST Special Publication 800-94

-
-
-

NIST Special Publication 800-97

-
-
-
-
-

- AC-19 ACCESS CONTROL FOR MOBILE DEVICES

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and

-
-
-
- - - - - - - -
-

b.

-
-

Authorizes the connection of mobile devices to organizational information systems.

-
-
-
-
-
-

Supplemental guidance

-

A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. 
Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.

- - - - - - - - - - - - - - - - -
-
-

- AC-19 (5) FULL DEVICE / CONTAINER-BASED ENCRYPTION

-
-

- Parameter: - ac-19_c organization-defined mobile devices

-

- Value: organization-defined mobile devices

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on - - ac-19_c - - organization-defined mobile devices - organization-defined mobile devices - .

-
-
-
-

Supplemental guidance

-

Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines mobile devices for which full-device encryption or container encryption is required to protect the confidentiality and integrity of information on such devices; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs full-device encryption or container encryption to protect the confidentiality and integrity of information on organization-defined mobile devices.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing access control for mobile devices

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- encryption mechanism s and associated configuration documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with access control responsibilities for mobile devices

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Encryption mechanisms protecting confidentiality and integrity of information on mobile devices

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

establishes for organization-controlled mobile devices:

-
- - - - - - - -
-

[1]

-
-

usage restrictions;

-
-
-
- - - - - - - -
-

[2]

-
-

configuration/connection requirement;

-
-
-
- - - - - - - -
-

[3]

-
-

implementation guidance; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

authorizes the connection of mobile devices to organizational information systems.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing access control for mobile device usage (including restrictions)

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- authorizations for mobile device connections to organizational information systems

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel using mobile devices to access organizational information systems

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Access control capability authorizing mobile device connections to organizational information systems

-
-
-

References

-
-

OMB Memorandum 06-16

-
-
-

NIST Special Publication 800-114

-
-
-

NIST Special Publication 800-124

-
-
-

NIST Special Publication 800-164

-
-
-
-
-

- AC-20 USE OF EXTERNAL INFORMATION SYSTEMS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

-
- - - - - - - -
-

a.

-
-

Access the information system from external information systems; and

-
-
-
- - - - - - - -
-

b.

-
-

Process, store, or transmit organization-controlled information using external information systems.

-
-
-
-
-
-

Supplemental guidance

-

External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. -For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. 
Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. -This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

- - - - - - -
-
-

- AC-20 (1) LIMITS ON AUTHORIZED USE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:

-
- - - - - - - -
-

(a)

-
-

Verifies the implementation of required security controls on the external system as specified in the organization�s information security policy and security plan; or

-
-
-
- - - - - - - -
-

(b)

-
-

Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:

-
- - - - - - - -
-

(a)

-
-

verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or

-
-
-
- - - - - - - -
-

(b)

-
-

retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing the use of external information systems

-

- security plan

-

- information system connection or processing agreements

-

- account management documents

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing limits on use of external information systems

-
-

References: None -

-
-
-

- AC-20 (2) PORTABLE STORAGE DEVICES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.

-
-
-
-

Supplemental guidance

-

Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing the use of external information systems

-

- security plan

-

- information system configuration settings and associated documentation

-

- information system connection or processing agreements

-

- account management documents

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for restricting or prohibiting use of organization-controlled storage devices on external information systems

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing restrictions on use of portable storage devices

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

-
- - - - - - - -
-

(a)

-
-

access the information system from the external information systems; and

-
-
-
- - - - - - - -
-

(b)

-
-

process, store, or transmit organization-controlled information using external information systems.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing the use of external information systems

-

- external information systems terms and conditions

-

- list of types of applications accessible from external information systems

-

- maximum security categorization for information processed, stored, or transmitted on external information systems

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing terms and conditions on use of external information systems

-
-
-

References

-
-

FIPS Publication 199

-
-
-
-
-

- AC-21 INFORMATION SHARING

-
-

- Parameter: - ac-21_a organization-defined information sharing circumstances where user discretion is required

-

- Value: organization-defined information sharing circumstances where user discretion is required

-
-
-

- Parameter: - ac-21_b organization-defined automated mechanisms or manual processes

-

- Value: organization-defined automated mechanisms or manual processes

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for - - ac-21_a - - organization-defined information sharing circumstances where user discretion is required - organization-defined information sharing circumstances where user discretion is required - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Employs - - ac-21_b - - organization-defined automated mechanisms or manual processes - organization-defined automated mechanisms or manual processes - to assist users in making information sharing/collaboration decisions.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information sharing circumstances where user discretion is required;

-
-
-
- - - - - - - -
-

[2]

-
-

facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information sharing circumstances;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines automated mechanisms or manual processes to be employed to assist users in making information sharing/collaboration decisions; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs organization-defined automated mechanisms or manual processes to assist users in making information sharing/collaboration decisions.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing user-based collaboration and information sharing (including restrictions)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of users authorized to make information sharing/collaboration decisions

-

- list of information sharing circumstances requiring user discretion

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel responsible for making information sharing/collaboration decisions

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms or manual process implementing access authorizations supporting information sharing/user collaboration decisions

-
-

References: None -

-
-
-

- AC-22 PUBLICLY ACCESSIBLE CONTENT

-
-

- Parameter: - ac-22_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Designates individuals authorized to post information onto a publicly accessible information system;

-
-
-
- - - - - - - -
-

b.

-
-

Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and

-
-
-
- - - - - - - -
-

d.

-
-

Reviews the content on the publicly accessible information system for nonpublic information - - ac-22_a - - organization-defined frequency - organization-defined frequency - and removes such information, if discovered.

-
-
-
-
-
-

Supplemental guidance

-

In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

designates individuals authorized to post information onto a publicly accessible information system;

-
-
-
- - - - - - - -
-

(b)

-
-

trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

-
-
-
- - - - - - - -
-

(c)

-
-

reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the content on the publicly accessible information system for nonpublic information;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the content on the publicly accessible information system for nonpublic information with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[3]

-
-

removes nonpublic information from the publicly accessible information system, if discovered.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing publicly accessible content

-

- list of users authorized to post publicly accessible content on organizational information systems

-

- training materials and/or records

-

- records of publicly accessible information reviews

-

- records of response to nonpublic information on public websites

-

- system audit logs

-

- security awareness training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing management of publicly accessible content

-
-

References: None -

-
-
-
-

AWARENESS AND TRAINING

-
-

- AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES

-
-

- Parameter: - at-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - at-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - at-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - at-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Security awareness and training policy - - at-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Security awareness and training procedures - - at-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an security awareness and training policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the security awareness and training policy are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the security awareness and training policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated awareness and training controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current security awareness and training policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current security awareness and training policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current security awareness and training procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current security awareness and training procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security awareness and training responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-16

-
-
-

NIST Special Publication 800-50

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- AT-2 SECURITY AWARENESS TRAINING

-
-

- Parameter: - at-2_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):

-
- - - - - - - -
-

a.

-
-

As part of initial training for new users;

-
-
-
- - - - - - - -
-

b.

-
-

When required by information system changes; and

-
-
-
- - - - - - - -
-

c.

-
-

- - - at-2_a - - organization-defined frequency - organization-defined frequency - thereafter.

-
-
-
-
-
-

Supplemental guidance

-

Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.

- - - -
-
-

- AT-2 (2) INSIDER THREAT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

-
-
-
-

Supplemental guidance

-

Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures.

- - - - -
-
-

Objective

- - - - - - -
- -

Determine if the organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy

-

- procedures addressing security awareness training implementation

-

- security awareness training curriculum

-

- security awareness training materials

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel that participate in security awareness training

-

- organizational personnel with responsibilities for basic security awareness training

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users;

-
-
-
- - - - - - - -
-

(b)

-
-

provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes; and

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to provide refresher security awareness training thereafter to information system users (including managers, senior executives, and contractors); and

-
-
-
- - - - - - - -
-

[2]

-
-

provides refresher security awareness training to information system users (including managers, senior executives, and contractors) with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy

-

- procedures addressing security awareness training implementation

-

- appropriate codes of federal regulations

-

- security awareness training curriculum

-

- security awareness training materials

-

- security plan

-

- training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for security awareness training

-

- organizational personnel with information security responsibilities

-

- organizational personnel comprising the general information system user community

-
-
-

Assessment: TEST

-

- Automated mechanisms managing security awareness training

-
-
-

References

-
-

C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)

-
-
-

Executive Order 13587

-
-
-

NIST Special Publication 800-50

-
-
-
-
-

- AT-3 ROLE-BASED SECURITY TRAINING

-
-

- Parameter: - at-3_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides role-based security training to personnel with assigned security roles and responsibilities:

-
- - - - - - - -
-

a.

-
-

Before authorizing access to the information system or performing assigned duties;

-
-
-
- - - - - - - -
-

b.

-
-

When required by information system changes; and

-
-
-
- - - - - - - -
-

c.

-
-

[Assignment: organization-defined frequency (at-3_a)] thereafter.

-
-
-
-
-
-

Supplemental guidance

-

Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties;

-
-
-
- - - - - - - -
-

(b)

-
-

provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes; and

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to provide refresher role-based security training thereafter to personnel with assigned security roles and responsibilities; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides refresher role-based security training to personnel with assigned security roles and responsibilities with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy

-

- procedures addressing security training implementation

-

- codes of federal regulations

-

- security training curriculum

-

- security training materials

-

- security plan

-

- training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for role-based security training

-

- organizational personnel with assigned information system security roles and responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms managing role-based security training

-
-
-

References

-
-

C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)

-
-
-

NIST Special Publication 800-16

-
-
-

NIST Special Publication 800-50

-
-
-
-
-

- AT-4 SECURITY TRAINING RECORDS

-
-

- Parameter: - at-4_a organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and

-
-
-
- - - - - - - -
-

b.

-
-

Retains individual training records for [Assignment: organization-defined time period (at-4_a)].

-
-
-
-
-
-

Supplemental guidance

-

Documentation for specialized training may be maintained by individual supervisors at the option of the organization.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

documents individual information system security training activities including:

-
- - - - - - - -
-

[a]

-
-

basic security awareness training;

-
-
-
- - - - - - - -
-

[b]

-
-

specific role-based information system security training;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

monitors individual information system security training activities including:

-
- - - - - - - -
-

[a]

-
-

basic security awareness training;

-
-
-
- - - - - - - -
-

[b]

-
-

specific role-based information system security training;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period to retain individual training records; and

-
-
-
- - - - - - - -
-

[2]

-
-

retains individual training records for the organization-defined time period.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy

-

- procedures addressing security training records

-

- security awareness and training records

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security training record retention responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting management of security training records

-
-

References: None -

-
-
-
-

AUDIT AND ACCOUNTABILITY

-
-

- AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES

-
-

- Parameter: - au-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - au-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - au-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles (au-1_a)]:

-
- - - - - - - -
-

1.

-
-

An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Audit and accountability policy [Assignment: organization-defined frequency (au-1_b)]; and

-
-
-
- - - - - - - -
-

2.

-
-

Audit and accountability procedures [Assignment: organization-defined frequency (au-1_c)].

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an audit and accountability policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the audit and accountability policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the audit and accountability policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current audit and accountability policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current audit and accountability policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current audit and accountability procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current audit and accountability procedures in accordance with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- AU-2 AUDIT EVENTS

-
-

- Parameter: - au-2_a organization-defined auditable events

-

- Value: organization-defined auditable events

-
-
-

- Parameter: - au-2_b organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event

-

- Value: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events (au-2_a)];

-
-
-
- - - - - - - -
-

b.

-
-

Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

-
-
-
- - - - - - - -
-

c.

-
-

Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and

-
-
-
- - - - - - - -
-

d.

-
-

Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event (au-2_b)].

-
-
-
-
-
-

Supplemental guidance

-

An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.

- - - - - - - - -
-
-

- AU-2 (3) REVIEWS AND UPDATES

-
-

- Parameter: - au-2_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization reviews and updates the audited events [Assignment: organization-defined frequency (au-2_c)].

-
-
-
-

Supplemental guidance

-

Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the audited events; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the audited events (the subset selected under AU-2 d.) with the organization-defined frequency.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing auditable events

-

- security plan

-

- list of organization-defined auditable events

-

- auditable events review and update records

-

- information system audit records

-

- information system incident reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting review and update of auditable events

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the auditable events that the information system must be capable of auditing;

-
-
-
- - - - - - - -
-

[2]

-
-

determines that the information system is capable of auditing organization-defined auditable events;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

-
-
-
- - - - - - - -
-

(c)

-
-

provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines the subset of auditable events defined in AU-2a that are to be audited within the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

determines that the subset of auditable events defined in AU-2a is to be audited within the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

determines the frequency of (or situation requiring) auditing for each identified event.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing auditable events

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- information system auditable events

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing information system auditing

-
-
-

References

-
-

NIST Special Publication 800-92

-
-
-

http://idmanagement.gov

-
-
-
-
-

- AU-3 CONTENT OF AUDIT RECORDS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

-
-
-
-

Supplemental guidance

-

Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).

- - - - -
-
-

- AU-3 (1) ADDITIONAL AUDIT INFORMATION

-
-

- Parameter: - au-3_a organization-defined additional, more detailed information

-

- Value: organization-defined additional, more detailed information

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information (au-3_a)].

-
-
-
-

Supplemental guidance

-

Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Where full command text is captured, organizations should also consider that command arguments may contain credentials or other sensitive data, and protect or redact the resulting audit records accordingly.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines additional, more detailed information to be contained in audit records that the information system generates; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system generates audit records containing the organization-defined additional, more detailed information.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing content of audit records

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of organization-defined auditable events

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Information system audit capability

-
-

References: None -

-
-
-

- AU-3 (2) CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT

-
-

- Parameter: - au-3_b organization-defined information system components

-

- Value: organization-defined information system components

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components (au-3_b)].

-
-
-
-

Supplemental guidance

-

This control enhancement requires that the content to be captured in audit records be configured from a central location (necessitating automation). Organizations coordinate the selection of required audit content to support the centralized management and configuration capability provided by the information system.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines information system components that generate audit records whose content is to be centrally managed and configured by the information system; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system provides centralized management and configuration of the content to be captured in audit records generated by the organization-defined information system components.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing content of audit records

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of organization-defined auditable events

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Information system capability implementing centralized management and configuration of audit record content

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system generates audit records containing information that establishes:

-
- - - - - - - -
-

[1]

-
-

what type of event occurred;

-
-
-
- - - - - - - -
-

[2]

-
-

when the event occurred;

-
-
-
- - - - - - - -
-

[3]

-
-

where the event occurred;

-
-
-
- - - - - - - -
-

[4]

-
-

the source of the event;

-
-
-
- - - - - - - -
-

[5]

-
-

the outcome of the event; and

-
-
-
- - - - - - - -
-

[6]

-
-

the identity of any individuals or subjects associated with the event.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing content of audit records

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of organization-defined auditable events

-

- information system audit records

-

- information system incident reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing information system auditing of auditable events

-
-

References: None -

-
-
-

- AU-4 AUDIT STORAGE CAPACITY

-
-

- Parameter: - au-4_a organization-defined audit record storage requirements

-

- Value: organization-defined audit record storage requirements

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements (au-4_a)].

-
-
-
-

Supplemental guidance

-

Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines audit record storage requirements; and

-
-
-
- - - - - - - -
-

[2]

-
-

allocates audit record storage capacity in accordance with the organization-defined audit record storage requirements.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit storage capacity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit record storage requirements

-

- audit record storage capability for information system components

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Audit record storage capacity and related configuration settings

-
-

References: None -

-
-
-

- AU-5 RESPONSE TO AUDIT PROCESSING FAILURES

-
-

- Parameter: - au-5_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - au-5_b organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)

-

- Value: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Alerts [Assignment: organization-defined personnel or roles (au-5_a)] in the event of an audit processing failure; and

-
-
-
- - - - - - - -
-

b.

-
-

Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) (au-5_b)].

-
-
-
-
-
-

Supplemental guidance

-

Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Note that the example actions differ in their security consequences: overwriting the oldest records or ceasing audit generation preserves system availability at the cost of accountability, whereas shutting the system down preserves the audit trail at the cost of availability; the selected action and its rationale should be documented.

- - -
-
-

- AU-5 (1) AUDIT STORAGE CAPACITY

-
-

- Parameter: - au-5_c organization-defined personnel, roles, and/or locations

-

- Value: organization-defined personnel, roles, and/or locations

-
-
-

- Parameter: - au-5_d organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - au-5_e organization-defined percentage

-

- Value: organization-defined percentage

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations (au-5_c)] within [Assignment: organization-defined time period (au-5_d)] when allocated audit record storage volume reaches [Assignment: organization-defined percentage (au-5_e)] of repository maximum audit record storage capacity.

-
-
-
-

Supplemental guidance

-

Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines:

-
- - - - - - - -
-

[a]

-
-

personnel to be warned when allocated audit record storage volume reaches organization-defined percentage of repository maximum audit record storage capacity;

-
-
-
- - - - - - - -
-

[b]

-
-

roles to be warned when allocated audit record storage volume reaches organization-defined percentage of repository maximum audit record storage capacity; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

locations to be warned when allocated audit record storage volume reaches organization-defined percentage of repository maximum audit record storage capacity;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the time period within which the information system is to provide a warning to the organization-defined personnel, roles, and/or locations when allocated audit record storage volume reaches the organization-defined percentage of repository maximum audit record storage capacity;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines the percentage of repository maximum audit record storage capacity that, if reached, requires a warning to be provided; and

-
-
-
- - - - - - - -
-

[4]

-
-

the information system provides a warning to the organization-defined personnel, roles, and/or locations within the organization-defined time period when allocated audit record storage volume reaches the organization-defined percentage of repository maximum audit record storage capacity.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing response to audit processing failures

-

- information system design documentation

-

- security plan

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing audit storage limit warnings

-
-

References: None -

-
-
-

- AU-5 (2) REAL-TIME ALERTS

-
-

- Parameter: - au-5_f organization-defined real-time period

-

- Value: organization-defined real-time period

-
-
-

- Parameter: - au-5_g organization-defined personnel, roles, and/or locations

-

- Value: organization-defined personnel, roles, and/or locations

-
-
-

- Parameter: - au-5_h organization-defined audit failure events requiring real-time alerts

-

- Value: organization-defined audit failure events requiring real-time alerts

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system provides an alert in [Assignment (au-5_f): organization-defined real-time period] to [Assignment (au-5_g): organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment (au-5_h): organization-defined audit failure events requiring real-time alerts].

-
-
-
-

Supplemental guidance

-

Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines audit failure events requiring real-time alerts;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines:

-
- - - - - - - -
-

[a]

-
-

personnel to be alerted when organization-defined audit failure events requiring real-time alerts occur;

-
-
-
- - - - - - - -
-

[b]

-
-

roles to be alerted when organization-defined audit failure events requiring real-time alerts occur; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

locations to be alerted when organization-defined audit failure events requiring real-time alerts occur;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines the real-time period within which the information system is to provide an alert to the organization-defined personnel, roles, and/or locations when the organization-defined audit failure events requiring real-time alerts occur; and

-
-
-
- - - - - - - -
-

[4]

-
-

the information system provides an alert within the organization-defined real-time period to the organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing response to audit processing failures

-

- information system design documentation

-

- security plan

-

- information system configuration settings and associated documentation

-

- records of notifications or real-time alerts when audit processing failures occur

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing real-time audit alerts when organization-defined audit failure events occur

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the personnel or roles to be alerted in the event of an audit processing failure;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system alerts the organization-defined personnel or roles in the event of an audit processing failure;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines additional actions to be taken (e.g., shutdown information system, overwrite oldest audit records, stop generating audit records) in the event of an audit processing failure; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system takes the additional organization-defined actions in the event of an audit processing failure.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing response to audit processing failures

-

- information system design documentation

-

- security plan

-

- information system configuration settings and associated documentation

-

- list of personnel to be notified in case of an audit processing failure

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing information system response to audit processing failures

-
-

References: None -

-
-
-

- AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING

-
-

- Parameter: - au-6_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - au-6_b organization-defined inappropriate or unusual activity

-

- Value: organization-defined inappropriate or unusual activity

-
-
-

- Parameter: - au-6_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Reviews and analyzes information system audit records [Assignment (au-6_a): organization-defined frequency] for indications of [Assignment (au-6_b): organization-defined inappropriate or unusual activity]; and

-
-
-
- - - - - - - -
-

b.

-
-

Reports findings to [Assignment (au-6_c): organization-defined personnel or roles].

-
-
-
-
-
-

Supplemental guidance

-

Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-

- AU-6 (1) PROCESS INTEGRATION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

-
-
-
-

Supplemental guidance

-

Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

employs automated mechanisms to integrate:

-
- - - - - - - -
-

[a]

-
-

audit review;

-
-
-
- - - - - - - -
-

[b]

-
-

analysis;

-
-
-
- - - - - - - -
-

[c]

-
-

reporting processes;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

uses integrated audit review, analysis and reporting processes to support organizational processes for:

-
- - - - - - - -
-

[a]

-
-

investigation of suspicious activities; and

-
-
-
- - - - - - - -
-

[b]

-
-

response to suspicious activities.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit review, analysis, and reporting

-

- procedures addressing investigation and response to suspicious activities

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit review, analysis, and reporting responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms integrating audit review, analysis, and reporting processes

-
-

References: None -

-
-
-

- AU-6 (3) CORRELATE AUDIT REPOSITORIES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

-
-
-
-

Supplemental guidance

-

Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission/business process, and information system) and supports cross-organization awareness.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit review, analysis, and reporting

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records across different repositories

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit review, analysis, and reporting responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting analysis and correlation of audit records

-
-

References: None -

-
-
-

- AU-6 (5) INTEGRATION / SCANNING AND MONITORING CAPABILITIES

-
-

- Parameter: - au-6_d organization-defined data/information collected from other sources

-

- Value: organization-defined data/information collected from other sources

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment (au-6_d): organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.

-
-
-
-

Supplemental guidance

-

This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Information and Event Management (SIEM) tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines data/information to be collected from other sources;

-
-
-
- - - - - - - -
-

[2]

-
-

selects sources of data/information to be analyzed and integrated with the analysis of audit records from one or more of the following:

-
- - - - - - - -
-

[a]

-
-

vulnerability scanning information;

-
-
-
- - - - - - - -
-

[b]

-
-

performance data;

-
-
-
- - - - - - - -
-

[c]

-
-

information system monitoring information; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

organization-defined data/information collected from other sources; and

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

integrates the analysis of audit records with the analysis of selected data/information to further enhance the ability to identify inappropriate or unusual activity.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit review, analysis, and reporting

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- integrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit review, analysis, and reporting responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing capability to integrate analysis of audit records with analysis of data/information sources

-
-

References: None -

-
-
-

- AU-6 (6) CORRELATION WITH PHYSICAL MONITORING

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

-
-
-
-

Supplemental guidance

-

The correlation of physical audit information and audit logs from information systems may assist organizations in identifying examples of suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual's identity for logical access to certain information systems with the additional physical security information that the individual was actually present at the facility when the logical access occurred, may prove to be useful in investigations.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization correlates information from audit records with information obtained from monitoring physical access to enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit review, analysis, and reporting

-

- procedures addressing physical access monitoring

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- documentation providing evidence of correlated information obtained from audit records and physical access monitoring records

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit review, analysis, and reporting responsibilities

-

- organizational personnel with physical access monitoring responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing capability to correlate information from audit records with information from monitoring physical access

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity;

-
-
-
- - - - - - - -
-

[3]

-
-

reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported; and

-
-
-
- - - - - - - -
-

[2]

-
-

reports findings to organization-defined personnel or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit review, analysis, and reporting

-

- reports of audit findings

-

- records of actions taken in response to reviews/analyses of audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit review, analysis, and reporting responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- AU-7 AUDIT REDUCTION AND REPORT GENERATION

-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system provides an audit reduction and report generation capability that:

-
- - - - - - - -
-

a.

-
-

Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and

-
-
-
- - - - - - - -
-

b.

-
-

Does not alter the original content or time ordering of audit records.

-
-
-
-
-
-

Supplemental guidance

-

Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient.

- -
-
-

- AU-7 (1) AUTOMATIC PROCESSING

-
-

- Parameter: - au-7_a organization-defined audit fields within audit records

-

- Value: organization-defined audit fields within audit records

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system provides the capability to process audit records for events of interest based on [Assignment (au-7_a): organization-defined audit fields within audit records].

-
-
-
-

Supplemental guidance

-

Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines audit fields within audit records in order to process audit records for events of interest; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system provides the capability to process audit records for events of interest based on the organization-defined audit fields within audit records.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit reduction and report generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit reduction, review, analysis, and reporting tools

-

- audit record criteria (fields) establishing events of interest

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit reduction and report generation responsibilities

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Audit reduction and report generation capability

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system provides an audit reduction and report generation capability that supports:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

on-demand audit review;

-
-
-
- - - - - - - -
-

[2]

-
-

analysis;

-
-
-
- - - - - - - -
-

[3]

-
-

reporting requirements;

-
-
-
- - - - - - - -
-

[4]

-
-

after-the-fact investigations of security incidents; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

does not alter the original content or time ordering of audit records.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit reduction and report generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit reduction, review, analysis, and reporting tools

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit reduction and report generation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Audit reduction and report generation capability

-
-

References: None -

-
-
-

- AU-8 TIME STAMPS

-
-

- Parameter: - au-8_a organization-defined granularity of time measurement

-

- Value: organization-defined granularity of time measurement

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Uses internal system clocks to generate time stamps for audit records; and

-
-
-
- - - - - - - -
-

b.

-
-

Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment (au-8_a): organization-defined granularity of time measurement].

-
-
-
-
-
-

Supplemental guidance

-

Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.

- - -
-
-

- AU-8 (1) SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE

-
-

- Parameter: - au-8_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - au-8_c organization-defined authoritative time source

-

- Value: organization-defined authoritative time source

-
-
-

- Parameter: - au-8_d organization-defined time period

-

- Value: organization-defined time period

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

(a)

-
-

Compares the internal information system clocks [Assignment (au-8_b): organization-defined frequency] with [Assignment (au-8_c): organization-defined authoritative time source]; and

-
-
-
- - - - - - - -
-

(b)

-
-

Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment (au-8_d): organization-defined time period].

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Because the base control notes that time service can also underpin access control and identification/authentication, the authoritative time source and the synchronization path to it should themselves be protected from manipulation (for example, by using an authenticated synchronization mechanism); otherwise, skewed clocks can undermine the correlation of audit records across repositories that AU-6 (3) depends on.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the authoritative time source to which internal information system clocks are to be compared;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the frequency to compare the internal information system clocks with the organization-defined authoritative time source; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system compares the internal information system clocks with the organization-defined authoritative time source with organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the time period that, if exceeded by the time difference between the internal system clocks and the authoritative time source, will result in the internal system clocks being synchronized to the authoritative time source; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system synchronizes the internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing time stamp generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing internal information system clock synchronization

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-

the information system uses internal system clocks to generate time stamps for audit records;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the granularity of time measurement to be met when recording time stamps for audit records; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system records time stamps for audit records that meet the organization-defined granularity of time measurement.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing time stamp generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing time stamp generation

-
-

References: None -

-
-
-

- AU-9 PROTECTION OF AUDIT INFORMATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

-
-
-
-

Supplemental guidance

-

Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.

- - - - - - - -
-
-

- AU-9 (2) AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS

-
-

- Parameter: - au-9_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system backs up audit records [Assignment (au-9_a): organization-defined frequency] onto a physically different system or system component than the system or component being audited.

-
-
-
-

Supplemental guidance

-

This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. Note that the organization-defined backup frequency bounds the exposure window: records generated since the last backup still reside only on the audited system, so a shorter interval (or continuous forwarding) reduces how much audit information an attacker could alter or delete before it is copied off the system.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines the frequency to back up audit records onto a physically different system or system component than the system or component being audited; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system backs up audit records with the organization-defined frequency, onto a physically different system or system component than the system or component being audited.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing protection of audit information

-

- information system design documentation

-

- information system configuration settings and associated documentation

- system or media storing backups of information system audit records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing the backing up of audit records

-
-

References: None -

-
-
-

- AU-9 (3) CRYPTOGRAPHIC PROTECTION

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.

-
-
-
-

Supplemental guidance

-

Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

[1]

-
-

uses cryptographic mechanisms to protect the integrity of audit information; and

-
-
-
- - - - - - - -
-

[2]

-
-

uses cryptographic mechanisms to protect the integrity of audit tools.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- access control policy and procedures

-

- procedures addressing protection of audit information

-

- information system design documentation

-

- information system hardware settings

-

- information system configuration settings and associated documentation, information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Cryptographic mechanisms protecting integrity of audit information and tools

-
-

References: None -

-
-
-

- AU-9 (4) ACCESS BY SUBSET OF PRIVILEGED USERS

-
-

- Parameter: - au-9_b organization-defined subset of privileged users

-

- Value: organization-defined subset of privileged users

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization authorizes access to management of audit functionality to only - - au-9_b - - organization-defined subset of privileged users - organization-defined subset of privileged users - .

-
-
-
-

Supplemental guidance

-

Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a subset of privileged users to be authorized access to management of audit functionality; and

-
-
-
- - - - - - - -
-

[2]

-
-

authorizes access to management of audit functionality to only the organization-defined subset of privileged users.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- access control policy and procedures

-

- procedures addressing protection of audit information

-

- information system design documentation

-

- information system configuration settings and associated documentation, system-generated list of privileged users with access to management of audit functionality

-

- access authorizations

-

- access control list

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms managing access to audit functionality

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the information system protects audit information from unauthorized:

-
- - - - - - - -
-

[a]

-
-

access;

-
-
-
- - - - - - - -
-

[b]

-
-

modification;

-
-
-
- - - - - - - -
-

[c]

-
-

deletion;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the information system protects audit tools from unauthorized:

-
- - - - - - - -
-

[a]

-
-

access;

-
-
-
- - - - - - - -
-

[b]

-
-

modification; and

-
-
-
- - - - - - - -
-

[c]

-
-

deletion.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- access control policy and procedures

-

- procedures addressing protection of audit information

-

- information system design documentation

-

- information system configuration settings and associated documentation, information system audit records

-

- audit tools

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing audit information protection

-
-

References: None -

-
-
-

- AU-10 NON-REPUDIATION

-
-

- Parameter: - au-10_a organization-defined actions to be covered by non-repudiation

-

- Value: organization-defined actions to be covered by non-repudiation

-
-

- priority: P2

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed - - au-10_a - - organization-defined actions to be covered by non-repudiation - organization-defined actions to be covered by non-repudiation - .

-
-
-
-

Supplemental guidance

-

Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts).

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines actions to be covered by non-repudiation; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing non-repudiation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing non-repudiation capability

-
-

References: None -

-
-
-

- AU-11 AUDIT RECORD RETENTION

-
-

- Parameter: - au-11_a organization-defined time period consistent with records retention policy

-

- Value: organization-defined time period consistent with records retention policy

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization retains audit records for - - au-11_a - - organization-defined time period consistent with records retention policy - organization-defined time period consistent with records retention policy - to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

-
-
-
-

Supplemental guidance

-

Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a time period to retain audit records that is consistent with records retention policy;

-
-
-
- - - - - - - -
-

[2]

-
-

retains audit records for the organization-defined time period consistent with records retention policy to:

-
- - - - - - - -
-

[a]

-
-

provide support for after-the-fact investigations of security incidents; and

-
-
-
- - - - - - - -
-

[b]

-
-

meet regulatory and organizational information retention requirements.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- audit record retention policy and procedures

-

- security plan

-

- organization-defined retention period for audit records

-

- audit record archives

-

- audit logs

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit record retention responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-

References: None -

-
-
-

- AU-12 AUDIT GENERATION

-
-

- Parameter: - au-12_a organization-defined information system components

-

- Value: organization-defined information system components

-
-
-

- Parameter: - au-12_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Provides audit record generation capability for the auditable events defined in AU-2 a. at - - au-12_a - - organization-defined information system components - organization-defined information system components - ;

-
-
-
- - - - - - - -
-

b.

-
-

Allows - - au-12_b - - organization-defined personnel or roles - organization-defined personnel or roles - to select which auditable events are to be audited by specific components of the information system; and

-
-
-
- - - - - - - -
-

c.

-
-

Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

-
-
-
-
-
-

Supplemental guidance

-

Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records.

- - - - - -
-
-

- AU-12 (1) SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL

-
-

- Parameter: - au-12_c organization-defined information system components

-

- Value: organization-defined information system components

-
-
-

- Parameter: - au-12_d organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail

-

- Value: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system compiles audit records from - - au-12_c - - organization-defined information system components - organization-defined information system components - into a system-wide (logical or physical) audit trail that is time-correlated to within - - au-12_d - - organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail - organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail - .

-
-
-
-

Supplemental guidance

-

Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines the information system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the level of tolerance for the relationship between time stamps of individual records in the audit trail; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within the organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit record generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- system-wide audit trail (logical or physical)

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit record generation responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing audit record generation capability

-
-

References: None -

-
-
-

- AU-12 (3) CHANGES BY AUTHORIZED INDIVIDUALS

-
-

- Parameter: - au-12_e organization-defined individuals or roles

-

- Value: organization-defined individuals or roles

-
-
-

- Parameter: - au-12_f organization-defined information system components

-

- Value: organization-defined information system components

-
-
-

- Parameter: - au-12_g organization-defined selectable event criteria

-

- Value: organization-defined selectable event criteria

-
-
-

- Parameter: - au-12_h organization-defined time thresholds

-

- Value: organization-defined time thresholds

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system provides the capability for - - au-12_e - - organization-defined individuals or roles - organization-defined individuals or roles - to change the auditing to be performed on - - au-12_f - - organization-defined information system components - organization-defined information system components - based on - - au-12_g - - organization-defined selectable event criteria - organization-defined selectable event criteria - within - - au-12_h - - organization-defined time thresholds - organization-defined time thresholds - .

-
-
-
-

Supplemental guidance

-

This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines information system components on which auditing is to be performed;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines individuals or roles authorized to change the auditing to be performed on organization-defined information system components;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines time thresholds within which organization-defined individuals or roles can change the auditing to be performed on organization-defined information system components;

-
-
-
- - - - - - - -
-

[4]

-
-

the organization defines selectable event criteria that support the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components; and

-
-
-
- - - - - - - -
-

[5]

-
-

the information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit record generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- system-generated list of individuals or roles authorized to change auditing to be performed

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit record generation responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing audit record generation capability

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the information system components which are to provide audit record generation capability for the auditable events defined in AU-2a;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system provides audit record generation capability, for the auditable events defined in AU-2a, at organization-defined information system components;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system allows the organization-defined personnel or roles to select which auditable events are to be audited by specific components of the system; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

the information system generates audit records for the events defined in AU-2d with the content in defined in AU-3.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit record generation

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of auditable events

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit record generation responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing audit record generation capability

-
-

References: None -

-
-
-
-

SECURITY ASSESSMENT AND AUTHORIZATION

-
-

- CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES

-
-

- Parameter: - ca-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ca-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ca-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ca-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Security assessment and authorization policy - - ca-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Security assessment and authorization procedures - - ca-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a security assessment and authorization policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the security assessment and authorization policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the security assessment and authorization policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated assessment and authorization controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current security assessment and authorization policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current security assessment and authorization policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current security assessment and authorization procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current security assessment and authorization procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security assessment and authorization responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-53A

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- CA-2 SECURITY ASSESSMENTS

-
-

- Parameter: - ca-2_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ca-2_b organization-defined individuals or roles

-

- Value: organization-defined individuals or roles

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops a security assessment plan that describes the scope of the assessment including:

-
- - - - - - - -
-

1.

-
-

Security controls and control enhancements under assessment;

-
-
-
- - - - - - - -
-

2.

-
-

Assessment procedures to be used to determine security control effectiveness; and

-
-
-
- - - - - - - -
-

3.

-
-

Assessment environment, assessment team, and assessment roles and responsibilities;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Assesses the security controls in the information system and its environment of operation - - ca-2_a - - organization-defined frequency - organization-defined frequency - to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

-
-
-
- - - - - - - -
-

c.

-
-

Produces a security assessment report that documents the results of the assessment; and

-
-
-
- - - - - - - -
-

d.

-
-

Provides the results of the security control assessment to - - ca-2_b - - organization-defined individuals or roles - organization-defined individuals or roles - .

-
-
-
-
-
-

Supplemental guidance

-

Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. 
-To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control.

- - - - - - - - -
-
-

- CA-2 (1) INDEPENDENT ASSESSORS

-
-

- Parameter: - ca-2_c organization-defined level of independence

-

- Value: organization-defined level of independence

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs assessors or assessment teams with - - ca-2_c - - organization-defined level of independence - organization-defined level of independence - to conduct security control assessments.

-
-
-
-

Supplemental guidance

-

Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. 
In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the level of independence to be employed to conduct security control assessments; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs assessors or assessment teams with the organization-defined level of independence to conduct security control assessments.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing security assessments

-

- security authorization package (including security plan, security assessment plan, security assessment report, plan of action and milestones, authorization statement)

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- CA-2 (2) SPECIALIZED ASSESSMENTS

-
-

- Parameter: - ca-2_d organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ca-2_e organization-defined other forms of security assessment

-

- Value: organization-defined other forms of security assessment

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization includes as part of security control assessments, [Assignment: organization-defined frequency (ca-2_d)], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment (ca-2_e)]].

-
-
-
-

Supplemental guidance

-

Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

selects one or more of the following forms of specialized security assessment to be included as part of security control assessments:

-
- - - - - - - -
-

[a]

-
-

in-depth monitoring;

-
-
-
- - - - - - - -
-

[b]

-
-

vulnerability scanning;

-
-
-
- - - - - - - -
-

[c]

-
-

malicious user testing;

-
-
-
- - - - - - - -
-

[d]

-
-

insider threat assessment;

-
-
-
- - - - - - - -
-

[e]

-
-

performance/load testing; and/or

-
-
-
- - - - - - - -
-

[f]

-
-

other forms of organization-defined specialized security assessment;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency for conducting the selected form(s) of specialized security assessment;

-
-
-
- - - - - - - -
-

[3]

-
-

defines whether the specialized security assessment will be announced or unannounced; and

-
-
-
- - - - - - - -
-

[4]

-
-

conducts announced or unannounced organization-defined forms of specialized security assessments with the organization-defined frequency as part of security control assessments.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing security assessments

-

- security plan

-

- security assessment plan

-

- security assessment report

-

- security assessment evidence

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting security control assessment

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops a security assessment plan that describes the scope of the assessment including:

-
- - - - - - - -
-

(1)

-
-

security controls and control enhancements under assessment;

-
-
-
- - - - - - - -
-

(2)

-
-

assessment procedures to be used to determine security control effectiveness;

-
-
-
- - - - - - - -
-

(3)

-
-
- - - - - - - -
-

[1]

-
-

assessment environment;

-
-
-
- - - - - - - -
-

[2]

-
-

assessment team;

-
-
-
- - - - - - - -
-

[3]

-
-

assessment roles and responsibilities;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to assess the security controls in the information system and its environment of operation;

-
-
-
- - - - - - - -
-

[2]

-
-

assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

produces a security assessment report that documents the results of the assessment;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines individuals or roles to whom the results of the security control assessment are to be provided; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides the results of the security control assessment to organization-defined individuals or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing security assessment planning

-

- procedures addressing security assessments

-

- security assessment plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting security assessment, security assessment plan development, and/or security assessment reporting

-
-
-

References

-
-

Executive Order 13587

-
-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-39

-
-
-

NIST Special Publication 800-53A

-
-
-

NIST Special Publication 800-115

-
-
-

NIST Special Publication 800-137

-
-
-
-
-

- CA-3 SYSTEM INTERCONNECTIONS

-
-

- Parameter: - ca-3_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;

-
-
-
- - - - - - - -
-

b.

-
-

Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and

-
-
-
- - - - - - - -
-

c.

-
-

Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency (ca-3_a)].

-
-
-
-
-
-

Supplemental guidance

-

This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.

- - - - - - - - - - - -
-
-

- CA-3 (5) RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS

-
-

- Parameter: - ca-3_h organization-defined information systems

-

- Value: organization-defined information systems

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems (ca-3_h)] to connect to external information systems.

-
-
-
-

Supplemental guidance

-

Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information systems to be allowed to connect to external information systems;

-
-
-
- - - - - - - -
-

[2]

-
-

employs one of the following policies for allowing organization-defined information systems to connect to external information systems (the control's selection is between two paired policies: allow-all with deny-by-exception, or deny-all with permit-by-exception):

-
- - - - - - - -
-

[a]

-
-

allow-all policy;

-
-
-
- - - - - - - -
-

[b]

-
-

deny-by-exception policy;

-
-
-
- - - - - - - -
-

[c]

-
-

deny-all policy; or

-
-
-
- - - - - - - -
-

[d]

-
-

permit-by-exception policy.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing information system connections

-

- system and communications protection policy

-

- information system interconnection agreements

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security assessment report

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for managing connections to external information systems

-

- network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing restrictions on external system connections

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;

-
-
-
- - - - - - - -
-

(b)

-
-

documents, for each interconnection:

-
- - - - - - - -
-

[1]

-
-

the interface characteristics;

-
-
-
- - - - - - - -
-

[2]

-
-

the security requirements;

-
-
-
- - - - - - - -
-

[3]

-
-

the nature of the information communicated;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update Interconnection Security Agreements; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates Interconnection Security Agreements with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing information system connections

-

- system and communications protection policy

-

- information system Interconnection Security Agreements

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for developing, implementing, or approving information system interconnection agreements

-

- organizational personnel with information security responsibilities

-

- personnel managing the system(s) to which the Interconnection Security Agreement applies

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-47

-
-
-
-
-

- CA-5 PLAN OF ACTION AND MILESTONES

-
-

- Parameter: - ca-5_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and

-
-
-
- - - - - - - -
-

b.

-
-

Updates existing plan of action and milestones [Assignment: organization-defined frequency (ca-5_a)] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

-
-
-
-
-
-

Supplemental guidance

-

Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops a plan of action and milestones for the information system to:

-
- - - - - - - -
-

[1]

-
-

document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls;

-
-
-
- - - - - - - -
-

[2]

-
-

reduce or eliminate known vulnerabilities in the system;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to update the existing plan of action and milestones;

-
-
-
- - - - - - - -
-

[2]

-
-

updates the existing plan of action and milestones with the organization-defined frequency based on the findings from:

-
- - - - - - - -
-

[a]

-
-

security controls assessments;

-
-
-
- - - - - - - -
-

[b]

-
-

security impact analyses; and

-
-
-
- - - - - - - -
-

[c]

-
-

continuous monitoring activities.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing plan of action and milestones

-

- security plan

-

- security assessment plan

-

- security assessment report

-

- security assessment evidence

-

- plan of action and milestones

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with plan of action and milestones development and implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms for developing, implementing, and maintaining plan of action and milestones

-
-
-

References

-
-

OMB Memorandum 02-01

-
-
-

NIST Special Publication 800-37

-
-
-
-
-

- CA-6 SECURITY AUTHORIZATION

-
-

- Parameter: - ca-6_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Assigns a senior-level executive or manager as the authorizing official for the information system;

-
-
-
- - - - - - - -
-

b.

-
-

Ensures that the authorizing official authorizes the information system for processing before commencing operations; and

-
-
-
- - - - - - - -
-

c.

-
-

Updates the security authorization [Assignment: organization-defined frequency (ca-6_a)].

-
-
-
-
-
-

Supplemental guidance

-

Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. 
To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

assigns a senior-level executive or manager as the authorizing official for the information system;

-
-
-
- - - - - - - -
-

(b)

-
-

ensures that the authorizing official authorizes the information system for processing before commencing operations;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to update the security authorization; and

-
-
-
- - - - - - - -
-

[2]

-
-

updates the security authorization with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing security authorization

-

- security authorization package (including security plan, security assessment report, plan of action and milestones, authorization statement)

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security authorization responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms that facilitate security authorizations and updates

-
-
-

References

-
-

OMB Circular A-130

-
-
-

OMB Memorandum 11-33

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-137

-
-
-
-
-

- CA-7 CONTINUOUS MONITORING

-
-

- Parameter: - ca-7_a organization-defined metrics

-

- Value: organization-defined metrics

-
-
-

- Parameter: - ca-7_b organization-defined frequencies

-

- Value: organization-defined frequencies

-
-
-

- Parameter: - ca-7_c organization-defined frequencies

-

- Value: organization-defined frequencies

-
-
-

- Parameter: - ca-7_d organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ca-7_e organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

-
- - - - - - - -
-

a.

-
-

Establishment of [Assignment: organization-defined metrics (ca-7_a)] to be monitored;

-
-
-
- - - - - - - -
-

b.

-
-

Establishment of [Assignment: organization-defined frequencies (ca-7_b)] for monitoring and [Assignment: organization-defined frequencies (ca-7_c)] for assessments supporting such monitoring;

-
-
-
- - - - - - - -
-

c.

-
-

Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

-
-
-
- - - - - - - -
-

d.

-
-

Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

-
-
-
- - - - - - - -
-

e.

-
-

Correlation and analysis of security-related information generated by assessments and monitoring;

-
-
-
- - - - - - - -
-

f.

-
-

Response actions to address results of the analysis of security-related information; and

-
-
-
- - - - - - - -
-

g.

-
-

Reporting the security status of the organization and the information system to [Assignment: organization-defined personnel or roles (ca-7_d)] [Assignment: organization-defined frequency (ca-7_e)].

-
-
-
-
-
-

Supplemental guidance

-

Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.

- - - - - - - - - - - - -
-
-

- CA-7 (1) INDEPENDENT ASSESSMENT

-
-

- Parameter: - ca-7_f organization-defined level of independence

-

- Value: organization-defined level of independence

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence (ca-7_f)] to monitor the security controls in the information system on an ongoing basis.

-
-
-
-

Supplemental guidance

-

Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a level of independence to be employed to monitor the security controls in the information system on an ongoing basis; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs assessors or assessment teams with the organization-defined level of independence to monitor the security controls in the information system on an ongoing basis.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing continuous monitoring of information system security controls

-

- security plan

-

- security assessment report

-

- plan of action and milestones

-

- information system monitoring records

-

- security impact analyses

-

- status reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with continuous monitoring responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that defines metrics to be monitored;

-
-
-
- - - - - - - -
-

[2]

-
-

develops a continuous monitoring strategy that includes monitoring of organization-defined metrics;

-
-
-
- - - - - - - -
-

[3]

-
-

implements a continuous monitoring program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that defines frequencies for monitoring;

-
-
-
- - - - - - - -
-

[2]

-
-

defines frequencies for assessments supporting monitoring;

-
-
-
- - - - - - - -
-

[3]

-
-

develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring;

-
-
-
- - - - - - - -
-

[4]

-
-

implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that includes ongoing security control assessments;

-
-
-
- - - - - - - -
-

[2]

-
-

implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics;

-
-
-
- - - - - - - -
-

[2]

-
-

implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring;

-
-
-
- - - - - - - -
-

[2]

-
-

implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information;

-
-
-
- - - - - - - -
-

[2]

-
-

implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported;

-
-
-
- - - - - - - -
-

[2]

-
-

develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles;

-
-
-
- - - - - - - -
-

[3]

-
-

develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organization-defined personnel or roles with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[4]

-
-

implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing continuous monitoring of information system security controls

-

- procedures addressing configuration management

-

- security plan

-

- security assessment report

-

- plan of action and milestones

-

- information system monitoring records

-

- configuration management records

-

- security impact analyses

-

- status reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with continuous monitoring responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Mechanisms implementing continuous monitoring

-
-
-

References

-
-

OMB Memorandum 11-33

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-39

-
-
-

NIST Special Publication 800-53A

-
-
-

NIST Special Publication 800-115

-
-
-

NIST Special Publication 800-137

-
-
-

US-CERT Technical Cyber Security Alerts

-
-
-

DoD Information Assurance Vulnerability Alerts

-
-
-
-
-

- CA-8 PENETRATION TESTING

-
-

- Parameter: - ca-8_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ca-8_b organization-defined information systems or system components

-

- Value: organization-defined information systems or system components

-
-

- priority: P2

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization conducts penetration testing [Assignment: organization-defined frequency (ca-8_a)] on [Assignment: organization-defined information systems or system components (ca-8_b)].

-
-
-
-

Supplemental guidance

-

Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information systems or system components on which penetration testing is to be conducted;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to conduct penetration testing on organization-defined information systems or system components; and

-
-
-
- - - - - - - -
-

[3]

-
-

conducts penetration testing on organization-defined information systems or system components with the organization-defined frequency.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing penetration testing

-

- security plan

-

- security assessment plan

-

- penetration test report

-

- security assessment report

-

- security assessment evidence

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security assessment responsibilities

-

- organizational personnel with information security responsibilities, system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting penetration testing

-
-

References: None -

-
-
-

- CA-9 INTERNAL SYSTEM CONNECTIONS

-
-

- Parameter: - ca-9_a organization-defined information system components or classes of components

-

- Value: organization-defined information system components or classes of components

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Authorizes internal connections of - - ca-9_a - - organization-defined information system components or classes of components - organization-defined information system components or classes of components - to the information system; and

-
-
-
- - - - - - - -
-

b.

-
-

Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.

- - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information system components or classes of components to be authorized as internal connections to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

authorizes internal connections of organization-defined information system components or classes of components to the information system;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

documents, for each internal connection:

-
- - - - - - - -
-

[1]

-
-

the interface characteristics;

-
-
-
- - - - - - - -
-

[2]

-
-

the security requirements; and

-
-
-
- - - - - - - -
-

[3]

-
-

the nature of the information communicated.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing information system connections

-

- system and communications protection policy

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of components or classes of components authorized as internal system connections

-

- security assessment report

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for developing, implementing, or authorizing internal system connections

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-
-

CONFIGURATION MANAGEMENT

-
-

- CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES

-
-

- Parameter: - cm-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - cm-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cm-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - cm-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Configuration management policy - - cm-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Configuration management procedures - - cm-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a configuration management policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the configuration management policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the configuration management policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current configuration management policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current configuration management policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current configuration management procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current configuration management procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- CM-2 BASELINE CONFIGURATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

-
-
-
-

Supplemental guidance

-

This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture.

- - - - - - - -
-
-

- CM-2 (1) REVIEWS AND UPDATES

-
-

- Parameter: - cm-2_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cm-2_b Assignment organization-defined circumstances

-

- Value: Assignment organization-defined circumstances

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization reviews and updates the baseline configuration of the information system:

-
- - - - - - - -
-

(a)

-
-

- - - cm-2_a - - organization-defined frequency - organization-defined frequency - ;

-
-
-
- - - - - - - -
-

(b)

-
-

When required due to - - cm-2_b - - Assignment organization-defined circumstances - Assignment organization-defined circumstances - ; and

-
-
-
- - - - - - - -
-

(c)

-
-

As an integral part of information system component installations and upgrades.

-
-
-
-
-
-

Supplemental guidance

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the baseline configuration of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the baseline configuration of the information system with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines circumstances that require the baseline configuration of the information system to be reviewed and updated;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

reviews and updates the baseline configuration of the information system as an integral part of information system component installations and upgrades.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- configuration management plan

-

- procedures addressing the baseline configuration of the information system

-

- procedures addressing information system component installations and upgrades

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- records of information system baseline configuration reviews and updates

-

- information system component installations/upgrades and associated records

-

- change control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing baseline configurations

-

- automated mechanisms supporting review and update of the baseline configuration

-
-

References: None -

-
-
-

- CM-2 (2) AUTOMATION SUPPORT FOR ACCURACY / CURRENCY

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

-
-
-
-

Supplemental guidance

-

Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization employs automated mechanisms to maintain:

-
- - - - - - - -
-

[1]

-
-

an up-to-date baseline configuration of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

a complete baseline configuration of the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

an accurate baseline configuration of the information system; and

-
-
-
- - - - - - - -
-

[4]

-
-

a readily available baseline configuration of the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing the baseline configuration of the information system

-

- configuration management plan

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- configuration change control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing baseline configurations

-

- automated mechanisms implementing baseline configuration maintenance

-
-

References: None -

-
-
-

- CM-2 (3) RETENTION OF PREVIOUS CONFIGURATIONS

-
-

- Parameter: - cm-2_c organization-defined previous versions of baseline configurations of the information system

-

- Value: organization-defined previous versions of baseline configurations of the information system

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization retains - - cm-2_c - - organization-defined previous versions of baseline configurations of the information system - organization-defined previous versions of baseline configurations of the information system - to support rollback.

-
-
-
-

Supplemental guidance

-

Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines previous versions of baseline configurations of the information system to be retained to support rollback; and

-
-
-
- - - - - - - -
-

[2]

-
-

retains organization-defined previous versions of baseline configurations of the information system to support rollback.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing the baseline configuration of the information system

-

- configuration management plan

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- copies of previous baseline configuration versions

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing baseline configurations

-
-

References: None -

-
-
-

- CM-2 (7) CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS

-
-

- Parameter: - cm-2_d organization-defined information systems, system components, or devices

-

- Value: organization-defined information systems, system components, or devices

-
-
-

- Parameter: - cm-2_e organization-defined configurations

-

- Value: organization-defined configurations

-
-
-

- Parameter: - cm-2_f organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Issues - - cm-2_d - - organization-defined information systems, system components, or devices - organization-defined information systems, system components, or devices - with - - cm-2_e - - organization-defined configurations - organization-defined configurations - to individuals traveling to locations that the organization deems to be of significant risk; and

-
-
-
- - - - - - - -
-

(b)

-
-

Applies - - cm-2_f - - organization-defined security safeguards - organization-defined security safeguards - to the devices when the individuals return.

-
-
-
-
-
-

Supplemental guidance

-

When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information systems, system components, or devices to be issued to individuals traveling to locations that the organization deems to be of significant risk;

-
-
-
- - - - - - - -
-

[2]

-
-

defines configurations to be employed on organization-defined information systems, system components, or devices issued to individuals traveling to such locations;

-
-
-
- - - - - - - -
-

[3]

-
-

issues organization-defined information systems, system components, or devices with organization-defined configurations to individuals traveling to locations that the organization deems to be of significant risk;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines security safeguards to be applied to the devices when the individuals return; and

-
-
-
- - - - - - - -
-

[2]

-
-

applies organization-defined safeguards to the devices when the individuals return.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- configuration management plan

-

- procedures addressing the baseline configuration of the information system

-

- procedures addressing information system component installations and upgrades

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- records of information system baseline configuration reviews and updates

-

- information system component installations/upgrades and associated records

-

- change control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing baseline configurations

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

develops and documents a current baseline configuration of the information system; and

-
-
-
- - - - - - - -
-

[2]

-
-

maintains, under configuration control, a current baseline configuration of the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing the baseline configuration of the information system

-

- configuration management plan

-

- enterprise architecture documentation

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- change control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing baseline configurations

-

- automated mechanisms supporting configuration control of the baseline configuration

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-3 CONFIGURATION CHANGE CONTROL

-
-

- Parameter: - cm-3_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - cm-3_b organization-defined configuration change control element (e.g., committee, board)

-

- Value: organization-defined configuration change control element (e.g., committee, board)

-
-
-

- Parameter: - cm-3_c organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cm-3_d organization-defined configuration change conditions

-

- Value: organization-defined configuration change conditions

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Determines the types of changes to the information system that are configuration-controlled;

-
-
-
- - - - - - - -
-

b.

-
-

Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

-
-
-
- - - - - - - -
-

c.

-
-

Documents configuration change decisions associated with the information system;

-
-
-
- - - - - - - -
-

d.

-
-

Implements approved configuration-controlled changes to the information system;

-
-
-
- - - - - - - -
-

e.

-
-

Retains records of configuration-controlled changes to the information system for - - cm-3_a - - organization-defined time period - organization-defined time period - ;

-
-
-
- - - - - - - -
-

f.

-
-

Audits and reviews activities associated with configuration-controlled changes to the information system; and

-
-
-
- - - - - - - -
-

g.

-
-

Coordinates and provides oversight for configuration change control activities through - - cm-3_b - - organization-defined configuration change control element (e.g., committee, board) - organization-defined configuration change control element (e.g., committee, board) - that convenes [Selection (one or more): - - cm-3_c - - organization-defined frequency - organization-defined frequency - ; - - cm-3_d - - organization-defined configuration change conditions - organization-defined configuration change conditions - ].

-
-
-
-
-
-

Supplemental guidance

-

Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes.

- - - - - - - - - -
-
-

- CM-3 (1) AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES

-
-

- Parameter: - cm-3_e organized-defined approval authorities

-

- Value: organized-defined approval authorities

-
-
-

- Parameter: - cm-3_f organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - cm-3_g organization-defined personnel

-

- Value: organization-defined personnel

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to:

-
- - - - - - - -
-

(a)

-
-

Document proposed changes to the information system;

-
-
-
- - - - - - - -
-

(b)

-
-

Notify - - cm-3_e - - organized-defined approval authorities - organized-defined approval authorities - of proposed changes to the information system and request change approval;

-
-
-
- - - - - - - -
-

(c)

-
-

Highlight proposed changes to the information system that have not been approved or disapproved by - - cm-3_f - - organization-defined time period - organization-defined time period - ;

-
-
-
- - - - - - - -
-

(d)

-
-

Prohibit changes to the information system until designated approvals are received;

-
-
-
- - - - - - - -
-

(e)

-
-

Document all changes to the information system; and

-
-
-
- - - - - - - -
-

(f)

-
-

Notify - - cm-3_g - - organization-defined personnel - organization-defined personnel - when approved changes to the information system are completed.

-
-
-
-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

employs automated mechanisms to document proposed changes to the information system;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines approval authorities to be notified of proposed changes to the information system and request change approval;

-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms to notify organization-defined approval authorities of proposed changes to the information system and request change approval;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the time period within which proposed changes to the information system that have not been approved or disapproved must be highlighted;

-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms to highlight proposed changes to the information system that have not been approved or disapproved by organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

employs automated mechanisms to prohibit changes to the information system until designated approvals are received;

-
-
-
- - - - - - - -
-

(e)

-
-

employs automated mechanisms to document all changes to the information system;

-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel to be notified when approved changes to the information system are completed; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms to notify organization-defined personnel when approved changes to the information system are completed.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system configuration change control

-

- configuration management plan

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- automated configuration control mechanisms

-

- information system configuration settings and associated documentation

-

- change control records

-

- information system audit records

-

- change approval requests

-

- change approvals

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration change control responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for configuration change control

-

- automated mechanisms implementing configuration change control activities

-
-

References: None -

-
-
-

- CM-3 (2) TEST / VALIDATE / DOCUMENT CHANGES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

-
-
-
-

Supplemental guidance

-

Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems).

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization, before implementing changes on the operational system:

-
- - - - - - - -
-

[1]

-
-

tests changes to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

validates changes to the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

documents changes to the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- configuration management plan

-

- procedures addressing information system configuration change control

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- test records

-

- validation records

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration change control responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for configuration change control

-

- automated mechanisms supporting and/or implementing testing, validating, and documenting information system changes

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

determines the type of changes to the information system that must be configuration-controlled;

-
-
-
- - - - - - - -
-

(b)

-
-

reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

-
-
-
- - - - - - - -
-

(c)

-
-

documents configuration change decisions associated with the information system;

-
-
-
- - - - - - - -
-

(d)

-
-

implements approved configuration-controlled changes to the information system;

-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period to retain records of configuration-controlled changes to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

retains records of configuration-controlled changes to the information system for the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-

audits and reviews activities associated with configuration-controlled changes to the information system;

-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

defines a configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency with which the configuration change control element must convene; and/or

-
-
-
- - - - - - - -
-

[3]

-
-

defines configuration change conditions that prompt the configuration change control element to convene; and

-
-
-
- - - - - - - -
-

[4]

-
-

coordinates and provides oversight for configuration change control activities through organization-defined configuration change control element that convenes at organization-defined frequency and/or for any organization-defined configuration change conditions.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system configuration change control

-

- configuration management plan

-

- information system architecture and configuration documentation

-

- security plan

-

- change control records

-

- information system audit records

-

- change control audit and review reports

-

- agenda /minutes from configuration change control oversight meetings

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration change control responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- members of change control board or similar

-
-
-

Assessment: TEST

-

- Organizational processes for configuration change control

-

- automated mechanisms that implement configuration change control

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-4 SECURITY IMPACT ANALYSIS

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

-
-
-
-

Supplemental guidance

-

Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.

- - - - - - - - -
-
-

- CM-4 (1) SEPARATE TEST ENVIRONMENTS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

-
-
-
-

Supplemental guidance

-

Separate test environment in this context means an environment that is physically or logically isolated and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not used, organizations determine the strength of mechanism required when implementing logical separation (e.g., separation achieved through virtual machines).

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

analyzes changes to the information system in a separate test environment before implementation in an operational environment;

-
-
-
- - - - - - - -
-

[2]

-
-

when analyzing changes to the information system in a separate test environment, looks for security impacts due to:

-
- - - - - - - -
-

[a]

-
-

flaws;

-
-
-
- - - - - - - -
-

[b]

-
-

weaknesses;

-
-
-
- - - - - - - -
-

[c]

-
-

incompatibility; and

-
-
-
- - - - - - - -
-

[d]

-
-

intentional malice.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing security impact analysis for changes to the information system

-

- configuration management plan

-

- security impact analysis documentation

-

- analysis tools and associated outputs information system design documentation

-

- information system architecture and configuration documentation

-

- change control records

-

- information system audit records

-

- documentation evidence of separate test and operational environments

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for conducting security impact analysis

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for security impact analysis

-

- automated mechanisms supporting and/or implementing security impact analysis of changes

-
-

References: None -

-
-
-

Objective

- - - - - - -
- -

Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing security impact analysis for changes to the information system

-

- configuration management plan

-

- security impact analysis documentation

-

- analysis tools and associated outputs

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for conducting security impact analysis

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for security impact analysis

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-5 ACCESS RESTRICTIONS FOR CHANGE

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

-
-
-
-

Supplemental guidance

-

Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

- - - -
-
-

- CM-5 (1) AUTOMATED ACCESS ENFORCEMENT / AUDITING

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system enforces access restrictions and supports auditing of the enforcement actions.

-
-
-
-

Supplemental guidance

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

[1]

-
-

enforces access restrictions for change; and

-
-
-
- - - - - - - -
-

[2]

-
-

supports auditing of the enforcement actions.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing access restrictions for changes to the information system

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for managing access restrictions to change

-

- automated mechanisms implementing enforcement of access restrictions for changes to the information system

-

- automated mechanisms supporting auditing of enforcement actions

-
-

References: None -

-
-
-

- CM-5 (2) REVIEW SYSTEM CHANGES

-
-

- Parameter: - cm-5_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cm-5_b organization-defined circumstances

-

- Value: organization-defined circumstances

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization reviews information system changes - - cm-5_a - - organization-defined frequency - organization-defined frequency - and - - cm-5_b - - organization-defined circumstances - organization-defined circumstances - to determine whether unauthorized changes have occurred.

-
-
-
-

Supplemental guidance

-

Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization, in an effort to ascertain whether unauthorized changes have occurred:

-
- - - - - - - -
-

[1]

-
-

defines the frequency to review information system changes;

-
-
-
- - - - - - - -
-

[2]

-
-

defines circumstances that warrant review of information system changes;

-
-
-
- - - - - - - -
-

[3]

-
-

reviews information system changes with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[4]

-
-

reviews information system changes with the organization-defined circumstances.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing access restrictions for changes to the information system

-

- configuration management plan

-

- security plan

-

- reviews of information system changes

-

- audit and review reports

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing access restrictions to change

-

- automated mechanisms supporting/implementing information system reviews to determine whether unauthorized changes have occurred

-
-

References: None -

-
-
-

- CM-5 (3) SIGNED COMPONENTS

-
-

- Parameter: - cm-5_c organization-defined software and firmware components

-

- Value: organization-defined software and firmware components

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system prevents the installation of - - cm-5_c - - organization-defined software and firmware components - organization-defined software and firmware components - without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

-
-
-
-

Supplemental guidance

-

Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures, is a method of code authentication.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines software and firmware components that the information system will prevent from being installed without verification that such components have been digitally signed using a certificate that is recognized and approved by the organization; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system prevents the installation of organization-defined software and firmware components without verification that such components have been digitally signed using a certificate that is recognized and approved by the organization.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing access restrictions for changes to the information system

-

- configuration management plan

-

- security plan

-

- list of software and firmware components to be prohibited from installation without a recognized and approved certificate

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for managing access restrictions to change

-

- automated mechanisms preventing installation of software and firmware components not signed with an organization-recognized and approved certificate

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines physical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

documents physical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

approves physical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[4]

-
-

enforces physical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[5]

-
-

defines logical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[6]

-
-

documents logical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[7]

-
-

approves logical access restrictions associated with changes to the information system; and

-
-
-
- - - - - - - -
-

[8]

-
-

enforces logical access restrictions associated with changes to the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing access restrictions for changes to the information system

-

- configuration management plan

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- logical access approvals

-

- physical access approvals

-

- access credentials

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with logical access control responsibilities

-

- organizational personnel with physical access control responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing access restrictions to change

-

- automated mechanisms supporting/implementing/enforcing access restrictions associated with changes to the information system

-
-

References: None -

-
-
-

- CM-6 CONFIGURATION SETTINGS

-
-

- Parameter: - cm-6_a organization-defined security configuration checklists

-

- Value: organization-defined security configuration checklists

-
-
-

- Parameter: - cm-6_b organization-defined information system components

-

- Value: organization-defined information system components

-
-
-

- Parameter: - cm-6_c organization-defined operational requirements

-

- Value: organization-defined operational requirements

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes and documents configuration settings for information technology products employed within the information system using - - cm-6_a - - organization-defined security configuration checklists - organization-defined security configuration checklists - that reflect the most restrictive mode consistent with operational requirements;

-
-
-
- - - - - - - -
-

b.

-
-

Implements the configuration settings;

-
-
-
- - - - - - - -
-

c.

-
-

Identifies, documents, and approves any deviations from established configuration settings for - - cm-6_b - - organization-defined information system components - organization-defined information system components - based on - - cm-6_c - - organization-defined operational requirements - organization-defined operational requirements - ; and

-
-
-
- - - - - - - -
-

d.

-
-

Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

-
-
-
-
-
-

Supplemental guidance

-

Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. -Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. 
Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems.

- - - - - -
-
-

- CM-6 (1) AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION

-
-

- Parameter: - cm-6_d organization-defined information system components

-

- Value: organization-defined information system components

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for - - cm-6_d - - organization-defined information system components - organization-defined information system components - .

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information system components for which automated mechanisms are to be employed to:

-
- - - - - - - -
-

[a]

-
-

centrally manage configuration settings of such components;

-
-
-
- - - - - - - -
-

[b]

-
-

apply configuration settings of such components;

-
-
-
- - - - - - - -
-

[c]

-
-

verify configuration settings of such components;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms to:

-
- - - - - - - -
-

[a]

-
-

centrally manage configuration settings for organization-defined information system components;

-
-
-
- - - - - - - -
-

[b]

-
-

apply configuration settings for organization-defined information system components; and

-
-
-
- - - - - - - -
-

[c]

-
-

verify configuration settings for organization-defined information system components.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing configuration settings for the information system

-

- configuration management plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security configuration checklists

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for managing configuration settings

-

- automated mechanisms implemented to centrally manage, apply, and verify information system configuration settings

-
-

References: None -

-
-
-

- CM-6 (2) RESPOND TO UNAUTHORIZED CHANGES

-
-

- Parameter: - cm-6_e organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-
-

- Parameter: - cm-6_f organization-defined configuration settings

-

- Value: organization-defined configuration settings

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs - - cm-6_e - - organization-defined security safeguards - organization-defined security safeguards - to respond to unauthorized changes to - - cm-6_f - - organization-defined configuration settings - organization-defined configuration settings - .

-
-
-
-

Supplemental guidance

-

Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected information system processing.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines configuration settings that, if modified by unauthorized changes, result in organizational security safeguards being employed to respond to such changes;

-
-
-
- - - - - - - -
-

[2]

-
-

defines security safeguards to be employed to respond to unauthorized changes to organization-defined configuration settings; and

-
-
-
- - - - - - - -
-

[3]

-
-

employs organization-defined security safeguards to respond to unauthorized changes to organization-defined configuration settings.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing configuration settings for the information system

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- alerts/notifications of unauthorized changes to information system configuration settings

-

- documented responses to unauthorized changes to information system configuration settings

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational process for responding to unauthorized changes to information system configuration settings

-

- automated mechanisms supporting and/or implementing security safeguards for response to unauthorized changes

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed;

-
-
-
- - - - - - - -
-

[2]

-
-

ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements;

-
-
-
- - - - - - - -
-

[3]

-
-

establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

implements the configuration settings established/documented in CM-6(a);;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines information system components for which any deviations from established configuration settings must be:

-
- - - - - - - -
-

[a]

-
-

identified;

-
-
-
- - - - - - - -
-

[b]

-
-

documented;

-
-
-
- - - - - - - -
-

[c]

-
-

approved;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines operational requirements to support:

-
- - - - - - - -
-

[a]

-
-

the identification of any deviations from established configuration settings;

-
-
-
- - - - - - - -
-

[b]

-
-

the documentation of any deviations from established configuration settings;

-
-
-
- - - - - - - -
-

[c]

-
-

the approval of any deviations from established configuration settings;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

identifies any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

-
-
-
- - - - - - - -
-

[4]

-
-

documents any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

-
-
-
- - - - - - - -
-

[5]

-
-

approves any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

monitors changes to the configuration settings in accordance with organizational policies and procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

controls changes to the configuration settings in accordance with organizational policies and procedures.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing configuration settings for the information system

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security configuration checklists

-

- evidence supporting approved deviations from established configuration settings

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing configuration settings

-

- automated mechanisms that implement, monitor, and/or control information system configuration settings

-

- automated mechanisms that identify and/or document deviations from established configuration settings

-
-
-

References

-
-

OMB Memorandum 07-11

-
-
-

OMB Memorandum 07-18

-
-
-

OMB Memorandum 08-22

-
-
-

NIST Special Publication 800-70

-
-
-

NIST Special Publication 800-128

-
-
-

http://nvd.nist.gov

-
-
-

http://checklists.nist.gov

-
-
-

http://www.nsa.gov

-
-
-
-
-

- CM-7 LEAST FUNCTIONALITY

-
-

- Parameter: - cm-7_a organization-defined prohibited or restricted functions, ports, protocols, and/or services

-

- Value: organization-defined prohibited or restricted functions, ports, protocols, and/or services

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Configures the information system to provide only essential capabilities; and

-
-
-
- - - - - - - -
-

b.

-
-

Prohibits or restricts the use of the following functions, ports, protocols, and/or services: - - cm-7_a - - organization-defined prohibited or restricted functions, ports, protocols, and/or services - organization-defined prohibited or restricted functions, ports, protocols, and/or services - .

-
-
-
-
-
-

Supplemental guidance

-

Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

- - - - - -
-
-

- CM-7 (1) PERIODIC REVIEW

-
-

- Parameter: - cm-7_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cm-7_c organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure

-

- Value: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Reviews the information system - - cm-7_b - - organization-defined frequency - organization-defined frequency - to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and

-
-
-
- - - - - - - -
-

(b)

-
-

Disables - - cm-7_c - - organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure - organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure - .

-
-
-
-
-
-

Supplemental guidance

-

The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the information system to identify unnecessary and/or nonsecure:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

reviews the information system with the organization-defined frequency to identify unnecessary and/or nonsecure:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines, within the information system, unnecessary and/or nonsecure:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

disables organization-defined unnecessary and/or nonsecure:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing least functionality in the information system

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security configuration checklists

-

- documented reviews of functions, ports, protocols, and/or services

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the information system

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for reviewing/disabling nonsecure functions, ports, protocols, and/or services

-

- automated mechanisms implementing review and disabling of nonsecure functions, ports, protocols, and/or services

-
-

References: None -

-
-
-

- CM-7 (2) PREVENT PROGRAM EXECUTION

-
-

- Parameter: - cm-7_d organization-defined policies regarding software program usage and restrictions

-

- Value: organization-defined policies regarding software program usage and restrictions

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system prevents program execution in accordance with [Selection (one or more): - - cm-7_d - - organization-defined policies regarding software program usage and restrictions - organization-defined policies regarding software program usage and restrictions - ; rules authorizing the terms and conditions of software program usage].

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines policies regarding software program usage and restrictions;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system prevents program execution in accordance with one or more of the following:

-
- - - - - - - -
-

[a]

-
-

organization-defined policies regarding program usage and restrictions; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

rules authorizing the terms and conditions of software program usage.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing least functionality in the information system

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- specifications for preventing software program execution

-

- information system configuration settings and associated documentation

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes preventing program execution on the information system

-

- organizational processes for software program usage and restrictions

-

- automated mechanisms preventing program execution on the information system

-

- automated mechanisms supporting and/or implementing software program usage and restrictions

-
-

References: None -

-
-
-

- CM-7 (5) AUTHORIZED SOFTWARE / WHITELISTING

-
-

- Parameter: - cm-7_h organization-defined software programs authorized to execute on the information system

-

- Value: organization-defined software programs authorized to execute on the information system

-
-
-

- Parameter: - cm-7_i organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Identifies - - cm-7_h - - organization-defined software programs authorized to execute on the information system - organization-defined software programs authorized to execute on the information system - ;

-
-
-
- - - - - - - -
-

(b)

-
-

Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and

-
-
-
- - - - - - - -
-

(c)

-
-

Reviews and updates the list of authorized software programs - - cm-7_i - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

Identifies/defines software programs authorized to execute on the information system;

-
-
-
- - - - - - - -
-

(b)

-
-

employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the list of authorized software programs on the information system; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the list of authorized software programs with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing least functionality in the information system

-

- configuration management plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of software programs authorized to execute on the information system

-

- security configuration checklists

-

- review and update records associated with list of authorized software programs

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for identifying software authorized to execute on the information system

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational process for identifying, reviewing, and updating programs authorized to execute on the information system

-

- organizational process for implementing whitelisting

-

- automated mechanisms implementing whitelisting

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

configures the information system to provide only essential capabilities;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines prohibited or restricted:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

prohibits or restricts the use of organization-defined:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- configuration management plan

-

- procedures addressing least functionality in the information system

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security configuration checklists

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes prohibiting or restricting functions, ports, protocols, and/or services

-

- automated mechanisms implementing restrictions or prohibition of functions, ports, protocols, and/or services

-
-
-

References

-
-

DoD Instruction 8551.01

-
-
-
-
-

- CM-8 INFORMATION SYSTEM COMPONENT INVENTORY

-
-

- Parameter: - cm-8_a organization-defined information deemed necessary to achieve effective information system component accountability

-

- Value: organization-defined information deemed necessary to achieve effective information system component accountability

-
-
-

- Parameter: - cm-8_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops and documents an inventory of information system components that:

-
- - - - - - - -
-

1.

-
-

Accurately reflects the current information system;

-
-
-
- - - - - - - -
-

2.

-
-

Includes all components within the authorization boundary of the information system;

-
-
-
- - - - - - - -
-

3.

-
-

Is at the level of granularity deemed necessary for tracking and reporting; and

-
-
-
- - - - - - - -
-

4.

-
-

Includes - - cm-8_a - - organization-defined information deemed necessary to achieve effective information system component accountability - organization-defined information deemed necessary to achieve effective information system component accountability - ; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the information system component inventory - - cm-8_b - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location.

- - - -
-
-

- CM-8 (1) UPDATES DURING INSTALLATIONS / REMOVALS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

-
-
-
-

Objectives

- - - - - - -
- -

Determine if the organization updates the inventory of information system components as an integral part of:

-
- - - - - - - -
-

[1]

-
-

component installations;

-
-
-
- - - - - - - -
-

[2]

-
-

component removals; and

-
-
-
- - - - - - - -
-

[3]

-
-

information system updates.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system component inventory

-

- configuration management plan

-

- security plan

-

- information system inventory records

-

- inventory reviews and update records

-

- component installation records

-

- component removal records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for updating the information system component inventory

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for updating inventory of information system components

-

- automated mechanisms implementing updating of the information system component inventory

-
-

References: None -

-
-
-

- CM-8 (2) AUTOMATED MAINTENANCE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

-
-
-
-

Supplemental guidance

-

Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization employs automated mechanisms to maintain an inventory of information system components that is:

-
- - - - - - - -
-

[1]

-
-

up-to-date;

-
-
-
- - - - - - - -
-

[2]

-
-

complete;

-
-
-
- - - - - - - -
-

[3]

-
-

accurate; and

-
-
-
- - - - - - - -
-

[4]

-
-

readily available.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- configuration management plan

-

- procedures addressing information system component inventory

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system inventory records

-

- change control records

-

- information system maintenance records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing the automated mechanisms implementing the information system component inventory

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for maintaining the inventory of information system components

-

- automated mechanisms implementing the information system component inventory

-
-

References: None -

-
-
-

- CM-8 (3) AUTOMATED UNAUTHORIZED COMPONENT DETECTION

-
-

- Parameter: - cm-8_c organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cm-8_d organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Employs automated mechanisms - - cm-8_c - - organization-defined frequency - organization-defined frequency - to detect the presence of unauthorized hardware, software, and firmware components within the information system; and

-
-
-
- - - - - - - -
-

(b)

-
-

Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies - - cm-8_d - - organization-defined personnel or roles - organization-defined personnel or roles - ].

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing.

- - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to employ automated mechanisms to detect the presence of unauthorized:

-
- - - - - - - -
-

[a]

-
-

hardware components within the information system;

-
-
-
- - - - - - - -
-

[b]

-
-

software components within the information system;

-
-
-
- - - - - - - -
-

[c]

-
-

firmware components within the information system;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms with the organization-defined frequency to detect the presence of unauthorized:

-
- - - - - - - -
-

[a]

-
-

hardware components within the information system;

-
-
-
- - - - - - - -
-

[b]

-
-

software components within the information system;

-
-
-
- - - - - - - -
-

[c]

-
-

firmware components within the information system;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified when unauthorized components are detected;

-
-
-
- - - - - - - -
-

[2]

-
-

takes one or more of the following actions when unauthorized components are detected:

-
- - - - - - - -
-

[a]

-
-

disables network access by such components;

-
-
-
- - - - - - - -
-

[b]

-
-

isolates the components; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

notifies organization-defined personnel or roles.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system component inventory

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system inventory records

-

- alerts/notifications of unauthorized components within the information system

-

- information system monitoring records

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized information system component detection

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for detection of unauthorized information system components

-

- automated mechanisms implementing the detection of unauthorized information system components

-
-

References: None -

-
-
-

- CM-8 (4) ACCOUNTABILITY INFORMATION

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.

-
-
-
-

Supplemental guidance

-

Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and organizations can contact those individuals if some action is required (e.g., component is determined to be the source of a breach/compromise, component needs to be recalled/replaced, or component needs to be relocated).

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization includes in the information system component inventory for information system components, a means for identifying the individuals responsible and accountable for administering those components by one or more of the following:

-
- - - - - - - -
-

[1]

-
-

name;

-
-
-
- - - - - - - -
-

[2]

-
-

position; and/or

-
-
-
- - - - - - - -
-

[3]

-
-

role.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system component inventory

-

- configuration management plan

-

- security plan

-

- information system inventory records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing the information system component inventory

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for maintaining the inventory of information system components

-

- automated mechanisms implementing the information system component inventory

-
-

References: None -

-
-
-

- CM-8 (5) NO DUPLICATE ACCOUNTING OF COMPONENTS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.

-
-
-
-

Supplemental guidance

-

This control enhancement addresses the potential problem of duplicate accounting of information system components in large or complex interconnected systems.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories.

-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system component inventory

-

- configuration management plan

-

- security plan

-

- information system inventory records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system inventory responsibilities

-

- organizational personnel with responsibilities for defining information system components within the authorization boundary of the system

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for maintaining the inventory of information system components

-

- automated mechanisms implementing the information system component inventory

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

(1)

-
-

develops and documents an inventory of information system components that accurately reflects the current information system;

-
-
-
- - - - - - - -
-

(2)

-
-

develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system;

-
-
-
- - - - - - - -
-

(3)

-
-

develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting;

-
-
-
- - - - - - - -
-

(4)

-
-
- - - - - - - -
-

[1]

-
-

defines the information deemed necessary to achieve effective information system component accountability;

-
-
-
- - - - - - - -
-

[2]

-
-

develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the information system component inventory; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the information system component inventory with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system component inventory

-

- configuration management plan

-

- security plan

-

- information system inventory records

-

- inventory reviews and update records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for information system component inventory

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for developing and documenting an inventory of information system components

-

- automated mechanisms supporting and/or implementing the information system component inventory

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-9 CONFIGURATION MANAGEMENT PLAN

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization develops, documents, and implements a configuration management plan for the information system that:

-
- - - - - - - -
-

a.

-
-

Addresses roles, responsibilities, and configuration management processes and procedures;

-
-
-
- - - - - - - -
-

b.

-
-

Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;

-
-
-
- - - - - - - -
-

c.

-
-

Defines the configuration items for the information system and places the configuration items under configuration management; and

-
-
-
- - - - - - - -
-

d.

-
-

Protects the configuration management plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Supplemental guidance

-

Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization develops, documents, and implements a configuration management plan for the information system that:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

addresses roles;

-
-
-
- - - - - - - -
-

[2]

-
-

addresses responsibilities;

-
-
-
- - - - - - - -
-

[3]

-
-

addresses configuration management processes and procedures;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

establishes a process for:

-
- - - - - - - -
-

[1]

-
-

identifying configuration items throughout the SDLC;

-
-
-
- - - - - - - -
-

[2]

-
-

managing the configuration of the configuration items;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the configuration items for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

places the configuration items under configuration management;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

protects the configuration management plan from unauthorized:

-
- - - - - - - -
-

[1]

-
-

disclosure; and

-
-
-
- - - - - - - -
-

[2]

-
-

modification.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing configuration management planning

-

- configuration management plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for developing the configuration management plan

-

- organizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan

-

- organizational personnel with responsibilities for protecting the configuration management plan

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for developing and documenting the configuration management plan

-

- organizational processes for identifying and managing configuration items

-

- organizational processes for protecting the configuration management plan

-

- automated mechanisms implementing the configuration management plan

-

- automated mechanisms for managing configuration items

-

- automated mechanisms for protecting the configuration management plan

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-10 SOFTWARE USAGE RESTRICTIONS

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Uses software and associated documentation in accordance with contract agreements and copyright laws;

-
-
-
- - - - - - - -
-

b.

-
-

Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

-
-
-
- - - - - - - -
-

c.

-
-

Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

-
-
-
-
-
-

Supplemental guidance

-

Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

uses software and associated documentation in accordance with contract agreements and copyright laws;

-
-
-
- - - - - - - -
-

(b)

-
-

tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

-
-
-
- - - - - - - -
-

(c)

-
-

controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing software usage restrictions

-

- configuration management plan

-

- security plan

-

- software contract agreements and copyright laws

-

- site license documentation

-

- list of software usage restrictions

-

- software license tracking reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- organizational personnel operating, using, and/or maintaining the information system

-

- organizational personnel with software license management responsibilities

-
-
-

Assessment: TEST

-

- Organizational process for tracking the use of software protected by quantity licenses

-

- organization process for controlling/documenting the use of peer-to-peer file sharing technology

-

- automated mechanisms implementing software license tracking

-

- automated mechanisms implementing and controlling the use of peer-to-peer files sharing technology

-
-

References: None -

-
-
-

- CM-11 USER-INSTALLED SOFTWARE

-
-

- Parameter: - cm-11_a organization-defined policies

-

- Value: organization-defined policies

-
-
-

- Parameter: - cm-11_b organization-defined methods

-

- Value: organization-defined methods

-
-
-

- Parameter: - cm-11_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes - - cm-11_a - - organization-defined policies - organization-defined policies - governing the installation of software by users;

-
-
-
- - - - - - - -
-

b.

-
-

Enforces software installation policies through - - cm-11_b - - organization-defined methods - organization-defined methods - ; and

-
-
-
- - - - - - - -
-

c.

-
-

Monitors policy compliance at - - cm-11_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved �app stores.� Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines policies to govern the installation of software by users;

-
-
-
- - - - - - - -
-

[2]

-
-

establishes organization-defined policies governing the installation of software by users;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines methods to enforce software installation policies;

-
-
-
- - - - - - - -
-

[2]

-
-

enforces software installation policies through organization-defined methods;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines frequency to monitor policy compliance; and

-
-
-
- - - - - - - -
-

[2]

-
-

monitors policy compliance at organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing user installed software

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of rules governing user installed software

-

- information system monitoring records

-

- information system audit records

-

- other relevant documents or records

-

- continuous monitoring strategy

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for governing user-installed software

-

- organizational personnel operating, using, and/or maintaining the information system

-

- organizational personnel monitoring compliance with user-installed software policy

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes governing user-installed software on the information system

-

- automated mechanisms enforcing rules/methods for governing the installation of software by users

-

- automated mechanisms monitoring policy compliance

-
-

References: None -

-
-
-
-

CONTINGENCY PLANNING

-
-

- CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES

-
-

- Parameter: - cp-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - cp-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cp-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - cp-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Contingency planning policy - - cp-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Contingency planning procedures - - cp-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

the organization develops and documents a contingency planning policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines personnel or roles to whom the contingency planning policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization disseminates the contingency planning policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

the organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the frequency to review and update the current contingency planning policy;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization reviews and updates the current contingency planning with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the frequency to review and update the current contingency planning procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

the organization reviews and updates the current contingency planning procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-34

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- CP-2 CONTINGENCY PLAN

-
-

- Parameter: - cp-2_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - cp-2_b organization-defined key contingency personnel (identified by name and/or by role) and organizational elements

-

- Value: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements

-
-
-

- Parameter: - cp-2_c organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cp-2_d organization-defined key contingency personnel (identified by name and/or by role) and organizational elements

-

- Value: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops a contingency plan for the information system that:

-
- - - - - - - -
-

1.

-
-

Identifies essential missions and business functions and associated contingency requirements;

-
-
-
- - - - - - - -
-

2.

-
-

Provides recovery objectives, restoration priorities, and metrics;

-
-
-
- - - - - - - -
-

3.

-
-

Addresses contingency roles, responsibilities, assigned individuals with contact information;

-
-
-
- - - - - - - -
-

4.

-
-

Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;

-
-
-
- - - - - - - -
-

5.

-
-

Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and

-
-
-
- - - - - - - -
-

6.

-
-

Is reviewed and approved by - - cp-2_a - - organization-defined personnel or roles - organization-defined personnel or roles - ;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Distributes copies of the contingency plan to - - cp-2_b - - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - ;

-
-
-
- - - - - - - -
-

c.

-
-

Coordinates contingency planning activities with incident handling activities;

-
-
-
- - - - - - - -
-

d.

-
-

Reviews the contingency plan for the information system - - cp-2_c - - organization-defined frequency - organization-defined frequency - ;

-
-
-
- - - - - - - -
-

e.

-
-

Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

-
-
-
- - - - - - - -
-

f.

-
-

Communicates contingency plan changes to - - cp-2_d - - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - ; and

-
-
-
- - - - - - - -
-

g.

-
-

Protects the contingency plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Supplemental guidance

-

Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident.

- - - - - - - - - - - - - -
-
-

- CP-2 (1) COORDINATE WITH RELATED PLANS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization coordinates contingency plan development with organizational elements responsible for related plans.

-
-
-
-

Supplemental guidance

-

Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant Emergency Plans.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization coordinates contingency plan development with organizational elements responsible for related plans.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- business contingency plans

-

- disaster recovery plans

-

- continuity of operations plans

-

- crisis communications plans

-

- critical infrastructure plans

-

- cyber incident response plan

-

- insider threat implementation plans

-

- occupant emergency plans

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-

- personnel with responsibility for related plans

-
-

References: None -

-
-
-

- CP-2 (2) CAPACITY PLANNING

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

-
-
-
-

Supplemental guidance

-

Capacity planning is needed because different types of threats (e.g., natural disasters, targeted cyber attacks) can result in a reduction of the available processing, telecommunications, and support services originally intended to support the organizational missions/business functions. Organizations may need to anticipate degraded operations during contingency operations and factor such degradation into capacity planning.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization conducts capacity planning so that necessary capacity exists during contingency operations for:

-
- - - - - - - -
-

[1]

-
-

information processing;

-
-
-
- - - - - - - -
-

[2]

-
-

telecommunications; and

-
-
-
- - - - - - - -
-

[3]

-
-

environmental support.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- capacity planning documents

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- CP-2 (3) RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS

-
-

- Parameter: - cp-2_e organization-defined time period

-

- Value: organization-defined time period

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization plans for the resumption of essential missions and business functions within - - cp-2_e - - organization-defined time period - organization-defined time period - of contingency plan activation.

-
-
-
-

Supplemental guidance

-

Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the time period to plan for the resumption of essential missions and business functions as a result of contingency plan activation; and

-
-
-
- - - - - - - -
-

[2]

-
-

plans for the resumption of essential missions and business functions within organization-defined time period of contingency plan activation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- security plan

-

- business impact assessment

-

- other related plans

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for resumption of missions and business functions

-
-

References: None -

-
-
-

- CP-2 (4) RESUME ALL MISSIONS / BUSINESS FUNCTIONS

-
-

- Parameter: - cp-2_f organization-defined time period

-

- Value: organization-defined time period

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization plans for the resumption of all missions and business functions within - - cp-2_f - - organization-defined time period - organization-defined time period - of contingency plan activation.

-
-
-
-

Supplemental guidance

-

Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the time period to plan for the resumption of all missions and business functions as a result of contingency plan activation; and

-
-
-
- - - - - - - -
-

[2]

-
-

plans for the resumption of all missions and business functions within organization-defined time period of contingency plan activation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- security plan

-

- business impact assessment

-

- other related plans

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for resumption of missions and business functions

-
-

References: None -

-
-
-

- CP-2 (5) CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNCTIONS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.

-
-
-
-

Supplemental guidance

-

Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites).

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

plans for the continuance of essential missions and business functions with little or no loss of operational continuity; and

-
-
-
- - - - - - - -
-

[2]

-
-

sustains that operational continuity until full information system restoration at primary processing and/or storage sites.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- business impact assessment

-

- primary processing site agreements

-

- primary storage site agreements

-

- alternate processing site agreements

-

- alternate storage site agreements

-

- contingency plan test documentation

-

- contingency plan test results

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for continuing missions and business functions

-
-

References: None -

-
-
-

- CP-2 (8) IDENTIFY CRITICAL ASSETS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies critical information system assets supporting essential missions and business functions.

-
-
-
-

Supplemental guidance

-

Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization identifies critical information system assets supporting essential missions and business functions.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- business impact assessment

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops and documents a contingency plan for the information system that:

-
- - - - - - - -
-

(1)

-
-

identifies essential missions and business functions and associated contingency requirements;

-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[1]

-
-

provides recovery objectives;

-
-
-
- - - - - - - -
-

[2]

-
-

provides restoration priorities;

-
-
-
- - - - - - - -
-

[3]

-
-

provides metrics;

-
-
-
-
-
- - - - - - - -
-

(3)

-
-
- - - - - - - -
-

[1]

-
-

addresses contingency roles;

-
-
-
- - - - - - - -
-

[2]

-
-

addresses contingency responsibilities;

-
-
-
- - - - - - - -
-

[3]

-
-

addresses assigned individuals with contact information;

-
-
-
-
-
- - - - - - - -
-

(4)

-
-

addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;

-
-
-
- - - - - - - -
-

(5)

-
-

addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented;

-
-
-
- - - - - - - -
-

(6)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to review and approve the contingency plan for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

is reviewed and approved by organization-defined personnel or roles;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines key contingency personnel (identified by name and/or by role) and organizational elements to whom copies of the contingency plan are to be distributed;

-
-
-
- - - - - - - -
-

[2]

-
-

distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

coordinates contingency planning activities with incident handling activities;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency to review the contingency plan for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the contingency plan with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

updates the contingency plan to address:

-
- - - - - - - -
-

[1]

-
-

changes to the organization, information system, or environment of operation;

-
-
-
- - - - - - - -
-

[2]

-
-

problems encountered during plan implementation, execution, and testing;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines key contingency personnel (identified by name and/or by role) and organizational elements to whom contingency plan changes are to be communicated;

-
-
-
- - - - - - - -
-

[2]

-
-

communicates contingency plan changes to organization-defined key contingency personnel and organizational elements; and

-
-
-
-
-
- - - - - - - -
-

(g)

-
-

protects the contingency plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- security plan

-

- evidence of contingency plan reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with incident handling responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency plan development, review, update, and protection

-

- automated mechanisms for developing, reviewing, updating and/or protecting the contingency plan

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

NIST Special Publication 800-34

-
-
-
-
-

- CP-3 CONTINGENCY TRAINING

-
-

- Parameter: - cp-3_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - cp-3_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides contingency training to information system users consistent with assigned roles and responsibilities:

-
- - - - - - - -
-

a.

-
-

Within - - cp-3_a - - organization-defined time period - organization-defined time period - of assuming a contingency role or responsibility;

-
-
-
- - - - - - - -
-

b.

-
-

When required by information system changes; and

-
-
-
- - - - - - - -
-

c.

-
-

- - - cp-3_b - - organization-defined frequency - organization-defined frequency - thereafter.

-
-
-
-
-
-

Supplemental guidance

-

Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan.

- - - - -
-
-

- CP-3 (1) SIMULATED EVENTS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency training

-

- contingency plan

-

- contingency training curriculum

-

- contingency training material

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning, plan implementation, and training responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency training

-

- automated mechanisms for simulating contingency events

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period within which contingency training is to be provided to information system users assuming a contingency role or responsibility;

-
-
-
- - - - - - - -
-

[2]

-
-

provides contingency training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming a contingency role or responsibility;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency for contingency training thereafter; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides contingency training to information system users consistent with assigned roles and responsibilities with the organization-defined frequency thereafter.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency training

-

- contingency plan

-

- contingency training curriculum

-

- contingency training material

-

- security plan

-

- contingency training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning, plan implementation, and training responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency training

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

NIST Special Publication 800-16

-
-
-

NIST Special Publication 800-50

-
-
-
-
-

- CP-4 CONTINGENCY PLAN TESTING

-
-

- Parameter: - cp-4_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cp-4_b organization-defined tests

-

- Value: organization-defined tests

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Tests the contingency plan for the information system - - cp-4_a - - organization-defined frequency - organization-defined frequency - using - - cp-4_b - - organization-defined tests - organization-defined tests - to determine the effectiveness of the plan and the organizational readiness to execute the plan;

-
-
-
- - - - - - - -
-

b.

-
-

Reviews the contingency plan test results; and

-
-
-
- - - - - - - -
-

c.

-
-

Initiates corrective actions, if needed.

-
-
-
-
-
-

Supplemental guidance

-

Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

- - - -
-
-

- CP-4 (1) COORDINATE WITH RELATED PLANS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization coordinates contingency plan testing with organizational elements responsible for related plans.

-
-
-
-

Supplemental guidance

-

Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization coordinates contingency plan testing with organizational elements responsible for related plans.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- incident response policy

-

- procedures addressing contingency plan testing

-

- contingency plan testing documentation

-

- contingency plan

-

- business continuity plans

-

- disaster recovery plans

-

- continuity of operations plans

-

- crisis communications plans

-

- critical infrastructure plans

-

- cyber incident response plans

-

- occupant emergency plans

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan testing responsibilities

-

- organizational personnel

-

- personnel with responsibilities for related plans

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- CP-4 (2) ALTERNATE PROCESSING SITE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tests the contingency plan at the alternate processing site:

-
- - - - - - - -
-

(a)

-
-

To familiarize contingency personnel with the facility and available resources; and

-
-
-
- - - - - - - -
-

(b)

-
-

To evaluate the capabilities of the alternate processing site to support contingency operations.

-
-
-
-
-
-

Supplemental guidance

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization tests the contingency plan at the alternate processing site to:

-
- - - - - - - -
-

(a)

-
-

familiarize contingency personnel with the facility and available resources; and

-
-
-
- - - - - - - -
-

(b)

-
-

evaluate the capabilities of the alternate processing site to support contingency operations.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency plan testing

-

- contingency plan

-

- contingency plan test documentation

-

- contingency plan test results

-

- alternate processing site agreements

-

- service-level agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency plan testing

-

- automated mechanisms supporting the contingency plan and/or contingency plan testing

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines tests to determine the effectiveness of the contingency plan and the organizational readiness to execute the plan;

-
-
-
- - - - - - - -
-

[2]

-
-

defines a frequency to test the contingency plan for the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

tests the contingency plan for the information system with the organization-defined frequency, using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

reviews the contingency plan test results; and

-
-
-
- - - - - - - -
-

(c)

-
-

initiates corrective actions, if needed.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency plan testing

-

- contingency plan

-

- security plan

-

- contingency plan test documentation

-

- contingency plan test results

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for contingency plan testing, reviewing or responding to contingency plan tests

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency plan testing

-

- automated mechanisms supporting the contingency plan and/or contingency plan testing

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-34

-
-
-

NIST Special Publication 800-84

-
-
-
-
-

- CP-6 ALTERNATE STORAGE SITE

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and

-
-
-
- - - - - - - -
-

b.

-
-

Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.

-
-
-
-
-
-

Supplemental guidance

-

Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems.

- - - - - -
-
-

- CP-6 (1) SEPARATION FROM PRIMARY SITE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

-
-
-
-

Supplemental guidance

-

Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate storage sites

-

- contingency plan

-

- alternate storage site

-

- alternate storage site agreements

-

- primary storage site agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate storage site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- CP-6 (2) RECOVERY TIME / POINT OBJECTIVES

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time objectives and recovery point objectives (as specified in the information system contingency plan).

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate storage sites

-

- contingency plan

-

- alternate storage site

-

- alternate storage site agreements

-

- alternate storage site configurations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan testing responsibilities

-

- organizational personnel with responsibilities for testing related plans

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency plan testing

-

- automated mechanisms supporting recovery time/point objectives

-
-

References: None -

-
-
-

- CP-6 (3) ACCESSIBILITY

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

-
-
-
-

Supplemental guidance

-

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include, for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster; and

-
-
-
- - - - - - - -
-

[2]

-
-

outlines explicit mitigation actions for such potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate storage sites

-

- contingency plan

-

- alternate storage site

-

- list of potential accessibility problems to alternate storage site

-

- mitigation actions for accessibility problems to alternate storage site

-

- organizational risk assessments

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate storage site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and

-
-
-
- - - - - - - -
-

[2]

-
-

ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate storage sites

-

- contingency plan

-

- alternate storage site agreements

-

- primary storage site agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate storage site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for storing and retrieving information system backup information at the alternate storage site

-

- automated mechanisms supporting and/or implementing storage and retrieval of information system backup information at the alternate storage site

-
-
-

References

-
-

NIST Special Publication 800-34

-
-
-
-
-

- CP-7 ALTERNATE PROCESSING SITE

-
-

- Parameter: - cp-7_a organization-defined information system operations

-

- Value: organization-defined information system operations

-
-
-

- Parameter: - cp-7_b organization-defined time period consistent with recovery time and recovery point objectives

-

- Value: organization-defined time period consistent with recovery time and recovery point objectives

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of - - cp-7_a - - organization-defined information system operations - organization-defined information system operations - for essential missions/business functions within - - cp-7_b - - organization-defined time period consistent with recovery time and recovery point objectives - organization-defined time period consistent with recovery time and recovery point objectives - when the primary processing capabilities are unavailable;

-
-
-
- - - - - - - -
-

b.

-
-

Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and

-
-
-
- - - - - - - -
-

c.

-
-

Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.

-
-
-
-
-
-

Supplemental guidance

-

Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems.

- - - - - - -
-
-

- CP-7 (1) SEPARATION FROM PRIMARY SITE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.

-
-
-
-

Supplemental guidance

-

Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization identifies an alternate processing site that is separated from the primary storage site to reduce susceptibility to the same threats.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate processing sites

-

- contingency plan

-

- alternate processing site

-

- alternate processing site agreements

-

- primary processing site agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate processing site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- CP-7 (2) ACCESSIBILITY

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

-
-
-
-

Supplemental guidance

-

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster; and

-
-
-
- - - - - - - -
-

[2]

-
-

outlines explicit mitigation actions for such potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate processing sites

-

- contingency plan

-

- alternate processing site

-

- alternate processing site agreements

-

- primary processing site agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate processing site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- CP-7 (3) PRIORITY OF SERVICE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

-
-
-
-

Supplemental guidance

-

Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan).

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate processing sites

-

- contingency plan

-

- alternate processing site agreements

-

- service-level agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate processing site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibility for acquisitions/contractual agreements

-
-

References: None -

-
-
-

- CP-7 (4) PREPARATION FOR USE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.

-
-
-
-

Supplemental guidance

-

Site preparation includes, for example, establishing configuration settings for information system components at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and other logistical considerations are in place.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate processing sites

-

- contingency plan

-

- alternate processing site

-

- alternate processing site agreements

-

- alternate processing site configurations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate processing site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing recovery at the alternate processing site

-
-

References: None

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information system operations requiring an alternate processing site to be established to permit the transfer and resumption of such operations;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period consistent with recovery time objectives and recovery point objectives (as specified in the information system contingency plan) for transfer/resumption of organization-defined information system operations for essential missions/business functions;

-
-
-
- - - - - - - -
-

[3]

-
-

establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions, within the organization-defined time period, when the primary processing capabilities are unavailable;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site; or

-
-
-
- - - - - - - -
-

[2]

-
-

ensures that contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate processing sites

-

- contingency plan

-

- alternate processing site agreements

-

- primary processing site agreements

-

- spare equipment and supplies inventory at alternate processing site

-

- equipment and supply contracts

-

- service-level agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for contingency planning and/or alternate site arrangements

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for recovery at the alternate site

-

- automated mechanisms supporting and/or implementing recovery at the alternate processing site

-
-
-

References

-
-

NIST Special Publication 800-34

-
-
-
-
-

- CP-8 TELECOMMUNICATIONS SERVICES

-
-

- Parameter: - cp-8_a organization-defined information system operations

-

- Value: organization-defined information system operations

-
-
-

- Parameter: - cp-8_b organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

-
-
-
-

Supplemental guidance

-

This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.

- - - -
-
-

- CP-8 (1) PRIORITY OF SERVICE PROVISIONS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and

-
-
-
- - - - - - - -
-

(b)

-
-

Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

-
-
-
-
-
-

Supplemental guidance

-

Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan); and

-
-
-
- - - - - - - -
-

[2]

-
-

requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing primary and alternate telecommunications services

-

- contingency plan

-

- primary and alternate telecommunications service agreements

-

- Telecommunications Service Priority documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan telecommunications responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibility for acquisitions/contractual agreements

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting telecommunications

-
-

References: None

-
-
-

- CP-8 (2) SINGLE POINTS OF FAILURE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing primary and alternate telecommunications services

-

- contingency plan

-

- primary and alternate telecommunications service agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan telecommunications responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- primary and alternate telecommunications service providers

-

- organizational personnel with information security responsibilities

-
-

References: None

-
-
-

- CP-8 (3) SEPARATION OF PRIMARY / ALTERNATE PROVIDERS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

-
-
-
-

Supplemental guidance

-

Threats that affect telecommunications services are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber/physical attacks, and errors of omission/commission. Organizations seek to reduce common susceptibilities by, for example, minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing primary and alternate telecommunications services

-

- contingency plan

-

- primary and alternate telecommunications service agreements

-

- alternate telecommunications service provider site

-

- primary telecommunications service provider site

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan telecommunications responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- primary and alternate telecommunications service providers

-

- organizational personnel with information security responsibilities

-
-

References: None

-
-
-

- CP-8 (4) PROVIDER CONTINGENCY PLAN

-
-

- Parameter: - cp-8_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Requires primary and alternate telecommunications service providers to have contingency plans;

-
-
-
- - - - - - - -
-

(b)

-
-

Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and

-
-
-
- - - - - - - -
-

(c)

-
-

Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].

-
-
-
-
-
-

Supplemental guidance

-

Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

requires primary telecommunications service provider to have contingency plans;

-
-
-
- - - - - - - -
-

[2]

-
-

requires alternate telecommunications service provider(s) to have contingency plans;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

reviews provider contingency plans to ensure that the plans meet organizational contingency requirements;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to obtain evidence of contingency testing/training by providers; and

-
-
-
- - - - - - - -
-

[2]

-
-

obtains evidence of contingency testing/training by providers with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing primary and alternate telecommunications services

-

- contingency plan

-

- provider contingency plans

-

- evidence of contingency testing/training by providers

-

- primary and alternate telecommunications service agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning, plan implementation, and testing responsibilities

-

- primary and alternate telecommunications service providers

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibility for acquisitions/contractual agreements

-
-

References: None

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information system operations requiring alternate telecommunications services to be established to permit the resumption of such operations;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period to permit resumption of organization-defined information system operations for essential missions and business functions; and

-
-
-
- - - - - - - -
-

[3]

-
-

establishes alternate telecommunications services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions and business functions, within the organization-defined time period, when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate telecommunications services

-

- contingency plan

-

- primary and alternate telecommunications service agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan telecommunications responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibility for acquisitions/contractual agreements

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting telecommunications

-
-
-

References

-
-

NIST Special Publication 800-34

-
-
-

National Communications Systems Directive 3-10

-
-
-

http://www.dhs.gov/telecommunications-service-priority-tsp

-
-
-
-
-

- CP-9 INFORMATION SYSTEM BACKUP

-
-

- Parameter: - cp-9_a organization-defined frequency consistent with recovery time and recovery point objectives

-

- Value: organization-defined frequency consistent with recovery time and recovery point objectives

-
-
-

- Parameter: - cp-9_b organization-defined frequency consistent with recovery time and recovery point objectives

-

- Value: organization-defined frequency consistent with recovery time and recovery point objectives

-
-
-

- Parameter: - cp-9_c organization-defined frequency consistent with recovery time and recovery point objectives

-

- Value: organization-defined frequency consistent with recovery time and recovery point objectives

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];

-
-
-
- - - - - - - -
-

b.

-
-

Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];

-
-
-
- - - - - - - -
-

c.

-
-

Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and

-
-
-
- - - - - - - -
-

d.

-
-

Protects the confidentiality, integrity, and availability of backup information at storage locations.

-
-
-
-
-
-

Supplemental guidance

-

System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.

- - - - - -
-
-

- CP-9 (1) TESTING FOR RELIABILITY / INTEGRITY

-
-

- Parameter: - cp-9_d organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

-
-
-
-

Supplemental guidance

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the frequency to test backup information to verify media reliability and information integrity; and

-
-
-
- - - - - - - -
-

[2]

-
-

tests backup information with the organization-defined frequency to verify media reliability and information integrity.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- information system backup test results

-

- contingency plan test documentation

-

- contingency plan test results

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system backup responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for conducting information system backups

-

- automated mechanisms supporting and/or implementing information system backups

-
-

References: None

-
-
-

- CP-9 (2) TEST RESTORATION USING SAMPLING

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

-
-
-
-

Supplemental guidance

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- information system backup test results

-

- contingency plan test documentation

-

- contingency plan test results

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system backup responsibilities

-

- organizational personnel with contingency planning/contingency plan testing responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for conducting information system backups

-

- automated mechanisms supporting and/or implementing information system backups

-
-

References: None

-
-
-

- CP-9 (3) SEPARATE STORAGE FOR CRITICAL INFORMATION

-
-

- Parameter: - cp-9_e organization-defined critical information system software and other security-related information

-

- Value: organization-defined critical information system software and other security-related information

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.

-
-
-
-

Supplemental guidance

-

Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines critical information system software and other security-related information requiring backup copies to be stored in a separate facility; or

-
-
-
- - - - - - - -
-

[b]

-
-

defines critical information system software and other security-related information requiring backup copies to be stored in a fire-rated container that is not collocated with the operational system; and

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

stores backup copies of organization-defined critical information system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- backup storage location(s)

-

- information system backup configurations and associated documentation

-

- information system backup logs or records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information system backup responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None

-
-
-

- CP-9 (5) TRANSFER TO ALTERNATE STORAGE SITE

-
-

- Parameter: - cp-9_f organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives

-

- Value: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].

-
-
-
-

Supplemental guidance

-

Information system backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a time period, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to transfer information system backup information to the alternate storage site;

-
-
-
- - - - - - - -
-

[2]

-
-

defines a transfer rate, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to transfer information system backup information to the alternate storage site; and

-
-
-
- - - - - - - -
-

[3]

-
-

transfers information system backup information to the alternate storage site within the organization-defined time period and at the organization-defined transfer rate.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- information system backup logs or records

-

- evidence of system backup information transferred to alternate storage site

-

- alternate storage site agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system backup responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for transferring information system backups to the alternate storage site

-

- automated mechanisms supporting and/or implementing information system backups

-

- automated mechanisms supporting and/or implementing information transfer to the alternate storage site

-
-

References: None

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

conducts backups of user-level information contained in the information system with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

conducts backups of system-level information contained in the information system with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation;

-
-
-
- - - - - - - -
-

[2]

-
-

conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

protects the confidentiality, integrity, and availability of backup information at storage locations.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- backup storage location(s)

-

- information system backup logs or records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system backup responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for conducting information system backups

-

- automated mechanisms supporting and/or implementing information system backups

-
-
-

References

-
-

NIST Special Publication 800-34

-
-
-
-
-

- CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

-
-
-
-

Supplemental guidance

-

Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures.

- - - - - - - - -
-
-

- CP-10 (2) TRANSACTION RECOVERY

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements transaction recovery for systems that are transaction-based.

-
-
-
-

Supplemental guidance

-

Transaction-based information systems include, for example, database management systems and transaction processing systems. Mechanisms supporting transaction recovery include, for example, transaction rollback and transaction journaling.

-
-
-

Objective

- - - - - - -
- -

Determine if the information system implements transaction recovery for systems that are transaction-based.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system recovery and reconstitution

-

- contingency plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- contingency plan test documentation

-

- contingency plan test results

-

- information system transaction recovery records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for transaction recovery

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing transaction recovery capability

-
-

References: None

-
-
-

- CP-10 (4) RESTORE WITHIN TIME PERIOD

-
-

- Parameter: - cp-10_a organization-defined restoration time-periods

-

- Value: organization-defined restoration time-periods

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.

-
-
-
-

Supplemental guidance

-

Restoration of information system components includes, for example, reimaging which restores components to known, operational states.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a time period to restore information system components from configuration-controlled and integrity-protected information representing a known, operational state for the components; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides the capability to restore information system components within the organization-defined time period from configuration-controlled and integrity-protected information representing a known, operational state for the components.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system recovery and reconstitution

-

- contingency plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- contingency plan test documentation

-

- contingency plan test results

-

- evidence of information system recovery and reconstitution operations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system recovery and reconstitution responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing recovery/reconstitution of information system information

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization provides for:

-
- - - - - - - -
-

[1]

-
-

the recovery of the information system to a known state after:

-
- - - - - - - -
-

[a]

-
-

a disruption;

-
-
-
- - - - - - - -
-

[b]

-
-

a compromise; or

-
-
-
- - - - - - - -
-

[c]

-
-

a failure;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the reconstitution of the information system to a known state after:

-
- - - - - - - -
-

[a]

-
-

a disruption;

-
-
-
- - - - - - - -
-

[b]

-
-

a compromise; or

-
-
-
- - - - - - - -
-

[c]

-
-

a failure.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- information system backup test results

-

- contingency plan test results

-

- contingency plan test documentation

-

- redundant secondary system for information system backups

-

- location(s) of redundant secondary backup system(s)

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes implementing information system recovery and reconstitution operations

-

- automated mechanisms supporting and/or implementing information system recovery and reconstitution operations

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

NIST Special Publication 800-34

-
-
-
-
-
-

IDENTIFICATION AND AUTHENTICATION

-
-

- IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES

-
-

- Parameter: - ia-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ia-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ia-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ia-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Identification and authentication policy - - ia-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Identification and authentication procedures - - ia-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an identification and authentication policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the identification and authentication policy is to be disseminated; and

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the identification and authentication policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current identification and authentication policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current identification and authentication policy with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current identification and authentication procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current identification and authentication procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with identification and authentication responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

-
-
-
-

Supplemental guidance

-

Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. -Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. 
Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.

- - - - - - - - -
-
-

- IA-2 (1) NETWORK ACCESS TO PRIVILEGED ACCOUNTS

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements multifactor authentication for network access to privileged accounts.

-
-
-
-

Supplemental guidance

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system implements multifactor authentication for network access to privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing multifactor authentication capability

-
-

References: None -

-
-
-

- IA-2 (2) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements multifactor authentication for network access to non-privileged accounts.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the information system implements multifactor authentication for network access to non-privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing multifactor authentication capability

-
-

References: None -

-
-
-

- IA-2 (3) LOCAL ACCESS TO PRIVILEGED ACCOUNTS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements multifactor authentication for local access to privileged accounts.

-
-
-
-

Supplemental guidance

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system implements multifactor authentication for local access to privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing multifactor authentication capability

-
-

References: None -

-
-
-

- IA-2 (4) LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements multifactor authentication for local access to non-privileged accounts.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the information system implements multifactor authentication for local access to non-privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing multifactor authentication capability

-
-

References: None -

-
-
-

- IA-2 (8) NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

-
-
-
-

Supplemental guidance

-

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.

-
-
-

Objective

- - - - - - -
- -

Determine if the information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of privileged information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms supporting and/or implementing replay resistant authentication mechanisms

-
-

References: None -

-
-
-

- IA-2 (9) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

-
-
-
-

Supplemental guidance

-

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by recording/replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.

-
-
-

Objective

- - - - - - -
- -

Determine if the information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of non-privileged information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms supporting and/or implementing replay resistant authentication mechanisms

-
-

References: None -

-
-
-

- IA-2 (11) REMOTE ACCESS - SEPARATE DEVICE

-
-

- Parameter: - ia-2_d organization-defined strength of mechanism requirements

-

- Value: organization-defined strength of mechanism requirements

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets - - ia-2_d - - organization-defined strength of mechanism requirements - organization-defined strength of mechanism requirements - .

-
-
-
-

Supplemental guidance

-

For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to privileged accounts;

-
-
-
- - - - - - - -
-

[4]

-
-

the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to non-privileged accounts;

-
-
-
- - - - - - - -
-

[5]

-
-

the information system implements multifactor authentication for remote access to privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements; and

-
-
-
- - - - - - - -
-

[6]

-
-

the information system implements multifactor authentication for remote access to non-privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of privileged and non-privileged information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-
-

References: None -

-
-
-

- IA-2 (12) ACCEPTANCE OF PIV CREDENTIALS

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

-
-
-
-

Supplemental guidance

-

This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

[1]

-
-

accepts Personal Identity Verification (PIV) credentials; and

-
-
-
- - - - - - - -
-

[2]

-
-

electronically verifies Personal Identity Verification (PIV) credentials.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- PIV verification records

-

- evidence of PIV credentials

-

- PIV credential authorizations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing acceptance and verification of PIV credentials

-
-

References: None -

-
-
-

Objective

- - - - - - -
- -

Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- organizational personnel with account management responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for uniquely identifying and authenticating users

-

- automated mechanisms supporting and/or implementing identification and authentication capability

-
-
-

References

-
-

HSPD-12

-
-
-

OMB Memorandum 04-04

-
-
-

OMB Memorandum 06-16

-
-
-

OMB Memorandum 11-11

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

FICAM Roadmap and Implementation Guidance

-
-
-

http://idmanagement.gov

-
-
-
-
-

- IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION

-
-

- Parameter: - ia-3_a organization-defined specific and/or types of devices

-

- Value: organization-defined specific and/or types of devices

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system uniquely identifies and authenticates - - ia-3_a - - organization-defined specific and/or types of devices - organization-defined specific and/or types of devices - before establishing a [Selection (one or more): local; remote; network] connection.

-
-
-
-

Supplemental guidance

-

Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines specific and/or types of devices that the information system uniquely identifies and authenticates before establishing one or more of the following:

-
- - - - - - - -
-

[a]

-
-

a local connection;

-
-
-
- - - - - - - -
-

[b]

-
-

a remote connection; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

a network connection; and

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the information system uniquely identifies and authenticates organization-defined devices before establishing one or more of the following:

-
- - - - - - - -
-

[a]

-
-

a local connection;

-
-
-
- - - - - - - -
-

[b]

-
-

a remote connection; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

a network connection.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing device identification and authentication

-

- information system design documentation

-

- list of devices requiring unique identification and authentication

-

- device connection reports

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with operational responsibilities for device identification and authentication

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing device identification and authentication capability

-
-

References: None -

-
-
-

- IA-4 IDENTIFIER MANAGEMENT

-
-

- Parameter: - ia-4_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ia-4_b organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ia-4_c organization-defined time period of inactivity

-

- Value: organization-defined time period of inactivity

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization manages information system identifiers by:

-
- - - - - - - -
-

a.

-
-

Receiving authorization from - - ia-4_a - - organization-defined personnel or roles - organization-defined personnel or roles - to assign an individual, group, role, or device identifier;

-
-
-
- - - - - - - -
-

b.

-
-

Selecting an identifier that identifies an individual, group, role, or device;

-
-
-
- - - - - - - -
-

c.

-
-

Assigning the identifier to the intended individual, group, role, or device;

-
-
-
- - - - - - - -
-

d.

-
-

Preventing reuse of identifiers for - - ia-4_b - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

e.

-
-

Disabling the identifier after - - ia-4_c - - organization-defined time period of inactivity - organization-defined time period of inactivity - .

-
-
-
-
-
-

Supplemental guidance

-

Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization manages information system identifiers by:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defining personnel or roles from whom authorization must be received to assign:

-
- - - - - - - -
-

[a]

-
-

an individual identifier;

-
-
-
- - - - - - - -
-

[b]

-
-

a group identifier;

-
-
-
- - - - - - - -
-

[c]

-
-

a role identifier; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

a device identifier;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

receiving authorization from organization-defined personnel or roles to assign:

-
- - - - - - - -
-

[a]

-
-

an individual identifier;

-
-
-
- - - - - - - -
-

[b]

-
-

a group identifier;

-
-
-
- - - - - - - -
-

[c]

-
-

a role identifier; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

a device identifier;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

selecting an identifier that identifies:

-
- - - - - - - -
-

[1]

-
-

an individual;

-
-
-
- - - - - - - -
-

[2]

-
-

a group;

-
-
-
- - - - - - - -
-

[3]

-
-

a role; and/or

-
-
-
- - - - - - - -
-

[4]

-
-

a device;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

assigning the identifier to the intended:

-
- - - - - - - -
-

[1]

-
-

individual;

-
-
-
- - - - - - - -
-

[2]

-
-

group;

-
-
-
- - - - - - - -
-

[3]

-
-

role; and/or

-
-
-
- - - - - - - -
-

[4]

-
-

device;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defining a time period for preventing reuse of identifiers;

-
-
-
- - - - - - - -
-

[2]

-
-

preventing reuse of identifiers for the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defining a time period of inactivity to disable the identifier; and

-
-
-
- - - - - - - -
-

[2]

-
-

disabling the identifier after the organization-defined time period of inactivity.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing identifier management

-

- procedures addressing account management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of information system accounts

-

- list of identifiers generated from physical access control devices

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with identifier management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identifier management

-
-
-

References

-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-
-
-

- IA-5 AUTHENTICATOR MANAGEMENT

-
-

- Parameter: - ia-5_a organization-defined time period by authenticator type

-

- Value: organization-defined time period by authenticator type

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization manages information system authenticators by:

-
- - - - - - - -
-

a.

-
-

Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;

-
-
-
- - - - - - - -
-

b.

-
-

Establishing initial authenticator content for authenticators defined by the organization;

-
-
-
- - - - - - - -
-

c.

-
-

Ensuring that authenticators have sufficient strength of mechanism for their intended use;

-
-
-
- - - - - - - -
-

d.

-
-

Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;

-
-
-
- - - - - - - -
-

e.

-
-

Changing default content of authenticators prior to information system installation;

-
-
-
- - - - - - - -
-

f.

-
-

Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;

-
-
-
- - - - - - - -
-

g.

-
-

Changing/refreshing authenticators - - ia-5_a - - organization-defined time period by authenticator type - organization-defined time period by authenticator type - ;

-
-
-
- - - - - - - -
-

h.

-
-

Protecting authenticator content from unauthorized disclosure and modification;

-
-
-
- - - - - - - -
-

i.

-
-

Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and

-
-
-
- - - - - - - -
-

j.

-
-

Changing authenticators for group/role accounts when membership to those accounts changes.

-
-
-
-
-
-

Supplemental guidance

-

Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.

- - - - - - - - - - - - - - -
-
-

- IA-5 (1) PASSWORD-BASED AUTHENTICATION

-
-

- Parameter: - ia-5_b organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type

-

- Value: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type

-
-
-

- Parameter: - ia-5_c organization-defined number

-

- Value: organization-defined number

-
-
-

- Parameter: - ia-5_d organization-defined numbers for lifetime minimum, lifetime maximum

-

- Value: organization-defined numbers for lifetime minimum, lifetime maximum

-
-
-

- Parameter: - ia-5_e organization-defined number

-

- Value: organization-defined number

-
-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system, for password-based authentication:

-
- - - - - - - -
-

(a)

-
-

Enforces minimum password complexity of - - ia-5_b - - organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type - organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type - ;

-
-
-
- - - - - - - -
-

(b)

-
-

Enforces at least the following number of changed characters when new passwords are created: - - ia-5_c - - organization-defined number - organization-defined number - ;

-
-
-
- - - - - - - -
-

(c)

-
-

Stores and transmits only cryptographically-protected passwords;

-
-
-
- - - - - - - -
-

(d)

-
-

Enforces password minimum and maximum lifetime restrictions of - - ia-5_d - - organization-defined numbers for lifetime minimum, lifetime maximum - organization-defined numbers for lifetime minimum, lifetime maximum - ;

-
-
-
- - - - - - - -
-

(e)

-
-

Prohibits password reuse for - - ia-5_e - - organization-defined number - organization-defined number - generations; and

-
-
-
- - - - - - - -
-

(f)

-
-

Allows the use of a temporary password for system logons with an immediate change to a permanent password.

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.

- -
-
-

Objectives

- - - - - - -
- -

Determine if, for password-based authentication:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines requirements for case sensitivity;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines requirements for number of characters;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines requirements for the mix of upper-case letters, lower-case letters, numbers and special characters;

-
-
-
- - - - - - - -
-

[4]

-
-

the organization defines minimum requirements for each type of character;

-
-
-
- - - - - - - -
-

[5]

-
-

the information system enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines a minimum number of changed characters to be enforced when new passwords are created;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system enforces at least the organization-defined minimum number of characters that must be changed when new passwords are created;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

the information system stores and transmits only encrypted representations of passwords;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines numbers for password minimum lifetime restrictions to be enforced for passwords;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines numbers for password maximum lifetime restrictions to be enforced for passwords;

-
-
-
- - - - - - - -
-

[3]

-
-

the information system enforces password minimum lifetime restrictions of organization-defined numbers for lifetime minimum;

-
-
-
- - - - - - - -
-

[4]

-
-

the information system enforces password maximum lifetime restrictions of organization-defined numbers for lifetime maximum;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the number of password generations to be prohibited from password reuse;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system prohibits password reuse for the organization-defined number of generations; and

-
-
-
-
-
- - - - - - - -
-

(f)

-
-

the information system allows the use of a temporary password for system logons with an immediate change to a permanent password.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- password policy

-

- procedures addressing authenticator management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- password configurations and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with authenticator management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing password-based authenticator management capability

-
-

References: None -

-
-
-

- IA-5 (2) PKI-BASED AUTHENTICATION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system, for PKI-based authentication:

-
- - - - - - - -
-

(a)

-
-

Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;

-
-
-
- - - - - - - -
-

(b)

-
-

Enforces authorized access to the corresponding private key;

-
-
-
- - - - - - - -
-

(c)

-
-

Maps the authenticated identity to the account of the individual or group; and

-
-
-
- - - - - - - -
-

(d)

-
-

Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

-
-
-
-
-
-

Supplemental guidance

-

Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the information system, for PKI-based authentication:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

validates certifications by constructing a certification path to an accepted trust anchor;

-
-
-
- - - - - - - -
-

[2]

-
-

validates certifications by verifying a certification path to an accepted trust anchor;

-
-
-
- - - - - - - -
-

[3]

-
-

includes checking certificate status information when constructing and verifying the certification path;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

enforces authorized access to the corresponding private key;

-
-
-
- - - - - - - -
-

(c)

-
-

maps the authenticated identity to the account of the individual or group; and

-
-
-
- - - - - - - -
-

(d)

-
-

implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- PKI certification validation records

-

- PKI certification revocation lists

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with PKI-based, authenticator management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing PKI-based, authenticator management capability

-
-

References: None -

-
-
-

- IA-5 (3) IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION

-
-

- Parameter: - ia-5_f organization-defined types of and/or specific authenticators

-

- Value: organization-defined types of and/or specific authenticators

-
-
-

- Parameter: - ia-5_g organization-defined registration authority

-

- Value: organization-defined registration authority

-
-
-

- Parameter: - ia-5_h organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires that the registration process to receive - - ia-5_f - - organization-defined types of and/or specific authenticators - organization-defined types of and/or specific authenticators - be conducted [Selection: in person; by a trusted third party] before - - ia-5_g - - organization-defined registration authority - organization-defined registration authority - with authorization by - - ia-5_h - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines types of and/or specific authenticators to be received in person or by a trusted third party;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the registration authority with oversight of the registration process for receipt of organization-defined types of and/or specific authenticators;

-
-
-
- - - - - - - -
-

[3]

-
-

defines personnel or roles responsible for authorizing organization-defined registration authority;

-
-
-
- - - - - - - -
-

[4]

-
-

defines if the registration process is to be conducted:

-
- - - - - - - -
-

[a]

-
-

in person; or

-
-
-
- - - - - - - -
-

[b]

-
-

by a trusted third party; and

-
-
-
-
-
- - - - - - - -
-

[5]

-
-

requires that the registration process to receive organization-defined types of and/or specific authenticators be conducted in person or by a trusted third party before organization-defined registration authority with authorization by organization-defined personnel or roles.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator management

-

- registration process for receiving information system authenticators

-

- list of authenticators requiring in-person registration

-

- list of authenticators requiring trusted third party registration

-

- authenticator registration documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with authenticator management responsibilities

-

- registration authority

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- IA-5 (11) HARDWARE TOKEN-BASED AUTHENTICATION

-
-

- Parameter: - ia-5_l organization-defined token quality requirements

-

- Value: organization-defined token quality requirements

-
-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system, for hardware token-based authentication, employs mechanisms that satisfy - - ia-5_l - - organization-defined token quality requirements - organization-defined token quality requirements - .

-
-
-
-

Supplemental guidance

-

Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI.

-
-
-

Objectives

- - - - - - -
- -

Determine if, for hardware token-based authentication:

-
- - - - - - - -
-

[1]

-
-

the organization defines token quality requirements to be satisfied; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system employs mechanisms that satisfy organization-defined token quality requirements.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator management

-

- security plan

-

- information system design documentation

-

- automated mechanisms employing hardware token-based authentication for the information system

-

- list of token quality requirements

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with authenticator management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing hardware token-based authenticator management capability

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization manages information system authenticators by:

-
- - - - - - - -
-

(a)

-
-

verifying, as part of the initial authenticator distribution, the identity of:

-
- - - - - - - -
-

[1]

-
-

the individual receiving the authenticator;

-
-
-
- - - - - - - -
-

[2]

-
-

the group receiving the authenticator;

-
-
-
- - - - - - - -
-

[3]

-
-

the role receiving the authenticator; and/or

-
-
-
- - - - - - - -
-

[4]

-
-

the device receiving the authenticator;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

establishing initial authenticator content for authenticators defined by the organization;

-
-
-
- - - - - - - -
-

(c)

-
-

ensuring that authenticators have sufficient strength of mechanism for their intended use;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

establishing and implementing administrative procedures for initial authenticator distribution;

-
-
-
- - - - - - - -
-

[2]

-
-

establishing and implementing administrative procedures for lost/compromised or damaged authenticators;

-
-
-
- - - - - - - -
-

[3]

-
-

establishing and implementing administrative procedures for revoking authenticators;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

changing default content of authenticators prior to information system installation;

-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

establishing minimum lifetime restrictions for authenticators;

-
-
-
- - - - - - - -
-

[2]

-
-

establishing maximum lifetime restrictions for authenticators;

-
-
-
- - - - - - - -
-

[3]

-
-

establishing reuse conditions for authenticators;

-
-
-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

defining a time period (by authenticator type) for changing/refreshing authenticators;

-
-
-
- - - - - - - -
-

[2]

-
-

changing/refreshing authenticators with the organization-defined time period by authenticator type;

-
-
-
-
-
- - - - - - - -
-

(h)

-
-

protecting authenticator content from unauthorized:

-
- - - - - - - -
-

[1]

-
-

disclosure;

-
-
-
- - - - - - - -
-

[2]

-
-

modification;

-
-
-
-
-
- - - - - - - -
-

(i)

-
-
- - - - - - - -
-

[1]

-
-

requiring individuals to take specific security safeguards to protect authenticators;

-
-
-
- - - - - - - -
-

[2]

-
-

having devices implement specific security safeguards to protect authenticators; and

-
-
-
-
-
- - - - - - - -
-

(j)

-
-

changing authenticators for group/role accounts when membership to those accounts changes.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator management

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of information system authenticator types

-

- change control records associated with managing information system authenticators

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with authenticator management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing authenticator management capability

-
-
-

References

-
-

OMB Memorandum 04-04

-
-
-

OMB Memorandum 11-11

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

FICAM Roadmap and Implementation Guidance

-
-
-

http://idmanagement.gov

-
-
-
-
-

- IA-6 AUTHENTICATOR FEEDBACK

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

-
-
-
-

Supplemental guidance

-

The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it.

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator feedback

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication

-
-

References: None -

-
-
-

- IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

-
-
-
-

Supplemental guidance

-

Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing cryptographic module authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for cryptographic module authentication

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing cryptographic module authentication

-
-
-

References

-
-

FIPS Publication 140

-
-
-

http://csrc.nist.gov/groups/STM/cmvp/index.html

-
-
-
-
-

- IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

-
-
-
-

Supplemental guidance

-

Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users.

- - - - - - - - - - - -
-
-

- IA-8 (1) ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

-
-
-
-

Supplemental guidance

-

This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

[1]

-
-

accepts Personal Identity Verification (PIV) credentials from other agencies; and

-
-
-
- - - - - - - -
-

[2]

-
-

electronically verifies Personal Identity Verification (PIV) credentials from other agencies.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- PIV verification records

-

- evidence of PIV credentials

-

- PIV credential authorizations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-

- organizational personnel with account management responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms that accept and verify PIV credentials

-
-

References: None -

-
-
-

- IA-8 (2) ACCEPTANCE OF THIRD-PARTY CREDENTIALS

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system accepts only FICAM-approved third-party credentials.

-
-
-
-

Supplemental guidance

-

This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system accepts only FICAM-approved third-party credentials.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization

-

- third-party credential verification records

-

- evidence of FICAM-approved third-party credentials

-

- third-party credential authorizations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-

- organizational personnel with account management responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms that accept FICAM-approved credentials

-
-

References: None -

-
-
-

- IA-8 (3) USE OF FICAM-APPROVED PRODUCTS

-
-

- Parameter: - ia-8_a organization-defined information systems

-

- Value: organization-defined information systems

-
-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs only FICAM-approved information system components in - - ia-8_a - - organization-defined information systems - organization-defined information systems - to accept third-party credentials.

-
-
-
-

Supplemental guidance

-

This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information systems in which only FICAM-approved information system components are to be employed to accept third-party credentials; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- system and services acquisition policy

-

- procedures addressing user identification and authentication

-

- procedures addressing the integration of security requirements into the acquisition process

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- third-party credential validations

-

- third-party credential authorizations

-

- third-party credential records

-

- list of FICAM-approved information system components procured and implemented by organization

-

- acquisition documentation

-

- acquisition contracts for information system procurements or services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- system/network administrators

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information system security, acquisition, and contracting responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-
-

References: None -

-
-
-

- IA-8 (4) USE OF FICAM-ISSUED PROFILES

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system conforms to FICAM-issued profiles.

-
-
-
-

Supplemental guidance

-

This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange).

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system conforms to FICAM-issued profiles.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- system and services acquisition policy

-

- procedures addressing user identification and authentication

-

- procedures addressing the integration of security requirements into the acquisition process

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of FICAM-issued profiles and associated, approved protocols

-

- acquisition documentation

-

- acquisition contracts for information system procurements or services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-

- organizational personnel with account management responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms supporting and/or implementing conformance with FICAM-issued profiles

-
-

References: None -

-
-
-

Objective

- - - - - - -
- -

Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- organizational personnel with account management responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-
-
-

References

-
-

OMB Memorandum 04-04

-
-
-

OMB Memorandum 11-11

-
-
-

OMB Memorandum 10-06-2011

-
-
-

FICAM Roadmap and Implementation Guidance

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-116

-
-
-

National Strategy for Trusted Identities in Cyberspace

-
-
-

http://idmanagement.gov

-
-
-
-
-
-

INCIDENT RESPONSE

-
-

- IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES

-
-

- Parameter: - ir-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ir-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ir-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ir-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Incident response policy - - ir-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Incident response procedures - - ir-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an incident response policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the incident response policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the incident response policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current incident response policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current incident response policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current incident response procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current incident response procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-61

-
-
-

NIST Special Publication 800-83

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- IR-2 INCIDENT RESPONSE TRAINING

-
-

- Parameter: - ir-2_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ir-2_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides incident response training to information system users consistent with assigned roles and responsibilities:

-
- - - - - - - -
-

a.

-
-

Within - - ir-2_a - - organization-defined time period - organization-defined time period - of assuming an incident response role or responsibility;

-
-
-
- - - - - - - -
-

b.

-
-

When required by information system changes; and

-
-
-
- - - - - - - -
-

c.

-
-

- - - ir-2_b - - organization-defined frequency - organization-defined frequency - thereafter.

-
-
-
-
-
-

Supplemental guidance

-

Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources.

- - - -
-
-

- IR-2 (1) SIMULATED EVENTS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response training

-

- incident response training curriculum

-

- incident response training materials

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response training and operational responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms that support and/or implement simulated events for incident response training

-
-

References: None -

-
-
-

- IR-2 (2) AUTOMATED TRAINING ENVIRONMENTS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response training

-

- incident response training curriculum

-

- incident response training materials

-

- automated mechanisms supporting incident response training

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response training and operational responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms that provide a thorough and realistic incident response training environment

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period within which incident response training is to be provided to information system users assuming an incident response role or responsibility;

-
-
-
- - - - - - - -
-

[2]

-
-

provides incident response training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming an incident response role or responsibility;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to provide refresher incident response training to information system users consistent with assigned roles or responsibilities; and

-
-
-
- - - - - - - -
-

[2]

-
-

after the initial incident response training, provides refresher incident response training to information system users consistent with assigned roles and responsibilities in accordance with the organization-defined frequency to provide refresher training.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response training

-

- incident response training curriculum

-

- incident response training materials

-

- security plan

-

- incident response plan

-

- security plan

-

- incident response training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response training and operational responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-16

-
-
-

NIST Special Publication 800-50

-
-
-
-
-

- IR-3 INCIDENT RESPONSE TESTING

-
-

- Parameter: - ir-3_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ir-3_b organization-defined tests

-

- Value: organization-defined tests

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tests the incident response capability for the information system - - ir-3_a - - organization-defined frequency - organization-defined frequency - using - - ir-3_b - - organization-defined tests - organization-defined tests - to determine the incident response effectiveness and documents the results.

-
-
-
-

Supplemental guidance

-

Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response.

- - -
-
-

- IR-3 (2) COORDINATION WITH RELATED PLANS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization coordinates incident response testing with organizational elements responsible for related plans.

-
-
-
-

Supplemental guidance

-

Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization coordinates incident response testing with organizational elements responsible for related plans.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- contingency planning policy

-

- procedures addressing incident response testing

-

- incident response testing documentation

-

- incident response plan

-

- business continuity plans

-

- contingency plans

-

- disaster recovery plans

-

- continuity of operations plans

-

- crisis communications plans

-

- critical infrastructure plans

-

- occupant emergency plans

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response testing responsibilities

-

- organizational personnel with responsibilities for testing organizational plans related to incident response testing

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines incident response tests to test the incident response capability for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to test the incident response capability for the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

tests the incident response capability for the information system with the organization-defined frequency, using organization-defined tests to determine the incident response effectiveness and documents the results.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- contingency planning policy

-

- procedures addressing incident response testing

-

- procedures addressing contingency plan testing

-

- incident response testing material

-

- incident response test results

-

- incident response test plan

-

- incident response plan

-

- contingency plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response testing responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-84

-
-
-

NIST Special Publication 800-115

-
-
-
-
-

- IR-4 INCIDENT HANDLING

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;

-
-
-
- - - - - - - -
-

b.

-
-

Coordinates incident handling activities with contingency planning activities; and

-
-
-
- - - - - - - -
-

c.

-
-

Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.

-
-
-
-
-
-

Supplemental guidance

-

Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).

- - - - - - - - - - - - - -
-
-

- IR-4 (1) AUTOMATED INCIDENT HANDLING PROCESSES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to support the incident handling process.

-
-
-
-

Supplemental guidance

-

Automated mechanisms supporting incident handling processes include, for example, online incident management systems.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to support the incident handling process.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident handling

-

- automated mechanisms supporting incident handling

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident handling responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms that support and/or implement the incident handling process

-
-

References: None -

-
-
-

- IR-4 (4) INFORMATION CORRELATION

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

-
-
-
-

Supplemental guidance

-

Sometimes the nature of a threat event, for example, a hostile cyber attack, is such that it can only be observed by bringing together information from different sources including various reports and reporting procedures established by organizations.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident handling

-

- incident response plan

-

- security plan

-

- automated mechanisms supporting incident and event correlation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- incident management correlation logs

-

- event management correlation logs

-

- security information and event management logs

-

- incident management correlation reports

-

- event management correlation reports

-

- security information and event management reports

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident handling responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with whom incident information and individual incident responses are to be correlated

-
-
-

Assessment: TEST

-

- Organizational processes for correlating incident information and individual incident responses

-

- automated mechanisms that support and or implement correlation of incident response information with individual incident responses

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

implements an incident handling capability for security incidents that includes:

-
- - - - - - - -
-

[1]

-
-

preparation;

-
-
-
- - - - - - - -
-

[2]

-
-

detection and analysis;

-
-
-
- - - - - - - -
-

[3]

-
-

containment;

-
-
-
- - - - - - - -
-

[4]

-
-

eradication;

-
-
-
- - - - - - - -
-

[5]

-
-

recovery;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

coordinates incident handling activities with contingency planning activities;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

incorporates lessons learned from ongoing incident handling activities into:

-
- - - - - - - -
-

[a]

-
-

incident response procedures;

-
-
-
- - - - - - - -
-

[b]

-
-

training;

-
-
-
- - - - - - - -
-

[c]

-
-

testing/exercises;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

implements the resulting changes accordingly to:

-
- - - - - - - -
-

[a]

-
-

incident response procedures;

-
-
-
- - - - - - - -
-

[b]

-
-

training; and

-
-
-
- - - - - - - -
-

[c]

-
-

testing/exercises.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- contingency planning policy

-

- procedures addressing incident handling

-

- incident response plan

-

- contingency plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident handling responsibilities

-

- organizational personnel with contingency planning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Incident handling capability for the organization

-
-
-

References

-
-

Executive Order 13587

-
-
-

NIST Special Publication 800-61

-
-
-
-
-

- IR-5 INCIDENT MONITORING

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tracks and documents information system security incidents.

-
-
-
-

Supplemental guidance

-

Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.

- - - - - - - - -
-
-

- IR-5 (1) AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

-
-
-
-

Supplemental guidance

-

Automated mechanisms for tracking security incidents and collecting/analyzing incident information include, for example, the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization employs automated mechanisms to assist in:

-
- - - - - - - -
-

[1]

-
-

the tracking of security incidents;

-
-
-
- - - - - - - -
-

[2]

-
-

the collection of incident information; and

-
-
-
- - - - - - - -
-

[3]

-
-

the analysis of incident information.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident monitoring

-

- automated mechanisms supporting incident monitoring

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- incident response plan

-

- security plan

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident monitoring responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms assisting in tracking of security incidents and in the collection and analysis of incident information

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

tracks information system security incidents; and

-
-
-
- - - - - - - -
-

[2]

-
-

documents information system security incidents.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident monitoring

-

- incident response records and documentation

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident monitoring responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Incident monitoring capability for the organization

-

- automated mechanisms supporting and/or implementing tracking and documenting of system security incidents

-
-
-

References

-
-

NIST Special Publication 800-61

-
-
-
-
-

- IR-6 INCIDENT REPORTING

-
-

- Parameter: - ir-6_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ir-6_b organization-defined authorities

-

- Value: organization-defined authorities

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Requires personnel to report suspected security incidents to the organizational incident response capability within - - ir-6_a - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Reports security incident information to - - ir-6_b - - organization-defined authorities - organization-defined authorities - .

-
-
-
-
-
-

Supplemental guidance

-

The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling.

- - - -
-
-

- IR-6 (1) AUTOMATED REPORTING

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to assist in the reporting of security incidents.

-
-
-
-

Supplemental guidance

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to assist in the reporting of security incidents.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident reporting

-

- automated mechanisms supporting incident reporting

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident reporting responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for incident reporting

-

- automated mechanisms supporting and/or implementing reporting of security incidents

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the time period within which personnel report suspected security incidents to the organizational incident response capability;

-
-
-
- - - - - - - -
-

[2]

-
-

requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines authorities to whom security incident information is to be reported; and

-
-
-
- - - - - - - -
-

[2]

-
-

reports security incident information to organization-defined authorities.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident reporting

-

- incident reporting records and documentation

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident reporting responsibilities

-

- organizational personnel with information security responsibilities

-

- personnel who have/should have reported incidents

-

- personnel (authorities) to whom incident information is to be reported

-
-
-

Assessment: TEST

-

- Organizational processes for incident reporting

-

- automated mechanisms supporting and/or implementing incident reporting

-
-
-

References

-
-

NIST Special Publication 800-61

-
-
-

http://www.us-cert.gov

-
-
-
-
-

- IR-7 INCIDENT RESPONSE ASSISTANCE

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

-
-
-
-

Supplemental guidance

-

Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required.

- - - - - -
-
-

- IR-7 (1) AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to increase the availability of incident response-related information and support.

-
-
-
-

Supplemental guidance

-

Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to increase the availability of incident response-related information and support.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response assistance

-

- automated mechanisms supporting incident response support and assistance

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response support and assistance responsibilities

-

- organizational personnel with access to incident response support and assistance capability

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for incident response assistance

-

- automated mechanisms supporting and/or implementing an increase in the availability of incident response information and support

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization provides an incident response support resource:

-
- - - - - - - -
-

[1]

-
-

that is integral to the organizational incident response capability; and

-
-
-
- - - - - - - -
-

[2]

-
-

that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response assistance

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response assistance and support responsibilities

-

- organizational personnel with access to incident response support and assistance capability

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for incident response assistance

-

- automated mechanisms supporting and/or implementing incident response assistance

-
-

References: None -

-
-
-

- IR-8 INCIDENT RESPONSE PLAN

-
-

- Parameter: - ir-8_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ir-8_b organization-defined incident response personnel (identified by name and/or by role) and organizational elements

-

- Value: organization-defined incident response personnel (identified by name and/or by role) and organizational elements

-
-
-

- Parameter: - ir-8_c organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ir-8_d organization-defined incident response personnel (identified by name and/or by role) and organizational elements

-

- Value: organization-defined incident response personnel (identified by name and/or by role) and organizational elements

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops an incident response plan that:

-
- - - - - - - -
-

1.

-
-

Provides the organization with a roadmap for implementing its incident response capability;

-
-
-
- - - - - - - -
-

2.

-
-

Describes the structure and organization of the incident response capability;

-
-
-
- - - - - - - -
-

3.

-
-

Provides a high-level approach for how the incident response capability fits into the overall organization;

-
-
-
- - - - - - - -
-

4.

-
-

Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

-
-
-
- - - - - - - -
-

5.

-
-

Defines reportable incidents;

-
-
-
- - - - - - - -
-

6.

-
-

Provides metrics for measuring the incident response capability within the organization;

-
-
-
- - - - - - - -
-

7.

-
-

Defines the resources and management support needed to effectively maintain and mature an incident response capability; and

-
-
-
- - - - - - - -
-

8.

-
-

Is reviewed and approved by - - ir-8_a - - organization-defined personnel or roles - organization-defined personnel or roles - ;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Distributes copies of the incident response plan to - - ir-8_b - - organization-defined incident response personnel (identified by name and/or by role) and organizational elements - organization-defined incident response personnel (identified by name and/or by role) and organizational elements - ;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews the incident response plan - - ir-8_c - - organization-defined frequency - organization-defined frequency - ;

-
-
-
- - - - - - - -
-

d.

-
-

Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;

-
-
-
- - - - - - - -
-

e.

-
-

Communicates incident response plan changes to - - ir-8_d - - organization-defined incident response personnel (identified by name and/or by role) and organizational elements - organization-defined incident response personnel (identified by name and/or by role) and organizational elements - ; and

-
-
-
- - - - - - - -
-

f.

-
-

Protects the incident response plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Supplemental guidance

-

It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops an incident response plan that:

-
- - - - - - - -
-

(1)

-
-

provides the organization with a roadmap for implementing its incident response capability;

-
-
-
- - - - - - - -
-

(2)

-
-

describes the structure and organization of the incident response capability;

-
-
-
- - - - - - - -
-

(3)

-
-

provides a high-level approach for how the incident response capability fits into the overall organization;

-
-
-
- - - - - - - -
-

(4)

-
-

meets the unique requirements of the organization, which relate to:

-
- - - - - - - -
-

[1]

-
-

mission;

-
-
-
- - - - - - - -
-

[2]

-
-

size;

-
-
-
- - - - - - - -
-

[3]

-
-

structure;

-
-
-
- - - - - - - -
-

[4]

-
-

functions;

-
-
-
-
-
- - - - - - - -
-

(5)

-
-

defines reportable incidents;

-
-
-
- - - - - - - -
-

(6)

-
-

provides metrics for measuring the incident response capability within the organization;

-
-
-
- - - - - - - -
-

(7)

-
-

defines the resources and management support needed to effectively maintain and mature an incident response capability;

-
-
-
- - - - - - - -
-

(8)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to review and approve the incident response plan;

-
-
-
- - - - - - - -
-

[2]

-
-

is reviewed and approved by organization-defined personnel or roles;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed;

-
-
-
- - - - - - - -
-

[b]

-
-

defines organizational elements to whom copies of the incident response plan are to be distributed;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the incident response plan;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the incident response plan with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

updates the incident response plan to address system/organizational changes or problems encountered during plan:

-
- - - - - - - -
-

[1]

-
-

implementation;

-
-
-
- - - - - - - -
-

[2]

-
-

execution; or

-
-
-
- - - - - - - -
-

[3]

-
-

testing;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines incident response personnel (identified by name and/or by role) to whom incident response plan changes are to be communicated;

-
-
-
- - - - - - - -
-

[b]

-
-

defines organizational elements to whom incident response plan changes are to be communicated;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements; and

-
-
-
-
-
- - - - - - - -
-

(f)

-
-

protects the incident response plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response planning

-

- incident response plan

-

- records of incident response plan reviews and approvals

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response planning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational incident response plan and related organizational processes

-
-
-

References

-
-

NIST Special Publication 800-61

-
-
-
-
-
-

MAINTENANCE

-
-

- MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES

-
-

- Parameter: - ma-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ma-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ma-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ma-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

System maintenance policy - - ma-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

System maintenance procedures - - ma-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a system maintenance policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the system maintenance policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the system maintenance policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the maintenance policy and associated system maintenance controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system maintenance policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system maintenance policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system maintenance procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system maintenance procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Maintenance policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- MA-2 CONTROLLED MAINTENANCE

-
-

- Parameter: - ma-2_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ma-2_b organization-defined maintenance-related information

-

- Value: organization-defined maintenance-related information

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;

-
-
-
- - - - - - - -
-

b.

-
-

Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

-
-
-
- - - - - - - -
-

c.

-
-

Requires that - - ma-2_a - - organization-defined personnel or roles - organization-defined personnel or roles - explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

-
-
-
- - - - - - - -
-

d.

-
-

Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;

-
-
-
- - - - - - - -
-

e.

-
-

Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and

-
-
-
- - - - - - - -
-

f.

-
-

Includes - - ma-2_b - - organization-defined maintenance-related information - organization-defined maintenance-related information - in organizational maintenance records.

-
-
-
-
-
-

Supplemental guidance

-

This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems.

- - - - - - - -
-
-

- MA-2 (2) AUTOMATED MAINTENANCE ACTIVITIES

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and

-
-
-
- - - - - - - -
-

(b)

-
-

Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed.

-
-
-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

employs automated mechanisms to:

-
- - - - - - - -
-

[1]

-
-

schedule maintenance and repairs;

-
-
-
- - - - - - - -
-

[2]

-
-

conduct maintenance and repairs;

-
-
-
- - - - - - - -
-

[3]

-
-

document maintenance and repairs;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

produces up-to-date, accurate, and complete records of all maintenance and repair actions:

-
- - - - - - - -
-

[1]

-
-

requested;

-
-
-
- - - - - - - -
-

[2]

-
-

scheduled;

-
-
-
- - - - - - - -
-

[3]

-
-

in process; and

-
-
-
- - - - - - - -
-

[4]

-
-

completed.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing controlled information system maintenance

-

- automated mechanisms supporting information system maintenance activities

-

- information system configuration settings and associated documentation

-

- maintenance records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing controlled maintenance

-

- automated mechanisms supporting and/or implementing production of records of maintenance and repair actions

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

schedules maintenance and repairs on information system components in accordance with:

-
- - - - - - - -
-

[a]

-
-

manufacturer or vendor specifications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

organizational requirements;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

performs maintenance and repairs on information system components in accordance with:

-
- - - - - - - -
-

[a]

-
-

manufacturer or vendor specifications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

organizational requirements;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

documents maintenance and repairs on information system components in accordance with:

-
- - - - - - - -
-

[a]

-
-

manufacturer or vendor specifications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

organizational requirements;

-
-
-
-
-
- - - - - - - -
-

[4]

-
-

reviews records of maintenance and repairs on information system components in accordance with:

-
- - - - - - - -
-

[a]

-
-

manufacturer or vendor specifications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

organizational requirements;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

approves all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles required to explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

-
-
-
- - - - - - - -
-

[2]

-
-

requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;

-
-
-
- - - - - - - -
-

(e)

-
-

checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;

-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines maintenance-related information to be included in organizational maintenance records; and

-
-
-
- - - - - - - -
-

[2]

-
-

includes organization-defined maintenance-related information in organizational maintenance records.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing controlled information system maintenance

-

- maintenance records

-

- manufacturer/vendor maintenance specifications

-

- equipment sanitization records

-

- media sanitization records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel responsible for media sanitization

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system

-

- organizational processes for sanitizing information system components

-

- automated mechanisms supporting and/or implementing controlled maintenance

-

- automated mechanisms implementing sanitization of information system components

-
-

References: None -

-
-
-

- MA-3 MAINTENANCE TOOLS

-

- priority: P3

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization approves, controls, and monitors information system maintenance tools.

-
-
-
-

Supplemental guidance

-

This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing �ping,� �ls,� �ipconfig,� or the hardware and software implementing the monitoring port of an Ethernet switch.

- - - -
-
-

- MA-3 (1) INSPECT TOOLS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

-
-
-
-

Supplemental guidance

-

If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing information system maintenance tools

-

- information system maintenance tools and associated documentation

-

- maintenance tool inspection records

-

- maintenance records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for inspecting maintenance tools

-

- automated mechanisms supporting and/or implementing inspection of maintenance tools

-
-

References: None -

-
-
-

- MA-3 (2) INSPECT MEDIA

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.

-
-
-
-

Supplemental guidance

-

If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.

-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing information system maintenance tools

-

- information system maintenance tools and associated documentation

-

- maintenance records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational process for inspecting media for malicious code

-

- automated mechanisms supporting and/or implementing inspection of media used for maintenance

-
-

References: None -

-
-
-

- MA-3 (3) PREVENT UNAUTHORIZED REMOVAL

-
-

- Parameter: - ma-3_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:

-
- - - - - - - -
-

(a)

-
-

Verifying that there is no organizational information contained on the equipment;

-
-
-
- - - - - - - -
-

(b)

-
-

Sanitizing or destroying the equipment;

-
-
-
- - - - - - - -
-

(c)

-
-

Retaining the equipment within the facility; or

-
-
-
- - - - - - - -
-

(d)

-
-

Obtaining an exemption from - - ma-3_a - - organization-defined personnel or roles - organization-defined personnel or roles - explicitly authorizing removal of the equipment from the facility.

-
-
-
-
-
-

Supplemental guidance

-

Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization prevents the unauthorized removal of maintenance equipment containing organizational information by:

-
- - - - - - - -
-

(a)

-
-

verifying that there is no organizational information contained on the equipment;

-
-
-
- - - - - - - -
-

(b)

-
-

sanitizing or destroying the equipment;

-
-
-
- - - - - - - -
-

(c)

-
-

retaining the equipment within the facility; or

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defining personnel or roles that can grant an exemption from explicitly authorizing removal of the equipment from the facility; and

-
-
-
- - - - - - - -
-

[2]

-
-

obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing information system maintenance tools

-

- information system maintenance tools and associated documentation

-

- maintenance records

-

- equipment sanitization records

-

- media sanitization records

-

- exemptions for equipment removal

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel responsible for media sanitization

-
-
-

Assessment: TEST

-

- Organizational process for preventing unauthorized removal of information

-

- automated mechanisms supporting media sanitization or destruction of equipment

-

- automated mechanisms supporting verification of media sanitization

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

approves information system maintenance tools;

-
-
-
- - - - - - - -
-

[2]

-
-

controls information system maintenance tools; and

-
-
-
- - - - - - - -
-

[3]

-
-

monitors information system maintenance tools.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing information system maintenance tools

-

- information system maintenance tools and associated documentation

-

- maintenance records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for approving, controlling, and monitoring maintenance tools

-

- automated mechanisms supporting and/or implementing approval, control, and/or monitoring of maintenance tools

-
-
-

References

-
-

NIST Special Publication 800-88

-
-
-
-
-

- MA-4 NONLOCAL MAINTENANCE

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Approves and monitors nonlocal maintenance and diagnostic activities;

-
-
-
- - - - - - - -
-

b.

-
-

Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;

-
-
-
- - - - - - - -
-

c.

-
-

Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;

-
-
-
- - - - - - - -
-

d.

-
-

Maintains records for nonlocal maintenance and diagnostic activities; and

-
-
-
- - - - - - - -
-

e.

-
-

Terminates session and network connections when nonlocal maintenance is completed.

-
-
-
-
-
-

Supplemental guidance

-

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.

- - - - - - - - - - - - - - - - - -
-
-

- MA-4 (2) DOCUMENT NONLOCAL MAINTENANCE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

-
-
-
-

Objectives

- - - - - - -
- -

Determine if the organization documents in the security plan for the information system:

-
- - - - - - - -
-

[1]

-
-

the policies for the establishment and use of nonlocal maintenance and diagnostic connections; and

-
-
-
- - - - - - - -
-

[2]

-
-

the procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing non-local information system maintenance

-

- security plan

-

- maintenance records

-

- diagnostic records

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- MA-4 (3) COMPARABLE SECURITY / SANITIZATION

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or

-
-
-
- - - - - - - -
-

(b)

-
-

Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.

-
-
-
-
-
-

Supplemental guidance

-

Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

removes the component to be serviced from the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

sanitizes the component (with regard to organizational information) prior to nonlocal maintenance or diagnostic services and/or before removal from organizational facilities; and

-
-
-
- - - - - - - -
-

[3]

-
-

inspects and sanitizes the component (with regard to potentially malicious software) after service is performed on the component and before reconnecting the component to the information system.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing nonlocal information system maintenance

-

- service provider contracts and/or service-level agreements

-

- maintenance records

-

- inspection records

-

- audit records

-

- equipment sanitization records

-

- media sanitization records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- information system maintenance provider

-

- organizational personnel with information security responsibilities

-

- organizational personnel responsible for media sanitization

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for comparable security and sanitization for nonlocal maintenance

-

- organizational processes for removal, sanitization, and inspection of components serviced via nonlocal maintenance

-

- automated mechanisms supporting and/or implementing component sanitization and inspection

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

approves nonlocal maintenance and diagnostic activities;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors nonlocal maintenance and diagnostic activities;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

allows the use of nonlocal maintenance and diagnostic tools only:

-
- - - - - - - -
-

[1]

-
-

as consistent with organizational policy;

-
-
-
- - - - - - - -
-

[2]

-
-

as documented in the security plan for the information system;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;

-
-
-
- - - - - - - -
-

(d)

-
-

maintains records for nonlocal maintenance and diagnostic activities;

-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

terminates sessions when nonlocal maintenance or diagnostics is completed; and

-
-
-
- - - - - - - -
-

[2]

-
-

terminates network connections when nonlocal maintenance or diagnostics is completed.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing nonlocal information system maintenance

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- maintenance records

-

- diagnostic records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing nonlocal maintenance

-

- automated mechanisms implementing, supporting, and/or managing nonlocal maintenance

-

- automated mechanisms for strong authentication of nonlocal maintenance diagnostic sessions

-

- automated mechanisms for terminating nonlocal maintenance sessions and network connections

-
-
-

References

-
-

FIPS Publication 140-2

-
-
-

FIPS Publication 197

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-88

-
-
-

CNSS Policy 15

-
-
-
-
-

- MA-5 MAINTENANCE PERSONNEL

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;

-
-
-
- - - - - - - -
-

b.

-
-

Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and

-
-
-
- - - - - - - -
-

c.

-
-

Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

- - - - - - - -
-
-

- MA-5 (1) INDIVIDUALS WITHOUT APPROPRIATE ACCESS

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:

-
- - - - - - - -
-

(1)

-
-

Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;

-
-
-
- - - - - - - -
-

(2)

-
-

Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:

-
- - - - - - - -
-

(1)

-
-

maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who:

-
- - - - - - - -
-

[1]

-
-

are fully cleared;

-
-
-
- - - - - - - -
-

[2]

-
-

have appropriate access authorizations;

-
-
-
- - - - - - - -
-

[3]

-
-

are technically qualified;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-

prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances, or formal access approvals:

-
- - - - - - - -
-

[1]

-
-

all volatile information storage components within the information system are sanitized; and

-
-
-
- - - - - - - -
-

[2]

-
-

all nonvolatile storage media are removed; or

-
-
-
- - - - - - - -
-

[3]

-
-

all nonvolatile storage media are physically disconnected from the system and secured; and

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

develops and implements alternative security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing maintenance personnel

-

- information system media protection policy

-

- physical and environmental protection policy

-

- security plan

-

- list of maintenance personnel requiring escort/supervision

-

- maintenance records

-

- access control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with personnel security responsibilities

-

- organizational personnel with physical access control responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel responsible for media sanitization

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing maintenance personnel without appropriate access

-

- automated mechanisms supporting and/or implementing alternative security safeguards

-

- automated mechanisms supporting and/or implementing information storage component sanitization

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

establishes a process for maintenance personnel authorization;

-
-
-
- - - - - - - -
-

[2]

-
-

maintains a list of authorized maintenance organizations or personnel;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and

-
-
-
- - - - - - - -
-

(c)

-
-

designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing maintenance personnel

-

- service provider contracts

-

- service-level agreements

-

- list of authorized personnel

-

- maintenance records

-

- access control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for authorizing and managing maintenance personnel

-

- automated mechanisms supporting and/or implementing authorization of maintenance personnel

-
-

References: None -

-
-
-

- MA-6 TIMELY MAINTENANCE

-
-

- Parameter: - ma-6_a organization-defined information system components

-

- Value: organization-defined information system components

-
-
-

- Parameter: - ma-6_b organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization obtains maintenance support and/or spare parts for - - ma-6_a - - organization-defined information system components - organization-defined information system components - within - - ma-6_b - - organization-defined time period - organization-defined time period - of failure.

-
-
-
-

Supplemental guidance

-

Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information system components for which maintenance support and/or spare parts are to be obtained;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which maintenance support and/or spare parts are to be obtained after a failure;

-
-
-
- - - - - - - -
-

[3]

-
-
- - - - - - - -
-

[a]

-
-

obtains maintenance support for organization-defined information system components within the organization-defined time period of failure; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

obtains spare parts for organization-defined information system components within the organization-defined time period of failure.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing information system maintenance

-

- service provider contracts

-

- service-level agreements

-

- inventory and availability of spare parts

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for ensuring timely maintenance

-
-

References: None -

-
-
-
-

MEDIA PROTECTION

-
-

- MP-1 MEDIA PROTECTION POLICY AND PROCEDURES

-
-

- Parameter: - mp-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - mp-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - mp-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - mp-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Media protection policy - - mp-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Media protection procedures - - mp-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a media protection policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the media protection policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the media protection policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current media protection policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current media protection policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current media protection procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current media protection procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Media protection policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with media protection responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- MP-2 MEDIA ACCESS

-
-

- Parameter: - mp-2_a organization-defined types of digital and/or non-digital media

-

- Value: organization-defined types of digital and/or non-digital media

-
-
-

- Parameter: - mp-2_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization restricts access to - - mp-2_a - - organization-defined types of digital and/or non-digital media - organization-defined types of digital and/or non-digital media - to - - mp-2_b - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-

Supplemental guidance

-

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines types of digital and/or non-digital media requiring restricted access;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles authorized to access organization-defined types of digital and/or non-digital media; and

-
-
-
- - - - - - - -
-

[3]

-
-

restricts access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media access restrictions

-

- access control policy and procedures

-

- physical and environmental protection policy and procedures

-

- media storage facilities

-

- access control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media protection responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for restricting information media

-

- automated mechanisms supporting and/or implementing media access restrictions

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-111

-
-
-
-
-

- MP-3 MEDIA MARKING

-
-

- Parameter: - mp-3_a organization-defined types of information system media

-

- Value: organization-defined types of information system media

-
-
-

- Parameter: - mp-3_b organization-defined controlled areas

-

- Value: organization-defined controlled areas

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and

-
-
-
- - - - - - - -
-

b.

-
-

Exempts - - mp-3_a - - organization-defined types of information system media - organization-defined types of information system media - from marking as long as the media remain within - - mp-3_b - - organization-defined controlled areas - organization-defined controlled areas - .

-
-
-
-
-
-

Supplemental guidance

-

The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

marks information system media indicating the:

-
- - - - - - - -
-

[1]

-
-

distribution limitations of the information;

-
-
-
- - - - - - - -
-

[2]

-
-

handling caveats of the information;

-
-
-
- - - - - - - -
-

[3]

-
-

applicable security markings (if any) of the information;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines types of information system media to be exempted from marking as long as the media remain in designated controlled areas;

-
-
-
- - - - - - - -
-

[2]

-
-

defines controlled areas where organization-defined types of information system media exempt from marking are to be retained; and

-
-
-
- - - - - - - -
-

[3]

-
-

exempts organization-defined types of information system media from marking as long as the media remain within organization-defined controlled areas.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media marking

-

- physical and environmental protection policy and procedures

-

- security plan

-

- list of information system media marking security attributes

-

- designated controlled areas

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media protection and marking responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for marking information media

-

- automated mechanisms supporting and/or implementing media marking

-
-
-

References

-
-

FIPS Publication 199

-
-
-
-
-

- MP-4 MEDIA STORAGE

-
-

- Parameter: - mp-4_a organization-defined types of digital and/or non-digital media

-

- Value: organization-defined types of digital and/or non-digital media

-
-
-

- Parameter: - mp-4_b organization-defined controlled areas

-

- Value: organization-defined controlled areas

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Physically controls and securely stores - - mp-4_a - - organization-defined types of digital and/or non-digital media - organization-defined types of digital and/or non-digital media - within - - mp-4_b - - organization-defined controlled areas - organization-defined controlled areas - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

-
-
-
-
-
-

Supplemental guidance

-

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines types of digital and/or non-digital media to be physically controlled and securely stored within designated controlled areas;

-
-
-
- - - - - - - -
-

[2]

-
-

defines controlled areas designated to physically control and securely store organization-defined types of digital and/or non-digital media;

-
-
-
- - - - - - - -
-

[3]

-
-

physically controls organization-defined types of digital and/or non-digital media within organization-defined controlled areas;

-
-
-
- - - - - - - -
-

[4]

-
-

securely stores organization-defined types of digital and/or non-digital media within organization-defined controlled areas; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media storage

-

- physical and environmental protection policy and procedures

-

- access control policy and procedures

-

- security plan

-

- information system media

-

- designated controlled areas

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media protection and storage responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for storing information media

-

- automated mechanisms supporting and/or implementing secure media storage/media protection

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-56

-
-
-

NIST Special Publication 800-57

-
-
-

NIST Special Publication 800-111

-
-
-
-
-

- MP-5 MEDIA TRANSPORT

-
-

- Parameter: - mp-5_a organization-defined types of information system media

-

- Value: organization-defined types of information system media

-
-
-

- Parameter: - mp-5_b organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Protects and controls - - mp-5_a - - organization-defined types of information system media - organization-defined types of information system media - during transport outside of controlled areas using - - mp-5_b - - organization-defined security safeguards - organization-defined security safeguards - ;

-
-
-
- - - - - - - -
-

b.

-
-

Maintains accountability for information system media during transport outside of controlled areas;

-
-
-
- - - - - - - -
-

c.

-
-

Documents activities associated with the transport of information system media; and

-
-
-
- - - - - - - -
-

d.

-
-

Restricts the activities associated with the transport of information system media to authorized personnel.

-
-
-
-
-
-

Supplemental guidance

-

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. -Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. 
Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records.

- - - - - - - - -
-
-

- MP-5 (4) CRYPTOGRAPHIC PROTECTION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

-
-
-
-

Supplemental guidance

-

This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers).

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media transport

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system media transport records

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media transport responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Cryptographic mechanisms protecting information on digital media during transportation outside controlled areas

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines types of information system media to be protected and controlled during transport outside of controlled areas;

-
-
-
- - - - - - - -
-

[2]

-
-

defines security safeguards to protect and control organization-defined information system media during transport outside of controlled areas;

-
-
-
- - - - - - - -
-

[3]

-
-

protects and controls organization-defined information system media during transport outside of controlled areas using organization-defined security safeguards;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

maintains accountability for information system media during transport outside of controlled areas;

-
-
-
- - - - - - - -
-

(c)

-
-

documents activities associated with the transport of information system media; and

-
-
-
- - - - - - - -
-

(d)

-
-

restricts the activities associated with transport of information system media to authorized personnel.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media storage

-

- physical and environmental protection policy and procedures

-

- access control policy and procedures

-

- security plan

-

- information system media

-

- designated controlled areas

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media protection and storage responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for storing information media

-

- automated mechanisms supporting and/or implementing media storage/media protection

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-60

-
-
-
-
-

- MP-6 MEDIA SANITIZATION

-
-

- Parameter: - mp-6_a organization-defined information system media

-

- Value: organization-defined information system media

-
-
-

- Parameter: - mp-6_b organization-defined sanitization techniques and procedures

-

- Value: organization-defined sanitization techniques and procedures

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Sanitizes - - mp-6_a - - organization-defined information system media - organization-defined information system media - prior to disposal, release out of organizational control, or release for reuse using - - mp-6_b - - organization-defined sanitization techniques and procedures - organization-defined sanitization techniques and procedures - in accordance with applicable federal and organizational standards and policies; and

-
-
-
- - - - - - - -
-

b.

-
-

Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information.

- - - - -
-
-

- MP-6 (1) REVIEW / APPROVE / TRACK / DOCUMENT / VERIFY

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions.

-
-
-
-

Supplemental guidance

-

Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Organizations verify that the sanitization of the media was effective prior to disposal.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

reviews media sanitization and disposal actions;

-
-
-
- - - - - - - -
-

[2]

-
-

approves media sanitization and disposal actions;

-
-
-
- - - - - - - -
-

[3]

-
-

tracks media sanitization and disposal actions;

-
-
-
- - - - - - - -
-

[4]

-
-

documents media sanitization and disposal actions; and

-
-
-
- - - - - - - -
-

[5]

-
-

verifies media sanitization and disposal actions.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media sanitization and disposal

-

- media sanitization and disposal records

-

- review records for media sanitization and disposal actions

-

- approvals for media sanitization and disposal actions

-

- tracking records

-

- verification records

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media sanitization and disposal responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for media sanitization

-

- automated mechanisms supporting and/or implementing media sanitization

-
-

References: None -

-
-
-

- MP-6 (2) EQUIPMENT TESTING

-
-

- Parameter: - mp-6_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tests sanitization equipment and procedures - - mp-6_c - - organization-defined frequency - organization-defined frequency - to verify that the intended sanitization is being achieved.

-
-
-
-

Supplemental guidance

-

Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities (e.g., other federal agencies or external service providers).

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the frequency for testing sanitization equipment and procedures to verify that the intended sanitization is being achieved; and

-
-
-
- - - - - - - -
-

[2]

-
-

tests sanitization equipment and procedures with the organization-defined frequency to verify that the intended sanitization is being achieved.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media sanitization and disposal

-

- procedures addressing testing of media sanitization equipment

-

- results of media sanitization equipment and procedures testing

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media sanitization responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for media sanitization

-

- automated mechanisms supporting and/or implementing media sanitization

-
-

References: None -

-
-
-

- MP-6 (3) NONDESTRUCTIVE TECHNIQUES

-
-

- Parameter: - mp-6_d organization-defined circumstances requiring sanitization of portable storage devices

-

- Value: organization-defined circumstances requiring sanitization of portable storage devices

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: - - mp-6_d - - organization-defined circumstances requiring sanitization of portable storage devices - organization-defined circumstances requiring sanitization of portable storage devices - .

-
-
-
-

Supplemental guidance

-

This control enhancement applies to digital media containing classified information and Controlled Unclassified Information (CUI). Portable storage devices can be the source of malicious code insertions into organizational information systems. Many of these devices are obtained from unknown and potentially untrustworthy sources and may contain malicious code that can be readily transferred to information systems through USB ports or other entry portals. While scanning such storage devices is always recommended, sanitization provides additional assurance that the devices are free of malicious code to include code capable of initiating zero-day attacks. Organizations consider nondestructive sanitization of portable storage devices when such devices are first purchased from the manufacturer or vendor prior to initial use or when organizations lose a positive chain of custody for the devices.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines circumstances requiring sanitization of portable storage devices; and

-
-
-
- - - - - - - -
-

[2]

-
-

applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under organization-defined circumstances requiring sanitization of portable storage devices.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media sanitization and disposal

-

- list of circumstances requiring sanitization of portable storage devices

-

- media sanitization records

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media sanitization responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for media sanitization of portable storage devices

-

- automated mechanisms supporting and/or implementing media sanitization

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information system media to be sanitized prior to:

-
- - - - - - - -
-

[a]

-
-

disposal;

-
-
-
- - - - - - - -
-

[b]

-
-

release out of organizational control; or

-
-
-
- - - - - - - -
-

[c]

-
-

release for reuse;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to:

-
- - - - - - - -
-

[a]

-
-

disposal;

-
-
-
- - - - - - - -
-

[b]

-
-

release out of organizational control; or

-
-
-
- - - - - - - -
-

[c]

-
-

release for reuse;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational standards and policies; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media sanitization and disposal

-

- applicable federal standards and policies addressing media sanitization

-

- media sanitization records

-

- audit records

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with media sanitization responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for media sanitization

-

- automated mechanisms supporting and/or implementing media sanitization

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-60

-
-
-

NIST Special Publication 800-88

-
-
-

http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml

-
-
-
-
-

- MP-7 MEDIA USE

-
-

- Parameter: - mp-7_a organization-defined types of information system media

-

- Value: organization-defined types of information system media

-
-
-

- Parameter: - mp-7_b organization-defined information systems or system components

-

- Value: organization-defined information systems or system components

-
-
-

- Parameter: - mp-7_c organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization [Selection: restricts; prohibits] the use of - - mp-7_a - - organization-defined types of information system media - organization-defined types of information system media - on - - mp-7_b - - organization-defined information systems or system components - organization-defined information systems or system components - using - - mp-7_c - - organization-defined security safeguards - organization-defined security safeguards - .

-
-
-
-

Supplemental guidance

-

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices.

- - -
-
-

- MP-7 (1) PROHIBIT USE WITHOUT OWNER

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

-
-
-
-

Supplemental guidance

-

Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion).

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- system use policy

-

- procedures addressing media usage restrictions

-

- security plan

-

- rules of behavior

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media use responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for media use

-

- automated mechanisms prohibiting use of media on information systems or system components

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines types of information system media to be:

-
- - - - - - - -
-

[a]

-
-

restricted on information systems or system components; or

-
-
-
- - - - - - - -
-

[b]

-
-

prohibited from use on information systems or system components;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines information systems or system components on which the use of organization-defined types of information system media is to be one of the following:

-
- - - - - - - -
-

[a]

-
-

restricted; or

-
-
-
- - - - - - - -
-

[b]

-
-

prohibited;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

defines security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components; and

-
-
-
- - - - - - - -
-

[4]

-
-

restricts or prohibits the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- system use policy

-

- procedures addressing media usage restrictions

-

- security plan

-

- rules of behavior

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media use responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for media use

-

- automated mechanisms restricting or prohibiting use of information system media on information systems or system components

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-111

-
-
-
-
-
-

PHYSICAL AND ENVIRONMENTAL PROTECTION

-
-

- PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES

-
-

- Parameter: - pe-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - pe-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - pe-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - pe-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Physical and environmental protection policy - - pe-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Physical and environmental protection procedures - - pe-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a physical and environmental protection policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the physical and environmental protection policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the physical and environmental protection policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current physical and environmental protection policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current physical and environmental protection policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current physical and environmental protection procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current physical and environmental protection procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical and environmental protection responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- PE-2 PHYSICAL ACCESS AUTHORIZATIONS

-
-

- Parameter: - pe-2_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;

-
-
-
- - - - - - - -
-

b.

-
-

Issues authorization credentials for facility access;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews the access list detailing authorized facility access by individuals - - pe-2_a - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

d.

-
-

Removes individuals from the facility access list when access is no longer required.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

develops a list of individuals with authorized access to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[2]

-
-

approves a list of individuals with authorized access to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[3]

-
-

maintains a list of individuals with authorized access to the facility where the information system resides;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

issues authorization credentials for facility access;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the access list detailing authorized facility access by individuals;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the access list detailing authorized facility access by individuals with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

removes individuals from the facility access list when access is no longer required.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access authorizations

-

- security plan

-

- authorized personnel access list

-

- authorization credentials

-

- physical access list reviews

-

- physical access termination records and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access authorization responsibilities

-

- organizational personnel with physical access to information system facility

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for physical access authorizations

-

- automated mechanisms supporting and/or implementing physical access authorizations

-
-

References: None -

-
-
-

- PE-3 PHYSICAL ACCESS CONTROL

-
-

- Parameter: - pe-3_a organization-defined entry/exit points to the facility where the information system resides

-

- Value: organization-defined entry/exit points to the facility where the information system resides

-
-
-

- Parameter: - pe-3_b organization-defined physical access control systems/devices

-

- Value: organization-defined physical access control systems/devices

-
-
-

- Parameter: - pe-3_c organization-defined entry/exit points

-

- Value: organization-defined entry/exit points

-
-
-

- Parameter: - pe-3_d organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-
-

- Parameter: - pe-3_e organization-defined circumstances requiring visitor escorts and monitoring

-

- Value: organization-defined circumstances requiring visitor escorts and monitoring

-
-
-

- Parameter: - pe-3_f organization-defined physical access devices

-

- Value: organization-defined physical access devices

-
-
-

- Parameter: - pe-3_g organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - pe-3_h organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Enforces physical access authorizations at - - pe-3_a - - organization-defined entry/exit points to the facility where the information system resides - organization-defined entry/exit points to the facility where the information system resides - by;

-
- - - - - - - -
-

1.

-
-

Verifying individual access authorizations before granting access to the facility; and

-
-
-
- - - - - - - -
-

2.

-
-

Controlling ingress/egress to the facility using [Selection (one or more): - - pe-3_b - - organization-defined physical access control systems/devices - organization-defined physical access control systems/devices - ; guards];

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Maintains physical access audit logs for - - pe-3_c - - organization-defined entry/exit points - organization-defined entry/exit points - ;

-
-
-
- - - - - - - -
-

c.

-
-

Provides - - pe-3_d - - organization-defined security safeguards - organization-defined security safeguards - to control access to areas within the facility officially designated as publicly accessible;

-
-
-
- - - - - - - -
-

d.

-
-

Escorts visitors and monitors visitor activity - - pe-3_e - - organization-defined circumstances requiring visitor escorts and monitoring - organization-defined circumstances requiring visitor escorts and monitoring - ;

-
-
-
- - - - - - - -
-

e.

-
-

Secures keys, combinations, and other physical access devices;

-
-
-
- - - - - - - -
-

f.

-
-

Inventories - - pe-3_f - - organization-defined physical access devices - organization-defined physical access devices - every - - pe-3_g - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

g.

-
-

Changes combinations and keys - - pe-3_h - - organization-defined frequency - organization-defined frequency - and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.

- - - - - - - - - -
-
-

- PE-3 (1) INFORMATION SYSTEM ACCESS

-
-

- Parameter: - pe-3_i organization-defined physical spaces containing one or more components of the information system

-

- Value: organization-defined physical spaces containing one or more components of the information system

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at - - pe-3_i - - organization-defined physical spaces containing one or more components of the information system - organization-defined physical spaces containing one or more components of the information system - .

-
-
-
-

Supplemental guidance

-

This control enhancement provides additional physical security for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers).

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines physical spaces containing one or more components of the information system; and

-
-
-
- - - - - - - -
-

[2]

-
-

enforces physical access authorizations to the information system in addition to the physical access controls for the facility at organization-defined physical spaces containing one or more components of the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access control

-

- physical access control logs or records

-

- physical access control devices

-

- access authorizations

-

- access credentials

-

- information system entry and exit points

-

- list of areas within the facility containing concentrations of information system components or information system components requiring additional physical protection

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access authorization responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for physical access control to the information system/components

-

- automated mechanisms supporting and/or implementing physical access control for facility areas containing information system components

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines entry/exit points to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[2]

-
-

enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides by:

-
- - - - - - - -
-

(1)

-
-

verifying individual access authorizations before granting access to the facility;

-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[a]

-
-

defining physical access control systems/devices to be employed to control ingress/egress to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[b]

-
-

using one or more of the following ways to control ingress/egress to the facility:

-
- - - - - - - -
-

[1]

-
-

organization-defined physical access control systems/devices; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

guards;

-
-
-
-
-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines entry/exit points for which physical access audit logs are to be maintained;

-
-
-
- - - - - - - -
-

[2]

-
-

maintains physical access audit logs for organization-defined entry/exit points;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible;

-
-
-
- - - - - - - -
-

[2]

-
-

provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines circumstances requiring visitor:

-
- - - - - - - -
-

[a]

-
-

escorts;

-
-
-
- - - - - - - -
-

[b]

-
-

monitoring;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

in accordance with organization-defined circumstances requiring visitor escorts and monitoring:

-
- - - - - - - -
-

[a]

-
-

escorts visitors;

-
-
-
- - - - - - - -
-

[b]

-
-

monitors visitor activities;

-
-
-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

secures keys;

-
-
-
- - - - - - - -
-

[2]

-
-

secures combinations;

-
-
-
- - - - - - - -
-

[3]

-
-

secures other physical access devices;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines physical access devices to be inventoried;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to inventory organization-defined physical access devices;

-
-
-
- - - - - - - -
-

[3]

-
-

inventories the organization-defined physical access devices with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to change combinations and keys; and

-
-
-
- - - - - - - -
-

[2]

-
-

changes combinations and keys with the organization-defined frequency and/or when:

-
- - - - - - - -
-

[a]

-
-

keys are lost;

-
-
-
- - - - - - - -
-

[b]

-
-

combinations are compromised;

-
-
-
- - - - - - - -
-

[c]

-
-

individuals are transferred or terminated.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access control

-

- security plan

-

- physical access control logs or records

-

- inventory records of physical access control devices

-

- information system entry and exit points

-

- records of key and lock combination changes

-

- storage locations for physical access control devices

-

- physical access control devices

-

- list of security safeguards controlling access to designated publicly accessible areas within facility

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for physical access control

-

- automated mechanisms supporting and/or implementing physical access control

-

- physical access control devices

-
-
-

References

-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

NIST Special Publication 800-116

-
-
-

ICD 704

-
-
-

ICD 705

-
-
-

DoD Instruction 5200.39

-
-
-

Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)

-
-
-

http://idmanagement.gov

-
-
-

http://fips201ep.cio.gov

-
-
-
-
-

- PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM

-
-

- Parameter: - pe-4_a organization-defined information system distribution and transmission lines

-

- Value: organization-defined information system distribution and transmission lines

-
-
-

- Parameter: - pe-4_b organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization controls physical access to - - pe-4_a - - organization-defined information system distribution and transmission lines - organization-defined information system distribution and transmission lines - within organizational facilities using - - pe-4_b - - organization-defined security safeguards - organization-defined security safeguards - .

-
-
-
-

Supplemental guidance

-

Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information system distribution and transmission lines requiring physical access controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines security safeguards to be employed to control physical access to organization-defined information system distribution and transmission lines within organizational facilities; and

-
-
-
- - - - - - - -
-

[3]

-
-

controls physical access to organization-defined information system distribution and transmission lines within organizational facilities using organization-defined security safeguards.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing access control for transmission medium

-

- information system design documentation

-

- facility communications and wiring diagrams

-

- list of physical security safeguards applied to information system distribution and transmission lines

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for access control to distribution and transmission lines

-

- automated mechanisms/security safeguards supporting and/or implementing access control to distribution and transmission lines

-
-
-

References

-
-

NSTISSI No. 7003

-
-
-
-
-

- PE-5 ACCESS CONTROL FOR OUTPUT DEVICES

-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

-
-
-
-

Supplemental guidance

-

Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices.

- - - - -
-
-

Objective

- - - - - - -
- -

Determine if the organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing access control for display medium

-

- facility layout of information system components

-

- actual displays from information system components

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for access control to output devices

-

- automated mechanisms supporting and/or implementing access control to output devices

-
-

References: None -

-
-
-

- PE-6 MONITORING PHYSICAL ACCESS

-
-

- Parameter: - pe-6_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - pe-6_b organization-defined events or potential indications of events

-

- Value: organization-defined events or potential indications of events

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

-
-
-
- - - - - - - -
-

b.

-
-

Reviews physical access logs - - pe-6_a - - organization-defined frequency - organization-defined frequency - and upon occurrence of - - pe-6_b - - organization-defined events or potential indications of events - organization-defined events or potential indications of events - ; and

-
-
-
- - - - - - - -
-

c.

-
-

Coordinates results of reviews and investigations with the organizational incident response capability.

-
-
-
-
-
-

Supplemental guidance

-

Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses.

- - - -
-
-

- PE-6 (1) INTRUSION ALARMS / SURVEILLANCE EQUIPMENT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization monitors physical intrusion alarms and surveillance equipment.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization monitors physical intrusion alarms and surveillance equipment.

-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access monitoring

-

- security plan

-

- physical access logs or records

-

- physical access monitoring records

-

- physical access log reviews

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access monitoring responsibilities

-

- organizational personnel with incident response responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring physical intrusion alarms and surveillance equipment

-

- automated mechanisms supporting and/or implementing physical access monitoring

-

- automated mechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment

-
-

References: None -

-
-
-

- PE-6 (4) MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS

-
-

- Parameter: - pe-6_g organization-defined physical spaces containing one or more components of the information system

-

- Value: organization-defined physical spaces containing one or more components of the information system

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as - - pe-6_g - - organization-defined physical spaces containing one or more components of the information system - organization-defined physical spaces containing one or more components of the information system - .

-
-
-
-

Supplemental guidance

-

This control enhancement provides additional monitoring for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, communications centers).

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines physical spaces containing one or more components of the information system; and

-
-
-
- - - - - - - -
-

[2]

-
-

monitors physical access to the information system in addition to the physical access monitoring of the facility at organization-defined physical spaces containing one or more components of the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access monitoring

-

- physical access control logs or records

-

- physical access control devices

-

- access authorizations

-

- access credentials

-

- list of areas within the facility containing concentrations of information system components or information system components requiring additional physical access monitoring

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access monitoring responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring physical access to the information system

-

- automated mechanisms supporting and/or implementing physical access monitoring for facility areas containing information system components

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review physical access logs;

-
-
-
- - - - - - - -
-

[2]

-
-

defines events or potential indication of events requiring physical access logs to be reviewed;

-
-
-
- - - - - - - -
-

[3]

-
-

reviews physical access logs with the organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

coordinates results of reviews and investigations with the organizational incident response capability.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access monitoring

-

- security plan

-

- physical access logs or records

-

- physical access monitoring records

-

- physical access log reviews

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access monitoring responsibilities

-

- organizational personnel with incident response responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring physical access

-

- automated mechanisms supporting and/or implementing physical access monitoring

-

- automated mechanisms supporting and/or implementing reviewing of physical access logs

-
-

References: None -

-
-
-

- PE-8 VISITOR ACCESS RECORDS

-
-

- Parameter: - pe-8_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - pe-8_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Maintains visitor access records to the facility where the information system resides for - - pe-8_a - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Reviews visitor access records - - pe-8_b - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas.

-
-
-

- PE-8 (1) AUTOMATED RECORDS MAINTENANCE / REVIEW

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to facilitate the maintenance and review of visitor access records.

-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing visitor access records

-

- automated mechanisms supporting management of visitor access records

-

- visitor access control logs or records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with visitor access records responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for maintaining and reviewing visitor access records

-

- automated mechanisms supporting and/or implementing maintenance and review of visitor access records

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the time period to maintain visitor access records to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[2]

-
-

maintains visitor access records to the facility where the information system resides for the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review visitor access records; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews visitor access records with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing visitor access records

-

- security plan

-

- visitor access control logs or records

-

- visitor access record or log reviews

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with visitor access records responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for maintaining and reviewing visitor access records

-

- automated mechanisms supporting and/or implementing maintenance and review of visitor access records

-
-

References: None -

-
-
-

- PE-9 POWER EQUIPMENT AND CABLING

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization protects power equipment and power cabling for the information system from damage and destruction.

-
-
-
-

Supplemental guidance

-

Organizations determine the types of protection necessary for power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. This includes, for example, generators and power cabling outside of buildings, internal cabling and uninterruptable power sources within an office or data center, and power sources for self-contained entities such as vehicles and satellites.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization protects power equipment and power cabling for the information system from damage and destruction.

-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing power equipment/cabling protection

-

- facilities housing power equipment/cabling

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for protecting power equipment/cabling

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing protection of power equipment/cabling

-
-

References: None -

-
-
-

- PE-10 EMERGENCY SHUTOFF

-
-

- Parameter: - pe-10_a organization-defined location by information system or system component

-

- Value: organization-defined location by information system or system component

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Provides the capability of shutting off power to the information system or individual system components in emergency situations;

-
-
-
- - - - - - - -
-

b.

-
-

Places emergency shutoff switches or devices in - - pe-10_a - - organization-defined location by information system or system component - organization-defined location by information system or system component - to facilitate safe and easy access for personnel; and

-
-
-
- - - - - - - -
-

c.

-
-

Protects emergency power shutoff capability from unauthorized activation.

-
-
-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

provides the capability of shutting off power to the information system or individual system components in emergency situations;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the location of emergency shutoff switches or devices by information system or system component;

-
-
-
- - - - - - - -
-

[2]

-
-

places emergency shutoff switches or devices in the organization-defined location by information system or system component to facilitate safe and easy access for personnel; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

protects emergency power shutoff capability from unauthorized activation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing power source emergency shutoff

-

- security plan

-

- emergency shutoff controls or switches

-

- locations housing emergency shutoff switches and devices

-

- security safeguards protecting emergency power shutoff capability from unauthorized activation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for emergency power shutoff capability (both implementing and using the capability)

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing emergency power shutoff

-
-

References: None -

-
-
-

- PE-11 EMERGENCY POWER

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.

-
-
-
-

Supplemental guidance

- - - -
-
-

- PE-11 (1) LONG-TERM ALTERNATE POWER SUPPLY - MINIMAL OPERATIONAL CAPABILITY

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.

-
-
-
-

Supplemental guidance

-

This control enhancement can be satisfied, for example, by the use of a secondary commercial power supply or other external power supply. Long-term alternate power supplies for the information system can be either manually or automatically activated.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.

-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing emergency power

-

- alternate power supply

-

- alternate power supply documentation

-

- alternate power supply test records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for emergency power and/or planning

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing alternate power supply

-

- the alternate power supply

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization provides a short-term uninterruptible power supply to facilitate one or more of the following in the event of a primary power source loss:

-
- - - - - - - -
-

[1]

-
-

an orderly shutdown of the information system; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

transition of the information system to long-term alternate power.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing emergency power

-

- uninterruptible power supply

-

- uninterruptible power supply documentation

-

- uninterruptible power supply test records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for emergency power and/or planning

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing uninterruptible power supply

-

- the uninterruptable power supply

-
-

References: None -

-
-
-

- PE-12 EMERGENCY LIGHTING

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization employs and maintains automatic emergency lighting for the information system that:

-
- - - - - - - -
-

[1]

-
-

activates in the event of a power outage or disruption; and

-
-
-
- - - - - - - -
-

[2]

-
-

covers emergency exits and evacuation routes within the facility.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing emergency lighting

-

- emergency lighting documentation

-

- emergency lighting test records

-

- emergency exits and evacuation routes

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for emergency lighting and/or planning

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing emergency lighting capability

-
-

References: None -

-
-
-

- PE-13 FIRE PROTECTION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.

-
-
-

- PE-13 (1) DETECTION DEVICES / SYSTEMS

-
-

- Parameter: - pe-13_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - pe-13_b organization-defined emergency responders

-

- Value: organization-defined emergency responders

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs fire detection devices/systems for the information system that activate automatically and notify - - pe-13_a - - organization-defined personnel or roles - organization-defined personnel or roles - and - - pe-13_b - - organization-defined emergency responders - organization-defined emergency responders - in the event of a fire.

-
-
-
-

Supplemental guidance

-

Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified in the event of a fire;

-
-
-
- - - - - - - -
-

[2]

-
-

defines emergency responders to be notified in the event of a fire;

-
-
-
- - - - - - - -
-

[3]

-
-

employs fire detection devices/systems for the information system that, in the event of a fire,:

-
- - - - - - - -
-

[a]

-
-

activate automatically;

-
-
-
- - - - - - - -
-

[b]

-
-

notify organization-defined personnel or roles; and

-
-
-
- - - - - - - -
-

[c]

-
-

notify organization-defined emergency responders.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing fire protection

-

- facility housing the information system

-

- alarm service-level agreements

-

- test records of fire suppression and detection devices/systems

-

- fire suppression and detection devices/systems documentation

-

- alerts/notifications of fire events

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for fire detection and suppression devices/systems

-

- organizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing fire detection devices/systems

-

- activation of fire detection devices/systems (simulated)

-

- automated notifications

-
-

References: None -

-
-
-

- PE-13 (2) SUPPRESSION DEVICES / SYSTEMS

-
-

- Parameter: - pe-13_c organization-defined emergency responders

-

- Value: organization-defined emergency responders

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to Assignment: organization-defined personnel or roles] and - - pe-13_c - - organization-defined emergency responders - organization-defined emergency responders - .

-
-
-
-

Supplemental guidance

-

Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be provided automatic notification of any activation of fire suppression devices/systems for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

defines emergency responders to be provided automatic notification of any activation of fire suppression devices/systems for the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

employs fire suppression devices/systems for the information system that provide automatic notification of any activation to:

-
- - - - - - - -
-

[a]

-
-

organization-defined personnel or roles; and

-
-
-
- - - - - - - -
-

[b]

-
-

organization-defined emergency responders.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing fire protection

-

- fire suppression and detection devices/systems documentation

-

- facility housing the information system

-

- alarm service-level agreements

-

- test records of fire suppression and detection devices/systems

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for fire detection and suppression devices/systems

-

- organizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing fire suppression devices/systems

-

- activation of fire suppression devices/systems (simulated)

-

- automated notifications

-
-

References: None -

-
-
-

- PE-13 (3) AUTOMATIC FIRE SUPPRESSION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing fire protection

-

- fire suppression and detection devices/systems documentation

-

- facility housing the information system

-

- alarm service-level agreements

-

- test records of fire suppression and detection devices/systems

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for fire detection and suppression devices/systems

-

- organizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing fire suppression devices/systems

-

- activation of fire suppression devices/systems (simulated)

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

employs fire suppression and detection devices/systems for the information system that are supported by an independent energy source; and

-
-
-
- - - - - - - -
-

[2]

-
-

maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing fire protection

-

- fire suppression and detection devices/systems

-

- fire suppression and detection devices/systems documentation

-

- test records of fire suppression and detection devices/systems

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for fire detection and suppression devices/systems

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing fire suppression/detection devices/systems

-
-

References: None -

-
-
-

- PE-14 TEMPERATURE AND HUMIDITY CONTROLS

-
-

- Parameter: - pe-14_a organization-defined acceptable levels

-

- Value: organization-defined acceptable levels

-
-
-

- Parameter: - pe-14_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Maintains temperature and humidity levels within the facility where the information system resides at - - pe-14_a - - organization-defined acceptable levels - organization-defined acceptable levels - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Monitors temperature and humidity levels - - pe-14_b - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines acceptable temperature levels to be maintained within the facility where the information system resides;

-
-
-
- - - - - - - -
-

[2]

-
-

defines acceptable humidity levels to be maintained within the facility where the information system resides;

-
-
-
- - - - - - - -
-

[3]

-
-

maintains temperature levels within the facility where the information system resides at the organization-defined levels;

-
-
-
- - - - - - - -
-

[4]

-
-

maintains humidity levels within the facility where the information system resides at the organization-defined levels;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to monitor temperature levels;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to monitor humidity levels;

-
-
-
- - - - - - - -
-

[3]

-
-

monitors temperature levels with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[4]

-
-

monitors humidity levels with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing temperature and humidity control

-

- security plan

-

- temperature and humidity controls

-

- facility housing the information system

-

- temperature and humidity controls documentation

-

- temperature and humidity records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for information system environmental controls

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing maintenance and monitoring of temperature and humidity levels

-
-

References: None -

-
-
-

- PE-15 WATER DAMAGE PROTECTION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.

- -
-
-

- PE-15 (1) AUTOMATION SUPPORT

-
-

- Parameter: - pe-15_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts - - pe-15_a - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-

Supplemental guidance

-

Automated mechanisms can include, for example, water detection sensors, alarms, and notification systems.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be alerted when the presence of water is detected in the vicinity of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms to detect the presence of water in the vicinity of the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

alerts organization-defined personnel or roles when the presence of water is detected in the vicinity of the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing water damage protection

-

- facility housing the information system

-

- automated mechanisms for water shutoff valves

-

- automated mechanisms detecting presence of water in vicinity of information system

-

- alerts/notifications of water detection in information system facility

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for information system environmental controls

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing water detection capability and alerts for the information system

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are:

-
- - - - - - - -
-

[1]

-
-

accessible;

-
-
-
- - - - - - - -
-

[2]

-
-

working properly; and

-
-
-
- - - - - - - -
-

[3]

-
-

known to key personnel.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing water damage protection

-

- facility housing the information system

-

- master shutoff valves

-

- list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system

-

- master shutoff valve documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for information system environmental controls

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Master water-shutoff valves

-

- organizational process for activating master water-shutoff

-
-

References: None -

-
-
-

- PE-16 DELIVERY AND REMOVAL

-
-

- Parameter: - pe-16_a organization-defined types of information system components

-

- Value: organization-defined types of information system components

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization authorizes, monitors, and controls - - pe-16_a - - organization-defined types of information system components - organization-defined types of information system components - entering and exiting the facility and maintains records of those items.

-
-
-
-

Supplemental guidance

-

Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines types of information system components to be authorized, monitored, and controlled as such components are entering and exiting the facility;

-
-
-
- - - - - - - -
-

[2]

-
-

authorizes organization-defined information system components entering the facility;

-
-
-
- - - - - - - -
-

[3]

-
-

monitors organization-defined information system components entering the facility;

-
-
-
- - - - - - - -
-

[4]

-
-

controls organization-defined information system components entering the facility;

-
-
-
- - - - - - - -
-

[5]

-
-

authorizes organization-defined information system components exiting the facility;

-
-
-
- - - - - - - -
-

[6]

-
-

monitors organization-defined information system components exiting the facility;

-
-
-
- - - - - - - -
-

[7]

-
-

controls organization-defined information system components exiting the facility;

-
-
-
- - - - - - - -
-

[8]

-
-

maintains records of information system components entering the facility; and

-
-
-
- - - - - - - -
-

[9]

-
-

maintains records of information system components exiting the facility.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing delivery and removal of information system components from the facility

-

- security plan

-

- facility housing the information system

-

- records of items entering and exiting the facility

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for controlling information system components entering and exiting the facility

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational process for authorizing, monitoring, and controlling information system-related items entering and exiting the facility

-

- automated mechanisms supporting and/or implementing authorizing, monitoring, and controlling information system-related items entering and exiting the facility

-
-

References: None -

-
-
-

- PE-17 ALTERNATE WORK SITE

-
-

- Parameter: - pe-17_a organization-defined security controls

-

- Value: organization-defined security controls

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Employs - - pe-17_a - - organization-defined security controls - organization-defined security controls - at alternate work sites;

-
-
-
- - - - - - - -
-

b.

-
-

Assesses as feasible, the effectiveness of security controls at alternate work sites; and

-
-
-
- - - - - - - -
-

c.

-
-

Provides a means for employees to communicate with information security personnel in case of security incidents or problems.

-
-
-
-
-
-

Supplemental guidance

-

Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines security controls to be employed at alternate work sites;

-
-
-
- - - - - - - -
-

[2]

-
-

employs organization-defined security controls at alternate work sites;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

assesses, as feasible, the effectiveness of security controls at alternate work sites; and

-
-
-
- - - - - - - -
-

(c)

-
-

provides a means for employees to communicate with information security personnel in case of security incidents or problems.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing alternate work sites for organizational personnel

-

- security plan

-

- list of security controls required for alternate work sites

-

- assessments of security controls at alternate work sites

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel approving use of alternate work sites

-

- organizational personnel using alternate work sites

-

- organizational personnel assessing controls at alternate work sites

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for security at alternate work sites

-

- automated mechanisms supporting alternate work sites

-

- security controls employed at alternate work sites

-

- means of communications between personnel at alternate work sites and security personnel

-
-
-

References

-
-

NIST Special Publication 800-46

-
-
-
-
-

- PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS

-
-

- Parameter: - pe-18_a organization-defined physical and environmental hazards

-

- Value: organization-defined physical and environmental hazards

-
-

- priority: P3

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization positions information system components within the facility to minimize potential damage from - - pe-18_a - - organization-defined physical and environmental hazards - organization-defined physical and environmental hazards - and to minimize the opportunity for unauthorized access.

-
-
-
-

Supplemental guidance

-

Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones).

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines physical hazards that could result in potential damage to information system components within the facility;

-
-
-
- - - - - - - -
-

[2]

-
-

defines environmental hazards that could result in potential damage to information system components within the facility;

-
-
-
- - - - - - - -
-

[3]

-
-

positions information system components within the facility to minimize potential damage from organization-defined physical and environmental hazards; and

-
-
-
- - - - - - - -
-

[4]

-
-

positions information system components within the facility to minimize the opportunity for unauthorized access.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing positioning of information system components

-

- documentation providing the location and position of information system components within the facility

-

- locations housing information system components within the facility

-

- list of physical and environmental hazards with potential to damage information system components within the facility

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for positioning information system components

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for positioning information system components

-
-

References: None -

-
-
-
-

PLANNING

-
-

- PL-1 SECURITY PLANNING POLICY AND PROCEDURES

-
-

- Parameter: - pl-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - pl-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - pl-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - pl-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Security planning policy - - pl-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Security planning procedures - - pl-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a planning policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the planning policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the planning policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the planning policy and associated planning controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current planning policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current planning policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current planning procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current planning procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Planning policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with planning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-18

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- PL-2 SYSTEM SECURITY PLAN

-
-

- Parameter: - pl-2_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - pl-2_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops a security plan for the information system that:

-
- - - - - - - -
-

1.

-
-

Is consistent with the organization�s enterprise architecture;

-
-
-
- - - - - - - -
-

2.

-
-

Explicitly defines the authorization boundary for the system;

-
-
-
- - - - - - - -
-

3.

-
-

Describes the operational context of the information system in terms of missions and business processes;

-
-
-
- - - - - - - -
-

4.

-
-

Provides the security categorization of the information system including supporting rationale;

-
-
-
- - - - - - - -
-

5.

-
-

Describes the operational environment for the information system and relationships with or connections to other information systems;

-
-
-
- - - - - - - -
-

6.

-
-

Provides an overview of the security requirements for the system;

-
-
-
- - - - - - - -
-

7.

-
-

Identifies any relevant overlays, if applicable;

-
-
-
- - - - - - - -
-

8.

-
-

Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and

-
-
-
- - - - - - - -
-

9.

-
-

Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Distributes copies of the security plan and communicates subsequent changes to the plan to - - pl-2_a - - organization-defined personnel or roles - organization-defined personnel or roles - ;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews the security plan for the information system - - pl-2_b - - organization-defined frequency - organization-defined frequency - ;

-
-
-
- - - - - - - -
-

d.

-
-

Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and

-
-
-
- - - - - - - -
-

e.

-
-

Protects the security plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Supplemental guidance

-

Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. -Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. 
For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.

- - - - - - - - - - - - - - - - - - - - - - - - -
-
-

- PL-2 (3) PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES

-
-

- Parameter: - pl-2_c organization-defined individuals or groups

-

- Value: organization-defined individuals or groups

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization plans and coordinates security-related activities affecting the information system with - - pl-2_c - - organization-defined individuals or groups - organization-defined individuals or groups - before conducting such activities in order to reduce the impact on other organizational entities.

-
-
-
-

Supplemental guidance

-

Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines individuals or groups with whom security-related activities affecting the information system are to be planned and coordinated before conducting such activities in order to reduce the impact on other organizational entities; and

-
-
-
- - - - - - - -
-

[2]

-
-

plans and coordinates security-related activities affecting the information system with organization-defined individuals or groups before conducting such activities in order to reduce the impact on other organizational entities.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- access control policy

-

- contingency planning policy

-

- procedures addressing security-related activity planning for the information system

-

- security plan for the information system

-

- contingency plan for the information system

-

- information system design documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security planning and plan implementation responsibilities

-

- organizational individuals or groups with whom security-related activities are to be planned and coordinated

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops a security plan for the information system that:

-
- - - - - - - -
-

(1)

-
-

is consistent with the organization’s enterprise architecture;

-
-
-
- - - - - - - -
-

(2)

-
-

explicitly defines the authorization boundary for the system;

-
-
-
- - - - - - - -
-

(3)

-
-

describes the operational context of the information system in terms of missions and business processes;

-
-
-
- - - - - - - -
-

(4)

-
-

provides the security categorization of the information system including supporting rationale;

-
-
-
- - - - - - - -
-

(5)

-
-

describes the operational environment for the information system and relationships with or connections to other information systems;

-
-
-
- - - - - - - -
-

(6)

-
-

provides an overview of the security requirements for the system;

-
-
-
- - - - - - - -
-

(7)

-
-

identifies any relevant overlays, if applicable;

-
-
-
- - - - - - - -
-

(8)

-
-

describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions;

-
-
-
- - - - - - - -
-

(9)

-
-

is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom copies of the security plan are to be distributed and subsequent changes to the plan are to be communicated;

-
-
-
- - - - - - - -
-

[2]

-
-

distributes copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the security plan for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the security plan for the information system with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

updates the plan to address:

-
- - - - - - - -
-

[1]

-
-

changes to the information system/environment of operation;

-
-
-
- - - - - - - -
-

[2]

-
-

problems identified during plan implementation;

-
-
-
- - - - - - - -
-

[3]

-
-

problems identified during security control assessments;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

protects the security plan from unauthorized:

-
- - - - - - - -
-

[1]

-
-

disclosure; and

-
-
-
- - - - - - - -
-

[2]

-
-

modification.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- procedures addressing security plan development and implementation

-

- procedures addressing security plan reviews and updates

-

- enterprise architecture documentation

-

- security plan for the information system

-

- records of security plan reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for security plan development/review/update/approval

-

- automated mechanisms supporting the information system security plan

-
-
-

References

-
-

NIST Special Publication 800-18

-
-
-
-
-

- PL-4 RULES OF BEHAVIOR

-
-

- Parameter: - pl-4_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

-
-
-
- - - - - - - -
-

b.

-
-

Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews and updates the rules of behavior - - pl-4_a - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

d.

-
-

Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior.

- - - - - - - - - - - - - - - - - - -
-
-

- PL-4 (1) SOCIAL MEDIA AND NETWORKING RESTRICTIONS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.

-
-
-
-

Supplemental guidance

-

This control enhancement addresses rules of behavior related to the use of social media/networking sites: (i) when organizational personnel are using such sites for official duties or in the conduct of official business; (ii) when organizational information is involved in social media/networking transactions; and (iii) when personnel are accessing social media/networking sites from organizational information systems. Organizations also address specific rules that prevent unauthorized entities from obtaining and/or inferring non-public organizational information (e.g., system account information, personally identifiable information) from social media/networking sites.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization includes the following in the rules of behavior:

-
- - - - - - - -
-

[1]

-
-

explicit restrictions on the use of social media/networking sites; and

-
-
-
- - - - - - - -
-

[2]

-
-

posting organizational information on public websites.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- procedures addressing rules of behavior for information system users

-

- rules of behavior

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior

-

- organizational personnel who are authorized users of the information system and have signed rules of behavior

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for establishing rules of behavior

-

- automated mechanisms supporting and/or implementing the establishment of rules of behavior

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

establishes, for individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

-
-
-
- - - - - - - -
-

[2]

-
-

makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

receives a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the rules of behavior;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the rules of behavior with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- procedures addressing rules of behavior for information system users

-

- rules of behavior

-

- signed acknowledgements

-

- records for rules of behavior reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior

-

- organizational personnel who are authorized users of the information system and have signed and resigned rules of behavior

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior

-

- automated mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior

-
-
-

References

-
-

NIST Special Publication 800-18

-
-
-
-
-

- PL-8 INFORMATION SECURITY ARCHITECTURE

-
-

- Parameter: - pl-8_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops an information security architecture for the information system that:

-
- - - - - - - -
-

1.

-
-

Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;

-
-
-
- - - - - - - -
-

2.

-
-

Describes how the information security architecture is integrated into and supports the enterprise architecture; and

-
-
-
- - - - - - - -
-

3.

-
-

Describes any information security assumptions about, and dependencies on, external services;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the information security architecture - - pl-8_a - - organization-defined frequency - organization-defined frequency - to reflect updates in the enterprise architecture; and

-
-
-
- - - - - - - -
-

c.

-
-

Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

-
-
-
-
-
-

Supplemental guidance

-

This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs. -In today�s modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. 
PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate/show consistency with the organization�s enterprise architecture and information security architecture.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops an information security architecture for the information system that describes:

-
- - - - - - - -
-

(1)

-
-

the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;

-
-
-
- - - - - - - -
-

(2)

-
-

how the information security architecture is integrated into and supports the enterprise architecture;

-
-
-
- - - - - - - -
-

(3)

-
-

any information security assumptions about, and dependencies on, external services;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the information security architecture;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the information security architecture with the organization-defined frequency to reflect updates in the enterprise architecture;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

ensures that planned information security architecture changes are reflected in:

-
- - - - - - - -
-

[1]

-
-

the security plan;

-
-
-
- - - - - - - -
-

[2]

-
-

the security Concept of Operations (CONOPS); and

-
-
-
- - - - - - - -
-

[3]

-
-

the organizational procurements/acquisitions.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- procedures addressing information security architecture development

-

- procedures addressing information security architecture reviews and updates

-

- enterprise architecture documentation

-

- information security architecture documentation

-

- security plan for the information system

-

- security CONOPS for the information system

-

- records of information security architecture reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security planning and plan implementation responsibilities

-

- organizational personnel with information security architecture development responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for developing, reviewing, and updating the information security architecture

-

- automated mechanisms supporting and/or implementing the development, review, and update of the information security architecture

-
-

References: None -

-
-
-
-

PERSONNEL SECURITY

-
-

- PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES

-
-

- Parameter: - ps-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ps-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ps-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Personnel security policy - - ps-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Personnel security procedures - - ps-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an personnel security policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the personnel security policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the personnel security policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current personnel security policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current personnel security policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current personnel security procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current personnel security procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- PS-2 POSITION RISK DESIGNATION

-
-

- Parameter: - ps-2_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Assigns a risk designation to all organizational positions;

-
-
-
- - - - - - - -
-

b.

-
-

Establishes screening criteria for individuals filling those positions; and

-
-
-
- - - - - - - -
-

c.

-
-

Reviews and updates position risk designations - - ps-2_a - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances).

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

assigns a risk designation to all organizational positions;

-
-
-
- - - - - - - -
-

(b)

-
-

establishes screening criteria for individuals filling those positions;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update position risk designations; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates position risk designations with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing position categorization

-

- appropriate codes of federal regulations

-

- list of risk designations for organizational positions

-

- security plan

-

- records of position risk designation reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for assigning, reviewing, and updating position risk designations

-

- organizational processes for establishing screening criteria

-
-
-

References

-
-

5 C.F.R. 731.106

-
-
-
-
-

- PS-3 PERSONNEL SCREENING

-
-

- Parameter: - ps-3_a organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening

-

- Value: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Screens individuals prior to authorizing access to the information system; and

-
-
-
- - - - - - - -
-

b.

-
-

Rescreens individuals according to - - ps-3_a - - organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening - organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening - .

-
-
-
-
-
-

Supplemental guidance

-

Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

screens individuals prior to authorizing access to the information system;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines conditions requiring re-screening;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency of re-screening where it is so indicated; and

-
-
-
- - - - - - - -
-

[3]

-
-

re-screens individuals in accordance with organization-defined conditions requiring re-screening and, where re-screening is so indicated, with the organization-defined frequency of such re-screening.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel screening

-

- records of screened personnel

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for personnel screening

-
-
-

References

-
-

5 C.F.R. 731.106

-
-
-

FIPS Publication 199

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-60

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

ICD 704

-
-
-
-
-

- PS-4 PERSONNEL TERMINATION

-
-

- Parameter: - ps-4_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ps-4_b organization-defined information security topics

-

- Value: organization-defined information security topics

-
-
-

- Parameter: - ps-4_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-4_d organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization, upon termination of individual employment:

-
- - - - - - - -
-

a.

-
-

Disables information system access within - - ps-4_a - - organization-defined time period - organization-defined time period - ;

-
-
-
- - - - - - - -
-

b.

-
-

Terminates/revokes any authenticators/credentials associated with the individual;

-
-
-
- - - - - - - -
-

c.

-
-

Conducts exit interviews that include a discussion of - - ps-4_b - - organization-defined information security topics - organization-defined information security topics - ;

-
-
-
- - - - - - - -
-

d.

-
-

Retrieves all security-related organizational information system-related property;

-
-
-
- - - - - - - -
-

e.

-
-

Retains access to organizational information and information systems formerly controlled by terminated individual; and

-
-
-
- - - - - - - -
-

f.

-
-

Notifies - - ps-4_c - - organization-defined personnel or roles - organization-defined personnel or roles - within - - ps-4_d - - organization-defined time period - organization-defined time period - .

-
-
-
-
-
-

Supplemental guidance

-

Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified.

- - - - - -
-
-

- PS-4 (2) AUTOMATED NOTIFICATION

-
-

- Parameter: - ps-4_e organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to notify - - ps-4_e - - organization-defined personnel or roles - organization-defined personnel or roles - upon termination of an individual.

-
-
-
-

Supplemental guidance

-

In organizations with a large number of employees, not all personnel who need to know about termination actions receive the appropriate notifications�or, if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to specific organizational personnel or roles (e.g., management personnel, supervisors, personnel security officers, information security officers, systems administrators, or information technology administrators) when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including, for example, telephonically, via electronic mail, via text message, or via websites.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified upon termination of an individual; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms to notify organization-defined personnel or roles upon termination of an individual.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel termination

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- records of personnel termination actions

-

- automated notifications of employee terminations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for personnel termination

-

- automated mechanisms supporting and/or implementing personnel termination notifications

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization, upon termination of individual employment,:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period within which to disable information system access;

-
-
-
- - - - - - - -
-

[2]

-
-

disables information system access within the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

terminates/revokes any authenticators/credentials associated with the individual;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines information security topics to be discussed when conducting exit interviews;

-
-
-
- - - - - - - -
-

[2]

-
-

conducts exit interviews that include a discussion of organization-defined information security topics;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

retrieves all security-related organizational information system-related property;

-
-
-
- - - - - - - -
-

(e)

-
-

retains access to organizational information and information systems formerly controlled by the terminated individual;

-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified of the termination;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which to notify organization-defined personnel or roles; and

-
-
-
- - - - - - - -
-

[3]

-
-

notifies organization-defined personnel or roles within the organization-defined time period.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel termination

-

- records of personnel termination actions

-

- list of information system accounts

-

- records of terminated or revoked authenticators/credentials

-

- records of exit interviews

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for personnel termination

-

- automated mechanisms supporting and/or implementing personnel termination notifications

-

- automated mechanisms for disabling information system access/revoking authenticators

-
-

References: None -

-
-
-

- PS-5 PERSONNEL TRANSFER

-
-

- Parameter: - ps-5_a organization-defined transfer or reassignment actions

-

- Value: organization-defined transfer or reassignment actions

-
-
-

- Parameter: - ps-5_b organization-defined time period following the formal transfer action

-

- Value: organization-defined time period following the formal transfer action

-
-
-

- Parameter: - ps-5_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-5_d organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;

-
-
-
- - - - - - - -
-

b.

-
-

Initiates - - ps-5_a - - organization-defined transfer or reassignment actions - organization-defined transfer or reassignment actions - within - - ps-5_b - - organization-defined time period following the formal transfer action - organization-defined time period following the formal transfer action - ;

-
-
-
- - - - - - - -
-

c.

-
-

Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

-
-
-
- - - - - - - -
-

d.

-
-

Notifies - - ps-5_c - - organization-defined personnel or roles - organization-defined personnel or roles - within - - ps-5_d - - organization-defined time period - organization-defined time period - .

-
-
-
-
-
-

Supplemental guidance

-

This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current:

-
- - - - - - - -
-

[1]

-
-

logical access authorizations to information systems;

-
-
-
- - - - - - - -
-

[2]

-
-

physical access authorizations to information systems and facilities;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines transfer or reassignment actions to be initiated following transfer or reassignment;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which transfer or reassignment actions must occur following transfer or reassignment;

-
-
-
- - - - - - - -
-

[3]

-
-

initiates organization-defined transfer or reassignment actions within the organization-defined time period following transfer or reassignment;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization; and

-
-
-
- - - - - - - -
-

[3]

-
-

notifies organization-defined personnel or roles within the organization-defined time period when individuals are reassigned or transferred to other positions within the organization.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel transfer

-

- security plan

-

- records of personnel transfer actions

-

- list of information system and facility access authorizations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for personnel transfer

-

- automated mechanisms supporting and/or implementing personnel transfer notifications

-

- automated mechanisms for disabling information system access/revoking authenticators

-
-

References: None -

-
-
-

- PS-6 ACCESS AGREEMENTS

-
-

- Parameter: - ps-6_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ps-6_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops and documents access agreements for organizational information systems;

-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the access agreements - - ps-6_a - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

c.

-
-

Ensures that individuals requiring access to organizational information and information systems:

-
- - - - - - - -
-

1.

-
-

Sign appropriate access agreements prior to being granted access; and

-
-
-
- - - - - - - -
-

2.

-
-

Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or - - ps-6_b - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops and documents access agreements for organizational information systems;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the access agreements;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the access agreements with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

(1)

-
-

ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;

-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to re-sign access agreements to maintain access to organizational information systems when access agreements have been updated;

-
-
-
- - - - - - - -
-

[2]

-
-

ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or with the organization-defined frequency.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing access agreements for organizational information and information systems

-

- security plan

-

- access agreements

-

- records of access agreement reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel who have signed/resigned access agreements

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for access agreements

-

- automated mechanisms supporting access agreements

-
-

References: None -

-
-
-

- PS-7 THIRD-PARTY PERSONNEL SECURITY

-
-

- Parameter: - ps-7_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-7_b organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes personnel security requirements including security roles and responsibilities for third-party providers;

-
-
-
- - - - - - - -
-

b.

-
-

Requires third-party providers to comply with personnel security policies and procedures established by the organization;

-
-
-
- - - - - - - -
-

c.

-
-

Documents personnel security requirements;

-
-
-
- - - - - - - -
-

d.

-
-

Requires third-party providers to notify - - ps-7_a - - organization-defined personnel or roles - organization-defined personnel or roles - of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within - - ps-7_b - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

e.

-
-

Monitors provider compliance.

-
-
-
-
-
-

Supplemental guidance

-

Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

establishes personnel security requirements, including security roles and responsibilities, for third-party providers;

-
-
-
- - - - - - - -
-

(b)

-
-

requires third-party providers to comply with personnel security policies and procedures established by the organization;

-
-
-
- - - - - - - -
-

(c)

-
-

documents personnel security requirements;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;

-
-
-
- - - - - - - -
-

[3]

-
-

requires third-party providers to notify organization-defined personnel or roles within the organization-defined time period of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges; and

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

monitors provider compliance.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing third-party personnel security

-

- list of personnel security requirements

-

- acquisition documents

-

- service-level agreements

-

- compliance monitoring process

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- third-party providers

-

- system/network administrators

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for managing and monitoring third-party personnel security

-

- automated mechanisms supporting and/or implementing monitoring of provider compliance

-
-
-

References

-
-

NIST Special Publication 800-35

-
-
-
-
-

- PS-8 PERSONNEL SANCTIONS

-
-

- Parameter: - ps-8_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-8_b organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and

-
-
-
- - - - - - - -
-

b.

-
-

Notifies - - ps-8_a - - organization-defined personnel or roles - organization-defined personnel or roles - within - - ps-8_b - - organization-defined time period - organization-defined time period - when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

-
-
-
-
-
-

Supplemental guidance

-

Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

employs a formal sanctions process for individuals failing to comply with established information security policies and procedures;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified when a formal employee sanctions process is initiated;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated; and

-
-
-
- - - - - - - -
-

[3]

-
-

notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel sanctions

-

- rules of behavior

-

- records of formal sanctions

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for managing personnel sanctions

-

- automated mechanisms supporting and/or implementing notifications

-
-

References: None -

-
-
-
-

RISK ASSESSMENT

-
-

- RA-1 RISK ASSESSMENT POLICY AND PROCEDURES

-
-

- Parameter: - ra-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ra-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ra-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ra-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Risk assessment policy - - ra-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Risk assessment procedures - - ra-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a risk assessment policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the risk assessment policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the risk assessment policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current risk assessment policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current risk assessment policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current risk assessment procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current risk assessment procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- risk assessment policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with risk assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-30

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- RA-2 SECURITY CATEGORIZATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

-
-
-
- - - - - - - -
-

b.

-
-

Documents the security categorization results (including supporting rationale) in the security plan for the information system; and

-
-
-
- - - - - - - -
-

c.

-
-

Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

-
-
-
-
-
-

Supplemental guidance

-

Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

-
-
-
- - - - - - - -
-

(b)

-
-

documents the security categorization results (including supporting rationale) in the security plan for the information system; and

-
-
-
- - - - - - - -
-

(c)

-
-

ensures the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Risk assessment policy

-

- security planning policy and procedures

-

- procedures addressing security categorization of organizational information and information systems

-

- security plan

-

- security categorization documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security categorization and risk assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for security categorization

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-30

-
-
-

NIST Special Publication 800-39

-
-
-

NIST Special Publication 800-60

-
-
-
-
-

- RA-3 RISK ASSESSMENT

-
-

- Parameter: - ra-3_a organization-defined document

-

- Value: organization-defined document

-
-
-

- Parameter: - ra-3_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ra-3_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ra-3_d organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;

-
-
-
- - - - - - - -
-

b.

-
-

Documents risk assessment results in [Selection: security plan; risk assessment report; - - ra-3_a - - organization-defined document - organization-defined document - ];

-
-
-
- - - - - - - -
-

c.

-
-

Reviews risk assessment results - - ra-3_b - - organization-defined frequency - organization-defined frequency - ;

-
-
-
- - - - - - - -
-

d.

-
-

Disseminates risk assessment results to - - ra-3_c - - organization-defined personnel or roles - organization-defined personnel or roles - ; and

-
-
-
- - - - - - - -
-

e.

-
-

Updates the risk assessment - - ra-3_d - - organization-defined frequency - organization-defined frequency - or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

-
-
-
-
-
-

Supplemental guidance

-

Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. -Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of:

-
- - - - - - - -
-

[1]

-
-

the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

the information the system processes, stores, or transmits;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report);

-
-
-
- - - - - - - -
-

[2]

-
-

documents risk assessment results in one of the following:

-
- - - - - - - -
-

[a]

-
-

the security plan;

-
-
-
- - - - - - - -
-

[b]

-
-

the risk assessment report; or

-
-
-
- - - - - - - -
-

[c]

-
-

the organization-defined document;

-
-
-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review risk assessment results;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews risk assessment results with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom risk assessment results are to be disseminated;

-
-
-
- - - - - - - -
-

[2]

-
-

disseminates risk assessment results to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to update the risk assessment;

-
-
-
- - - - - - - -
-

[2]

-
-

updates the risk assessment:

-
- - - - - - - -
-

[a]

-
-

with the organization-defined frequency;

-
-
-
- - - - - - - -
-

[b]

-
-

whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); and

-
-
-
- - - - - - - -
-

[c]

-
-

whenever there are other conditions that may impact the security state of the system.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Risk assessment policy

-

- security planning policy and procedures

-

- procedures addressing organizational assessments of risk

-

- security plan

-

- risk assessment

-

- risk assessment results

-

- risk assessment reviews

-

- risk assessment updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with risk assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for risk assessment

-

- automated mechanisms supporting and/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment

-
-
-

References

-
-

OMB Memorandum 04-04

-
-
-

NIST Special Publication 800-30

-
-
-

NIST Special Publication 800-39

-
-
-

http://idmanagement.gov

-
-
-
-
-

- RA-5 VULNERABILITY SCANNING

-
-

- Parameter: - ra-5_a organization-defined frequency and/or randomly in accordance with organization-defined process

-

- Value: organization-defined frequency and/or randomly in accordance with organization-defined process

-
-
-

- Parameter: - ra-5_b organization-defined response times

-

- Value: organization-defined response times

-
-
-

- Parameter: - ra-5_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Scans for vulnerabilities in the information system and hosted applications - - ra-5_a - - organization-defined frequency and/or randomly in accordance with organization-defined process - organization-defined frequency and/or randomly in accordance with organization-defined process - and when new vulnerabilities potentially affecting the system/applications are identified and reported;

-
-
-
- - - - - - - -
-

b.

-
-

Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

-
- - - - - - - -
-

1.

-
-

Enumerating platforms, software flaws, and improper configurations;

-
-
-
- - - - - - - -
-

2.

-
-

Formatting checklists and test procedures; and

-
-
-
- - - - - - - -
-

3.

-
-

Measuring vulnerability impact;

-
-
-
-
-
- - - - - - - -
-

c.

-
-

Analyzes vulnerability scan reports and results from security control assessments;

-
-
-
- - - - - - - -
-

d.

-
-

Remediates legitimate vulnerabilities - - ra-5_b - - organization-defined response times - organization-defined response times - in accordance with an organizational assessment of risk; and

-
-
-
- - - - - - - -
-

e.

-
-

Shares information obtained from the vulnerability scanning process and security control assessments with - - ra-5_c - - organization-defined personnel or roles - organization-defined personnel or roles - to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

-
-
-
-
-
-

Supplemental guidance

-

Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

- - - - - - - - -
-
-

- RA-5 (1) UPDATE TOOL CAPABILITY

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

-
-
-
-

Supplemental guidance

-

The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

-
-
-
-

Assessment: EXAMINE

-

- Procedures addressing vulnerability scanning

-

- security plan

-

- security assessment report

-

- vulnerability scanning tools and associated configuration documentation

-

- vulnerability scanning results

-

- patch and vulnerability management records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with vulnerability scanning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for vulnerability scanning

-

- automated mechanisms/tools supporting and/or implementing vulnerability scanning

-
-

References: None -

-
-
-

- RA-5 (2) UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED

-
-

- Parameter: - ra-5_d organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization updates the information system vulnerabilities scanned [Selection (one or more): - - ra-5_d - - organization-defined frequency - organization-defined frequency - ; prior to a new scan; when new vulnerabilities are identified and reported].

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the frequency to update the information system vulnerabilities scanned;

-
-
-
- - - - - - - -
-

[2]

-
-

updates the information system vulnerabilities scanned one or more of the following:

-
- - - - - - - -
-

[a]

-
-

with the organization-defined frequency;

-
-
-
- - - - - - - -
-

[b]

-
-

prior to a new scan; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

when new vulnerabilities are identified and reported.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Procedures addressing vulnerability scanning

-

- security plan

-

- security assessment report

-

- vulnerability scanning tools and associated configuration documentation

-

- vulnerability scanning results

-

- patch and vulnerability management records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with vulnerability scanning responsibilities

-

- organizational personnel with vulnerability scan analysis responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for vulnerability scanning

-

- automated mechanisms/tools supporting and/or implementing vulnerability scanning

-
-

References: None -

-
-
-

- RA-5 (4) DISCOVERABLE INFORMATION

-
-

- Parameter: - ra-5_e organization-defined corrective actions

-

- Value: organization-defined corrective actions

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization determines what information about the information system is discoverable by adversaries and subsequently takes - - ra-5_e - - organization-defined corrective actions - organization-defined corrective actions - .

-
-
-
-

Supplemental guidance

-

Discoverable information includes information that adversaries could obtain without directly compromising or breaching the information system, for example, by collecting information the system is exposing or by conducting extensive searches of the web. Corrective actions can include, for example, notifying appropriate organizational personnel, removing designated information, or changing the information system to make designated information less relevant or attractive to adversaries.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines corrective actions to be taken if information about the information system is discoverable by adversaries;

-
-
-
- - - - - - - -
-

[2]

-
-

determines what information about the information system is discoverable by adversaries; and

-
-
-
- - - - - - - -
-

[3]

-
-

subsequently takes organization-defined corrective actions.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Procedures addressing vulnerability scanning

-

- security assessment report

-

- penetration test results

-

- vulnerability scanning results

-

- risk assessment report

-

- records of corrective actions taken

-

- incident response records

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with vulnerability scanning and/or penetration testing responsibilities

-

- organizational personnel with vulnerability scan analysis responsibilities

-

- organizational personnel responsible for risk response

-

- organizational personnel responsible for incident management and response

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for vulnerability scanning

-

- organizational processes for risk response

-

- organizational processes for incident management and response

-

- automated mechanisms/tools supporting and/or implementing vulnerability scanning

-

- automated mechanisms supporting and/or implementing risk response

-

- automated mechanisms supporting and/or implementing incident management and response

-
-

References: None -

-
-
-

- RA-5 (5) PRIVILEGED ACCESS

-
-

- Parameter: - ra-5_f organization-identified information system components

-

- Value: organization-identified information system components

-
-
-

- Parameter: - ra-5_g organization-defined vulnerability scanning activities

-

- Value: organization-defined vulnerability scanning activities

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements privileged access authorization to - - ra-5_f - - organization-identified information system components - organization-identified information system components - for selected - - ra-5_g - - organization-defined vulnerability scanning activities - organization-defined vulnerability scanning activities - .

-
-
-
-

Supplemental guidance

-

In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines information system components to which privileged access is authorized for selected vulnerability scanning activities;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines vulnerability scanning activities selected for privileged access authorization to organization-defined information system components; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system implements privileged access authorization to organization-defined information system components for selected organization-defined vulnerability scanning activities.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Risk assessment policy

-

- procedures addressing vulnerability scanning

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of information system components for vulnerability scanning

-

- personnel access authorization list

-

- authorization credentials

-

- access authorization records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with vulnerability scanning responsibilities

-

- system/network administrators

-

- organizational personnel responsible for access control to the information system

-

- organizational personnel responsible for configuration management of the information system

-

- system developers

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for vulnerability scanning

-

- organizational processes for access control

-

- automated mechanisms supporting and/or implementing access control

-

- automated mechanisms/tools supporting and/or implementing vulnerability scanning

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines the frequency for conducting vulnerability scans on the information system and hosted applications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

defines the process for conducting random vulnerability scans on the information system and hosted applications;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

in accordance with the organization-defined frequency and/or organization-defined process for conducting random scans, scans for vulnerabilities in:

-
- - - - - - - -
-

[a]

-
-

the information system;

-
-
-
- - - - - - - -
-

[b]

-
-

hosted applications;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

when new vulnerabilities potentially affecting the system/applications are identified and reported, scans for vulnerabilities in:

-
- - - - - - - -
-

[a]

-
-

the information system;

-
-
-
- - - - - - - -
-

[b]

-
-

hosted applications;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

enumerating platforms;

-
-
-
- - - - - - - -
-

[2]

-
-

enumerating software flaws;

-
-
-
- - - - - - - -
-

[3]

-
-

enumerating improper configurations;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[1]

-
-

formatting checklists;

-
-
-
- - - - - - - -
-

[2]

-
-

formatting test procedures;

-
-
-
-
-
- - - - - - - -
-

(3)

-
-

measuring vulnerability impact;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

analyzes vulnerability scan reports;

-
-
-
- - - - - - - -
-

[2]

-
-

analyzes results from security control assessments;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;

-
-
-
- - - - - - - -
-

[2]

-
-

remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared;

-
-
-
- - - - - - - -
-

[2]

-
-

shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies); and

-
-
-
- - - - - - - -
-

[3]

-
-

shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Risk assessment policy

-

- procedures addressing vulnerability scanning

-

- risk assessment

-

- security plan

-

- security assessment report

-

- vulnerability scanning tools and associated configuration documentation

-

- vulnerability scanning results

-

- patch and vulnerability management records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with risk assessment, security control assessment and vulnerability scanning responsibilities

-

- organizational personnel with vulnerability scan analysis responsibilities

-

- organizational personnel with vulnerability remediation responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for vulnerability scanning, analysis, remediation, and information sharing

-

- automated mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing

-
-
-

References

-
-

NIST Special Publication 800-40

-
-
-

NIST Special Publication 800-70

-
-
-

NIST Special Publication 800-115

-
-
-

http://cwe.mitre.org

-
-
-

http://nvd.nist.gov

-
-
-
-
-
-

SYSTEM AND SERVICES ACQUISITION

-
-

- SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES

-
-

- Parameter: - sa-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - sa-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - sa-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles (sa-1_a)]:

-
- - - - - - - -
-

1.

-
-

A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

System and services acquisition policy [Assignment: organization-defined frequency (sa-1_b)]; and

-
-
-
- - - - - - - -
-

2.

-
-

System and services acquisition procedures [Assignment: organization-defined frequency (sa-1_c)].

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a system and services acquisition policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the system and services acquisition policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the system and services acquisition policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and services acquisition policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and services acquisition policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and services acquisition procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and services acquisition procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- SA-2 ALLOCATION OF RESOURCES

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Determines information security requirements for the information system or information system service in mission/business process planning;

-
-
-
- - - - - - - -
-

b.

-
-

Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and

-
-
-
- - - - - - - -
-

c.

-
-

Establishes a discrete line item for information security in organizational programming and budgeting documentation.

-
-
-
-
-
-

Supplemental guidance

-

Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

determines information security requirements for the information system or information system service in mission/business process planning;

-
-
-
- - - - - - - -
-

(b)

-
-

to protect the information system or information system service as part of its capital planning and investment control process:

-
- - - - - - - -
-

[1]

-
-

determines the resources required;

-
-
-
- - - - - - - -
-

[2]

-
-

documents the resources required;

-
-
-
- - - - - - - -
-

[3]

-
-

allocates the resources required; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

establishes a discrete line item for information security in organizational programming and budgeting documentation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the allocation of resources to information security requirements

-

- procedures addressing capital planning and investment control

-

- organizational programming and budgeting documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with capital planning, investment control, organizational programming and budgeting responsibilities

-

- organizational personnel responsible for determining information security requirements for information systems/services

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for determining information security requirements

-

- organizational processes for capital planning, programming, and budgeting

-

- automated mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting

-
-
-

References

-
-

NIST Special Publication 800-65

-
-
-
-
-

- SA-3 SYSTEM DEVELOPMENT LIFE CYCLE

-
-

- Parameter: - sa-3_a organization-defined system development life cycle

-

- Value: organization-defined system development life cycle

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Manages the information system using [Assignment: organization-defined system development life cycle (sa-3_a)] that incorporates information security considerations;

-
-
-
- - - - - - - -
-

b.

-
-

Defines and documents information security roles and responsibilities throughout the system development life cycle;

-
-
-
- - - - - - - -
-

c.

-
-

Identifies individuals having information security roles and responsibilities; and

-
-
-
- - - - - - - -
-

d.

-
-

Integrates the organizational information security risk management process into system development life cycle activities.

-
-
-
-
-
-

Supplemental guidance

-

A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a system development life cycle that incorporates information security considerations to be used to manage the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

manages the information system using the organization-defined system development life cycle;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

defines and documents information security roles and responsibilities throughout the system development life cycle;

-
-
-
- - - - - - - -
-

(c)

-
-

identifies individuals having information security roles and responsibilities; and

-
-
-
- - - - - - - -
-

(d)

-
-

integrates the organizational information security risk management process into system development life cycle activities.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security into the system development life cycle process

-

- information system development life cycle documentation

-

- information security risk management strategy/program documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security and system life cycle development responsibilities

-

- organizational personnel with information security risk management responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for defining and documenting the SDLC

-

- organizational processes for identifying SDLC roles and responsibilities

-

- organizational process for integrating information security risk management into the SDLC

-

- automated mechanisms supporting and/or implementing the SDLC

-
-
-

References

-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-64

-
-
-
-
-

- SA-4 ACQUISITION PROCESS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

-
- - - - - - - -
-

a.

-
-

Security functional requirements;

-
-
-
- - - - - - - -
-

b.

-
-

Security strength requirements;

-
-
-
- - - - - - - -
-

c.

-
-

Security assurance requirements;

-
-
-
- - - - - - - -
-

d.

-
-

Security-related documentation requirements;

-
-
-
- - - - - - - -
-

e.

-
-

Requirements for protecting security-related documentation;

-
-
-
- - - - - - - -
-

f.

-
-

Description of the information system development environment and environment in which the system is intended to operate; and

-
-
-
- - - - - - - -
-

g.

-
-

Acceptance criteria.

-
-
-
-
-
-

Supplemental guidance

-

Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.

Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy).
Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA.

- - - - - - - - -
-
-

- SA-4 (1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

-
-
-
-

Supplemental guidance

-

Functional properties of security controls describe the functionality (i.e., security capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- solicitation documents

-

- acquisition documentation

-

- acquisition contracts for the information system, system component, or information system services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security functional requirements

-

- information system developer or service provider

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for determining information system security functional requirements

-

- organizational processes for developing acquisition contracts

-

- automated mechanisms supporting and/or implementing acquisitions and inclusion of security requirements in contracts

-
-

References: None -

-
-
-

- SA-4 (2) DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS

-
-

- Parameter: - sa-4_a organization-defined design/implementation information

-

- Value: organization-defined design/implementation information

-
-
-

- Parameter: - sa-4_b organization-defined level of detail

-

- Value: organization-defined level of detail

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information (sa-4_a)]] at [Assignment: organization-defined level of detail (sa-4_b)].

-
-
-
-

Supplemental guidance

-

Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines level of detail that the developer is required to provide in design and implementation information for the security controls to be employed in the information system, system component, or information system service;

-
-
-
- - - - - - - -
-

[2]

-
-

defines design/implementation information that the developer is to provide for the security controls to be employed (if selected);

-
-
-
- - - - - - - -
-

[3]

-
-

requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes, at the organization-defined level of detail, one or more of the following:

-
- - - - - - - -
-

[a]

-
-

security-relevant external system interfaces;

-
-
-
- - - - - - - -
-

[b]

-
-

high-level design;

-
-
-
- - - - - - - -
-

[c]

-
-

low-level design;

-
-
-
- - - - - - - -
-

[d]

-
-

source code;

-
-
-
- - - - - - - -
-

[e]

-
-

hardware schematics; and/or

-
-
-
- - - - - - - -
-

[f]

-
-

organization-defined design/implementation information.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- solicitation documents

-

- acquisition documentation

-

- acquisition contracts for the information system, system components, or information system services

-

- design and implementation information for security controls employed in the information system, system component, or information system service

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- information system developer or service provider

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for determining level of detail for system design and security controls

-

- organizational processes for developing acquisition contracts

-

- automated mechanisms supporting and/or implementing development of system design details

-
-

References: None -

-
-
-

- SA-4 (9) FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

-
-
-
-

Supplemental guidance

-

The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design phases) allows organizations to influence the design of the information system, information system component, or information system service. This early involvement in the life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services (or when requiring information system service providers to do so). Early identification of functions, ports, protocols, and services avoids costly retrofitting of security controls after the information system, system component, or information system service has been implemented. SA-9 describes requirements for external information system services with organizations identifying which functions, ports, protocols, and services are provided from external sources.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle:

-
- - - - - - - -
-

[1]

-
-

the functions intended for organizational use;

-
-
-
- - - - - - - -
-

[2]

-
-

the ports intended for organizational use;

-
-
-
- - - - - - - -
-

[3]

-
-

the protocols intended for organizational use; and

-
-
-
- - - - - - - -
-

[4]

-
-

the services intended for organizational use.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- information system design documentation

-

- information system documentation including functions, ports, protocols, and services intended for organizational use

-

- acquisition contracts for information systems or services

-

- acquisition documentation

-

- solicitation documentation

-

- service-level agreements

-

- organizational security requirements, descriptions, and criteria for developers of information systems, system components, and information system services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- system/network administrators

-

- organizational personnel operating, using, and/or maintaining the information system

-

- information system developers

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- SA-4 (10) USE OF APPROVED PIV PRODUCTS

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

-
-
-
-

Supplemental guidance

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- solicitation documentation

-

- acquisition documentation

-

- acquisition contracts for the information system, system component, or information system service

-

- service-level agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- organizational personnel with responsibility for ensuring only FIPS 201-approved products are implemented

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for selecting and employing FIPS 201-approved products

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

-
- - - - - - - -
-

(a)

-
-

security functional requirements;

-
-
-
- - - - - - - -
-

(b)

-
-

security strength requirements;

-
-
-
- - - - - - - -
-

(c)

-
-

security assurance requirements;

-
-
-
- - - - - - - -
-

(d)

-
-

security-related documentation requirements;

-
-
-
- - - - - - - -
-

(e)

-
-

requirements for protecting security-related documentation;

-
-
-
- - - - - - - -
-

(f)

-
-

description of:

-
- - - - - - - -
-

[1]

-
-

the information system development environment;

-
-
-
- - - - - - - -
-

[2]

-
-

the environment in which the system is intended to operate; and

-
-
-
-
-
- - - - - - - -
-

(g)

-
-

acceptance criteria.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- acquisition contracts for the information system, system component, or information system service

-

- information system design documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security functional, strength, and assurance requirements

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for determining information system security functional, strength, and assurance requirements

-

- organizational processes for developing acquisition contracts

-

- automated mechanisms supporting and/or implementing acquisitions and inclusion of security requirements in contracts

-
-
-

References

-
-

HSPD-12

-
-
-

ISO/IEC 15408

-
-
-

FIPS Publication 140-2

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-23

-
-
-

NIST Special Publication 800-35

-
-
-

NIST Special Publication 800-36

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-64

-
-
-

NIST Special Publication 800-70

-
-
-

NIST Special Publication 800-137

-
-
-

Federal Acquisition Regulation

-
-
-

http://www.niap-ccevs.org

-
-
-

http://fips201ep.cio.gov

-
-
-

http://www.acquisition.gov/far

-
-
-
-
-

- SA-5 INFORMATION SYSTEM DOCUMENTATION

-
-

- Parameter: - sa-5_a organization-defined actions

-

- Value: organization-defined actions

-
-
-

- Parameter: - sa-5_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Obtains administrator documentation for the information system, system component, or information system service that describes:

-
- - - - - - - -
-

1.

-
-

Secure configuration, installation, and operation of the system, component, or service;

-
-
-
- - - - - - - -
-

2.

-
-

Effective use and maintenance of security functions/mechanisms; and

-
-
-
- - - - - - - -
-

3.

-
-

Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Obtains user documentation for the information system, system component, or information system service that describes:

-
- - - - - - - -
-

1.

-
-

User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;

-
-
-
- - - - - - - -
-

2.

-
-

Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and

-
-
-
- - - - - - - -
-

3.

-
-

User responsibilities in maintaining the security of the system, component, or service;

-
-
-
-
-
- - - - - - - -
-

c.

-
-

Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes - - sa-5_a - - organization-defined actions - organization-defined actions - in response;

-
-
-
- - - - - - - -
-

d.

-
-

Protects documentation as required, in accordance with the risk management strategy; and

-
-
-
- - - - - - - -
-

e.

-
-

Distributes documentation to - - sa-5_b - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-
-
-

Supplemental guidance

-

This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

obtains administrator documentation for the information system, system component, or information system service that describes:

-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

secure configuration of the system, system component, or service;

-
-
-
- - - - - - - -
-

[2]

-
-

secure installation of the system, system component, or service;

-
-
-
- - - - - - - -
-

[3]

-
-

secure operation of the system, system component, or service;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[1]

-
-

effective use of the security features/mechanisms;

-
-
-
- - - - - - - -
-

[2]

-
-

effective maintenance of the security features/mechanisms;

-
-
-
-
-
- - - - - - - -
-

(3)

-
-

known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

obtains user documentation for the information system, system component, or information system service that describes:

-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

user-accessible security functions/mechanisms;

-
-
-
- - - - - - - -
-

[2]

-
-

how to effectively use those functions/mechanisms;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-

methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner;

-
-
-
- - - - - - - -
-

(3)

-
-

user responsibilities in maintaining the security of the system, component, or service;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines actions to be taken after documented attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;

-
-
-
- - - - - - - -
-

[2]

-
-

documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;

-
-
-
- - - - - - - -
-

[3]

-
-

takes organization-defined actions in response;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

protects documentation as required, in accordance with the risk management strategy;

-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom documentation is to be distributed; and

-
-
-
- - - - - - - -
-

[2]

-
-

distributes documentation to organization-defined personnel or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing information system documentation

-

- information system documentation including administrator and user guides

-

- records documenting attempts to obtain unavailable or nonexistent information system documentation

-

- list of actions to be taken in response to documented attempts to obtain information system, system component, or information system service documentation

-

- risk management strategy documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- system administrators

-

- organizational personnel operating, using, and/or maintaining the information system

-

- information system developers

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for obtaining, protecting, and distributing information system administrator and user documentation

-
-

References: None -

-
-
-

- SA-8 SECURITY ENGINEERING PRINCIPLES

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

-
-
-
-

Supplemental guidance

-

Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization applies information system security engineering principles in:

-
- - - - - - - -
-

[1]

-
-

the specification of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

the design of the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

the development of the information system;

-
-
-
- - - - - - - -
-

[4]

-
-

the implementation of the information system; and

-
-
-
- - - - - - - -
-

[5]

-
-

the modification of the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing security engineering principles used in the specification, design, development, implementation, and modification of the information system

-

- information system design documentation

-

- information security requirements and specifications for the information system

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- organizational personnel with information system specification, design, development, implementation, and modification responsibilities

-

- information system developers

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for applying security engineering principles in information system specification, design, development, implementation, and modification

-

- automated mechanisms supporting the application of security engineering principles in information system specification, design, development, implementation, and modification

-
-
-

References

-
-

NIST Special Publication 800-27

-
-
-
-
-

- SA-9 EXTERNAL INFORMATION SYSTEM SERVICES

-
-

- Parameter: - sa-9_a organization-defined security controls

-

- Value: organization-defined security controls

-
-
-

- Parameter: - sa-9_b organization-defined processes, methods, and techniques

-

- Value: organization-defined processes, methods, and techniques

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Requires that providers of external information system services comply with organizational information security requirements and employ - - sa-9_a - - organization-defined security controls - organization-defined security controls - in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

-
-
-
- - - - - - - -
-

b.

-
-

Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and

-
-
-
- - - - - - - -
-

c.

-
-

Employs - - sa-9_b - - organization-defined processes, methods, and techniques - organization-defined processes, methods, and techniques - to monitor security control compliance by external service providers on an ongoing basis.

-
-
-
-
-
-

Supplemental guidance

-

External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

- - - -
-
-

- SA-9 (2) IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES

-
-

- Parameter: - sa-9_d organization-defined external information system services

-

- Value: organization-defined external information system services

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires providers of - - sa-9_d - - organization-defined external information system services - organization-defined external information system services - to identify the functions, ports, protocols, and other services required for the use of such services.

-
-
-
-

Supplemental guidance

-

Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions/services or blocking certain ports/protocols.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines external information system services for which providers of such services are to identify the functions, ports, protocols, and other services required for the use of such services;

-
-
-
- - - - - - - -
-

[2]

-
-

requires providers of organization-defined external information system services to identify:

-
- - - - - - - -
-

[a]

-
-

the functions required for the use of such services;

-
-
-
- - - - - - - -
-

[b]

-
-

the ports required for the use of such services;

-
-
-
- - - - - - - -
-

[c]

-
-

the protocols required for the use of such services; and

-
-
-
- - - - - - - -
-

[d]

-
-

the other services required for the use of such services.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing external information system services

-

- acquisition contracts for the information system, system component, or information system service

-

- acquisition documentation

-

- solicitation documentation, service-level agreements

-

- organizational security requirements and security specifications for external service providers

-

- list of required functions, ports, protocols, and other services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- external providers of information system services

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines security controls to be employed by providers of external information system services;

-
-
-
- - - - - - - -
-

[2]

-
-

requires that providers of external information system services comply with organizational information security requirements;

-
-
-
- - - - - - - -
-

[3]

-
-

requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines and documents government oversight with regard to external information system services;

-
-
-
- - - - - - - -
-

[2]

-
-

defines and documents user roles and responsibilities with regard to external information system services;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing external information system services

-

- procedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services

-

- acquisition contracts, service-level agreements

-

- organizational security requirements and security specifications for external provider services

-

- security control assessment evidence from external providers of information system services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- external providers of information system services

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring security control compliance by external service providers on an ongoing basis

-

- automated mechanisms for monitoring security control compliance by external service providers on an ongoing basis

-
-
-

References

-
-

NIST Special Publication 800-35

-
-
-
-
-

- SA-10 DEVELOPER CONFIGURATION MANAGEMENT

-
-

- Parameter: - sa-10_a organization-defined configuration items under configuration management

-

- Value: organization-defined configuration items under configuration management

-
-
-

- Parameter: - sa-10_b organization-defined personnel

-

- Value: organization-defined personnel

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to:

-
- - - - - - - -
-

a.

-
-

Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];

-
-
-
- - - - - - - -
-

b.

-
-

Document, manage, and control the integrity of changes to - - sa-10_a - - organization-defined configuration items under configuration management - organization-defined configuration items under configuration management - ;

-
-
-
- - - - - - - -
-

c.

-
-

Implement only organization-approved changes to the system, component, or service;

-
-
-
- - - - - - - -
-

d.

-
-

Document approved changes to the system, component, or service and the potential security impacts of such changes; and

-
-
-
- - - - - - - -
-

e.

-
-

Track security flaws and flaw resolution within the system, component, or service and report findings to - - sa-10_b - - organization-defined personnel - organization-defined personnel - .

-
-
-
-
-
-

Supplemental guidance

-

This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following:

-
- - - - - - - -
-

[1]

-
-

system, component, or service design;

-
-
-
- - - - - - - -
-

[2]

-
-

system, component, or service development;

-
-
-
- - - - - - - -
-

[3]

-
-

system, component, or service implementation; and/or

-
-
-
- - - - - - - -
-

[4]

-
-

system, component, or service operation;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines configuration items to be placed under configuration management;

-
-
-
- - - - - - - -
-

[2]

-
-

requires the developer of the information system, system component, or information system service to:

-
- - - - - - - -
-

[a]

-
-

document the integrity of changes to organization-defined items under configuration management;

-
-
-
- - - - - - - -
-

[b]

-
-

manage the integrity of changes to organization-defined items under configuration management;

-
-
-
- - - - - - - -
-

[c]

-
-

control the integrity of changes to organization-defined items under configuration management;

-
-
-
-
-
-
-
- - - - - - - -
-

(c)

-
-

requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service;

-
-
-
- - - - - - - -
-

(d)

-
-

requires the developer of the information system, system component, or information system service to document:

-
- - - - - - - -
-

[1]

-
-

approved changes to the system, component, or service;

-
-
-
- - - - - - - -
-

[2]

-
-

the potential security impacts of such changes;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel to whom findings, resulting from security flaws and flaw resolution tracked within the system, component, or service, are to be reported;

-
-
-
- - - - - - - -
-

[2]

-
-

requires the developer of the information system, system component, or information system service to:

-
- - - - - - - -
-

[a]

-
-

track security flaws within the system, component, or service;

-
-
-
- - - - - - - -
-

[b]

-
-

track security flaw resolution within the system, component, or service; and

-
-
-
- - - - - - - -
-

[c]

-
-

report findings to organization-defined personnel.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing system developer configuration management

-

- solicitation documentation

-

- acquisition documentation

-

- service-level agreements

-

- acquisition contracts for the information system, system component, or information system service

-

- system developer configuration management plan

-

- security flaw and flaw resolution tracking records

-

- system change authorization records

-

- change control records

-

- configuration management records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with configuration management responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring developer configuration management

-

- automated mechanisms supporting and/or implementing the monitoring of developer configuration management

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- SA-11 DEVELOPER SECURITY TESTING AND EVALUATION

-
-

- Parameter: - sa-11_a organization-defined depth and coverage

-

- Value: organization-defined depth and coverage

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to:

-
- - - - - - - -
-

a.

-
-

Create and implement a security assessment plan;

-
-
-
- - - - - - - -
-

b.

-
-

Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at - - sa-11_a - - organization-defined depth and coverage - organization-defined depth and coverage - ;

-
-
-
- - - - - - - -
-

c.

-
-

Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;

-
-
-
- - - - - - - -
-

d.

-
-

Implement a verifiable flaw remediation process; and

-
-
-
- - - - - - - -
-

e.

-
-

Correct flaws identified during security testing/evaluation.

-
-
-
-
-
-

Supplemental guidance

-

Developmental security testing/evaluation occurs at all post-design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. 
Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

requires the developer of the information system, system component, or information system service to create and implement a security plan;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the depth of testing/evaluation to be performed by the developer of the information system, system component, or information system service;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the coverage of testing/evaluation to be performed by the developer of the information system, system component, or information system service;

-
-
-
- - - - - - - -
-

[3]

-
-

requires the developer of the information system, system component, or information system service to perform one or more of the following testing/evaluation at the organization-defined depth and coverage:

-
- - - - - - - -
-

[a]

-
-

unit testing/evaluation;

-
-
-
- - - - - - - -
-

[b]

-
-

integration testing/evaluation;

-
-
-
- - - - - - - -
-

[c]

-
-

system testing/evaluation; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

regression testing/evaluation;

-
-
-
-
-
-
-
- - - - - - - -
-

(c)

-
-

requires the developer of the information system, system component, or information system service to produce evidence of:

-
- - - - - - - -
-

[1]

-
-

the execution of the security assessment plan;

-
-
-
- - - - - - - -
-

[2]

-
-

the results of the security testing/evaluation;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process; and

-
-
-
- - - - - - - -
-

(e)

-
-

requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing system developer security testing

-

- procedures addressing flaw remediation

-

- solicitation documentation

-

- acquisition documentation

-

- service-level agreements

-

- acquisition contracts for the information system, system component, or information system service

-

- system developer security test plans

-

- records of developer security testing results for the information system, system component, or information system service

-

- security flaw and remediation tracking records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with developer security testing responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring developer security testing and evaluation

-

- automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation

-
-
-

References

-
-

ISO/IEC 15408

-
-
-

NIST Special Publication 800-53A

-
-
-

http://nvd.nist.gov

-
-
-

http://cwe.mitre.org

-
-
-

http://cve.mitre.org

-
-
-

http://capec.mitre.org

-
-
-
-
-

- SA-12 SUPPLY CHAIN PROTECTION

-
-

- Parameter: - sa-12_a organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization protects against supply chain threats to the information system, system component, or information system service by employing - - sa-12_a - - organization-defined security safeguards - organization-defined security safeguards - as part of a comprehensive, defense-in-breadth information security strategy.

-
-
-
-

Supplemental guidance

-

Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements.

- - - - - - - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines security safeguards to be employed to protect against supply chain threats to the information system, system component, or information system service; and

-
-
-
- - - - - - - -
-

[2]

-
-

protects against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards as part of a comprehensive, defense-in-breadth information security strategy.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing supply chain protection

-

- procedures addressing the integration of information security requirements into the acquisition process

-

- solicitation documentation

-

- acquisition documentation

-

- service-level agreements

-

- acquisition contracts for the information system, system component, or information system service

-

- list of supply chain threats

-

- list of security safeguards to be taken against supply chain threats

-

- system development life cycle documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with supply chain protection responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for defining safeguards for and protecting against supply chain threats

-

- automated mechanisms supporting and/or implementing safeguards for supply chain threats

-
-
-

References

-
-

NIST Special Publication 800-161

-
-
-

NIST Interagency Report 7622

-
-
-
-
-

- SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS

-
-

- Parameter: - sa-15_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - sa-15_b organization-defined security requirements

-

- Value: organization-defined security requirements

-
-

- priority: P2

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Requires the developer of the information system, system component, or information system service to follow a documented development process that:

-
- - - - - - - -
-

1.

-
-

Explicitly addresses security requirements;

-
-
-
- - - - - - - -
-

2.

-
-

Identifies the standards and tools used in the development process;

-
-
-
- - - - - - - -
-

3.

-
-

Documents the specific tool options and tool configurations used in the development process; and

-
-
-
- - - - - - - -
-

4.

-
-

Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews the development process, standards, tools, and tool options/configurations - - sa-15_a - - organization-defined frequency - organization-defined frequency - to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy - - sa-15_b - - organization-defined security requirements - organization-defined security requirements - .

-
-
-
-
-
-

Supplemental guidance

-

Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

requires the developer of the information system, system component, or information system service to follow a documented development process that:

-
- - - - - - - -
-

(1)

-
-

explicitly addresses security requirements;

-
-
-
- - - - - - - -
-

(2)

-
-

identifies the standards and tools used in the development process;

-
-
-
- - - - - - - -
-

(3)

-
-
- - - - - - - -
-

[1]

-
-

documents the specific tool options used in the development process;

-
-
-
- - - - - - - -
-

[2]

-
-

documents the specific tool configurations used in the development process;

-
-
-
-
-
- - - - - - - -
-

(4)

-
-
- - - - - - - -
-

[1]

-
-

documents changes to the process and/or tools used in the development;

-
-
-
- - - - - - - -
-

[2]

-
-

manages changes to the process and/or tools used in the development;

-
-
-
- - - - - - - -
-

[3]

-
-

ensures the integrity of changes to the process and/or tools used in the development;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency to review the development process, standards, tools, and tool options/configurations;

-
-
-
- - - - - - - -
-

[2]

-
-

defines security requirements to be satisfied by the process, standards, tools, and tool option/configurations selected and employed; and

-
-
-
- - - - - - - -
-

[3]

-
-
- - - - - - - -
-

[a]

-
-

reviews the development process with the organization-defined frequency to determine if the process selected and employed can satisfy organization-defined security requirements;

-
-
-
- - - - - - - -
-

[b]

-
-

reviews the development standards with the organization-defined frequency to determine if the standards selected and employed can satisfy organization-defined security requirements;

-
-
-
- - - - - - - -
-

[c]

-
-

reviews the development tools with the organization-defined frequency to determine if the tools selected and employed can satisfy organization-defined security requirements; and

-
-
-
- - - - - - - -
-

[d]

-
-

reviews the development tool options/configurations with the organization-defined frequency to determine if the tool options/configurations selected and employed can satisfy organization-defined security requirements.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing development process, standards, and tools

-

- procedures addressing the integration of security requirements during the development process

-

- solicitation documentation

-

- acquisition documentation

-

- service-level agreements

-

- acquisition contracts for the information system, system component, or information system service

-

- system developer documentation listing tool options/configuration guides, configuration management records

-

- change control records

-

- configuration control records

-

- documented reviews of development process, standards, tools, and tool options/configurations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- system developer

-
-

References: None -

-
-
-

- SA-16 DEVELOPER-PROVIDED TRAINING

-
-

- Parameter: - sa-16_a organization-defined training

-

- Value: organization-defined training

-
-

- priority: P2

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to provide - - sa-16_a - - organization-defined training - organization-defined training - on the correct use and operation of the implemented security functions, controls, and/or mechanisms.

-
-
-
-

Supplemental guidance

-

This control applies to external and internal (in-house) developers. Training of personnel is an essential element to ensure the effectiveness of security controls implemented within organizational information systems. Training options include, for example, classroom-style training, web-based/computer-based training, and hands-on training. Organizations can also request sufficient training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security functions, controls, or mechanisms.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines training to be provided by the developer of the information system, system component, or information system service; and

-
-
-
- - - - - - - -
-

[2]

-
-

requires the developer of the information system, system component, or information system service to provide organization-defined training on the correct use and operation of the implemented security functions, controls, and/or mechanisms.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing developer-provided training

-

- solicitation documentation

-

- acquisition documentation

-

- service-level agreements

-

- acquisition contracts for the information system, system component, or information system service

-

- developer-provided training materials

-

- training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information system security responsibilities

-

- system developer

-

- organizational or third-party developers with training responsibilities for the information system, system component, or information system service

-
-

References: None -

-
-
-

- SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN

-

- priority: P1

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:

-
- - - - - - - -
-

a.

-
-

Is consistent with and supportive of the organization�s security architecture which is established within and is an integrated part of the organization�s enterprise architecture;

-
-
-
- - - - - - - -
-

b.

-
-

Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and

-
-
-
- - - - - - - -
-

c.

-
-

Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.

-
-
-
-
-
-

Supplemental guidance

-

This control is primarily directed at external developers, although it could also be used for internal (in-house) development. In contrast, PL-8 is primarily directed at internal developers to help ensure that organizations develop an information security architecture and such security architecture is integrated or tightly coupled to the enterprise architecture. This distinction is important if/when organizations outsource the development of information systems, information system components, or information system services to external entities, and there is a requirement to demonstrate consistency with the organization�s enterprise architecture and information security architecture.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:

-
- - - - - - - -
-

(a)

-
-

is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture;

-
-
-
- - - - - - - -
-

(b)

-
-

accurately and completely describes:

-
- - - - - - - -
-

[1]

-
-

the required security functionality;

-
-
-
- - - - - - - -
-

[2]

-
-

the allocation of security controls among physical and logical components; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- enterprise architecture policy

-

- procedures addressing developer security architecture and design specification for the information system

-

- solicitation documentation

-

- acquisition documentation

-

- service-level agreements

-

- acquisition contracts for the information system, system component, or information system service

-

- design specification and security architecture documentation for the system

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with security architecture and design responsibilities

-
-

References: None -

-
-
-
-

SYSTEM AND COMMUNICATIONS PROTECTION

-
-

- SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES

-
-

- Parameter: - sc-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - sc-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - sc-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - sc-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

System and communications protection policy - - sc-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

System and communications protection procedures - - sc-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a system and communications protection policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the system and communications protection policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the system and communications protection policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and communications protection policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and communications protection policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and communications protection procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and communications protection procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and communications protection responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- SC-2 APPLICATION PARTITIONING

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system separates user functionality (including user interface services) from information system management functionality.

-
-
-
-

Supplemental guidance

-

Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.

- - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system separates user functionality (including user interface services) from information system management functionality.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing application partitioning

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Separation of user functionality from information system management functionality

-
-

References: None -

-
-
-

- SC-3 SECURITY FUNCTION ISOLATION

-

- priority: P1

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system isolates security functions from nonsecurity functions.

-
-
-
-

Supplemental guidance

-

The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception.

- - - - - - - - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system isolates security functions from nonsecurity functions.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing security function isolation

-

- list of security functions to be isolated from nonsecurity functions

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Separation of security functions from nonsecurity functions within the information system

-
-

References: None -

-
-
-

- SC-4 INFORMATION IN SHARED RESOURCES

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system prevents unauthorized and unintended information transfer via shared system resources.

-
-
-
-

Supplemental guidance

-

This control prevents information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users/roles.

- - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system prevents unauthorized and unintended information transfer via shared system resources.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing information protection in shared system resources

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms preventing unauthorized and unintended transfer of information via shared system resources

-
-

References: None -

-
-
-

- SC-5 DENIAL OF SERVICE PROTECTION

-
-

- Parameter: - sc-5_a organization-defined types of denial of service attacks or references to sources for such information

-

- Value: organization-defined types of denial of service attacks or references to sources for such information

-
-
-

- Parameter: - sc-5_b organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects against or limits the effects of the following types of denial of service attacks: - - sc-5_a - - organization-defined types of denial of service attacks or references to sources for such information - organization-defined types of denial of service attacks or references to sources for such information - by employing - - sc-5_b - - organization-defined security safeguards - organization-defined security safeguards - .

-
-
-
-

Supplemental guidance

-

A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines types of denial of service attacks or reference to source of such information for the information system to protect against or limit the effects;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines security safeguards to be employed by the information system to protect against or limit the effects of organization-defined types of denial of service attacks; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system protects against or limits the effects of the organization-defined denial or service attacks (or reference to source for such information) by employing organization-defined security safeguards.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing denial of service protection

-

- information system design documentation

-

- security plan

-

- list of denial of services attacks requiring employment of security safeguards to protect against or limit effects of such attacks

-

- list of security safeguards protecting against or limiting the effects of denial of service attacks

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with incident response responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms protecting against or limiting the effects of denial of service attacks

-
-

References: None -

-
-
-

- SC-7 BOUNDARY PROTECTION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;

-
-
-
- - - - - - - -
-

b.

-
-

Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and

-
-
-
- - - - - - - -
-

c.

-
-

Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

-
-
-
-
-
-

Supplemental guidance

-

Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.

- - - - - - - - - -
-
-

- SC-7 (3) ACCESS POINTS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization limits the number of external network connections to the information system.

-
-
-
-

Supplemental guidance

-

Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization limits the number of external network connections to the information system.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- information system design documentation

-

- boundary protection hardware and software

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- communications and network traffic monitoring logs

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing boundary protection capability

-

- automated mechanisms limiting the number of external network connections to the information system

-
-

References: None -

-
-
-

- SC-7 (4) EXTERNAL TELECOMMUNICATIONS SERVICES

-
-

- Parameter: - sc-7_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Implements a managed interface for each external telecommunication service;

-
-
-
- - - - - - - -
-

(b)

-
-

Establishes a traffic flow policy for each managed interface;

-
-
-
- - - - - - - -
-

(c)

-
-

Protects the confidentiality and integrity of the information being transmitted across each interface;

-
-
-
- - - - - - - -
-

(d)

-
-

Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and

-
-
-
- - - - - - - -
-

(e)

-
-

Reviews exceptions to the traffic flow policy - - sc-7_a - - organization-defined frequency - organization-defined frequency - and removes exceptions that are no longer supported by an explicit mission/business need.

-
-
-
-
-
-

Supplemental guidance

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

implements a managed interface for each external telecommunication service;

-
-
-
- - - - - - - -
-

(b)

-
-

establishes a traffic flow policy for each managed interface;

-
-
-
- - - - - - - -
-

(c)

-
-

protects the confidentiality and integrity of the information being transmitted across each interface;

-
-
-
- - - - - - - -
-

(d)

-
-

documents each exception to the traffic flow policy with:

-
- - - - - - - -
-

[1]

-
-

a supporting mission/business need;

-
-
-
- - - - - - - -
-

[2]

-
-

duration of that need;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency to review exceptions to traffic flow policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews exceptions to the traffic flow policy with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[3]

-
-

removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- traffic flow policy

-

- information flow control policy

-

- procedures addressing boundary protection

-

- information system security architecture

-

- information system design documentation

-

- boundary protection hardware and software

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- records of traffic flow policy exceptions

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for documenting and reviewing exceptions to the traffic flow policy

-

- organizational processes for removing exceptions to the traffic flow policy

-

- automated mechanisms implementing boundary protection capability

-

- managed interfaces implementing traffic flow policy

-
-

References: None -

-
-
-

- SC-7 (5) DENY BY DEFAULT / ALLOW BY EXCEPTION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

-
-
-
-

Supplemental guidance

-

This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system, at managed interfaces:

-
- - - - - - - -
-

[1]

-
-

denies network traffic by default; and

-
-
-
- - - - - - - -
-

[2]

-
-

allows network traffic by exception.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing traffic management at managed interfaces

-
-

References: None -

-
-
-

- SC-7 (7) PREVENT SPLIT TUNNELING FOR REMOTE DEVICES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

-
-
-
-

Supplemental guidance

-

This control enhancement is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being readily configurable by users. This control enhancement is implemented within the information system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local information system resources such as printers/file servers. However, split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling.

-
-
-

Objective

- - - - - - -
- -

Determine if the information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- information system design documentation

-

- information system hardware and software

-

- information system architecture

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing boundary protection capability

-

- automated mechanisms supporting/restricting non-remote connections

-
-

References: None -

-
-
-

- SC-7 (8) ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS

-
-

- Parameter: - sc-7_b organization-defined internal communications traffic

-

- Value: organization-defined internal communications traffic

-
-
-

- Parameter: - sc-7_c organization-defined external networks

-

- Value: organization-defined external networks

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system routes - - sc-7_b - - organization-defined internal communications traffic - organization-defined internal communications traffic - to - - sc-7_c - - organization-defined external networks - organization-defined external networks - through authenticated proxy servers at managed interfaces.

-
-
-
-

Supplemental guidance

-

External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines internal communications traffic to be routed to external networks;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines external networks to which organization-defined internal communications traffic is to be routed; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system routes organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers at managed interfaces.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- information system design documentation

-

- information system hardware and software

-

- information system architecture

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing traffic management through authenticated proxy servers at managed interfaces

-
-

References: None -

-
-
-

- SC-7 (18) FAIL SECURE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system fails securely in the event of an operational failure of a boundary protection device.

-
-
-
-

Supplemental guidance

-

Fail secure is a condition achieved by employing information system mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces (e.g., routers, firewalls, guards, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones), information systems do not enter into unsecure states where intended security properties no longer hold. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the information system fails securely in the event of an operational failure of a boundary protection device.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- information system design documentation

-

- information system architecture

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing secure failure

-
-

References: None -

-
-
-

- SC-7 (21) ISOLATION OF INFORMATION SYSTEM COMPONENTS

-
-

- Parameter: - sc-7_l organization-defined information system components

-

- Value: organization-defined information system components

-
-
-

- Parameter: - sc-7_m organization-defined missions and/or business functions

-

- Value: organization-defined missions and/or business functions

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs boundary protection mechanisms to separate - - sc-7_l - - organization-defined information system components - organization-defined information system components - supporting - - sc-7_m - - organization-defined missions and/or business functions - organization-defined missions and/or business functions - .

-
-
-
-

Supplemental guidance

-

Organizations can isolate information system components performing different missions and/or business functions. Such isolation limits unauthorized information flows among system components and also provides the opportunity to deploy greater levels of protection for selected components. Separating system components with boundary protection mechanisms provides the capability for increased protection of individual components and to more effectively control information flows between those components. This type of enhanced protection limits the potential harm from cyber attacks and errors. The degree of separation provided varies depending upon the mechanisms chosen. Boundary protection mechanisms include, for example, routers, gateways, and firewalls separating system components into physically separate networks or subnetworks, cross-domain devices separating subnetworks, virtualization techniques, and encrypting information flows among system components using distinct encryption keys.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information system components to be separated by boundary protection mechanisms;

-
-
-
- - - - - - - -
-

[2]

-
-

defines missions and/or business functions to be supported by organization-defined information system components separated by boundary protection mechanisms; and

-
-
-
- - - - - - - -
-

[3]

-
-

employs boundary protection mechanisms to separate organization-defined information system components supporting organization-defined missions and/or business functions.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- information system design documentation

-

- information system hardware and software

-

- enterprise architecture documentation

-

- information system architecture

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing the capability to separate information system components supporting organizational missions and/or business functions

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

monitors communications at the external boundary of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors communications at key internal boundaries within the system;

-
-
-
- - - - - - - -
-

[3]

-
-

controls communications at the external boundary of the information system;

-
-
-
- - - - - - - -
-

[4]

-
-

controls communications at key internal boundaries within the system;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

implements subnetworks for publicly accessible system components that are either:

-
- - - - - - - -
-

[1]

-
-

physically separated from internal organizational networks; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

logically separated from internal organizational networks; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- list of key internal boundaries of the information system

-

- information system design documentation

-

- boundary protection hardware and software

-

- information system configuration settings and associated documentation

-

- enterprise security architecture documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing boundary protection capability

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-41

-
-
-

NIST Special Publication 800-77

-
-
-
-
-

- SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.

-
-
-
-

Supplemental guidance

-

This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk.

- - -
-
-

- SC-8 (1) CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION

-
-

- Parameter: - sc-8_a organization-defined alternative physical safeguards

-

- Value: organization-defined alternative physical safeguards

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by - - sc-8_a - - organization-defined alternative physical safeguards - organization-defined alternative physical safeguards - .

-
-
-
-

Supplemental guidance

-

Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines physical safeguards to be implemented to protect information during transmission when cryptographic mechanisms are not implemented; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system implements cryptographic mechanisms to do one or more of the following during transmission unless otherwise protected by organization-defined alternative physical safeguards:

-
- - - - - - - -
-

[a]

-
-

prevent unauthorized disclosure of information; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

detect changes to information.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing transmission confidentiality and integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity

-

- automated mechanisms supporting and/or implementing alternative physical safeguards

-

- organizational processes for defining and implementing alternative physical safeguards

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system protects one or more of the following:

-
- - - - - - - -
-

[1]

-
-

confidentiality of transmitted information; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

integrity of transmitted information.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing transmission confidentiality and integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing transmission confidentiality and/or integrity

-
-
-

References

-
-

FIPS Publication 140-2

-
-
-

FIPS Publication 197

-
-
-

NIST Special Publication 800-52

-
-
-

NIST Special Publication 800-77

-
-
-

NIST Special Publication 800-81

-
-
-

NIST Special Publication 800-113

-
-
-

CNSS Policy 15

-
-
-

NSTISSI No. 7003

-
-
-
-
-

- SC-10 NETWORK DISCONNECT

-
-

- Parameter: - sc-10_a organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system terminates the network connection associated with a communications session at the end of the session or after - - sc-10_a - - organization-defined time period - organization-defined time period - of inactivity.

-
-
-
-

Supplemental guidance

-

This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines a time period of inactivity after which the information system terminates a network connection associated with a communications session; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system terminates the network connection associated with a communication session at the end of the session or after the organization-defined time period of inactivity.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing network disconnect

-

- information system design documentation

-

- security plan

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing network disconnect capability

-
-

References: None -

-
-
-

- SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT

-
-

- Parameter: - sc-12_a organization-defined requirements for key generation, distribution, storage, access, and destruction

-

- Value: organization-defined requirements for key generation, distribution, storage, access, and destruction

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with - - sc-12_a - - organization-defined requirements for key generation, distribution, storage, access, and destruction - organization-defined requirements for key generation, distribution, storage, access, and destruction - .

-
-
-
-

Supplemental guidance

-

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.

- - -
-
-

- SC-12 (1) AVAILABILITY

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization maintains availability of information in the event of the loss of cryptographic keys by users.

-
-
-
-

Supplemental guidance

-

Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys (e.g., due to forgotten passphrase).

-
-
-

Objective

- - - - - - -
- -

Determine if the organization maintains availability of information in the event of the loss of cryptographic keys by users.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing cryptographic key establishment, management, and recovery

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for cryptographic key establishment or management

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing cryptographic key establishment and management

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines requirements for cryptographic key:

-
- - - - - - - -
-

[a]

-
-

generation;

-
-
-
- - - - - - - -
-

[b]

-
-

distribution;

-
-
-
- - - - - - - -
-

[c]

-
-

storage;

-
-
-
- - - - - - - -
-

[d]

-
-

access;

-
-
-
- - - - - - - -
-

[e]

-
-

destruction; and

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing cryptographic key establishment and management

-

- information system design documentation

-

- cryptographic mechanisms

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for cryptographic key establishment and/or management

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing cryptographic key establishment and management

-
-
-

References

-
-

NIST Special Publication 800-56

-
-
-

NIST Special Publication 800-57

-
-
-
-
-

- SC-13 CRYPTOGRAPHIC PROTECTION

-
-

- Parameter: - sc-13_a organization-defined cryptographic uses and type of cryptography required for each use

-

- Value: organization-defined cryptographic uses and type of cryptography required for each use

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements - - sc-13_a - - organization-defined cryptographic uses and type of cryptography required for each use - organization-defined cryptographic uses and type of cryptography required for each use - in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

-
-
-
-

Supplemental guidance

-

Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).

- - - - - - - - - - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines cryptographic uses; and

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the type of cryptography required for each use; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system implements the organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing cryptographic protection

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- cryptographic module validation certificates

-

- list of FIPS validated cryptographic modules

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with responsibilities for cryptographic protection

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing cryptographic protection

-
-
-

References

-
-

FIPS Publication 140

-
-
-

http://csrc.nist.gov/cryptval

-
-
-

http://www.cnss.gov

-
-
-
-
-

- SC-15 COLLABORATIVE COMPUTING DEVICES

-
-

- Parameter: - sc-15_a organization-defined exceptions where remote activation is to be allowed

-

- Value: organization-defined exceptions where remote activation is to be allowed

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Prohibits remote activation of collaborative computing devices with the following exceptions: - - sc-15_a - - organization-defined exceptions where remote activation is to be allowed - organization-defined exceptions where remote activation is to be allowed - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Provides an explicit indication of use to users physically present at the devices.

-
-
-
-
-
-

Supplemental guidance

-

Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines exceptions where remote activation of collaborative computing devices is to be allowed;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system prohibits remote activation of collaborative computing devices, except for organization-defined exceptions where remote activation is to be allowed; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

the information system provides an explicit indication of use to users physically present at the devices.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing collaborative computing

-

- access control policy and procedures

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with responsibilities for managing collaborative computing devices

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing management of remote activation of collaborative computing devices

-

- automated mechanisms providing an indication of use of collaborative computing devices

-
-

References: None -

-
-
-

- SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES

-
-

- Parameter: - sc-17_a organization-defined certificate policy

-

- Value: organization-defined certificate policy

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization issues public key certificates under an - - sc-17_a - - organization-defined certificate policy - organization-defined certificate policy - or obtains public key certificates from an approved service provider.

-
-
-
-

Supplemental guidance

-

For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application-specific time services.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a certificate policy for issuing public key certificates;

-
-
-
- - - - - - - -
-

[2]

-
-

issues public key certificates:

-
- - - - - - - -
-

[a]

-
-

under an organization-defined certificate policy: or

-
-
-
- - - - - - - -
-

[b]

-
-

obtains public key certificates from an approved service provider.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing public key infrastructure certificates

-

- public key certificate policy or policies

-

- public key issuing process

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for issuing public key certificates

-

- service providers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing the management of public key infrastructure certificates

-
-
-

References

-
-

OMB Memorandum 05-24

-
-
-

NIST Special Publication 800-32

-
-
-

NIST Special Publication 800-63

-
-
-
-
-

- SC-18 MOBILE CODE

-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Defines acceptable and unacceptable mobile code and mobile code technologies;

-
-
-
- - - - - - - -
-

b.

-
-

Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and

-
-
-
- - - - - - - -
-

c.

-
-

Authorizes, monitors, and controls the use of mobile code within the information system.

-
-
-
-
-
-

Supplemental guidance

-

Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

defines acceptable and unacceptable mobile code and mobile code technologies;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

establishes usage restrictions for acceptable mobile code and mobile code technologies;

-
-
-
- - - - - - - -
-

[2]

-
-

establishes implementation guidance for acceptable mobile code and mobile code technologies;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

authorizes the use of mobile code within the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors the use of mobile code within the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

controls the use of mobile code within the information system.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing mobile code

-

- mobile code usage restrictions, mobile code implementation policy and procedures

-

- list of acceptable mobile code and mobile code technologies

-

- list of unacceptable mobile code and mobile technologies

-

- authorization records

-

- information system monitoring records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing mobile code

-
-
-

Assessment: TEST

-

- Organizational process for controlling, authorizing, monitoring, and restricting mobile code

-

- automated mechanisms supporting and/or implementing the management of mobile code

-

- automated mechanisms supporting and/or implementing the monitoring of mobile code

-
-
-

References

-
-

NIST Special Publication 800-28

-
-
-

DoD Instruction 8552.01

-
-
-
-
-

- SC-19 VOICE OVER INTERNET PROTOCOL

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and

-
-
-
- - - - - - - -
-

b.

-
-

Authorizes, monitors, and controls the use of VoIP within the information system.

-
-
-
-
-
-

Supplemental guidance

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;

-
-
-
- - - - - - - -
-

[2]

-
-

establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

authorizes the use of VoIP within the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors the use of VoIP within the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

controls the use of VoIP within the information system.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing VoIP

-

- VoIP usage restrictions

-

- VoIP implementation guidance

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system monitoring records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing VoIP

-
-
-

Assessment: TEST

-

- Organizational process for authorizing, monitoring, and controlling VoIP

-

- automated mechanisms supporting and/or implementing authorizing, monitoring, and controlling VoIP

-
-
-

References

-
-

NIST Special Publication 800-58

-
-
-
-
-

- SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

-
-
-
- - - - - - - -
-

b.

-
-

Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

-
-
-
-
-
-

Supplemental guidance

-

This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

(a)

-
-

provides additional data origin and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries;

-
-
-
- - - - - - - -
-

(b)

-
-

provides the means to, when operating as part of a distributed, hierarchical namespace:

-
- - - - - - - -
-

[1]

-
-

indicate the security status of child zones; and

-
-
-
- - - - - - - -
-

[2]

-
-

enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing secure name/address resolution service (authoritative source)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing DNS

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing secure name/address resolution service

-
-
-

References

-
-

OMB Memorandum 08-23

-
-
-

NIST Special Publication 800-81

-
-
-
-
-

- SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

-
-
-
-

Supplemental guidance

-

Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

[1]

-
-

requests data origin authentication on the name/address resolution responses the system receives from authoritative sources;

-
-
-
- - - - - - - -
-

[2]

-
-

requests data integrity verification on the name/address resolution responses the system receives from authoritative sources;

-
-
-
- - - - - - - -
-

[3]

-
-

performs data origin authentication on the name/address resolution responses the system receives from authoritative sources; and

-
-
-
- - - - - - - -
-

[4]

-
-

performs data integrity verification on the name/address resolution responses the system receives from authoritative sources.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing secure name/address resolution service (recursive or caching resolver)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing DNS

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services

-
-
-

References

-
-

NIST Special Publication 800-81

-
-
-
-
-

- SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

-
-
-
-

Supplemental guidance

-

Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists).

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information systems that collectively provide name/address resolution service for an organization:

-
- - - - - - - -
-

[1]

-
-

are fault tolerant; and

-
-
-
- - - - - - - -
-

[2]

-
-

implement internal/external role separation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing architecture and provisioning for name/address resolution service

-

- access control policy and procedures

-

- information system design documentation

-

- assessment results from independent, testing organizations

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing DNS

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing name/address resolution service for fault tolerance and role separation

-
-
-

References

-
-

NIST Special Publication 800-81

-
-
-
-
-

- SC-23 SESSION AUTHENTICITY

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects the authenticity of communications sessions.

-
-
-
-

Supplemental guidance

-

This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.

- - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system protects the authenticity of communications sessions.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing session authenticity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing session authenticity

-
-
-

References

-
-

NIST Special Publication 800-52

-
-
-

NIST Special Publication 800-77

-
-
-

NIST Special Publication 800-95

-
-
-
-
-

- SC-24 FAIL IN KNOWN STATE

-
-

- Parameter: - sc-24_a organization-defined known-state

-

- Value: organization-defined known-state

-
-
-

- Parameter: - sc-24_b organization-defined types of failures

-

- Value: organization-defined types of failures

-
-
-

- Parameter: - sc-24_c organization-defined system state information

-

- Value: organization-defined system state information

-
-

- priority: P1

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system fails to a - - sc-24_a - - organization-defined known-state - organization-defined known-state - for - - sc-24_b - - organization-defined types of failures - organization-defined types of failures - preserving - - sc-24_c - - organization-defined system state information - organization-defined system state information - in failure.

-
-
-
-

Supplemental guidance

-

Failure in a known state addresses security concerns in accordance with the mission/business needs of organizations. Failure in a known secure state helps to prevent the loss of confidentiality, integrity, or availability of information in the event of failures of organizational information systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission/business processes.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines a known-state to which the information system is to fail in the event of a system failure;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines types of failures for which the information system is to fail to an organization-defined known-state;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines system state information to be preserved in the event of a system failure;

-
-
-
- - - - - - - -
-

[4]

-
-

the information system fails to the organization-defined known-state for organization-defined types of failures; and

-
-
-
- - - - - - - -
-

[5]

-
-

the information system preserves the organization-defined system state information in the event of a system failure.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing information system failure to known state

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of failures requiring information system to fail in a known state

-

- state information to be preserved in system failure

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing fail-in-known state capability

-

- automated mechanisms preserving system state information in the event of a system failure

-
-

References: None -

-
-
-

- SC-28 PROTECTION OF INFORMATION AT REST

-
-

- Parameter: - sc-28_a organization-defined information at rest

-

- Value: organization-defined information at rest

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects the [Selection (one or more): confidentiality; integrity] of - - sc-28_a - - organization-defined information at rest - organization-defined information at rest - .

-
-
-
-

Supplemental guidance

-

This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest.

- - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines information at rest requiring one or more of the following:

-
- - - - - - - -
-

[a]

-
-

confidentiality protection; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

integrity protection;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the information system protects:

-
- - - - - - - -
-

[a]

-
-

the confidentiality of organization-defined information at rest; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

the integrity of organization-defined information at rest.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing protection of information at rest

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- cryptographic mechanisms and associated configuration documentation

-

- list of information at rest requiring confidentiality and integrity protections

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest

-
-
-

References

-
-

NIST Special Publication 800-56

-
-
-

NIST Special Publication 800-57

-
-
-

NIST Special Publication 800-111

-
-
-
-
-

- SC-39 PROCESS ISOLATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system maintains a separate execution domain for each executing process.

-
-
-
-

Supplemental guidance

-

Information systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each information system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is available in most commercial operating systems that employ multi-state processor technologies.

- - - - - - - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system maintains a separate execution domain for each executing process.

-
-
-
-

Assessment: EXAMINE

-

- Information system design documentation

-

- information system architecture

-

- independent verification and validation documentation

-

- testing and evaluation documentation, other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Information system developers/integrators

-

- information system security architect

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing separate execution domains for each executing process

-
-

References: None -

-
-
-
-

SYSTEM AND INFORMATION INTEGRITY

-
-

- SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES

-
-

- Parameter: - si-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - si-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - si-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

System and information integrity policy - - si-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

System and information integrity procedures - - si-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a system and information integrity policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the system and information integrity policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the system and information integrity policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and information integrity policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and information integrity policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and information integrity procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and information integrity procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and information integrity responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- SI-2 FLAW REMEDIATION

-
-

- Parameter: - si-2_a organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Identifies, reports, and corrects information system flaws;

-
-
-
- - - - - - - -
-

b.

-
-

Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

-
-
-
- - - - - - - -
-

c.

-
-

Installs security-relevant software and firmware updates within - - si-2_a - - organization-defined time period - organization-defined time period - of the release of the updates; and

-
-
-
- - - - - - - -
-

d.

-
-

Incorporates flaw remediation into the organizational configuration management process.

-
-
-
-
-
-

Supplemental guidance

-

Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. 
Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

- - - - - - - - - - - -
-
-

- SI-2 (1) CENTRAL MANAGEMENT

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization centrally manages the flaw remediation process.

-
-
-
-

Supplemental guidance

-

Central management is the organization-wide management and implementation of flaw remediation processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation security controls.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization centrally manages the flaw remediation process.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing flaw remediation

-

- automated mechanisms supporting centralized management of flaw remediation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for flaw remediation

-
-
-

Assessment: TEST

-

- Organizational processes for central management of the flaw remediation process

-

- automated mechanisms supporting and/or implementing central management of the flaw remediation process

-
-

References: None -

-
-
-

- SI-2 (2) AUTOMATED FLAW REMEDIATION STATUS

-
-

- Parameter: - si-2_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms - - si-2_b - - organization-defined frequency - organization-defined frequency - to determine the state of information system components with regard to flaw remediation.

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a frequency to employ automated mechanisms to determine the state of information system components with regard to flaw remediation; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms with the organization-defined frequency to determine the state of information system components with regard to flaw remediation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing flaw remediation

-

- automated mechanisms supporting centralized management of flaw remediation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for flaw remediation

-
-
-

Assessment: TEST

-

- Automated mechanisms used to determine the state of information system components with regard to flaw remediation

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

identifies information system flaws;

-
-
-
- - - - - - - -
-

[2]

-
-

reports information system flaws;

-
-
-
- - - - - - - -
-

[3]

-
-

corrects information system flaws;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

tests software updates related to flaw remediation for effectiveness and potential side effects before installation;

-
-
-
- - - - - - - -
-

[2]

-
-

tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the time period within which to install security-relevant software updates after the release of the updates;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which to install security-relevant firmware updates after the release of the updates;

-
-
-
- - - - - - - -
-

[3]

-
-

installs software updates within the organization-defined time period of the release of the updates;

-
-
-
- - - - - - - -
-

[4]

-
-

installs firmware updates within the organization-defined time period of the release of the updates; and

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

incorporates flaw remediation into the organizational configuration management process.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing flaw remediation

-

- procedures addressing configuration management

-

- list of flaws and vulnerabilities potentially affecting the information system

-

- list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws)

-

- test results from the installation of software and firmware updates to correct information system flaws

-

- installation/change control records for security-relevant software and firmware updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for flaw remediation

-

- organizational personnel with configuration management responsibility

-
-
-

Assessment: TEST

-

- Organizational processes for identifying, reporting, and correcting information system flaws

-

- organizational process for installing software and firmware updates

-

- automated mechanisms supporting and/or implementing reporting, and correcting information system flaws

-

- automated mechanisms supporting and/or implementing testing software and firmware updates

-
-
-

References

-
-

NIST Special Publication 800-40

-
-
-

NIST Special Publication 800-128

-
-
-
-
-

- SI-3 MALICIOUS CODE PROTECTION

-
-

- Parameter: - si-3_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - si-3_b organization-defined action

-

- Value: organization-defined action

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;

-
-
-
- - - - - - - -
-

b.

-
-

Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;

-
-
-
- - - - - - - -
-

c.

-
-

Configures malicious code protection mechanisms to:

-
- - - - - - - -
-

1.

-
-

Perform periodic scans of the information system - - si-3_a - - organization-defined frequency - organization-defined frequency - and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and

-
-
-
- - - - - - - -
-

2.

-
-

[Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; - - si-3_b - - organization-defined action - organization-defined action - ] in response to malicious code detection; and

-
-
-
-
-
- - - - - - - -
-

d.

-
-

Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

-
-
-
-
-
-

Supplemental guidance

-

Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. 
For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files.

- - - - - - - - - - - - -
-
-

- SI-3 (1) CENTRAL MANAGEMENT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization centrally manages malicious code protection mechanisms.

-
-
-
-

Supplemental guidance

-

Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization centrally manages malicious code protection mechanisms.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing malicious code protection

-

- automated mechanisms supporting centralized management of malicious code protection mechanisms

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for malicious code protection

-
-
-

Assessment: TEST

-

- Organizational processes for central management of malicious code protection mechanisms

-

- automated mechanisms supporting and/or implementing central management of malicious code protection mechanisms

-
-

References: None -

-
-
-

- SI-3 (2) AUTOMATIC UPDATES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically updates malicious code protection mechanisms.

-
-
-
-

Supplemental guidance

-

Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates.

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system automatically updates malicious code protection mechanisms.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing malicious code protection

-

- automated mechanisms supporting centralized management of malicious code protection mechanisms

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for malicious code protection

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing automatic updates to malicious code protection capability

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

employs malicious code protection mechanisms to detect and eradicate malicious code at information system:

-
- - - - - - - -
-

[1]

-
-

entry points;

-
-
-
- - - - - - - -
-

[2]

-
-

exit points;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures (as identified in CM-1);

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency for malicious code protection mechanisms to perform periodic scans of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

defines action to be initiated by malicious protection mechanisms in response to malicious code detection;

-
-
-
- - - - - - - -
-

[3]

-
-
- - - - - - - -
-

(1)

-
-

configures malicious code protection mechanisms to:

-
- - - - - - - -
-

[a]

-
-

perform periodic scans of the information system with the organization-defined frequency;

-
-
-
- - - - - - - -
-

[b]

-
-

perform real-time scans of files from external sources at endpoint and/or network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-

configures malicious code protection mechanisms to do one or more of the following:

-
- - - - - - - -
-

[a]

-
-

block malicious code in response to malicious code detection;

-
-
-
- - - - - - - -
-

[b]

-
-

quarantine malicious code in response to malicious code detection;

-
-
-
- - - - - - - -
-

[c]

-
-

send alert to administrator in response to malicious code detection; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

initiate organization-defined action in response to malicious code detection;

-
-
-
-
-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

addresses the receipt of false positives during malicious code detection and eradication; and

-
-
-
- - - - - - - -
-

[2]

-
-

addresses the resulting potential impact on the availability of the information system.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- configuration management policy and procedures

-

- procedures addressing malicious code protection

-

- malicious code protection mechanisms

-

- records of malicious code protection updates

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- scan results from malicious code protection mechanisms

-

- record of actions initiated by malicious code protection mechanisms in response to malicious code detection

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for malicious code protection

-

- organizational personnel with configuration management responsibility

-
-
-

Assessment: TEST

-

- Organizational processes for employing, updating, and configuring malicious code protection mechanisms

-

- organizational process for addressing false positives and resulting potential impact

-

- automated mechanisms supporting and/or implementing employing, updating, and configuring malicious code protection mechanisms

-

- automated mechanisms supporting and/or implementing malicious code scanning and subsequent actions

-
-
-

References

-
-

NIST Special Publication 800-83

-
-
-
-
-

- SI-4 INFORMATION SYSTEM MONITORING

-
-

- Parameter: - si-4_a organization-defined monitoring objectives

-

- Value: organization-defined monitoring objectives

-
-
-

- Parameter: - si-4_b organization-defined techniques and methods

-

- Value: organization-defined techniques and methods

-
-
-

- Parameter: - si-4_c organization-defined information system monitoring information

-

- Value: organization-defined information system monitoring information

-
-
-

- Parameter: - si-4_d organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-4_e organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Monitors the information system to detect:

-
- - - - - - - -
-

1.

-
-

Attacks and indicators of potential attacks in accordance with - - si-4_a - - organization-defined monitoring objectives - organization-defined monitoring objectives - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Unauthorized local, network, and remote connections;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Identifies unauthorized use of the information system through - - si-4_b - - organization-defined techniques and methods - organization-defined techniques and methods - ;

-
-
-
- - - - - - - -
-

c.

-
-

Deploys monitoring devices:

-
- - - - - - - -
-

1.

-
-

Strategically within the information system to collect organization-determined essential information; and

-
-
-
- - - - - - - -
-

2.

-
-

At ad hoc locations within the system to track specific types of transactions of interest to the organization;

-
-
-
-
-
- - - - - - - -
-

d.

-
-

Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;

-
-
-
- - - - - - - -
-

e.

-
-

Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

-
-
-
- - - - - - - -
-

f.

-
-

Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and

-
-
-
- - - - - - - -
-

g.

-
-

Provides - - si-4_c - - organization-defined information system monitoring information - organization-defined information system monitoring information - to - - si-4_d - - organization-defined personnel or roles - organization-defined personnel or roles - [Selection (one or more): as needed; - - si-4_e - - organization-defined frequency - organization-defined frequency - ].

-
-
-
-
-
-

Supplemental guidance

-

Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). 
A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.

- - - - - - - - - - - - - - - - - - -
-
-

- SI-4 (2) AUTOMATED TOOLS FOR REAL-TIME ANALYSIS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated tools to support near real-time analysis of events.

-
-
-
-

Supplemental guidance

-

Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real time analysis of alerts and/or notifications generated by organizational information systems.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated tools to support near real-time analysis of events.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing information system monitoring tools and techniques

-

- information system design documentation

-

- information system monitoring tools and techniques documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for monitoring the information system

-

- organizational personnel with responsibility for incident response/management

-
-
-

Assessment: TEST

-

- Organizational processes for near real-time analysis of events

-

- organizational processes for information system monitoring

-

- automated mechanisms supporting and/or implementing information system monitoring

-

- automated mechanisms/tools supporting and/or implementing analysis of events

-
-

References: None -

-
-
-

- SI-4 (4) INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC

-
-

- Parameter: - si-4_f organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.

-
-
-
-

Supplemental guidance

-

Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a frequency to monitor:

-
- - - - - - - -
-

[a]

-
-

inbound communications traffic for unusual or unauthorized activities or conditions;

-
-
-
- - - - - - - -
-

[b]

-
-

outbound communications traffic for unusual or unauthorized activities or conditions;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

monitors, with the organization-defined frequency:

-
- - - - - - - -
-

[a]

-
-

inbound communications traffic for unusual or unauthorized activities or conditions; and

-
-
-
- - - - - - - -
-

[b]

-
-

outbound communications traffic for unusual or unauthorized activities or conditions.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing information system monitoring tools and techniques

-

- information system design documentation

-

- information system monitoring tools and techniques documentation

-

- information system configuration settings and associated documentation

-

- information system protocols

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for monitoring the information system

-

- organizational personnel with responsibility for the intrusion detection system

-
-
-

Assessment: TEST

-

- Organizational processes for intrusion detection/information system monitoring

-

- automated mechanisms supporting and/or implementing intrusion detection capability/information system monitoring

-

- automated mechanisms supporting and/or implementing monitoring of inbound/outbound communications traffic

-
-

References: None -

-
-
-

- SI-4 (5) SYSTEM-GENERATED ALERTS

-
-

- Parameter: - si-4_g organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-4_h organization-defined compromise indicators

-

- Value: organization-defined compromise indicators

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].

-
-
-
-

Supplemental guidance

-

Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Because an alert indicates that the system itself may be compromised, the delivery path should not depend solely on that system (e.g., mail relayed through the affected host), or a successful compromise could suppress the alert. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines compromise indicators for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines personnel or roles to be alerted when indications of compromise or potential compromise occur; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system alerts organization-defined personnel or roles when organization-defined compromise indicators occur.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing information system monitoring tools and techniques

-

- information system monitoring tools and techniques documentation

-

- information system configuration settings and associated documentation

-

- alerts/notifications generated based on compromise indicators

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-

- -

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for monitoring the information system

-

- organizational personnel with responsibility for the intrusion detection system

-
-
-

Assessment: TEST

-

- Organizational processes for intrusion detection/information system monitoring

-

- automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability

-

- automated mechanisms supporting and/or implementing alerts for compromise indicators

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

defines monitoring objectives to detect attacks and indicators of potential attacks on the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors the information system to detect, in accordance with organization-defined monitoring objectives:

-
- - - - - - - -
-

[a]

-
-

attacks;

-
-
-
- - - - - - - -
-

[b]

-
-

indicators of potential attacks;

-
-
-
-
-
-
-
- - - - - - - -
-

(2)

-
-

monitors the information system to detect unauthorized:

-
- - - - - - - -
-

[1]

-
-

local connections;

-
-
-
- - - - - - - -
-

[2]

-
-

network connections;

-
-
-
- - - - - - - -
-

[3]

-
-

remote connections;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

(1)

-
-

defines techniques and methods to identify unauthorized use of the information system;

-
-
-
- - - - - - - -
-

(2)

-
-

identifies unauthorized use of the information system through organization-defined techniques and methods;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

deploys monitoring devices:

-
- - - - - - - -
-

[1]

-
-

strategically within the information system to collect organization-determined essential information;

-
-
-
- - - - - - - -
-

[2]

-
-

at ad hoc locations within the system to track specific types of transactions of interest to the organization;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

protects information obtained from intrusion-monitoring tools from unauthorized:

-
- - - - - - - -
-

[1]

-
-

access;

-
-
-
- - - - - - - -
-

[2]

-
-

modification;

-
-
-
- - - - - - - -
-

[3]

-
-

deletion;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

-
-
-
- - - - - - - -
-

(f)

-
-

obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations;

-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom information system monitoring information is to be provided;

-
-
-
- - - - - - - -
-

[2]

-
-

defines information system monitoring information to be provided to organization-defined personnel or roles;

-
-
-
- - - - - - - -
-

[3]

-
-

defines a frequency to provide organization-defined information system monitoring information to organization-defined personnel or roles;

-
-
-
- - - - - - - -
-

[4]

-
-

provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following:

-
- - - - - - - -
-

[a]

-
-

as needed; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

with the organization-defined frequency.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Continuous monitoring strategy

-

- system and information integrity policy

-

- procedures addressing information system monitoring tools and techniques

-

- facility diagram/layout

-

- information system design documentation

-

- information system monitoring tools and techniques documentation

-

- locations within information system where monitoring devices are deployed

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for monitoring the information system

-
-
-

Assessment: TEST

-

- Organizational processes for information system monitoring

-

- automated mechanisms supporting and/or implementing information system monitoring capability

-
-
-

References

-
-

NIST Special Publication 800-61

-
-
-

NIST Special Publication 800-83

-
-
-

NIST Special Publication 800-92

-
-
-

NIST Special Publication 800-94

-
-
-

NIST Special Publication 800-137

-
-
-
-
-

- SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES

-
-

- Parameter: - si-5_a organization-defined external organizations

-

- Value: organization-defined external organizations

-
-
-

- Parameter: - si-5_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-5_c organization-defined elements within the organization

-

- Value: organization-defined elements within the organization

-
-
-

- Parameter: - si-5_d organization-defined external organizations

-

- Value: organization-defined external organizations

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;

-
-
-
- - - - - - - -
-

b.

-
-

Generates internal security alerts, advisories, and directives as deemed necessary;

-
-
-
- - - - - - - -
-

c.

-
-

Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and

-
-
-
- - - - - - - -
-

d.

-
-

Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

-
-
-
-
-
-

Supplemental guidance

-

The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations.

- -
-
-

- SI-5 (1) AUTOMATED ALERTS AND ADVISORIES

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.

-
-
-
-

Supplemental guidance

-

The significant number of changes to organizational information systems and the environments in which those systems operate requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational missions and business functions. Based on the information provided by the security alerts and advisories, changes may be required at one or more of the three tiers related to the management of information security risk including the governance level, mission/business process/enterprise architecture level, and the information system level.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to make security alert and advisory information available throughout the organization.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing security alerts, advisories, and directives

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- automated mechanisms supporting the distribution of security alert and advisory information

-

- records of security alerts and advisories

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security alert and advisory responsibilities

-

- organizational personnel implementing, operating, maintaining, and using the information system

-

- organizational personnel, organizational elements, and/or external organizations to whom alerts and advisories are to be disseminated

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for defining, receiving, generating, and disseminating security alerts and advisories

-

- automated mechanisms supporting and/or implementing dissemination of security alerts and advisories

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines external organizations from whom information system security alerts, advisories, and directives are to be received;

-
-
-
- - - - - - - -
-

[2]

-
-

receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

generates internal security alerts, advisories, and directives as deemed necessary;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom security alerts, advisories, and directives are to be provided;

-
-
-
- - - - - - - -
-

[2]

-
-

defines elements within the organization to whom security alerts, advisories, and directives are to be provided;

-
-
-
- - - - - - - -
-

[3]

-
-

defines external organizations to whom security alerts, advisories, and directives are to be provided;

-
-
-
- - - - - - - -
-

[4]

-
-

disseminates security alerts, advisories, and directives to one or more of the following:

-
- - - - - - - -
-

[a]

-
-

organization-defined personnel or roles;

-
-
-
- - - - - - - -
-

[b]

-
-

organization-defined elements within the organization; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

organization-defined external organizations; and

-
-
-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

implements security directives in accordance with established time frames; or

-
-
-
- - - - - - - -
-

[2]

-
-

notifies the issuing organization of the degree of noncompliance.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing security alerts, advisories, and directives

-

- records of security alerts and advisories

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security alert and advisory responsibilities

-

- organizational personnel implementing, operating, maintaining, and using the information system

-

- organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives

-

- automated mechanisms supporting and/or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives

-

- automated mechanisms supporting and/or implementing security directives

-
-
-

References

-
-

NIST Special Publication 800-40

-
-
-
-
-

- SI-6 SECURITY FUNCTION VERIFICATION

-
-

- Parameter: - si-6_a organization-defined security functions

-

- Value: organization-defined security functions

-
-
-

- Parameter: - si-6_b organization-defined system transitional states

-

- Value: organization-defined system transitional states

-
-
-

- Parameter: - si-6_c organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - si-6_d organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-6_e organization-defined alternative action(s)

-

- Value: organization-defined alternative action(s)

-
-

- priority: P1

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Verifies the correct operation of [Assignment: organization-defined security functions];

-
-
-
- - - - - - - -
-

b.

-
-

Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];

-
-
-
- - - - - - - -
-

c.

-
-

Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and

-
-
-
- - - - - - - -
-

d.

-
-

[Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.

-
-
-
-
-
-

Supplemental guidance

-

Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines security functions to be verified for correct operation;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system verifies the correct operation of organization-defined security functions;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines system transitional states requiring verification of organization-defined security functions;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines a frequency to verify the correct operation of organization-defined security functions;

-
-
-
- - - - - - - -
-

[3]

-
-

the information system performs this verification one or more of the following:

-
- - - - - - - -
-

[a]

-
-

at organization-defined system transitional states;

-
-
-
- - - - - - - -
-

[b]

-
-

upon command by user with appropriate privilege; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

with the organization-defined frequency;

-
-
-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines personnel or roles to be notified of failed security verification tests;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system notifies organization-defined personnel or roles of failed security verification tests;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines alternative action(s) to be performed when anomalies are discovered;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system performs one or more of the following actions when anomalies are discovered:

-
- - - - - - - -
-

[a]

-
-

shuts the information system down;

-
-
-
- - - - - - - -
-

[b]

-
-

restarts the information system; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

performs organization-defined alternative action(s).

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing security function verification

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- alerts/notifications of failed security verification tests

-

- list of system transition states requiring security functionality verification

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security function verification responsibilities

-

- organizational personnel implementing, operating, and maintaining the information system

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Organizational processes for security function verification

-

- automated mechanisms supporting and/or implementing security function verification capability

-
-

References: None -

-
-
-

- SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

-
-

- Parameter: - si-7_a organization-defined software, firmware, and information

-

- Value: organization-defined software, firmware, and information

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

-
-
-
-

Supplemental guidance

-

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclic redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications. Note that parity checks and cyclic redundancy checks detect only accidental corruption: an adversary who can modify the data can also recompute them. Detecting deliberate tampering requires cryptographic hashes (or digital signatures) whose reference values are themselves protected from unauthorized modification.

- - - - -
-
-

- SI-7 (1) INTEGRITY CHECKS

-
-

- Parameter: - si-7_b organization-defined software, firmware, and information

-

- Value: organization-defined software, firmware, and information

-
-
-

- Parameter: - si-7_c organization-defined transitional states or security-relevant events

-

- Value: organization-defined transitional states or security-relevant events

-
-
-

- Parameter: - si-7_d organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].

-
-
-
-

Supplemental guidance

-

Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines:

-
- - - - - - - -
-

[a]

-
-

software requiring integrity checks to be performed;

-
-
-
- - - - - - - -
-

[b]

-
-

firmware requiring integrity checks to be performed;

-
-
-
- - - - - - - -
-

[c]

-
-

information requiring integrity checks to be performed;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines transitional states or security-relevant events requiring integrity checks of organization-defined:

-
- - - - - - - -
-

[a]

-
-

software;

-
-
-
- - - - - - - -
-

[b]

-
-

firmware;

-
-
-
- - - - - - - -
-

[c]

-
-

information;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines a frequency with which to perform an integrity check of organization-defined:

-
- - - - - - - -
-

[a]

-
-

software;

-
-
-
- - - - - - - -
-

[b]

-
-

firmware;

-
-
-
- - - - - - - -
-

[c]

-
-

information;

-
-
-
-
-
- - - - - - - -
-

[4]

-
-

the information system performs an integrity check of organization-defined software, firmware, and information one or more of the following:

-
- - - - - - - -
-

[a]

-
-

at startup;

-
-
-
- - - - - - - -
-

[b]

-
-

at organization-defined transitional states or security-relevant events; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing software, firmware, and information integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- integrity verification tools and associated documentation

-

- records of integrity scans

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for software, firmware, and/or information integrity

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Software, firmware, and information integrity verification tools

-
-

References: None -

-
-
-

- SI-7 (2) AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS

-
-

- Parameter: - si-7_e organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.

-
-
-
-

Supplemental guidance

-

The use of automated tools to report integrity violations and to notify organizational personnel in a timely manner is an essential precursor to effective risk response. Personnel having an interest in integrity violations include, for example, mission/business owners, information system owners, systems administrators, software developers, systems integrators, and information security officers.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs automated tools that provide notification to organization-defined personnel or roles upon discovering discrepancies during integrity verification.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing software, firmware, and information integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- integrity verification tools and associated documentation

-

- records of integrity scans

-

- automated tools supporting alerts and notifications for integrity discrepancies

-

- alerts/notifications provided upon discovering discrepancies during integrity verifications

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for software, firmware, and/or information integrity

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Software, firmware, and information integrity verification tools

-

- automated mechanisms providing integrity discrepancy notifications

-
-

References: None -

-
-
-

- SI-7 (5) AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS

-
-

- Parameter: - si-7_f organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered.

-
-
-
-

Supplemental guidance

-

Organizations may define different integrity checking and anomaly responses: (i) by type of information (e.g., firmware, software, user data); (ii) by specific information (e.g., boot firmware, boot firmware for a specific types of machines); or (iii) a combination of both. Automatic implementation of specific safeguards within organizational information systems includes, for example, reversing the changes, halting the information system, or triggering audit alerts when unauthorized modifications to critical security files occur.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines security safeguards to be implemented when integrity violations are discovered;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system automatically performs one or more of the following actions when integrity violations are discovered:

-
- - - - - - - -
-

[a]

-
-

shuts the information system down;

-
-
-
- - - - - - - -
-

[b]

-
-

restarts the information system; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

implements the organization-defined security safeguards.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing software, firmware, and information integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- integrity verification tools and associated documentation

-

- records of integrity scans

-

- records of integrity checks and responses to integrity violations

-

- information audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for software, firmware, and/or information integrity

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Software, firmware, and information integrity verification tools

-

- automated mechanisms providing an automated response to integrity violations

-

- automated mechanisms supporting and/or implementing security safeguards to be implemented when integrity violations are discovered

-
-

References: None -

-
-
-

- SI-7 (7) INTEGRATION OF DETECTION AND RESPONSE

-
-

- Parameter: - si-7_g organization-defined security-relevant changes to the information system

-

- Value: organization-defined security-relevant changes to the information system

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization incorporates the detection of unauthorized - - si-7_g - - organization-defined security-relevant changes to the information system - organization-defined security-relevant changes to the information system - into the organizational incident response capability.

-
-
-
-

Supplemental guidance

-

This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended period of time and for possible legal actions. Security-relevant changes include, for example, unauthorized changes to established configuration settings or unauthorized elevation of information system privileges.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines unauthorized security-relevant changes to the information system; and

-
-
-
- - - - - - - -
-

[2]

-
-

incorporates the detection of unauthorized organization-defined security-relevant changes to the information system into the organizational incident response capability.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing software, firmware, and information integrity

-

- procedures addressing incident response

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- incident response records

-

- information audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for software, firmware, and/or information integrity

-

- organizational personnel with information security responsibilities

-

- organizational personnel with incident response responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for incorporating detection of unauthorized security-relevant changes into the incident response capability

-

- software, firmware, and information integrity verification tools

-

- automated mechanisms supporting and/or implementing incorporation of detection of unauthorized security-relevant changes into the incident response capability

-
-

References: None -

-
-
-

- SI-7 (14) BINARY OR MACHINE EXECUTABLE CODE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and

-
-
-
- - - - - - - -
-

(b)

-
-

Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software. Organizations assess software products without accompanying source code from sources with limited or no warranty for potential security impacts. The assessments address the fact that these types of software products may be very difficult to review, repair, or extend, given that organizations, in most cases, do not have access to the original source code, and there may be no owners who could make such repairs on behalf of organizations.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

prohibits the use of binary or machine-executable code from sources with limited or no warranty;

-
-
-
- - - - - - - -
-

[2]

-
-

prohibits the use of binary or machine-executable code without the provision of source code;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

provides exceptions to the source code requirement only for compelling mission/operational requirements; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides exceptions to the source code requirement only with the approval of the authorizing official.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing software, firmware, and information integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- approval records for execution of binary and machine-executable code

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for software, firmware, and/or information integrity

-

- organizational personnel with information security responsibilities

-

- authorizing official

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing prohibition of the execution of binary or machine-executable code

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines software requiring integrity verification tools to be employed to detect unauthorized changes;

-
-
-
- - - - - - - -
-

[b]

-
-

defines firmware requiring integrity verification tools to be employed to detect unauthorized changes;

-
-
-
- - - - - - - -
-

[c]

-
-

defines information requiring integrity verification tools to be employed to detect unauthorized changes;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

employs integrity verification tools to detect unauthorized changes to organization-defined:

-
- - - - - - - -
-

[a]

-
-

software;

-
-
-
- - - - - - - -
-

[b]

-
-

firmware; and

-
-
-
- - - - - - - -
-

[c]

-
-

information.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing software, firmware, and information integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- integrity verification tools and associated documentation

-

- records generated/triggered from integrity verification tools regarding unauthorized software, firmware, and information changes

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for software, firmware, and/or information integrity

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Software, firmware, and information integrity verification tools

-
-
-

References

-
-

NIST Special Publication 800-147

-
-
-

NIST Special Publication 800-155

-
-
-
-
-

- SI-8 SPAM PROTECTION

-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and

-
-
-
- - - - - - - -
-

b.

-
-

Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

-
-
-
-
-
-

Supplemental guidance

-

Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook/laptop computers. Spam can be transported by different means including, for example, electronic mail, electronic mail attachments, and web accesses. Spam protection mechanisms include, for example, signature definitions.

- - - - - -
-
-

- SI-8 (1) CENTRAL MANAGEMENT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization centrally manages spam protection mechanisms.

-
-
-
-

Supplemental guidance

-

Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection security controls.

- - - -
-
-

Objective

- - - - - - -
- -

Determine if the organization centrally manages spam protection mechanisms.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing spam protection

-

- spam protection mechanisms

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for spam protection

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for central management of spam protection

-

- automated mechanisms supporting and/or implementing central management of spam protection

-
-

References: None -

-
-
-

- SI-8 (2) AUTOMATIC UPDATES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically updates spam protection mechanisms.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the information system automatically updates spam protection mechanisms.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing spam protection

-

- spam protection mechanisms

-

- records of spam protection updates

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for spam protection

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Organizational processes for spam protection

-

- automated mechanisms supporting and/or implementing automatic updates to spam protection mechanisms

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

employs spam protection mechanisms:

-
- - - - - - - -
-

[1]

-
-

at information system entry points to detect unsolicited messages;

-
-
-
- - - - - - - -
-

[2]

-
-

at information system entry points to take action on unsolicited messages;

-
-
-
- - - - - - - -
-

[3]

-
-

at information system exit points to detect unsolicited messages;

-
-
-
- - - - - - - -
-

[4]

-
-

at information system exit points to take action on unsolicited messages; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- configuration management policy and procedures (CM-1)

-

- procedures addressing spam protection

-

- spam protection mechanisms

-

- records of spam protection updates

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for spam protection

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Organizational processes for implementing spam protection

-

- automated mechanisms supporting and/or implementing spam protection

-
-
-

References

-
-

NIST Special Publication 800-45

-
-
-
-
-

- SI-10 INFORMATION INPUT VALIDATION

-
-

- Parameter: - si-10_a organization-defined information inputs

-

- Value: organization-defined information inputs

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system checks the validity of - - si-10_a - - organization-defined information inputs - organization-defined information inputs - .

-
-
-
-

Supplemental guidance

-

Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines information inputs requiring validity checks; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system checks the validity of organization-defined information inputs.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- access control policy and procedures

-

- separation of duties policy and procedures

-

- procedures addressing information input validation

-

- documentation for automated tools and applications to verify validity of information

-

- list of information inputs requiring validity checks

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for information input validation

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing validity checks on information inputs

-
-

References: None -

-
-
-

- SI-11 ERROR HANDLING

-
-

- Parameter: - si-11_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and

-
-
-
- - - - - - - -
-

b.

-
-

Reveals error messages only to - - si-11_a - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-
-
-

Supplemental guidance

-

Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-

the information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines personnel or roles to whom error messages are to be revealed; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system reveals error messages only to organization-defined personnel or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing information system error handling

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- documentation providing structure/content of error messages

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for information input validation

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Organizational processes for error handling

-

- automated mechanisms supporting and/or implementing error handling

-

- automated mechanisms supporting and/or implementing management of error messages

-
-

References: None -

-
-
-

- SI-12 INFORMATION HANDLING AND RETENTION

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

-
-
-
-

Supplemental guidance

-

Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements:

-
- - - - - - - -
-

[1]

-
-

handles information within the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

handles output from the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

retains information within the information system; and

-
-
-
- - - - - - - -
-

[4]

-
-

retains output from the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information handling and retention

-

- media protection policy and procedures

-

- procedures addressing information system output handling and retention

-

- information retention records, other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for information handling and retention

-

- organizational personnel with information security responsibilities/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for information handling and retention

-

- automated mechanisms supporting and/or implementing information handling and retention

-
-

References: None -

-
-
-

- SI-16 MEMORY PROTECTION

-
-

- Parameter: - si-16_a organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements - - si-16_a - - organization-defined security safeguards - organization-defined security safeguards - to protect its memory from unauthorized code execution.

-
-
-
-

Supplemental guidance

-

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines security safeguards to be implemented to protect information system memory from unauthorized code execution; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system implements organization-defined security safeguards to protect its memory from unauthorized code execution.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing memory protection for the information system

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of security safeguards protecting information system memory from unauthorized code execution

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for memory protection

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing safeguards to protect information system memory from unauthorized code execution

-
-

References: None -

-
-
-
-
-
-
- -
diff --git a/examples/SP800-53/pub/SP800-53-LOW-baseline-rendered.html b/examples/SP800-53/pub/SP800-53-LOW-baseline-rendered.html
deleted file mode 100644
index eca74e3133..0000000000
--- a/examples/SP800-53/pub/SP800-53-LOW-baseline-rendered.html
+++ /dev/null
@@ -1,40688 +0,0 @@
- - - - - - SP800-53 LOW BASELINE IMPACT - - - - -
-
-

- NIST SP800-53 rev 4 -

- - - - - - - - - - - - - - - - - -
-
-
-
-

SP800-53 LOW BASELINE IMPACT

-
-
-

SP800-53-rev4-catalog.xml ➭ Included: - - Control ac.1 - - Control ac.2 - - Control ac.3 - - Control ac.7 - - Control ac.8 - - Control ac.14 - - Control ac.17 - - Control ac.18 - - Control ac.19 - - Control ac.20 - - Control ac.22 - - Control at.1 - - Control at.2 - - Control at.3 - - Control at.4 - - Control au.1 - - Control au.2 - - Control au.3 - - Control au.4 - - Control au.5 - - Control au.6 - - Control au.8 - - Control au.9 - - Control au.11 - - Control au.12 - - Control ca.1 - - Control ca.2 - - Control ca.3 - - Control ca.5 - - Control ca.6 - - Control ca.7 - - Control ca.9 - - Control cm.1 - - Control cm.2 - - Control cm.4 - - Control cm.6 - - Control cm.7 - - Control cm.8 - - Control cm.10 - - Control cm.11 - - Control cp.1 - - Control cp.2 - - Control cp.3 - - Control cp.4 - - Control cp.9 - - Control cp.10 - - Control ia.1 - - Control ia.2 - - Subcontrol ia.2.1. - - Subcontrol ia.2.12. - - Control ia.4 - - Control ia.5 - - Subcontrol ia.5.1. - - Subcontrol ia.5.11. - - Control ia.6 - - Control ia.7 - - Control ia.8 - - Subcontrol ia.8.1. - - Subcontrol ia.8.2. - - Subcontrol ia.8.3. - - Subcontrol ia.8.4. - - Control ir.1 - - Control ir.2 - - Control ir.4 - - Control ir.5 - - Control ir.6 - - Control ir.7 - - Control ir.8 - - Control ma.1 - - Control ma.2 - - Control ma.4 - - Control ma.5 - - Control mp.1 - - Control mp.2 - - Control mp.6 - - Control mp.7 - - Control pe.1 - - Control pe.2 - - Control pe.3 - - Control pe.6 - - Control pe.8 - - Control pe.12 - - Control pe.13 - - Control pe.14 - - Control pe.15 - - Control pe.16 - - Control pl.1 - - Control pl.2 - - Control pl.4 - - Control ps.1 - - Control ps.2 - - Control ps.3 - - Control ps.4 - - Control ps.5 - - Control ps.6 - - Control ps.7 - - Control ps.8 - - Control ra.1 - - Control ra.2 - - Control ra.3 - - Control ra.5 - - Control sa.1 - - Control sa.2 - - Control sa.3 - - Control sa.4 - - Subcontrol sa.4.10. 
- - Control sa.5 - - Control sa.9 - - Control sc.1 - - Control sc.5 - - Control sc.7 - - Control sc.12 - - Control sc.13 - - Control sc.15 - - Control sc.20 - - Control sc.21 - - Control sc.22 - - Control sc.39 - - Control si.1 - - Control si.2 - - Control si.3 - - Control si.4 - - Control si.5 - - Control si.12 -

-
-
-

NIST SP800-53 rev 4

-
-

ACCESS CONTROL

-
-

- AC-1 ACCESS CONTROL POLICY AND PROCEDURES

-
-

- Parameter: - ac-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ac-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ac-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ac-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the access control policy and associated access controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Access control policy - - ac-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Access control procedures - - ac-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an access control policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the access control policy are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the access control policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the access control policy and associated access control controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current access control policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current access control policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current access control procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current access control procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- AC-2 ACCOUNT MANAGEMENT

-
-

- Parameter: - ac-2_a organization-defined information system account types

-

- Value: organization-defined information system account types

-
-
-

- Parameter: - ac-2_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ac-2_c organization-defined procedures or conditions

-

- Value: organization-defined procedures or conditions

-
-
-

- Parameter: - ac-2_d organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Identifies and selects the following types of information system accounts to support organizational missions/business functions: - - ac-2_a - - organization-defined information system account types - organization-defined information system account types - ;

-
-
-
- - - - - - - -
-

b.

-
-

Assigns account managers for information system accounts;

-
-
-
- - - - - - - -
-

c.

-
-

Establishes conditions for group and role membership;

-
-
-
- - - - - - - -
-

d.

-
-

Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

-
-
-
- - - - - - - -
-

e.

-
-

Requires approvals by - - ac-2_b - - organization-defined personnel or roles - organization-defined personnel or roles - for requests to create information system accounts;

-
-
-
- - - - - - - -
-

f.

-
-

Creates, enables, modifies, disables, and removes information system accounts in accordance with - - ac-2_c - - organization-defined procedures or conditions - organization-defined procedures or conditions - ;

-
-
-
- - - - - - - -
-

g.

-
-

Monitors the use of information system accounts;

-
-
-
- - - - - - - -
-

h.

-
-

Notifies account managers:

-
- - - - - - - -
-

1.

-
-

When accounts are no longer required;

-
-
-
- - - - - - - -
-

2.

-
-

When users are terminated or transferred; and

-
-
-
- - - - - - - -
-

3.

-
-

When individual information system usage or need-to-know changes;

-
-
-
-
-
- - - - - - - -
-

i.

-
-

Authorizes access to the information system based on:

-
- - - - - - - -
-

1.

-
-

A valid access authorization;

-
-
-
- - - - - - - -
-

2.

-
-

Intended system usage; and

-
-
-
- - - - - - - -
-

3.

-
-

Other attributes as required by the organization or associated missions/business functions;

-
-
-
-
-
- - - - - - - -
-

j.

-
-

Reviews accounts for compliance with account management requirements - - ac-2_d - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

k.

-
-

Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

-
-
-
-
-
-

Supplemental guidance

-

Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. 
Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training.

- - - - - - - - - - - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information system account types to be identified and selected to support organizational missions/business functions;

-
-
-
- - - - - - - -
-

[2]

-
-

identifies and selects organization-defined information system account types to support organizational missions/business functions;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

assigns account managers for information system accounts;

-
-
-
- - - - - - - -
-

(c)

-
-

establishes conditions for group and role membership;

-
-
-
- - - - - - - -
-

(d)

-
-

specifies for each account (as required):

-
- - - - - - - -
-

[1]

-
-

authorized users of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

group and role membership;

-
-
-
- - - - - - - -
-

[3]

-
-

access authorizations (i.e., privileges);

-
-
-
- - - - - - - -
-

[4]

-
-

other attributes;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles required to approve requests to create information system accounts;

-
-
-
- - - - - - - -
-

[2]

-
-

requires approvals by organization-defined personnel or roles for requests to create information system accounts;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines procedures or conditions to:

-
- - - - - - - -
-

[a]

-
-

create information system accounts;

-
-
-
- - - - - - - -
-

[b]

-
-

enable information system accounts;

-
-
-
- - - - - - - -
-

[c]

-
-

modify information system accounts;

-
-
-
- - - - - - - -
-

[d]

-
-

disable information system accounts;

-
-
-
- - - - - - - -
-

[e]

-
-

remove information system accounts;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

in accordance with organization-defined procedures or conditions:

-
- - - - - - - -
-

[a]

-
-

creates information system accounts;

-
-
-
- - - - - - - -
-

[b]

-
-

enables information system accounts;

-
-
-
- - - - - - - -
-

[c]

-
-

modifies information system accounts;

-
-
-
- - - - - - - -
-

[d]

-
-

disables information system accounts;

-
-
-
- - - - - - - -
-

[e]

-
-

removes information system accounts;

-
-
-
-
-
-
-
- - - - - - - -
-

(g)

-
-

monitors the use of information system accounts;

-
-
-
- - - - - - - -
-

(h)

-
-

notifies account managers:

-
- - - - - - - -
-

(1)

-
-

when accounts are no longer required;

-
-
-
- - - - - - - -
-

(2)

-
-

when users are terminated or transferred;

-
-
-
- - - - - - - -
-

(3)

-
-

when individual information system usage or need to know changes;

-
-
-
-
-
- - - - - - - -
-

(i)

-
-

authorizes access to the information system based on;

-
- - - - - - - -
-

(1)

-
-

a valid access authorization;

-
-
-
- - - - - - - -
-

(2)

-
-

intended system usage;

-
-
-
- - - - - - - -
-

(3)

-
-

other attributes as required by the organization or associated missions/business functions;

-
-
-
-
-
- - - - - - - -
-

(j)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review accounts for compliance with account management requirements;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews accounts for compliance with account management requirements with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(k)

-
-

establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of active system accounts along with the name of the individual associated with each account

-

- list of conditions for group and role membership

-

- notifications or records of recently transferred, separated, or terminated employees

-

- list of recently disabled information system accounts along with the name of the individual associated with each account

-

- access authorization records

-

- account management compliance reviews

-

- information system monitoring records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes account management on the information system

-

- automated mechanisms for implementing account management

-
-

References: None -

-
-
-

- AC-3 ACCESS ENFORCEMENT

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

-
-
-
-

Supplemental guidance

-

Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.

- - - - - - - - - - - - - - - - - - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing access enforcement

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of approved authorizations (user privileges)

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with access enforcement responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing access control policy

-
-

References: None -

-
-
-

- AC-7 UNSUCCESSFUL LOGON ATTEMPTS

-
-

- Parameter: - ac-7_a organization-defined number

-

- Value: organization-defined number

-
-
-

- Parameter: - ac-7_b organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ac-7_c organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ac-7_d organization-defined delay algorithm

-

- Value: organization-defined delay algorithm

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Enforces a limit of - - ac-7_a - - organization-defined number - organization-defined number - consecutive invalid logon attempts by a user during a - - ac-7_b - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Automatically [Selection: locks the account/node for an - - ac-7_c - - organization-defined time period - organization-defined time period - ; locks the account/node until released by an administrator; delays next logon prompt according to - - ac-7_d - - organization-defined delay algorithm - organization-defined delay algorithm - ] when the maximum number of unsuccessful attempts is exceeded.

-
-
-
-
-
-

Supplemental guidance

-

This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the number of consecutive invalid logon attempts allowed to the information system by a user during an organization-defined time period;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the time period allowed by a user of the information system for an organization-defined number of consecutive invalid logon attempts;

-
-
-
- - - - - - - -
-

[3]

-
-

the information system enforces a limit of organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines account/node lockout time period or logon delay algorithm to be automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically:

-
- - - - - - - -
-

[a]

-
-

locks the account/node for the organization-defined time period;

-
-
-
- - - - - - - -
-

[b]

-
-

locks the account/node until released by an administrator; or

-
-
-
- - - - - - - -
-

[c]

-
-

delays next logon prompt according to the organization-defined delay algorithm.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing unsuccessful logon attempts

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system developers

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing access control policy for unsuccessful logon attempts

-
-

References: None -

-
-
-

- AC-8 SYSTEM USE NOTIFICATION

-
-

- Parameter: - ac-8_a organization-defined system use notification message or banner

-

- Value: organization-defined system use notification message or banner

-
-
-

- Parameter: - ac-8_b organization-defined conditions

-

- Value: organization-defined conditions

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Displays to users - - ac-8_a - - organization-defined system use notification message or banner - organization-defined system use notification message or banner - before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:

-
- - - - - - - -
-

1.

-
-

Users are accessing a U.S. Government information system;

-
-
-
- - - - - - - -
-

2.

-
-

Information system usage may be monitored, recorded, and subject to audit;

-
-
-
- - - - - - - -
-

3.

-
-

Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and

-
-
-
- - - - - - - -
-

4.

-
-

Use of the information system indicates consent to monitoring and recording;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and

-
-
-
- - - - - - - -
-

c.

-
-

For publicly accessible systems:

-
- - - - - - - -
-

1.

-
-

Displays system use information - - ac-8_b - - organization-defined conditions - organization-defined conditions - , before granting further access;

-
-
-
- - - - - - - -
-

2.

-
-

Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

-
-
-
- - - - - - - -
-

3.

-
-

Includes a description of the authorized uses of the system.

-
-
-
-
-
-
-
-

Supplemental guidance

-

System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines a system use notification message or banner to be displayed by the information system to users before granting access to the system;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system displays to users the organization-defined system use notification message or banner before granting access to the information system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that:

-
- - - - - - - -
-

(1)

-
-

users are accessing a U.S. Government information system;

-
-
-
- - - - - - - -
-

(2)

-
-

information system usage may be monitored, recorded, and subject to audit;

-
-
-
- - - - - - - -
-

(3)

-
-

unauthorized use of the information system is prohibited and subject to criminal and civil penalties;

-
-
-
- - - - - - - -
-

(4)

-
-

use of the information system indicates consent to monitoring and recording;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

the information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system;

-
-
-
- - - - - - - -
-

(c)

-
-

for publicly accessible systems:

-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines conditions for system use to be displayed by the information system before granting further access;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system displays organization-defined conditions before granting further access;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-

the information system displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

-
-
-
- - - - - - - -
-

(3)

-
-

the information system includes a description of the authorized uses of the system.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- privacy and security policies, procedures addressing system use notification

-

- documented approval of information system use notification messages or banners

-

- information system audit records

-

- user acknowledgements of notification message or banner

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system use notification messages

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibility for providing legal advice

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing system use notification

-
-

References: None -

-
-
-

- AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION

-
-

- Parameter: - ac-14_a organization-defined user actions

-

- Value: organization-defined user actions

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Identifies - - ac-14_a - - organization-defined user actions - organization-defined user actions - that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and

-
-
-
- - - - - - - -
-

b.

-
-

Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

-
-
-
-
-
-

Supplemental guidance

-

This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions;

-
-
-
- - - - - - - -
-

[2]

-
-

identifies organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing permitted actions without identification or authentication

-

- information system configuration settings and associated documentation

-

- security plan

-

- list of user actions that can be performed without identification or authentication

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- AC-17 REMOTE ACCESS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

-
-
-
- - - - - - - -
-

b.

-
-

Authorizes remote access to the information system prior to allowing such connections.

-
-
-
-
-
-

Supplemental guidance

-

Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.

- - - - - - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

identifies the types of remote access allowed to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

establishes for each type of remote access allowed:

-
- - - - - - - -
-

[a]

-
-

usage restrictions;

-
-
-
- - - - - - - -
-

[b]

-
-

configuration/connection requirements;

-
-
-
- - - - - - - -
-

[c]

-
-

implementation guidance;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

documents for each type of remote access allowed:

-
- - - - - - - -
-

[a]

-
-

usage restrictions;

-
-
-
- - - - - - - -
-

[b]

-
-

configuration/connection requirements;

-
-
-
- - - - - - - -
-

[c]

-
-

implementation guidance; and

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

authorizes remote access to the information system prior to allowing such connections.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing remote access implementation and usage (including restrictions)

-

- configuration management plan

-

- security plan

-

- information system configuration settings and associated documentation

-

- remote access authorizations

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing remote access connections

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Remote access management capability for the information system

-
-
-

References

-
-

NIST Special Publication 800-46

-
-
-

NIST Special Publication 800-77

-
-
-

NIST Special Publication 800-113

-
-
-

NIST Special Publication 800-114

-
-
-

NIST Special Publication 800-121

-
-
-
-
-

- AC-18 WIRELESS ACCESS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and

-
-
-
- - - - - - - -
-

b.

-
-

Authorizes wireless access to the information system prior to allowing such connections.

-
-
-
-
-
-

Supplemental guidance

-

Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication.

- - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

establishes for wireless access:

-
- - - - - - - -
-

[1]

-
-

usage restrictions;

-
-
-
- - - - - - - -
-

[2]

-
-

configuration/connection requirement;

-
-
-
- - - - - - - -
-

[3]

-
-

implementation guidance; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

authorizes wireless access to the information system prior to allowing such connections.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing wireless access implementation and usage (including restrictions)

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- wireless access authorizations

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing wireless access connections

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Wireless access management capability for the information system

-
-
-

References

-
-

NIST Special Publication 800-48

-
-
-

NIST Special Publication 800-94

-
-
-

NIST Special Publication 800-97

-
-
-
-
-

- AC-19 ACCESS CONTROL FOR MOBILE DEVICES

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and

-
-
-
- - - - - - - -
-

b.

-
-

Authorizes the connection of mobile devices to organizational information systems.

-
-
-
-
-
-

Supplemental guidance

-

A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. 
Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.

- - - - - - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

establishes for organization-controlled mobile devices:

-
- - - - - - - -
-

[1]

-
-

usage restrictions;

-
-
-
- - - - - - - -
-

[2]

-
-

configuration/connection requirement;

-
-
-
- - - - - - - -
-

[3]

-
-

implementation guidance; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

authorizes the connection of mobile devices to organizational information systems.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing access control for mobile device usage (including restrictions)

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- authorizations for mobile device connections to organizational information systems

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel using mobile devices to access organizational information systems

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Access control capability authorizing mobile device connections to organizational information systems

-
-
-

References

-
-

OMB Memorandum 06-16

-
-
-

NIST Special Publication 800-114

-
-
-

NIST Special Publication 800-124

-
-
-

NIST Special Publication 800-164

-
-
-
-
-

- AC-20 USE OF EXTERNAL INFORMATION SYSTEMS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

-
- - - - - - - -
-

a.

-
-

Access the information system from external information systems; and

-
-
-
- - - - - - - -
-

b.

-
-

Process, store, or transmit organization-controlled information using external information systems.

-
-
-
-
-
-

Supplemental guidance

-

External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. -For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. 
Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. -This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

-
- - - - - - - -
-

(a)

-
-

access the information system from the external information systems; and

-
-
-
- - - - - - - -
-

(b)

-
-

process, store, or transmit organization-controlled information using external information systems.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing the use of external information systems

-

- external information systems terms and conditions

-

- list of types of applications accessible from external information systems

-

- maximum security categorization for information processed, stored, or transmitted on external information systems

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing terms and conditions on use of external information systems

-
-
-

References

-
-

FIPS Publication 199

-
-
-
-
-

- AC-22 PUBLICLY ACCESSIBLE CONTENT

-
-

- Parameter: - ac-22_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Designates individuals authorized to post information onto a publicly accessible information system;

-
-
-
- - - - - - - -
-

b.

-
-

Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and

-
-
-
- - - - - - - -
-

d.

-
-

Reviews the content on the publicly accessible information system for nonpublic information - - ac-22_a - - organization-defined frequency - organization-defined frequency - and removes such information, if discovered.

-
-
-
-
-
-

Supplemental guidance

-

In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

designates individuals authorized to post information onto a publicly accessible information system;

-
-
-
- - - - - - - -
-

(b)

-
-

trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

-
-
-
- - - - - - - -
-

(c)

-
-

reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the content on the publicly accessible information system for nonpublic information;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the content on the publicly accessible information system for nonpublic information with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[3]

-
-

removes nonpublic information from the publicly accessible information system, if discovered.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing publicly accessible content

-

- list of users authorized to post publicly accessible content on organizational information systems

-

- training materials and/or records

-

- records of publicly accessible information reviews

-

- records of response to nonpublic information on public websites

-

- system audit logs

-

- security awareness training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing management of publicly accessible content

-
-

References: None -

-
-
-
-

AWARENESS AND TRAINING

-
-

- AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES

-
-

- Parameter: - at-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - at-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - at-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - at-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Security awareness and training policy - - at-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Security awareness and training procedures - - at-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an security awareness and training policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the security awareness and training policy are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the security awareness and training policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated awareness and training controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current security awareness and training policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current security awareness and training policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current security awareness and training procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current security awareness and training procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security awareness and training responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-16

-
-
-

NIST Special Publication 800-50

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- AT-2 SECURITY AWARENESS TRAINING

-
-

- Parameter: - at-2_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):

-
- - - - - - - -
-

a.

-
-

As part of initial training for new users;

-
-
-
- - - - - - - -
-

b.

-
-

When required by information system changes; and

-
-
-
- - - - - - - -
-

c.

-
-

- - - at-2_a - - organization-defined frequency - organization-defined frequency - thereafter.

-
-
-
-
-
-

Supplemental guidance

-

Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users;

-
-
-
- - - - - - - -
-

(b)

-
-

provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes; and

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to provide refresher security awareness training thereafter to information system users (including managers, senior executives, and contractors); and

-
-
-
- - - - - - - -
-

[2]

-
-

provides refresher security awareness training to information users (including managers, senior executives, and contractors) with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy

-

- procedures addressing security awareness training implementation

-

- appropriate codes of federal regulations

-

- security awareness training curriculum

-

- security awareness training materials

-

- security plan

-

- training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for security awareness training

-

- organizational personnel with information security responsibilities

-

- organizational personnel comprising the general information system user community

-
-
-

Assessment: TEST

-

- Automated mechanisms managing security awareness training

-
-
-

References

-
-

C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)

-
-
-

Executive Order 13587

-
-
-

NIST Special Publication 800-50

-
-
-
-
-

- AT-3 ROLE-BASED SECURITY TRAINING

-
-

- Parameter: - at-3_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides role-based security training to personnel with assigned security roles and responsibilities:

-
- - - - - - - -
-

a.

-
-

Before authorizing access to the information system or performing assigned duties;

-
-
-
- - - - - - - -
-

b.

-
-

When required by information system changes; and

-
-
-
- - - - - - - -
-

c.

-
-

- - - at-3_a - - organization-defined frequency - organization-defined frequency - thereafter.

-
-
-
-
-
-

Supplemental guidance

-

Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties;

-
-
-
- - - - - - - -
-

(b)

-
-

provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes; and

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to provide refresher role-based security training thereafter to personnel with assigned security roles and responsibilities; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides refresher role-based security training to personnel with assigned security roles and responsibilities with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy

-

- procedures addressing security training implementation

-

- codes of federal regulations

-

- security training curriculum

-

- security training materials

-

- security plan

-

- training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for role-based security training

-

- organizational personnel with assigned information system security roles and responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms managing role-based security training

-
-
-

References

-
-

C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)

-
-
-

NIST Special Publication 800-16

-
-
-

NIST Special Publication 800-50

-
-
-
-
-

- AT-4 SECURITY TRAINING RECORDS

-
-

- Parameter: - at-4_a organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and

-
-
-
- - - - - - - -
-

b.

-
-

Retains individual training records for - - at-4_a - - organization-defined time period - organization-defined time period - .

-
-
-
-
-
-

Supplemental guidance

-

Documentation for specialized training may be maintained by individual supervisors at the option of the organization.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

documents individual information system security training activities including:

-
- - - - - - - -
-

[a]

-
-

basic security awareness training;

-
-
-
- - - - - - - -
-

[b]

-
-

specific role-based information system security training;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

monitors individual information system security training activities including:

-
- - - - - - - -
-

[a]

-
-

basic security awareness training;

-
-
-
- - - - - - - -
-

[b]

-
-

specific role-based information system security training;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period to retain individual training records; and

-
-
-
- - - - - - - -
-

[2]

-
-

retains individual training records for the organization-defined time period.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy

-

- procedures addressing security training records

-

- security awareness and training records

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security training record retention responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting management of security training records

-
-

References: None -

-
-
-
-

AUDIT AND ACCOUNTABILITY

-
-

- AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES

-
-

- Parameter: - au-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - au-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - au-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - au-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Audit and accountability policy - - au-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Audit and accountability procedures - - au-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an audit and accountability policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the audit and accountability policy are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the audit and accountability policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current audit and accountability policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current audit and accountability policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current audit and accountability procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current audit and accountability procedures in accordance with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- AU-2 AUDIT EVENTS

-
-

- Parameter: - au-2_a organization-defined auditable events

-

- Value: organization-defined auditable events

-
-
-

- Parameter: - au-2_b organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event

-

- Value: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Determines that the information system is capable of auditing the following events: - - au-2_a - - organization-defined auditable events - organization-defined auditable events - ;

-
-
-
- - - - - - - -
-

b.

-
-

Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

-
-
-
- - - - - - - -
-

c.

-
-

Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and

-
-
-
- - - - - - - -
-

d.

-
-

Determines that the following events are to be audited within the information system: - - au-2_b - - organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event - organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event - .

-
-
-
-
-
-

Supplemental guidance

-

An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.

- - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the auditable events that the information system must be capable of auditing;

-
-
-
- - - - - - - -
-

[2]

-
-

determines that the information system is capable of auditing organization-defined auditable events;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

-
-
-
- - - - - - - -
-

(c)

-
-

provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines the subset of auditable events defined in AU-2a that are to be audited within the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

determines that the subset of auditable events defined in AU-2a are to be audited within the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

determines the frequency of (or situation requiring) auditing for each identified event.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing auditable events

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- information system auditable events

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing information system auditing

-
-
-

References

-
-

NIST Special Publication 800-92

-
-
-

http://idmanagement.gov

-
-
-
-
-

- AU-3 CONTENT OF AUDIT RECORDS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

-
-
-
-

Supplemental guidance

-

Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system generates audit records containing information that establishes:

-
- - - - - - - -
-

[1]

-
-

what type of event occurred;

-
-
-
- - - - - - - -
-

[2]

-
-

when the event occurred;

-
-
-
- - - - - - - -
-

[3]

-
-

where the event occurred;

-
-
-
- - - - - - - -
-

[4]

-
-

the source of the event;

-
-
-
- - - - - - - -
-

[5]

-
-

the outcome of the event; and

-
-
-
- - - - - - - -
-

[6]

-
-

the identity of any individuals or subjects associated with the event.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing content of audit records

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of organization-defined auditable events

-

- information system audit records

-

- information system incident reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing information system auditing of auditable events

-
-

References: None -

-
-
-

- AU-4 AUDIT STORAGE CAPACITY

-
-

- Parameter: - au-4_a organization-defined audit record storage requirements

-

- Value: organization-defined audit record storage requirements

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization allocates audit record storage capacity in accordance with - - au-4_a - - organization-defined audit record storage requirements - organization-defined audit record storage requirements - .

-
-
-
-

Supplemental guidance

-

Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines audit record storage requirements; and

-
-
-
- - - - - - - -
-

[2]

-
-

allocates audit record storage capacity in accordance with the organization-defined audit record storage requirements.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit storage capacity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit record storage requirements

-

- audit record storage capability for information system components

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Audit record storage capacity and related configuration settings

-
-

References: None -

-
-
-

- AU-5 RESPONSE TO AUDIT PROCESSING FAILURES

-
-

- Parameter: - au-5_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - au-5_b organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)

-

- Value: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Alerts - - au-5_a - - organization-defined personnel or roles - organization-defined personnel or roles - in the event of an audit processing failure; and

-
-
-
- - - - - - - -
-

b.

-
-

Takes the following additional actions: - - au-5_b - - organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) - organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) - .

-
-
-
-
-
-

Supplemental guidance

-

Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the personnel or roles to be alerted in the event of an audit processing failure;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system alerts the organization-defined personnel or roles in the event of an audit processing failure;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines additional actions to be taken (e.g., shutdown information system, overwrite oldest audit records, stop generating audit records) in the event of an audit processing failure; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system takes the additional organization-defined actions in the event of an audit processing failure.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing response to audit processing failures

-

- information system design documentation

-

- security plan

-

- information system configuration settings and associated documentation

-

- list of personnel to be notified in case of an audit processing failure

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing information system response to audit processing failures

-
-

References: None -

-
-
-

- AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING

-
-

- Parameter: - au-6_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - au-6_b organization-defined inappropriate or unusual activity

-

- Value: organization-defined inappropriate or unusual activity

-
-
-

- Parameter: - au-6_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Reviews and analyzes information system audit records - - au-6_a - - organization-defined frequency - organization-defined frequency - for indications of - - au-6_b - - organization-defined inappropriate or unusual activity - organization-defined inappropriate or unusual activity - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Reports findings to - - au-6_c - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-
-
-

Supplemental guidance

-

Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity;

-
-
-
- - - - - - - -
-

[3]

-
-

reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported; and

-
-
-
- - - - - - - -
-

[2]

-
-

reports findings to organization-defined personnel or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit review, analysis, and reporting

-

- reports of audit findings

-

- records of actions taken in response to reviews/analyses of audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit review, analysis, and reporting responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- AU-8 TIME STAMPS

-
-

- Parameter: - au-8_a organization-defined granularity of time measurement

-

- Value: organization-defined granularity of time measurement

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Uses internal system clocks to generate time stamps for audit records; and

-
-
-
- - - - - - - -
-

b.

-
-

Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets - - au-8_a - - organization-defined granularity of time measurement - organization-defined granularity of time measurement - .

-
-
-
-
-
-

Supplemental guidance

-

Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-

the information system uses internal system clocks to generate time stamps for audit records;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the granularity of time measurement to be met when recording time stamps for audit records; and

-
-
-
- - - - - - - -
-

[3]

-
-

the organization records time stamps for audit records that meet the organization-defined granularity of time measurement.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing time stamp generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing time stamp generation

-
-

References: None -

-
-
-

- AU-9 PROTECTION OF AUDIT INFORMATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

-
-
-
-

Supplemental guidance

-

Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the information system protects audit information from unauthorized:

-
- - - - - - - -
-

[a]

-
-

access;

-
-
-
- - - - - - - -
-

[b]

-
-

modification;

-
-
-
- - - - - - - -
-

[c]

-
-

deletion;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the information system protects audit tools from unauthorized:

-
- - - - - - - -
-

[a]

-
-

access;

-
-
-
- - - - - - - -
-

[b]

-
-

modification; and

-
-
-
- - - - - - - -
-

[c]

-
-

deletion.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- access control policy and procedures

-

- procedures addressing protection of audit information

-

- information system design documentation

-

- information system configuration settings and associated documentation, information system audit records

-

- audit tools

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing audit information protection

-
-

References: None -

-
-
-

- AU-11 AUDIT RECORD RETENTION

-
-

- Parameter: - au-11_a organization-defined time period consistent with records retention policy

-

- Value: organization-defined time period consistent with records retention policy

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization retains audit records for - - au-11_a - - organization-defined time period consistent with records retention policy - organization-defined time period consistent with records retention policy - to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

-
-
-
-

Supplemental guidance

-

Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a time period to retain audit records that is consistent with records retention policy;

-
-
-
- - - - - - - -
-

[2]

-
-

retains audit records for the organization-defined time period consistent with records retention policy to:

-
- - - - - - - -
-

[a]

-
-

provide support for after-the-fact investigations of security incidents; and

-
-
-
- - - - - - - -
-

[b]

-
-

meet regulatory and organizational information retention requirements.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- audit record retention policy and procedures

-

- security plan

-

- organization-defined retention period for audit records

-

- audit record archives

-

- audit logs

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit record retention responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-

References: None -

-
-
-

- AU-12 AUDIT GENERATION

-
-

- Parameter: - au-12_a organization-defined information system components

-

- Value: organization-defined information system components

-
-
-

- Parameter: - au-12_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Provides audit record generation capability for the auditable events defined in AU-2 a. at - - au-12_a - - organization-defined information system components - organization-defined information system components - ;

-
-
-
- - - - - - - -
-

b.

-
-

Allows - - au-12_b - - organization-defined personnel or roles - organization-defined personnel or roles - to select which auditable events are to be audited by specific components of the information system; and

-
-
-
- - - - - - - -
-

c.

-
-

Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

-
-
-
-
-
-

Supplemental guidance

-

Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the information system components which are to provide audit record generation capability for the auditable events defined in AU-2a;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system provides audit record generation capability, for the auditable events defined in AU-2a, at organization-defined information system components;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system allows the organization-defined personnel or roles to select which auditable events are to be audited by specific components of the system; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

the information system generates audit records for the events defined in AU-2d with the content in defined in AU-3.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit record generation

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of auditable events

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit record generation responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing audit record generation capability

-
-

References: None -

-
-
-
-

SECURITY ASSESSMENT AND AUTHORIZATION

-
-

- CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES

-
-

- Parameter: - ca-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ca-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ca-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ca-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Security assessment and authorization policy - - ca-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Security assessment and authorization procedures - - ca-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a security assessment and authorization policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the security assessment and authorization policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the security assessment and authorization policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated assessment and authorization controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current security assessment and authorization policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current security assessment and authorization policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current security assessment and authorization procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current security assessment and authorization procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security assessment and authorization responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-53A

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- CA-2 SECURITY ASSESSMENTS

-
-

- Parameter: - ca-2_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ca-2_b organization-defined individuals or roles

-

- Value: organization-defined individuals or roles

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops a security assessment plan that describes the scope of the assessment including:

-
- - - - - - - -
-

1.

-
-

Security controls and control enhancements under assessment;

-
-
-
- - - - - - - -
-

2.

-
-

Assessment procedures to be used to determine security control effectiveness; and

-
-
-
- - - - - - - -
-

3.

-
-

Assessment environment, assessment team, and assessment roles and responsibilities;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Assesses the security controls in the information system and its environment of operation - - ca-2_a - - organization-defined frequency - organization-defined frequency - to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

-
-
-
- - - - - - - -
-

c.

-
-

Produces a security assessment report that documents the results of the assessment; and

-
-
-
- - - - - - - -
-

d.

-
-

Provides the results of the security control assessment to - - ca-2_b - - organization-defined individuals or roles - organization-defined individuals or roles - .

-
-
-
-
-
-

Supplemental guidance

-

Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. 
-To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control.

- - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops a security assessment plan that describes the scope of the assessment including:

-
- - - - - - - -
-

(1)

-
-

security controls and control enhancements under assessment;

-
-
-
- - - - - - - -
-

(2)

-
-

assessment procedures to be used to determine security control effectiveness;

-
-
-
- - - - - - - -
-

(3)

-
-
- - - - - - - -
-

[1]

-
-

assessment environment;

-
-
-
- - - - - - - -
-

[2]

-
-

assessment team;

-
-
-
- - - - - - - -
-

[3]

-
-

assessment roles and responsibilities;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to assess the security controls in the information system and its environment of operation;

-
-
-
- - - - - - - -
-

[2]

-
-

assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

produces a security assessment report that documents the results of the assessment;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines individuals or roles to whom the results of the security control assessment are to be provided; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides the results of the security control assessment to organization-defined individuals or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing security assessment planning

-

- procedures addressing security assessments

-

- security assessment plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting security assessment, security assessment plan development, and/or security assessment reporting

-
-
-

References

-
-

Executive Order 13587

-
-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-39

-
-
-

NIST Special Publication 800-53A

-
-
-

NIST Special Publication 800-115

-
-
-

NIST Special Publication 800-137

-
-
-
-
-

- CA-3 SYSTEM INTERCONNECTIONS

-
-

- Parameter: - ca-3_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;

-
-
-
- - - - - - - -
-

b.

-
-

Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and

-
-
-
- - - - - - - -
-

c.

-
-

Reviews and updates Interconnection Security Agreements - - ca-3_a - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.

- - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;

-
-
-
- - - - - - - -
-

(b)

-
-

documents, for each interconnection:

-
- - - - - - - -
-

[1]

-
-

the interface characteristics;

-
-
-
- - - - - - - -
-

[2]

-
-

the security requirements;

-
-
-
- - - - - - - -
-

[3]

-
-

the nature of the information communicated;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update Interconnection Security Agreements; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates Interconnection Security Agreements with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing information system connections

-

- system and communications protection policy

-

- information system Interconnection Security Agreements

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for developing, implementing, or approving information system interconnection agreements

-

- organizational personnel with information security responsibilities

-

- personnel managing the system(s) to which the Interconnection Security Agreement applies

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-47

-
-
-
-
-

- CA-5 PLAN OF ACTION AND MILESTONES

-
-

- Parameter: - ca-5_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops a plan of action and milestones for the information system to document the organization�s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and

-
-
-
- - - - - - - -
-

b.

-
-

Updates existing plan of action and milestones - - ca-5_a - - organization-defined frequency - organization-defined frequency - based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

-
-
-
-
-
-

Supplemental guidance

-

Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops a plan of action and milestones for the information system to:

-
- - - - - - - -
-

[1]

-
-

document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls;

-
-
-
- - - - - - - -
-

[2]

-
-

reduce or eliminate known vulnerabilities in the system;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to update the existing plan of action and milestones;

-
-
-
- - - - - - - -
-

[2]

-
-

updates the existing plan of action and milestones with the organization-defined frequency based on the findings from:

-
- - - - - - - -
-

[a]

-
-

security controls assessments;

-
-
-
- - - - - - - -
-

[b]

-
-

security impact analyses; and

-
-
-
- - - - - - - -
-

[c]

-
-

continuous monitoring activities.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing plan of action and milestones

-

- security plan

-

- security assessment plan

-

- security assessment report

-

- security assessment evidence

-

- plan of action and milestones

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with plan of action and milestones development and implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms for developing, implementing, and maintaining plan of action and milestones

-
-
-

References

-
-

OMB Memorandum 02-01

-
-
-

NIST Special Publication 800-37

-
-
-
-
-

- CA-6 SECURITY AUTHORIZATION

-
-

- Parameter: - ca-6_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Assigns a senior-level executive or manager as the authorizing official for the information system;

-
-
-
- - - - - - - -
-

b.

-
-

Ensures that the authorizing official authorizes the information system for processing before commencing operations; and

-
-
-
- - - - - - - -
-

c.

-
-

Updates the security authorization - - ca-6_a - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. 
To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

assigns a senior-level executive or manager as the authorizing official for the information system;

-
-
-
- - - - - - - -
-

(b)

-
-

ensures that the authorizing official authorizes the information system for processing before commencing operations;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to update the security authorization; and

-
-
-
- - - - - - - -
-

[2]

-
-

updates the security authorization with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing security authorization

-

- security authorization package (including security plan

-

- security assessment report

-

- plan of action and milestones

-

- authorization statement)

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security authorization responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms that facilitate security authorizations and updates

-
-
-

References

-
-

OMB Circular A-130

-
-
-

OMB Memorandum 11-33

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-137

-
-
-
-
-

- CA-7 CONTINUOUS MONITORING

-
-

- Parameter: - ca-7_a organization-defined metrics

-

- Value: organization-defined metrics

-
-
-

- Parameter: - ca-7_b organization-defined frequencies

-

- Value: organization-defined frequencies

-
-
-

- Parameter: - ca-7_c organization-defined frequencies

-

- Value: organization-defined frequencies

-
-
-

- Parameter: - ca-7_d organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ca-7_e organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

-
- - - - - - - -
-

a.

-
-

Establishment of - - ca-7_a - - organization-defined metrics - organization-defined metrics - to be monitored;

-
-
-
- - - - - - - -
-

b.

-
-

Establishment of - - ca-7_b - - organization-defined frequencies - organization-defined frequencies - for monitoring and - - ca-7_c - - organization-defined frequencies - organization-defined frequencies - for assessments supporting such monitoring;

-
-
-
- - - - - - - -
-

c.

-
-

Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

-
-
-
- - - - - - - -
-

d.

-
-

Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

-
-
-
- - - - - - - -
-

e.

-
-

Correlation and analysis of security-related information generated by assessments and monitoring;

-
-
-
- - - - - - - -
-

f.

-
-

Response actions to address results of the analysis of security-related information; and

-
-
-
- - - - - - - -
-

g.

-
-

Reporting the security status of organization and the information system to - - ca-7_d - - organization-defined personnel or roles - organization-defined personnel or roles - - - - ca-7_e - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.

- - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that defines metrics to be monitored;

-
-
-
- - - - - - - -
-

[2]

-
-

develops a continuous monitoring strategy that includes monitoring of organization-defined metrics;

-
-
-
- - - - - - - -
-

[3]

-
-

implements a continuous monitoring program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that defines frequencies for monitoring;

-
-
-
- - - - - - - -
-

[2]

-
-

defines frequencies for assessments supporting monitoring;

-
-
-
- - - - - - - -
-

[3]

-
-

develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring;

-
-
-
- - - - - - - -
-

[4]

-
-

implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that includes ongoing security control assessments;

-
-
-
- - - - - - - -
-

[2]

-
-

implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics;

-
-
-
- - - - - - - -
-

[2]

-
-

implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring;

-
-
-
- - - - - - - -
-

[2]

-
-

implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information;

-
-
-
- - - - - - - -
-

[2]

-
-

implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported;

-
-
-
- - - - - - - -
-

[2]

-
-

develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles;

-
-
-
- - - - - - - -
-

[3]

-
-

develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organizational-defined personnel or roles with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[4]

-
-

implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing continuous monitoring of information system security controls

-

- procedures addressing configuration management

-

- security plan

-

- security assessment report

-

- plan of action and milestones

-

- information system monitoring records

-

- configuration management records, security impact analyses

-

- status reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with continuous monitoring responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Mechanisms implementing continuous monitoring

-
-
-

References

-
-

OMB Memorandum 11-33

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-39

-
-
-

NIST Special Publication 800-53A

-
-
-

NIST Special Publication 800-115

-
-
-

NIST Special Publication 800-137

-
-
-

US-CERT Technical Cyber Security Alerts

-
-
-

DoD Information Assurance Vulnerability Alerts

-
-
-
-
-

- CA-9 INTERNAL SYSTEM CONNECTIONS

-
-

- Parameter: - ca-9_a organization-defined information system components or classes of components

-

- Value: organization-defined information system components or classes of components

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Authorizes internal connections of - - ca-9_a - - organization-defined information system components or classes of components - organization-defined information system components or classes of components - to the information system; and

-
-
-
- - - - - - - -
-

b.

-
-

Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.

- - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information system components or classes of components to be authorized as internal connections to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

authorizes internal connections of organization-defined information system components or classes of components to the information system;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

documents, for each internal connection:

-
- - - - - - - -
-

[1]

-
-

the interface characteristics;

-
-
-
- - - - - - - -
-

[2]

-
-

the security requirements; and

-
-
-
- - - - - - - -
-

[3]

-
-

the nature of the information communicated.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing information system connections

-

- system and communications protection policy

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of components or classes of components authorized as internal system connections

-

- security assessment report

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for developing, implementing, or authorizing internal system connections

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-
-

CONFIGURATION MANAGEMENT

-
-

- CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES

-
-

- Parameter: - cm-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - cm-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cm-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - cm-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Configuration management policy - - cm-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Configuration management procedures - - cm-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a configuration management policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the configuration management policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the configuration management policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current configuration management policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current configuration management policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current configuration management procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current configuration management procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- CM-2 BASELINE CONFIGURATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

-
-
-
-

Supplemental guidance

-

This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

develops and documents a current baseline configuration of the information system; and

-
-
-
- - - - - - - -
-

[2]

-
-

maintains, under configuration control, a current baseline configuration of the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing the baseline configuration of the information system

-

- configuration management plan

-

- enterprise architecture documentation

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- change control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing baseline configurations

-

- automated mechanisms supporting configuration control of the baseline configuration

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-4 SECURITY IMPACT ANALYSIS

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

-
-
-
-

Supplemental guidance

-

Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.

- - - - - - - - -
-
-

Objective

- - - - - - -
- -

Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing security impact analysis for changes to the information system

-

- configuration management plan

-

- security impact analysis documentation

-

- analysis tools and associated outputs

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for conducting security impact analysis

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for security impact analysis

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-6 CONFIGURATION SETTINGS

-
-

- Parameter: - cm-6_a organization-defined security configuration checklists

-

- Value: organization-defined security configuration checklists

-
-
-

- Parameter: - cm-6_b organization-defined information system components

-

- Value: organization-defined information system components

-
-
-

- Parameter: - cm-6_c organization-defined operational requirements

-

- Value: organization-defined operational requirements

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes and documents configuration settings for information technology products employed within the information system using - - cm-6_a - - organization-defined security configuration checklists - organization-defined security configuration checklists - that reflect the most restrictive mode consistent with operational requirements;

-
-
-
- - - - - - - -
-

b.

-
-

Implements the configuration settings;

-
-
-
- - - - - - - -
-

c.

-
-

Identifies, documents, and approves any deviations from established configuration settings for - - cm-6_b - - organization-defined information system components - organization-defined information system components - based on - - cm-6_c - - organization-defined operational requirements - organization-defined operational requirements - ; and

-
-
-
- - - - - - - -
-

d.

-
-

Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

-
-
-
-
-
-

Supplemental guidance

-

Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. -Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. 
Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed;

-
-
-
- - - - - - - -
-

[2]

-
-

ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements;

-
-
-
- - - - - - - -
-

[3]

-
-

establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

implements the configuration settings established/documented in CM-6(a);;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines information system components for which any deviations from established configuration settings must be:

-
- - - - - - - -
-

[a]

-
-

identified;

-
-
-
- - - - - - - -
-

[b]

-
-

documented;

-
-
-
- - - - - - - -
-

[c]

-
-

approved;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines operational requirements to support:

-
- - - - - - - -
-

[a]

-
-

the identification of any deviations from established configuration settings;

-
-
-
- - - - - - - -
-

[b]

-
-

the documentation of any deviations from established configuration settings;

-
-
-
- - - - - - - -
-

[c]

-
-

the approval of any deviations from established configuration settings;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

identifies any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

-
-
-
- - - - - - - -
-

[4]

-
-

documents any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

-
-
-
- - - - - - - -
-

[5]

-
-

approves any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

monitors changes to the configuration settings in accordance with organizational policies and procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

controls changes to the configuration settings in accordance with organizational policies and procedures.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing configuration settings for the information system

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security configuration checklists

-

- evidence supporting approved deviations from established configuration settings

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing configuration settings

-

- automated mechanisms that implement, monitor, and/or control information system configuration settings

-

- automated mechanisms that identify and/or document deviations from established configuration settings

-
-
-

References

-
-

OMB Memorandum 07-11

-
-
-

OMB Memorandum 07-18

-
-
-

OMB Memorandum 08-22

-
-
-

NIST Special Publication 800-70

-
-
-

NIST Special Publication 800-128

-
-
-

http://nvd.nist.gov

-
-
-

http://checklists.nist.gov

-
-
-

http://www.nsa.gov

-
-
-
-
-

- CM-7 LEAST FUNCTIONALITY

-
-

- Parameter: - cm-7_a organization-defined prohibited or restricted functions, ports, protocols, and/or services

-

- Value: organization-defined prohibited or restricted functions, ports, protocols, and/or services

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Configures the information system to provide only essential capabilities; and

-
-
-
- - - - - - - -
-

b.

-
-

Prohibits or restricts the use of the following functions, ports, protocols, and/or services: - - cm-7_a - - organization-defined prohibited or restricted functions, ports, protocols, and/or services - organization-defined prohibited or restricted functions, ports, protocols, and/or services - .

-
-
-
-
-
-

Supplemental guidance

-

Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

configures the information system to provide only essential capabilities;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines prohibited or restricted:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

prohibits or restricts the use of organization-defined:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- configuration management plan

-

- procedures addressing least functionality in the information system

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security configuration checklists

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes prohibiting or restricting functions, ports, protocols, and/or services

-

- automated mechanisms implementing restrictions or prohibition of functions, ports, protocols, and/or services

-
-
-

References

-
-

DoD Instruction 8551.01

-
-
-
-
-

- CM-8 INFORMATION SYSTEM COMPONENT INVENTORY

-
-

- Parameter: - cm-8_a organization-defined information deemed necessary to achieve effective information system component accountability

-

- Value: organization-defined information deemed necessary to achieve effective information system component accountability

-
-
-

- Parameter: - cm-8_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops and documents an inventory of information system components that:

-
- - - - - - - -
-

1.

-
-

Accurately reflects the current information system;

-
-
-
- - - - - - - -
-

2.

-
-

Includes all components within the authorization boundary of the information system;

-
-
-
- - - - - - - -
-

3.

-
-

Is at the level of granularity deemed necessary for tracking and reporting; and

-
-
-
- - - - - - - -
-

4.

-
-

Includes - - cm-8_a - - organization-defined information deemed necessary to achieve effective information system component accountability - organization-defined information deemed necessary to achieve effective information system component accountability - ; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the information system component inventory - - cm-8_b - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

(1)

-
-

develops and documents an inventory of information system components that accurately reflects the current information system;

-
-
-
- - - - - - - -
-

(2)

-
-

develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system;

-
-
-
- - - - - - - -
-

(3)

-
-

develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting;

-
-
-
- - - - - - - -
-

(4)

-
-
- - - - - - - -
-

[1]

-
-

defines the information deemed necessary to achieve effective information system component accountability;

-
-
-
- - - - - - - -
-

[2]

-
-

develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the information system component inventory; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the information system component inventory with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system component inventory

-

- configuration management plan

-

- security plan

-

- information system inventory records

-

- inventory reviews and update records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for information system component inventory

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for developing and documenting an inventory of information system components

-

- automated mechanisms supporting and/or implementing the information system component inventory

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-10 SOFTWARE USAGE RESTRICTIONS

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Uses software and associated documentation in accordance with contract agreements and copyright laws;

-
-
-
- - - - - - - -
-

b.

-
-

Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

-
-
-
- - - - - - - -
-

c.

-
-

Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

-
-
-
-
-
-

Supplemental guidance

-

Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

uses software and associated documentation in accordance with contract agreements and copyright laws;

-
-
-
- - - - - - - -
-

(b)

-
-

tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

-
-
-
- - - - - - - -
-

(c)

-
-

controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing software usage restrictions

-

- configuration management plan

-

- security plan

-

- software contract agreements and copyright laws

-

- site license documentation

-

- list of software usage restrictions

-

- software license tracking reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- organizational personnel operating, using, and/or maintaining the information system

-

- organizational personnel with software license management responsibilities

-
-
-

Assessment: TEST

-

- Organizational process for tracking the use of software protected by quantity licenses

-

- organization process for controlling/documenting the use of peer-to-peer file sharing technology

-

- automated mechanisms implementing software license tracking

-

- automated mechanisms implementing and controlling the use of peer-to-peer files sharing technology

-
-

References: None -

-
-
-

- CM-11 USER-INSTALLED SOFTWARE

-
-

- Parameter: - cm-11_a organization-defined policies

-

- Value: organization-defined policies

-
-
-

- Parameter: - cm-11_b organization-defined methods

-

- Value: organization-defined methods

-
-
-

- Parameter: - cm-11_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes - - cm-11_a - - organization-defined policies - organization-defined policies - governing the installation of software by users;

-
-
-
- - - - - - - -
-

b.

-
-

Enforces software installation policies through - - cm-11_b - - organization-defined methods - organization-defined methods - ; and

-
-
-
- - - - - - - -
-

c.

-
-

Monitors policy compliance at - - cm-11_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved �app stores.� Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines policies to govern the installation of software by users;

-
-
-
- - - - - - - -
-

[2]

-
-

establishes organization-defined policies governing the installation of software by users;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines methods to enforce software installation policies;

-
-
-
- - - - - - - -
-

[2]

-
-

enforces software installation policies through organization-defined methods;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines frequency to monitor policy compliance; and

-
-
-
- - - - - - - -
-

[2]

-
-

monitors policy compliance at organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing user installed software

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of rules governing user installed software

-

- information system monitoring records

-

- information system audit records

-

- other relevant documents or records

-

- continuous monitoring strategy

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for governing user-installed software

-

- organizational personnel operating, using, and/or maintaining the information system

-

- organizational personnel monitoring compliance with user-installed software policy

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes governing user-installed software on the information system

-

- automated mechanisms enforcing rules/methods for governing the installation of software by users

-

- automated mechanisms monitoring policy compliance

-
-

References: None -

-
-
-
-

CONTINGENCY PLANNING

-
-

- CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES

-
-

- Parameter: - cp-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - cp-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cp-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - cp-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Contingency planning policy - - cp-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Contingency planning procedures - - cp-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

the organization develops and documents a contingency planning policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines personnel or roles to whom the contingency planning policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization disseminates the contingency planning policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

the organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the frequency to review and update the current contingency planning policy;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization reviews and updates the current contingency planning with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the frequency to review and update the current contingency planning procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

the organization reviews and updates the current contingency planning procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-34

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- CP-2 CONTINGENCY PLAN

-
-

- Parameter: - cp-2_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - cp-2_b organization-defined key contingency personnel (identified by name and/or by role) and organizational elements

-

- Value: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements

-
-
-

- Parameter: - cp-2_c organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cp-2_d organization-defined key contingency personnel (identified by name and/or by role) and organizational elements

-

- Value: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops a contingency plan for the information system that:

-
- - - - - - - -
-

1.

-
-

Identifies essential missions and business functions and associated contingency requirements;

-
-
-
- - - - - - - -
-

2.

-
-

Provides recovery objectives, restoration priorities, and metrics;

-
-
-
- - - - - - - -
-

3.

-
-

Addresses contingency roles, responsibilities, assigned individuals with contact information;

-
-
-
- - - - - - - -
-

4.

-
-

Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;

-
-
-
- - - - - - - -
-

5.

-
-

Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and

-
-
-
- - - - - - - -
-

6.

-
-

Is reviewed and approved by - - cp-2_a - - organization-defined personnel or roles - organization-defined personnel or roles - ;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Distributes copies of the contingency plan to - - cp-2_b - - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - ;

-
-
-
- - - - - - - -
-

c.

-
-

Coordinates contingency planning activities with incident handling activities;

-
-
-
- - - - - - - -
-

d.

-
-

Reviews the contingency plan for the information system - - cp-2_c - - organization-defined frequency - organization-defined frequency - ;

-
-
-
- - - - - - - -
-

e.

-
-

Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

-
-
-
- - - - - - - -
-

f.

-
-

Communicates contingency plan changes to - - cp-2_d - - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - ; and

-
-
-
- - - - - - - -
-

g.

-
-

Protects the contingency plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Supplemental guidance

-

Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident.

- - - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops and documents a contingency plan for the information system that:

-
- - - - - - - -
-

(1)

-
-

identifies essential missions and business functions and associated contingency requirements;

-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[1]

-
-

provides recovery objectives;

-
-
-
- - - - - - - -
-

[2]

-
-

provides restoration priorities;

-
-
-
- - - - - - - -
-

[3]

-
-

provides metrics;

-
-
-
-
-
- - - - - - - -
-

(3)

-
-
- - - - - - - -
-

[1]

-
-

addresses contingency roles;

-
-
-
- - - - - - - -
-

[2]

-
-

addresses contingency responsibilities;

-
-
-
- - - - - - - -
-

[3]

-
-

addresses assigned individuals with contact information;

-
-
-
-
-
- - - - - - - -
-

(4)

-
-

addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;

-
-
-
- - - - - - - -
-

(5)

-
-

addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented;

-
-
-
- - - - - - - -
-

(6)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to review and approve the contingency plan for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

is reviewed and approved by organization-defined personnel or roles;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines key contingency personnel (identified by name and/or by role) and organizational elements to whom copies of the contingency plan are to be distributed;

-
-
-
- - - - - - - -
-

[2]

-
-

distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

coordinates contingency planning activities with incident handling activities;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency to review the contingency plan for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the contingency plan with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

updates the contingency plan to address:

-
- - - - - - - -
-

[1]

-
-

changes to the organization, information system, or environment of operation;

-
-
-
- - - - - - - -
-

[2]

-
-

problems encountered during plan implementation, execution, and testing;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines key contingency personnel (identified by name and/or by role) and organizational elements to whom contingency plan changes are to be communicated;

-
-
-
- - - - - - - -
-

[2]

-
-

communicates contingency plan changes to organization-defined key contingency personnel and organizational elements; and

-
-
-
-
-
- - - - - - - -
-

(g)

-
-

protects the contingency plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- security plan

-

- evidence of contingency plan reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with incident handling responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency plan development, review, update, and protection

-

- automated mechanisms for developing, reviewing, updating and/or protecting the contingency plan

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

NIST Special Publication 800-34

-
-
-
-
-

- CP-3 CONTINGENCY TRAINING

-
-

- Parameter: - cp-3_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - cp-3_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides contingency training to information system users consistent with assigned roles and responsibilities:

-
- - - - - - - -
-

a.

-
-

Within - - cp-3_a - - organization-defined time period - organization-defined time period - of assuming a contingency role or responsibility;

-
-
-
- - - - - - - -
-

b.

-
-

When required by information system changes; and

-
-
-
- - - - - - - -
-

c.

-
-

- - - cp-3_b - - organization-defined frequency - organization-defined frequency - thereafter.

-
-
-
-
-
-

Supplemental guidance

-

Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period within which contingency training is to be provided to information system users assuming a contingency role or responsibility;

-
-
-
- - - - - - - -
-

[2]

-
-

provides contingency training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming a contingency role or responsibility;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency for contingency training thereafter; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides contingency training to information system users consistent with assigned roles and responsibilities with the organization-defined frequency thereafter.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency training

-

- contingency plan

-

- contingency training curriculum

-

- contingency training material

-

- security plan

-

- contingency training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning, plan implementation, and training responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency training

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

NIST Special Publication 800-16

-
-
-

NIST Special Publication 800-50

-
-
-
-
-

- CP-4 CONTINGENCY PLAN TESTING

-
-

- Parameter: - cp-4_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cp-4_b organization-defined tests

-

- Value: organization-defined tests

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Tests the contingency plan for the information system - - cp-4_a - - organization-defined frequency - organization-defined frequency - using - - cp-4_b - - organization-defined tests - organization-defined tests - to determine the effectiveness of the plan and the organizational readiness to execute the plan;

-
-
-
- - - - - - - -
-

b.

-
-

Reviews the contingency plan test results; and

-
-
-
- - - - - - - -
-

c.

-
-

Initiates corrective actions, if needed.

-
-
-
-
-
-

Supplemental guidance

-

Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines tests to determine the effectiveness of the contingency plan and the organizational readiness to execute the plan;

-
-
-
- - - - - - - -
-

[2]

-
-

defines a frequency to test the contingency plan for the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

tests the contingency plan for the information system with the organization-defined frequency, using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

reviews the contingency plan test results; and

-
-
-
- - - - - - - -
-

(c)

-
-

initiates corrective actions, if needed.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency plan testing

-

- contingency plan

-

- security plan

-

- contingency plan test documentation

-

- contingency plan test results

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for contingency plan testing, reviewing or responding to contingency plan tests

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency plan testing

-

- automated mechanisms supporting the contingency plan and/or contingency plan testing

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-34

-
-
-

NIST Special Publication 800-84

-
-
-
-
-

- CP-9 INFORMATION SYSTEM BACKUP

-
-

- Parameter: - cp-9_a organization-defined frequency consistent with recovery time and recovery point objectives

-

- Value: organization-defined frequency consistent with recovery time and recovery point objectives

-
-
-

- Parameter: - cp-9_b organization-defined frequency consistent with recovery time and recovery point objectives

-

- Value: organization-defined frequency consistent with recovery time and recovery point objectives

-
-
-

- Parameter: - cp-9_c organization-defined frequency consistent with recovery time and recovery point objectives

-

- Value: organization-defined frequency consistent with recovery time and recovery point objectives

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Conducts backups of user-level information contained in the information system - - cp-9_a - - organization-defined frequency consistent with recovery time and recovery point objectives - organization-defined frequency consistent with recovery time and recovery point objectives - ;

-
-
-
- - - - - - - -
-

b.

-
-

Conducts backups of system-level information contained in the information system - - cp-9_b - - organization-defined frequency consistent with recovery time and recovery point objectives - organization-defined frequency consistent with recovery time and recovery point objectives - ;

-
-
-
- - - - - - - -
-

c.

-
-

Conducts backups of information system documentation including security-related documentation - - cp-9_c - - organization-defined frequency consistent with recovery time and recovery point objectives - organization-defined frequency consistent with recovery time and recovery point objectives - ; and

-
-
-
- - - - - - - -
-

d.

-
-

Protects the confidentiality, integrity, and availability of backup information at storage locations.

-
-
-
-
-
-

Supplemental guidance

-

System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

conducts backups of user-level information contained in the information system with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

conducts backups of system-level information contained in the information system with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation;

-
-
-
- - - - - - - -
-

[2]

-
-

conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

protects the confidentiality, integrity, and availability of backup information at storage locations.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- backup storage location(s)

-

- information system backup logs or records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system backup responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for conducting information system backups

-

- automated mechanisms supporting and/or implementing information system backups

-
-
-

References

-
-

NIST Special Publication 800-34

-
-
-
-
-

- CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

-
-
-
-

Supplemental guidance

-

Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures.

- - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization provides for:

-
- - - - - - - -
-

[1]

-
-

the recovery of the information system to a known state after:

-
- - - - - - - -
-

[a]

-
-

a disruption;

-
-
-
- - - - - - - -
-

[b]

-
-

a compromise; or

-
-
-
- - - - - - - -
-

[c]

-
-

a failure;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the reconstitution of the information system to a known state after:

-
- - - - - - - -
-

[a]

-
-

a disruption;

-
-
-
- - - - - - - -
-

[b]

-
-

a compromise; or

-
-
-
- - - - - - - -
-

[c]

-
-

a failure.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- information system backup test results

-

- contingency plan test results

-

- contingency plan test documentation

-

- redundant secondary system for information system backups

-

- location(s) of redundant secondary backup system(s)

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes implementing information system recovery and reconstitution operations

-

- automated mechanisms supporting and/or implementing information system recovery and reconstitution operations

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

NIST Special Publication 800-34

-
-
-
-
-
-

IDENTIFICATION AND AUTHENTICATION

-
-

- IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES

-
-

- Parameter: - ia-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ia-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ia-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ia-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Identification and authentication policy - - ia-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Identification and authentication procedures - - ia-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an identification and authentication policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the identification and authentication policy is to be disseminated; and

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the identification and authentication policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current identification and authentication policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current identification and authentication policy with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current identification and authentication procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current identification and authentication procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with identification and authentication responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

-
-
-
-

Supplemental guidance

-

Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. -Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. 
Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.

- - - - - - - - -
-
-

- IA-2 (1) NETWORK ACCESS TO PRIVILEGED ACCOUNTS

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements multifactor authentication for network access to privileged accounts.

-
-
-
-

Supplemental guidance

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system implements multifactor authentication for network access to privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing multifactor authentication capability

-
-

References: None -

-
-
-

- IA-2 (12) ACCEPTANCE OF PIV CREDENTIALS

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

-
-
-
-

Supplemental guidance

-

This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

[1]

-
-

accepts Personal Identity Verification (PIV) credentials; and

-
-
-
- - - - - - - -
-

[2]

-
-

electronically verifies Personal Identity Verification (PIV) credentials.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- PIV verification records

-

- evidence of PIV credentials

-

- PIV credential authorizations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing acceptance and verification of PIV credentials

-
-

References: None -

-
-
-

Objective

- - - - - - -
- -

Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- organizational personnel with account management responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for uniquely identifying and authenticating users

-

- automated mechanisms supporting and/or implementing identification and authentication capability

-
-
-

References

-
-

HSPD-12

-
-
-

OMB Memorandum 04-04

-
-
-

OMB Memorandum 06-16

-
-
-

OMB Memorandum 11-11

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

FICAM Roadmap and Implementation Guidance

-
-
-

http://idmanagement.gov

-
-
-
-
-

- IA-4 IDENTIFIER MANAGEMENT

-
-

- Parameter: - ia-4_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ia-4_b organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ia-4_c organization-defined time period of inactivity

-

- Value: organization-defined time period of inactivity

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization manages information system identifiers by:

-
- - - - - - - -
-

a.

-
-

Receiving authorization from - - ia-4_a - - organization-defined personnel or roles - organization-defined personnel or roles - to assign an individual, group, role, or device identifier;

-
-
-
- - - - - - - -
-

b.

-
-

Selecting an identifier that identifies an individual, group, role, or device;

-
-
-
- - - - - - - -
-

c.

-
-

Assigning the identifier to the intended individual, group, role, or device;

-
-
-
- - - - - - - -
-

d.

-
-

Preventing reuse of identifiers for - - ia-4_b - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

e.

-
-

Disabling the identifier after - - ia-4_c - - organization-defined time period of inactivity - organization-defined time period of inactivity - .

-
-
-
-
-
-

Supplemental guidance

-

Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization manages information system identifiers by:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defining personnel or roles from whom authorization must be received to assign:

-
- - - - - - - -
-

[a]

-
-

an individual identifier;

-
-
-
- - - - - - - -
-

[b]

-
-

a group identifier;

-
-
-
- - - - - - - -
-

[c]

-
-

a role identifier; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

a device identifier;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

receiving authorization from organization-defined personnel or roles to assign:

-
- - - - - - - -
-

[a]

-
-

an individual identifier;

-
-
-
- - - - - - - -
-

[b]

-
-

a group identifier;

-
-
-
- - - - - - - -
-

[c]

-
-

a role identifier; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

a device identifier;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

selecting an identifier that identifies:

-
- - - - - - - -
-

[1]

-
-

an individual;

-
-
-
- - - - - - - -
-

[2]

-
-

a group;

-
-
-
- - - - - - - -
-

[3]

-
-

a role; and/or

-
-
-
- - - - - - - -
-

[4]

-
-

a device;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

assigning the identifier to the intended:

-
- - - - - - - -
-

[1]

-
-

individual;

-
-
-
- - - - - - - -
-

[2]

-
-

group;

-
-
-
- - - - - - - -
-

[3]

-
-

role; and/or

-
-
-
- - - - - - - -
-

[4]

-
-

device;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defining a time period for preventing reuse of identifiers;

-
-
-
- - - - - - - -
-

[2]

-
-

preventing reuse of identifiers for the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defining a time period of inactivity to disable the identifier; and

-
-
-
- - - - - - - -
-

[2]

-
-

disabling the identifier after the organization-defined time period of inactivity.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing identifier management

-

- procedures addressing account management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of information system accounts

-

- list of identifiers generated from physical access control devices

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with identifier management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identifier management

-
-
-

References

-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-
-
-

- IA-5 AUTHENTICATOR MANAGEMENT

-
-

- Parameter: - ia-5_a organization-defined time period by authenticator type

-

- Value: organization-defined time period by authenticator type

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization manages information system authenticators by:

-
- - - - - - - -
-

a.

-
-

Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;

-
-
-
- - - - - - - -
-

b.

-
-

Establishing initial authenticator content for authenticators defined by the organization;

-
-
-
- - - - - - - -
-

c.

-
-

Ensuring that authenticators have sufficient strength of mechanism for their intended use;

-
-
-
- - - - - - - -
-

d.

-
-

Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;

-
-
-
- - - - - - - -
-

e.

-
-

Changing default content of authenticators prior to information system installation;

-
-
-
- - - - - - - -
-

f.

-
-

Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;

-
-
-
- - - - - - - -
-

g.

-
-

Changing/refreshing authenticators - - ia-5_a - - organization-defined time period by authenticator type - organization-defined time period by authenticator type - ;

-
-
-
- - - - - - - -
-

h.

-
-

Protecting authenticator content from unauthorized disclosure and modification;

-
-
-
- - - - - - - -
-

i.

-
-

Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and

-
-
-
- - - - - - - -
-

j.

-
-

Changing authenticators for group/role accounts when membership to those accounts changes.

-
-
-
-
-
-

Supplemental guidance

-

Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.

- - - - - - - - - - - - - - -
-
-

- IA-5 (1) PASSWORD-BASED AUTHENTICATION

-
-

- Parameter: - ia-5_b organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type

-

- Value: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type

-
-
-

- Parameter: - ia-5_c organization-defined number

-

- Value: organization-defined number

-
-
-

- Parameter: - ia-5_d organization-defined numbers for lifetime minimum, lifetime maximum

-

- Value: organization-defined numbers for lifetime minimum, lifetime maximum

-
-
-

- Parameter: - ia-5_e organization-defined number

-

- Value: organization-defined number

-
-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system, for password-based authentication:

-
- - - - - - - -
-

(a)

-
-

Enforces minimum password complexity of - - ia-5_b - - organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type - organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type - ;

-
-
-
- - - - - - - -
-

(b)

-
-

Enforces at least the following number of changed characters when new passwords are created: - - ia-5_c - - organization-defined number - organization-defined number - ;

-
-
-
- - - - - - - -
-

(c)

-
-

Stores and transmits only cryptographically-protected passwords;

-
-
-
- - - - - - - -
-

(d)

-
-

Enforces password minimum and maximum lifetime restrictions of - - ia-5_d - - organization-defined numbers for lifetime minimum, lifetime maximum - organization-defined numbers for lifetime minimum, lifetime maximum - ;

-
-
-
- - - - - - - -
-

(e)

-
-

Prohibits password reuse for - - ia-5_e - - organization-defined number - organization-defined number - generations; and

-
-
-
- - - - - - - -
-

(f)

-
-

Allows the use of a temporary password for system logons with an immediate change to a permanent password.

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.

- -
-
-

Objectives

- - - - - - -
- -

Determine if, for password-based authentication:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines requirements for case sensitivity;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines requirements for number of characters;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines requirements for the mix of upper-case letters, lower-case letters, numbers and special characters;

-
-
-
- - - - - - - -
-

[4]

-
-

the organization defines minimum requirements for each type of character;

-
-
-
- - - - - - - -
-

[5]

-
-

the information system enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines a minimum number of changed characters to be enforced when new passwords are created;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system enforces at least the organization-defined minimum number of characters that must be changed when new passwords are created;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

the information system stores and transmits only encrypted representations of passwords;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines numbers for password minimum lifetime restrictions to be enforced for passwords;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines numbers for password maximum lifetime restrictions to be enforced for passwords;

-
-
-
- - - - - - - -
-

[3]

-
-

the information system enforces password minimum lifetime restrictions of organization-defined numbers for lifetime minimum;

-
-
-
- - - - - - - -
-

[4]

-
-

the information system enforces password maximum lifetime restrictions of organization-defined numbers for lifetime maximum;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the number of password generations to be prohibited from password reuse;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system prohibits password reuse for the organization-defined number of generations; and

-
-
-
-
-
- - - - - - - -
-

(f)

-
-

the information system allows the use of a temporary password for system logons with an immediate change to a permanent password.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- password policy

-

- procedures addressing authenticator management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- password configurations and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with authenticator management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing password-based authenticator management capability

-
-

References: None -

-
-
-

- IA-5 (11) HARDWARE TOKEN-BASED AUTHENTICATION

-
-

- Parameter: - ia-5_l organization-defined token quality requirements

-

- Value: organization-defined token quality requirements

-
-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system, for hardware token-based authentication, employs mechanisms that satisfy - - ia-5_l - - organization-defined token quality requirements - organization-defined token quality requirements - .

-
-
-
-

Supplemental guidance

-

Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI.

-
-
-

Objectives

- - - - - - -
- -

Determine if, for hardware token-based authentication:

-
- - - - - - - -
-

[1]

-
-

the organization defines token quality requirements to be satisfied; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system employs mechanisms that satisfy organization-defined token quality requirements.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator management

-

- security plan

-

- information system design documentation

-

- automated mechanisms employing hardware token-based authentication for the information system

-

- list of token quality requirements

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with authenticator management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing hardware token-based authenticator management capability

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization manages information system authenticators by:

-
- - - - - - - -
-

(a)

-
-

verifying, as part of the initial authenticator distribution, the identity of:

-
- - - - - - - -
-

[1]

-
-

the individual receiving the authenticator;

-
-
-
- - - - - - - -
-

[2]

-
-

the group receiving the authenticator;

-
-
-
- - - - - - - -
-

[3]

-
-

the role receiving the authenticator; and/or

-
-
-
- - - - - - - -
-

[4]

-
-

the device receiving the authenticator;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

establishing initial authenticator content for authenticators defined by the organization;

-
-
-
- - - - - - - -
-

(c)

-
-

ensuring that authenticators have sufficient strength of mechanism for their intended use;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

establishing and implementing administrative procedures for initial authenticator distribution;

-
-
-
- - - - - - - -
-

[2]

-
-

establishing and implementing administrative procedures for lost/compromised or damaged authenticators;

-
-
-
- - - - - - - -
-

[3]

-
-

establishing and implementing administrative procedures for revoking authenticators;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

changing default content of authenticators prior to information system installation;

-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

establishing minimum lifetime restrictions for authenticators;

-
-
-
- - - - - - - -
-

[2]

-
-

establishing maximum lifetime restrictions for authenticators;

-
-
-
- - - - - - - -
-

[3]

-
-

establishing reuse conditions for authenticators;

-
-
-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

defining a time period (by authenticator type) for changing/refreshing authenticators;

-
-
-
- - - - - - - -
-

[2]

-
-

changing/refreshing authenticators with the organization-defined time period by authenticator type;

-
-
-
-
-
- - - - - - - -
-

(h)

-
-

protecting authenticator content from unauthorized:

-
- - - - - - - -
-

[1]

-
-

disclosure;

-
-
-
- - - - - - - -
-

[2]

-
-

modification;

-
-
-
-
-
- - - - - - - -
-

(i)

-
-
- - - - - - - -
-

[1]

-
-

requiring individuals to take specific security safeguards to protect authenticators;

-
-
-
- - - - - - - -
-

[2]

-
-

having devices implement specific security safeguards to protect authenticators; and

-
-
-
-
-
- - - - - - - -
-

(j)

-
-

changing authenticators for group/role accounts when membership to those accounts changes.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator management

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of information system authenticator types

-

- change control records associated with managing information system authenticators

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with authenticator management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing authenticator management capability

-
-
-

References

-
-

OMB Memorandum 04-04

-
-
-

OMB Memorandum 11-11

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

FICAM Roadmap and Implementation Guidance

-
-
-

http://idmanagement.gov

-
-
-
-
-

- IA-6 AUTHENTICATOR FEEDBACK

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

-
-
-
-

Supplemental guidance

-

The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it.

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator feedback

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication

-
-

References: None -

-
-
-

- IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

-
-
-
-

Supplemental guidance

-

Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing cryptographic module authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for cryptographic module authentication

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing cryptographic module authentication

-
-
-

References

-
-

FIPS Publication 140

-
-
-

http://csrc.nist.gov/groups/STM/cmvp/index.html

-
-
-
-
-

- IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

-
-
-
-

Supplemental guidance

-

Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users.

- - - - - - - - - - - -
-
-

- IA-8 (1) ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

-
-
-
-

Supplemental guidance

-

This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

[1]

-
-

accepts Personal Identity Verification (PIV) credentials from other agencies; and

-
-
-
- - - - - - - -
-

[2]

-
-

electronically verifies Personal Identity Verification (PIV) credentials from other agencies.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- PIV verification records

-

- evidence of PIV credentials

-

- PIV credential authorizations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-

- organizational personnel with account management responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms that accept and verify PIV credentials

-
-

References: None -

-
-
-

- IA-8 (2) ACCEPTANCE OF THIRD-PARTY CREDENTIALS

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system accepts only FICAM-approved third-party credentials.

-
-
-
-

Supplemental guidance

-

This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system accepts only FICAM-approved third-party credentials.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization

-

- third-party credential verification records

-

- evidence of FICAM-approved third-party credentials

-

- third-party credential authorizations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-

- organizational personnel with account management responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms that accept FICAM-approved credentials

-
-

References: None -

-
-
-

- IA-8 (3) USE OF FICAM-APPROVED PRODUCTS

-
-

- Parameter: - ia-8_a organization-defined information systems

-

- Value: organization-defined information systems

-
-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs only FICAM-approved information system components in - - ia-8_a - - organization-defined information systems - organization-defined information systems - to accept third-party credentials.

-
-
-
-

Supplemental guidance

-

This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information systems in which only FICAM-approved information system components are to be employed to accept third-party credentials; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- system and services acquisition policy

-

- procedures addressing user identification and authentication

-

- procedures addressing the integration of security requirements into the acquisition process

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- third-party credential validations

-

- third-party credential authorizations

-

- third-party credential records

-

- list of FICAM-approved information system components procured and implemented by organization

-

- acquisition documentation

-

- acquisition contracts for information system procurements or services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- system/network administrators

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information system security, acquisition, and contracting responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-
-

References: None -

-
-
-

- IA-8 (4) USE OF FICAM-ISSUED PROFILES

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system conforms to FICAM-issued profiles.

-
-
-
-

Supplemental guidance

-

This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange).

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system conforms to FICAM-issued profiles.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- system and services acquisition policy

-

- procedures addressing user identification and authentication

-

- procedures addressing the integration of security requirements into the acquisition process

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of FICAM-issued profiles and associated, approved protocols

-

- acquisition documentation

-

- acquisition contracts for information system procurements or services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-

- organizational personnel with account management responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms supporting and/or implementing conformance with FICAM-issued profiles

-
-

References: None -

-
-
-

Objective

- - - - - - -
- -

Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- organizational personnel with account management responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-
-
-

References

-
-

OMB Memorandum 04-04

-
-
-

OMB Memorandum 11-11

-
-
-

OMB Memorandum 10-06-2011

-
-
-

FICAM Roadmap and Implementation Guidance

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-116

-
-
-

National Strategy for Trusted Identities in Cyberspace

-
-
-

http://idmanagement.gov

-
-
-
-
-
-

INCIDENT RESPONSE

-
-

- IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES

-
-

- Parameter: - ir-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ir-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ir-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ir-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Incident response policy - - ir-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Incident response procedures - - ir-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an incident response policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the incident response policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the incident response policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current incident response policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current incident response policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current incident response procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current incident response procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-61

-
-
-

NIST Special Publication 800-83

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- IR-2 INCIDENT RESPONSE TRAINING

-
-

- Parameter: - ir-2_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ir-2_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides incident response training to information system users consistent with assigned roles and responsibilities:

-
- - - - - - - -
-

a.

-
-

Within - - ir-2_a - - organization-defined time period - organization-defined time period - of assuming an incident response role or responsibility;

-
-
-
- - - - - - - -
-

b.

-
-

When required by information system changes; and

-
-
-
- - - - - - - -
-

c.

-
-

- - - ir-2_b - - organization-defined frequency - organization-defined frequency - thereafter.

-
-
-
-
-
-

Supplemental guidance

-

Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period within which incident response training is to be provided to information system users assuming an incident response role or responsibility;

-
-
-
- - - - - - - -
-

[2]

-
-

provides incident response training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming an incident response role or responsibility;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to provide refresher incident response training to information system users consistent with assigned roles or responsibilities; and

-
-
-
- - - - - - - -
-

[2]

-
-

after the initial incident response training, provides refresher incident response training to information system users consistent with assigned roles and responsibilities in accordance with the organization-defined frequency to provide refresher training.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response training

-

- incident response training curriculum

-

- incident response training materials

-

- security plan

-

- incident response plan

-

- security plan

-

- incident response training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response training and operational responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-16

-
-
-

NIST Special Publication 800-50

-
-
-
-
-

- IR-4 INCIDENT HANDLING

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;

-
-
-
- - - - - - - -
-

b.

-
-

Coordinates incident handling activities with contingency planning activities; and

-
-
-
- - - - - - - -
-

c.

-
-

Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.

-
-
-
-
-
-

Supplemental guidance

-

Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).

- - - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

implements an incident handling capability for security incidents that includes:

-
- - - - - - - -
-

[1]

-
-

preparation;

-
-
-
- - - - - - - -
-

[2]

-
-

detection and analysis;

-
-
-
- - - - - - - -
-

[3]

-
-

containment;

-
-
-
- - - - - - - -
-

[4]

-
-

eradication;

-
-
-
- - - - - - - -
-

[5]

-
-

recovery;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

coordinates incident handling activities with contingency planning activities;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

incorporates lessons learned from ongoing incident handling activities into:

-
- - - - - - - -
-

[a]

-
-

incident response procedures;

-
-
-
- - - - - - - -
-

[b]

-
-

training;

-
-
-
- - - - - - - -
-

[c]

-
-

testing/exercises;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

implements the resulting changes accordingly to:

-
- - - - - - - -
-

[a]

-
-

incident response procedures;

-
-
-
- - - - - - - -
-

[b]

-
-

training; and

-
-
-
- - - - - - - -
-

[c]

-
-

testing/exercises.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- contingency planning policy

-

- procedures addressing incident handling

-

- incident response plan

-

- contingency plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident handling responsibilities

-

- organizational personnel with contingency planning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Incident handling capability for the organization

-
-
-

References

-
-

Executive Order 13587

-
-
-

NIST Special Publication 800-61

-
-
-
-
-

- IR-5 INCIDENT MONITORING

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tracks and documents information system security incidents.

-
-
-
-

Supplemental guidance

-

Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.

- - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

tracks information system security incidents; and

-
-
-
- - - - - - - -
-

[2]

-
-

documents information system security incidents.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident monitoring

-

- incident response records and documentation

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident monitoring responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Incident monitoring capability for the organization

-

- automated mechanisms supporting and/or implementing tracking and documenting of system security incidents

-
-
-

References

-
-

NIST Special Publication 800-61

-
-
-
-
-

- IR-6 INCIDENT REPORTING

-
-

- Parameter: - ir-6_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ir-6_b organization-defined authorities

-

- Value: organization-defined authorities

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Requires personnel to report suspected security incidents to the organizational incident response capability within - - ir-6_a - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Reports security incident information to - - ir-6_b - - organization-defined authorities - organization-defined authorities - .

-
-
-
-
-
-

Supplemental guidance

-

The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the time period within which personnel report suspected security incidents to the organizational incident response capability;

-
-
-
- - - - - - - -
-

[2]

-
-

requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines authorities to whom security incident information is to be reported; and

-
-
-
- - - - - - - -
-

[2]

-
-

reports security incident information to organization-defined authorities.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident reporting

-

- incident reporting records and documentation

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident reporting responsibilities

-

- organizational personnel with information security responsibilities

-

- personnel who have/should have reported incidents

-

- personnel (authorities) to whom incident information is to be reported

-
-
-

Assessment: TEST

-

- Organizational processes for incident reporting

-

- automated mechanisms supporting and/or implementing incident reporting

-
-
-

References

-
-

NIST Special Publication 800-61

-
-
-

http://www.us-cert.gov

-
-
-
-
-

- IR-7 INCIDENT RESPONSE ASSISTANCE

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

-
-
-
-

Supplemental guidance

-

Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization provides an incident response support resource:

-
- - - - - - - -
-

[1]

-
-

that is integral to the organizational incident response capability; and

-
-
-
- - - - - - - -
-

[2]

-
-

that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response assistance

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response assistance and support responsibilities

-

- organizational personnel with access to incident response support and assistance capability

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for incident response assistance

-

- automated mechanisms supporting and/or implementing incident response assistance

-
-

References: None -

-
-
-

- IR-8 INCIDENT RESPONSE PLAN

-
-

- Parameter: - ir-8_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ir-8_b organization-defined incident response personnel (identified by name and/or by role) and organizational elements

-

- Value: organization-defined incident response personnel (identified by name and/or by role) and organizational elements

-
-
-

- Parameter: - ir-8_c organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ir-8_d organization-defined incident response personnel (identified by name and/or by role) and organizational elements

-

- Value: organization-defined incident response personnel (identified by name and/or by role) and organizational elements

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops an incident response plan that:

-
- - - - - - - -
-

1.

-
-

Provides the organization with a roadmap for implementing its incident response capability;

-
-
-
- - - - - - - -
-

2.

-
-

Describes the structure and organization of the incident response capability;

-
-
-
- - - - - - - -
-

3.

-
-

Provides a high-level approach for how the incident response capability fits into the overall organization;

-
-
-
- - - - - - - -
-

4.

-
-

Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

-
-
-
- - - - - - - -
-

5.

-
-

Defines reportable incidents;

-
-
-
- - - - - - - -
-

6.

-
-

Provides metrics for measuring the incident response capability within the organization;

-
-
-
- - - - - - - -
-

7.

-
-

Defines the resources and management support needed to effectively maintain and mature an incident response capability; and

-
-
-
- - - - - - - -
-

8.

-
-

Is reviewed and approved by - - ir-8_a - - organization-defined personnel or roles - organization-defined personnel or roles - ;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Distributes copies of the incident response plan to - - ir-8_b - - organization-defined incident response personnel (identified by name and/or by role) and organizational elements - organization-defined incident response personnel (identified by name and/or by role) and organizational elements - ;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews the incident response plan - - ir-8_c - - organization-defined frequency - organization-defined frequency - ;

-
-
-
- - - - - - - -
-

d.

-
-

Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;

-
-
-
- - - - - - - -
-

e.

-
-

Communicates incident response plan changes to - - ir-8_d - - organization-defined incident response personnel (identified by name and/or by role) and organizational elements - organization-defined incident response personnel (identified by name and/or by role) and organizational elements - ; and

-
-
-
- - - - - - - -
-

f.

-
-

Protects the incident response plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Supplemental guidance

-

It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops an incident response plan that:

-
- - - - - - - -
-

(1)

-
-

provides the organization with a roadmap for implementing its incident response capability;

-
-
-
- - - - - - - -
-

(2)

-
-

describes the structure and organization of the incident response capability;

-
-
-
- - - - - - - -
-

(3)

-
-

provides a high-level approach for how the incident response capability fits into the overall organization;

-
-
-
- - - - - - - -
-

(4)

-
-

meets the unique requirements of the organization, which relate to:

-
- - - - - - - -
-

[1]

-
-

mission;

-
-
-
- - - - - - - -
-

[2]

-
-

size;

-
-
-
- - - - - - - -
-

[3]

-
-

structure;

-
-
-
- - - - - - - -
-

[4]

-
-

functions;

-
-
-
-
-
- - - - - - - -
-

(5)

-
-

defines reportable incidents;

-
-
-
- - - - - - - -
-

(6)

-
-

provides metrics for measuring the incident response capability within the organization;

-
-
-
- - - - - - - -
-

(7)

-
-

defines the resources and management support needed to effectively maintain and mature an incident response capability;

-
-
-
- - - - - - - -
-

(8)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to review and approve the incident response plan;

-
-
-
- - - - - - - -
-

[2]

-
-

is reviewed and approved by organization-defined personnel or roles;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed;

-
-
-
- - - - - - - -
-

[b]

-
-

defines organizational elements to whom copies of the incident response plan are to be distributed;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the incident response plan;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the incident response plan with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

updates the incident response plan to address system/organizational changes or problems encountered during plan:

-
- - - - - - - -
-

[1]

-
-

implementation;

-
-
-
- - - - - - - -
-

[2]

-
-

execution; or

-
-
-
- - - - - - - -
-

[3]

-
-

testing;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines incident response personnel (identified by name and/or by role) to whom incident response plan changes are to be communicated;

-
-
-
- - - - - - - -
-

[b]

-
-

defines organizational elements to whom incident response plan changes are to be communicated;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements; and

-
-
-
-
-
- - - - - - - -
-

(f)

-
-

protects the incident response plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response planning

-

- incident response plan

-

- records of incident response plan reviews and approvals

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response planning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational incident response plan and related organizational processes

-
-
-

References

-
-

NIST Special Publication 800-61

-
-
-
-
-
-

MAINTENANCE

-
-

- MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES

-
-

- Parameter: - ma-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ma-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ma-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ma-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

System maintenance policy - - ma-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

System maintenance procedures - - ma-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a system maintenance policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the system maintenance policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the system maintenance policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the maintenance policy and associated system maintenance controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system maintenance policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system maintenance policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system maintenance procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system maintenance procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Maintenance policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- MA-2 CONTROLLED MAINTENANCE

-
-

- Parameter: - ma-2_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ma-2_b organization-defined maintenance-related information

-

- Value: organization-defined maintenance-related information

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;

-
-
-
- - - - - - - -
-

b.

-
-

Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

-
-
-
- - - - - - - -
-

c.

-
-

Requires that - - ma-2_a - - organization-defined personnel or roles - organization-defined personnel or roles - explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

-
-
-
- - - - - - - -
-

d.

-
-

Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;

-
-
-
- - - - - - - -
-

e.

-
-

Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and

-
-
-
- - - - - - - -
-

f.

-
-

Includes - - ma-2_b - - organization-defined maintenance-related information - organization-defined maintenance-related information - in organizational maintenance records.

-
-
-
-
-
-

Supplemental guidance

-

This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

schedules maintenance and repairs on information system components in accordance with:

-
- - - - - - - -
-

[a]

-
-

manufacturer or vendor specifications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

organizational requirements;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

performs maintenance and repairs on information system components in accordance with:

-
- - - - - - - -
-

[a]

-
-

manufacturer or vendor specifications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

organizational requirements;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

documents maintenance and repairs on information system components in accordance with:

-
- - - - - - - -
-

[a]

-
-

manufacturer or vendor specifications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

organizational requirements;

-
-
-
-
-
- - - - - - - -
-

[4]

-
-

reviews records of maintenance and repairs on information system components in accordance with:

-
- - - - - - - -
-

[a]

-
-

manufacturer or vendor specifications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

organizational requirements;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

approves all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles required to explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

-
-
-
- - - - - - - -
-

[2]

-
-

requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;

-
-
-
- - - - - - - -
-

(e)

-
-

checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;

-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines maintenance-related information to be included in organizational maintenance records; and

-
-
-
- - - - - - - -
-

[2]

-
-

includes organization-defined maintenance-related information in organizational maintenance records.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing controlled information system maintenance

-

- maintenance records

-

- manufacturer/vendor maintenance specifications

-

- equipment sanitization records

-

- media sanitization records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel responsible for media sanitization

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system

-

- organizational processes for sanitizing information system components

-

- automated mechanisms supporting and/or implementing controlled maintenance

-

- automated mechanisms implementing sanitization of information system components

-
-

References: None -

-
-
-

- MA-4 NONLOCAL MAINTENANCE

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Approves and monitors nonlocal maintenance and diagnostic activities;

-
-
-
- - - - - - - -
-

b.

-
-

Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;

-
-
-
- - - - - - - -
-

c.

-
-

Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;

-
-
-
- - - - - - - -
-

d.

-
-

Maintains records for nonlocal maintenance and diagnostic activities; and

-
-
-
- - - - - - - -
-

e.

-
-

Terminates session and network connections when nonlocal maintenance is completed.

-
-
-
-
-
-

Supplemental guidance

-

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.

- - - - - - - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

approves nonlocal maintenance and diagnostic activities;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors nonlocal maintenance and diagnostic activities;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

allows the use of nonlocal maintenance and diagnostic tools only:

-
- - - - - - - -
-

[1]

-
-

as consistent with organizational policy;

-
-
-
- - - - - - - -
-

[2]

-
-

as documented in the security plan for the information system;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;

-
-
-
- - - - - - - -
-

(d)

-
-

maintains records for nonlocal maintenance and diagnostic activities;

-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

terminates sessions when nonlocal maintenance or diagnostics is completed; and

-
-
-
- - - - - - - -
-

[2]

-
-

terminates network connections when nonlocal maintenance or diagnostics is completed.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing nonlocal information system maintenance

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- maintenance records

-

- diagnostic records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing nonlocal maintenance

-

- automated mechanisms implementing, supporting, and/or managing nonlocal maintenance

-

- automated mechanisms for strong authentication of nonlocal maintenance diagnostic sessions

-

- automated mechanisms for terminating nonlocal maintenance sessions and network connections

-
-
-

References

-
-

FIPS Publication 140-2

-
-
-

FIPS Publication 197

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-88

-
-
-

CNSS Policy 15

-
-
-
-
-

- MA-5 MAINTENANCE PERSONNEL

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;

-
-
-
- - - - - - - -
-

b.

-
-

Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and

-
-
-
- - - - - - - -
-

c.

-
-

Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

establishes a process for maintenance personnel authorization;

-
-
-
- - - - - - - -
-

[2]

-
-

maintains a list of authorized maintenance organizations or personnel;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and

-
-
-
- - - - - - - -
-

(c)

-
-

designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing maintenance personnel

-

- service provider contracts

-

- service-level agreements

-

- list of authorized personnel

-

- maintenance records

-

- access control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for authorizing and managing maintenance personnel

-

- automated mechanisms supporting and/or implementing authorization of maintenance personnel

-
-

References: None -

-
-
-
-

MEDIA PROTECTION

-
-

- MP-1 MEDIA PROTECTION POLICY AND PROCEDURES

-
-

- Parameter: - mp-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - mp-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - mp-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - mp-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Media protection policy - - mp-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Media protection procedures - - mp-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a media protection policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the media protection policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the media protection policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current media protection policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current media protection policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current media protection procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current media protection procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Media protection policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with media protection responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- MP-2 MEDIA ACCESS

-
-

- Parameter: - mp-2_a organization-defined types of digital and/or non-digital media

-

- Value: organization-defined types of digital and/or non-digital media

-
-
-

- Parameter: - mp-2_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization restricts access to - - mp-2_a - - organization-defined types of digital and/or non-digital media - organization-defined types of digital and/or non-digital media - to - - mp-2_b - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-

Supplemental guidance

-

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines types of digital and/or non-digital media requiring restricted access;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles authorized to access organization-defined types of digital and/or non-digital media; and

-
-
-
- - - - - - - -
-

[3]

-
-

restricts access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media access restrictions

-

- access control policy and procedures

-

- physical and environmental protection policy and procedures

-

- media storage facilities

-

- access control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media protection responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for restricting information media

-

- automated mechanisms supporting and/or implementing media access restrictions

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-111

-
-
-
-
-

- MP-6 MEDIA SANITIZATION

-
-

- Parameter: - mp-6_a organization-defined information system media

-

- Value: organization-defined information system media

-
-
-

- Parameter: - mp-6_b organization-defined sanitization techniques and procedures

-

- Value: organization-defined sanitization techniques and procedures

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Sanitizes - - mp-6_a - - organization-defined information system media - organization-defined information system media - prior to disposal, release out of organizational control, or release for reuse using - - mp-6_b - - organization-defined sanitization techniques and procedures - organization-defined sanitization techniques and procedures - in accordance with applicable federal and organizational standards and policies; and

-
-
-
- - - - - - - -
-

b.

-
-

Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information system media to be sanitized prior to:

-
- - - - - - - -
-

[a]

-
-

disposal;

-
-
-
- - - - - - - -
-

[b]

-
-

release out of organizational control; or

-
-
-
- - - - - - - -
-

[c]

-
-

release for reuse;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to:

-
- - - - - - - -
-

[a]

-
-

disposal;

-
-
-
- - - - - - - -
-

[b]

-
-

release out of organizational control; or

-
-
-
- - - - - - - -
-

[c]

-
-

release for reuse;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational standards and policies; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media sanitization and disposal

-

- applicable federal standards and policies addressing media sanitization

-

- media sanitization records

-

- audit records

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with media sanitization responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for media sanitization

-

- automated mechanisms supporting and/or implementing media sanitization

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-60

-
-
-

NIST Special Publication 800-88

-
-
-

http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml

-
-
-
-
-

- MP-7 MEDIA USE

-
-

- Parameter: - mp-7_a organization-defined types of information system media

-

- Value: organization-defined types of information system media

-
-
-

- Parameter: - mp-7_b organization-defined information systems or system components

-

- Value: organization-defined information systems or system components

-
-
-

- Parameter: - mp-7_c organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization [Selection: restricts; prohibits] the use of - - mp-7_a - - organization-defined types of information system media - organization-defined types of information system media - on - - mp-7_b - - organization-defined information systems or system components - organization-defined information systems or system components - using - - mp-7_c - - organization-defined security safeguards - organization-defined security safeguards - .

-
-
-
-

Supplemental guidance

-

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines types of information system media to be:

-
- - - - - - - -
-

[a]

-
-

restricted on information systems or system components; or

-
-
-
- - - - - - - -
-

[b]

-
-

prohibited from use on information systems or system components;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines information systems or system components on which the use of organization-defined types of information system media is to be one of the following:

-
- - - - - - - -
-

[a]

-
-

restricted; or

-
-
-
- - - - - - - -
-

[b]

-
-

prohibited;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

defines security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components; and

-
-
-
- - - - - - - -
-

[4]

-
-

restricts or prohibits the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- system use policy

-

- procedures addressing media usage restrictions

-

- security plan

-

- rules of behavior

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media use responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for media use

-

- automated mechanisms restricting or prohibiting use of information system media on information systems or system components

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-111

-
-
-
-
-
-

PHYSICAL AND ENVIRONMENTAL PROTECTION

-
-

- PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES

-
-

- Parameter: - pe-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - pe-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - pe-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - pe-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Physical and environmental protection policy - - pe-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Physical and environmental protection procedures - - pe-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a physical and environmental protection policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the physical and environmental protection policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the physical and environmental protection policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current physical and environmental protection policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current physical and environmental protection policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current physical and environmental protection procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current physical and environmental protection procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical and environmental protection responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- PE-2 PHYSICAL ACCESS AUTHORIZATIONS

-
-

- Parameter: - pe-2_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;

-
-
-
- - - - - - - -
-

b.

-
-

Issues authorization credentials for facility access;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews the access list detailing authorized facility access by individuals - - pe-2_a - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

d.

-
-

Removes individuals from the facility access list when access is no longer required.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

develops a list of individuals with authorized access to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[2]

-
-

approves a list of individuals with authorized access to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[3]

-
-

maintains a list of individuals with authorized access to the facility where the information system resides;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

issues authorization credentials for facility access;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the access list detailing authorized facility access by individuals;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the access list detailing authorized facility access by individuals with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

removes individuals from the facility access list when access is no longer required.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access authorizations

-

- security plan

-

- authorized personnel access list

-

- authorization credentials

-

- physical access list reviews

-

- physical access termination records and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access authorization responsibilities

-

- organizational personnel with physical access to information system facility

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for physical access authorizations

-

- automated mechanisms supporting and/or implementing physical access authorizations

-
-

References: None -

-
-
-

- PE-3 PHYSICAL ACCESS CONTROL

-
-

- Parameter: - pe-3_a organization-defined entry/exit points to the facility where the information system resides

-

- Value: organization-defined entry/exit points to the facility where the information system resides

-
-
-

- Parameter: - pe-3_b organization-defined physical access control systems/devices

-

- Value: organization-defined physical access control systems/devices

-
-
-

- Parameter: - pe-3_c organization-defined entry/exit points

-

- Value: organization-defined entry/exit points

-
-
-

- Parameter: - pe-3_d organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-
-

- Parameter: - pe-3_e organization-defined circumstances requiring visitor escorts and monitoring

-

- Value: organization-defined circumstances requiring visitor escorts and monitoring

-
-
-

- Parameter: - pe-3_f organization-defined physical access devices

-

- Value: organization-defined physical access devices

-
-
-

- Parameter: - pe-3_g organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - pe-3_h organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Enforces physical access authorizations at - - pe-3_a - - organization-defined entry/exit points to the facility where the information system resides - organization-defined entry/exit points to the facility where the information system resides - by;

-
- - - - - - - -
-

1.

-
-

Verifying individual access authorizations before granting access to the facility; and

-
-
-
- - - - - - - -
-

2.

-
-

Controlling ingress/egress to the facility using [Selection (one or more): - - pe-3_b - - organization-defined physical access control systems/devices - organization-defined physical access control systems/devices - ; guards];

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Maintains physical access audit logs for - - pe-3_c - - organization-defined entry/exit points - organization-defined entry/exit points - ;

-
-
-
- - - - - - - -
-

c.

-
-

Provides - - pe-3_d - - organization-defined security safeguards - organization-defined security safeguards - to control access to areas within the facility officially designated as publicly accessible;

-
-
-
- - - - - - - -
-

d.

-
-

Escorts visitors and monitors visitor activity - - pe-3_e - - organization-defined circumstances requiring visitor escorts and monitoring - organization-defined circumstances requiring visitor escorts and monitoring - ;

-
-
-
- - - - - - - -
-

e.

-
-

Secures keys, combinations, and other physical access devices;

-
-
-
- - - - - - - -
-

f.

-
-

Inventories - - pe-3_f - - organization-defined physical access devices - organization-defined physical access devices - every - - pe-3_g - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

g.

-
-

Changes combinations and keys - - pe-3_h - - organization-defined frequency - organization-defined frequency - and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.

- - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines entry/exit points to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[2]

-
-

enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides by:

-
- - - - - - - -
-

(1)

-
-

verifying individual access authorizations before granting access to the facility;

-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[a]

-
-

defining physical access control systems/devices to be employed to control ingress/egress to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[b]

-
-

using one or more of the following ways to control ingress/egress to the facility:

-
- - - - - - - -
-

[1]

-
-

organization-defined physical access control systems/devices; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

guards;

-
-
-
-
-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines entry/exit points for which physical access audit logs are to be maintained;

-
-
-
- - - - - - - -
-

[2]

-
-

maintains physical access audit logs for organization-defined entry/exit points;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible;

-
-
-
- - - - - - - -
-

[2]

-
-

provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines circumstances requiring visitor:

-
- - - - - - - -
-

[a]

-
-

escorts;

-
-
-
- - - - - - - -
-

[b]

-
-

monitoring;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

in accordance with organization-defined circumstances requiring visitor escorts and monitoring:

-
- - - - - - - -
-

[a]

-
-

escorts visitors;

-
-
-
- - - - - - - -
-

[b]

-
-

monitors visitor activities;

-
-
-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

secures keys;

-
-
-
- - - - - - - -
-

[2]

-
-

secures combinations;

-
-
-
- - - - - - - -
-

[3]

-
-

secures other physical access devices;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines physical access devices to be inventoried;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to inventory organization-defined physical access devices;

-
-
-
- - - - - - - -
-

[3]

-
-

inventories the organization-defined physical access devices with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to change combinations and keys; and

-
-
-
- - - - - - - -
-

[2]

-
-

changes combinations and keys with the organization-defined frequency and/or when:

-
- - - - - - - -
-

[a]

-
-

keys are lost;

-
-
-
- - - - - - - -
-

[b]

-
-

combinations are compromised;

-
-
-
- - - - - - - -
-

[c]

-
-

individuals are transferred or terminated.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access control

-

- security plan

-

- physical access control logs or records

-

- inventory records of physical access control devices

-

- information system entry and exit points

-

- records of key and lock combination changes

-

- storage locations for physical access control devices

-

- physical access control devices

-

- list of security safeguards controlling access to designated publicly accessible areas within facility

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for physical access control

-

- automated mechanisms supporting and/or implementing physical access control

-

- physical access control devices

-
-
-

References

-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

NIST Special Publication 800-116

-
-
-

ICD 704

-
-
-

ICD 705

-
-
-

DoD Instruction 5200.39

-
-
-

Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)

-
-
-

http://idmanagement.gov

-
-
-

http://fips201ep.cio.gov

-
-
-
-
-

- PE-6 MONITORING PHYSICAL ACCESS

-
-

- Parameter: - pe-6_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - pe-6_b organization-defined events or potential indications of events

-

- Value: organization-defined events or potential indications of events

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

-
-
-
- - - - - - - -
-

b.

-
-

Reviews physical access logs [Assignment (pe-6_a): organization-defined frequency] and upon occurrence of [Assignment (pe-6_b): organization-defined events or potential indications of events]; and

-
-
-
- - - - - - - -
-

c.

-
-

Coordinates results of reviews and investigations with the organizational incident response capability.

-
-
-
-
-
-

Supplemental guidance

-

Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review physical access logs;

-
-
-
- - - - - - - -
-

[2]

-
-

defines events or potential indications of events requiring physical access logs to be reviewed;

-
-
-
- - - - - - - -
-

[3]

-
-

reviews physical access logs with the organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

coordinates results of reviews and investigations with the organizational incident response capability.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access monitoring

-

- security plan

-

- physical access logs or records

-

- physical access monitoring records

-

- physical access log reviews

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access monitoring responsibilities

-

- organizational personnel with incident response responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring physical access

-

- automated mechanisms supporting and/or implementing physical access monitoring

-

- automated mechanisms supporting and/or implementing reviewing of physical access logs

-
-

References: None -

-
-
-

- PE-8 VISITOR ACCESS RECORDS

-
-

- Parameter: - pe-8_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - pe-8_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Maintains visitor access records to the facility where the information system resides for [Assignment (pe-8_a): organization-defined time period]; and

-
-
-
- - - - - - - -
-

b.

-
-

Reviews visitor access records [Assignment (pe-8_b): organization-defined frequency].

-
-
-
-
-
-

Supplemental guidance

-

Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the time period to maintain visitor access records to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[2]

-
-

maintains visitor access records to the facility where the information system resides for the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review visitor access records; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews visitor access records with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing visitor access records

-

- security plan

-

- visitor access control logs or records

-

- visitor access record or log reviews

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with visitor access records responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for maintaining and reviewing visitor access records

-

- automated mechanisms supporting and/or implementing maintenance and review of visitor access records

-
-

References: None -

-
-
-

- PE-12 EMERGENCY LIGHTING

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization employs and maintains automatic emergency lighting for the information system that:

-
- - - - - - - -
-

[1]

-
-

activates in the event of a power outage or disruption; and

-
-
-
- - - - - - - -
-

[2]

-
-

covers emergency exits and evacuation routes within the facility.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing emergency lighting

-

- emergency lighting documentation

-

- emergency lighting test records

-

- emergency exits and evacuation routes

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for emergency lighting and/or planning

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing emergency lighting capability

-
-

References: None -

-
-
-

- PE-13 FIRE PROTECTION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

employs fire suppression and detection devices/systems for the information system that are supported by an independent energy source; and

-
-
-
- - - - - - - -
-

[2]

-
-

maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing fire protection

-

- fire suppression and detection devices/systems

-

- fire suppression and detection devices/systems documentation

-

- test records of fire suppression and detection devices/systems

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for fire detection and suppression devices/systems

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing fire suppression/detection devices/systems

-
-

References: None -

-
-
-

- PE-14 TEMPERATURE AND HUMIDITY CONTROLS

-
-

- Parameter: - pe-14_a organization-defined acceptable levels

-

- Value: organization-defined acceptable levels

-
-
-

- Parameter: - pe-14_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Maintains temperature and humidity levels within the facility where the information system resides at [Assignment (pe-14_a): organization-defined acceptable levels]; and

-
-
-
- - - - - - - -
-

b.

-
-

Monitors temperature and humidity levels [Assignment (pe-14_b): organization-defined frequency].

-
-
-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines acceptable temperature levels to be maintained within the facility where the information system resides;

-
-
-
- - - - - - - -
-

[2]

-
-

defines acceptable humidity levels to be maintained within the facility where the information system resides;

-
-
-
- - - - - - - -
-

[3]

-
-

maintains temperature levels within the facility where the information system resides at the organization-defined levels;

-
-
-
- - - - - - - -
-

[4]

-
-

maintains humidity levels within the facility where the information system resides at the organization-defined levels;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to monitor temperature levels;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to monitor humidity levels;

-
-
-
- - - - - - - -
-

[3]

-
-

monitors temperature levels with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[4]

-
-

monitors humidity levels with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing temperature and humidity control

-

- security plan

-

- temperature and humidity controls

-

- facility housing the information system

-

- temperature and humidity controls documentation

-

- temperature and humidity records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for information system environmental controls

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing maintenance and monitoring of temperature and humidity levels

-
-

References: None -

-
-
-

- PE-15 WATER DAMAGE PROTECTION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are:

-
- - - - - - - -
-

[1]

-
-

accessible;

-
-
-
- - - - - - - -
-

[2]

-
-

working properly; and

-
-
-
- - - - - - - -
-

[3]

-
-

known to key personnel.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing water damage protection

-

- facility housing the information system

-

- master shutoff valves

-

- list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system

-

- master shutoff valve documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for information system environmental controls

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Master water-shutoff valves

-

- organizational process for activating master water-shutoff

-
-

References: None -

-
-
-

- PE-16 DELIVERY AND REMOVAL

-
-

- Parameter: - pe-16_a organization-defined types of information system components

-

- Value: organization-defined types of information system components

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization authorizes, monitors, and controls [Assignment (pe-16_a): organization-defined types of information system components] entering and exiting the facility and maintains records of those items.

-
-
-
-

Supplemental guidance

-

Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines types of information system components to be authorized, monitored, and controlled as such components are entering and exiting the facility;

-
-
-
- - - - - - - -
-

[2]

-
-

authorizes organization-defined information system components entering the facility;

-
-
-
- - - - - - - -
-

[3]

-
-

monitors organization-defined information system components entering the facility;

-
-
-
- - - - - - - -
-

[4]

-
-

controls organization-defined information system components entering the facility;

-
-
-
- - - - - - - -
-

[5]

-
-

authorizes organization-defined information system components exiting the facility;

-
-
-
- - - - - - - -
-

[6]

-
-

monitors organization-defined information system components exiting the facility;

-
-
-
- - - - - - - -
-

[7]

-
-

controls organization-defined information system components exiting the facility;

-
-
-
- - - - - - - -
-

[8]

-
-

maintains records of information system components entering the facility; and

-
-
-
- - - - - - - -
-

[9]

-
-

maintains records of information system components exiting the facility.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing delivery and removal of information system components from the facility

-

- security plan

-

- facility housing the information system

-

- records of items entering and exiting the facility

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for controlling information system components entering and exiting the facility

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational process for authorizing, monitoring, and controlling information system-related items entering and exiting the facility

-

- automated mechanisms supporting and/or implementing authorizing, monitoring, and controlling information system-related items entering and exiting the facility

-
-

References: None -

-
-
-
-

PLANNING

-
-

- PL-1 SECURITY PLANNING POLICY AND PROCEDURES

-
-

- Parameter: - pl-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - pl-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - pl-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to [Assignment (pl-1_a): organization-defined personnel or roles]:

-
- - - - - - - -
-

1.

-
-

A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Security planning policy [Assignment (pl-1_b): organization-defined frequency]; and

-
-
-
- - - - - - - -
-

2.

-
-

Security planning procedures [Assignment (pl-1_c): organization-defined frequency].

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a planning policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the planning policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the planning policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the planning policy and associated planning controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current planning policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current planning policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current planning procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current planning procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Planning policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with planning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-18

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- PL-2 SYSTEM SECURITY PLAN

-
-

- Parameter: - pl-2_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - pl-2_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops a security plan for the information system that:

-
- - - - - - - -
-

1.

-
-

Is consistent with the organization’s enterprise architecture;

-
-
-
- - - - - - - -
-

2.

-
-

Explicitly defines the authorization boundary for the system;

-
-
-
- - - - - - - -
-

3.

-
-

Describes the operational context of the information system in terms of missions and business processes;

-
-
-
- - - - - - - -
-

4.

-
-

Provides the security categorization of the information system including supporting rationale;

-
-
-
- - - - - - - -
-

5.

-
-

Describes the operational environment for the information system and relationships with or connections to other information systems;

-
-
-
- - - - - - - -
-

6.

-
-

Provides an overview of the security requirements for the system;

-
-
-
- - - - - - - -
-

7.

-
-

Identifies any relevant overlays, if applicable;

-
-
-
- - - - - - - -
-

8.

-
-

Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and

-
-
-
- - - - - - - -
-

9.

-
-

Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment (pl-2_a): organization-defined personnel or roles];

-
-
-
- - - - - - - -
-

c.

-
-

Reviews the security plan for the information system [Assignment (pl-2_b): organization-defined frequency];

-
-
-
- - - - - - - -
-

d.

-
-

Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and

-
-
-
- - - - - - - -
-

e.

-
-

Protects the security plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Supplemental guidance

-

Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.

Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition.
For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.

- - - - - - - - - - - - - - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops a security plan for the information system that:

-
- - - - - - - -
-

(1)

-
-

is consistent with the organization’s enterprise architecture;

-
-
-
- - - - - - - -
-

(2)

-
-

explicitly defines the authorization boundary for the system;

-
-
-
- - - - - - - -
-

(3)

-
-

describes the operational context of the information system in terms of missions and business processes;

-
-
-
- - - - - - - -
-

(4)

-
-

provides the security categorization of the information system including supporting rationale;

-
-
-
- - - - - - - -
-

(5)

-
-

describes the operational environment for the information system and relationships with or connections to other information systems;

-
-
-
- - - - - - - -
-

(6)

-
-

provides an overview of the security requirements for the system;

-
-
-
- - - - - - - -
-

(7)

-
-

identifies any relevant overlays, if applicable;

-
-
-
- - - - - - - -
-

(8)

-
-

describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions;

-
-
-
- - - - - - - -
-

(9)

-
-

is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom copies of the security plan are to be distributed and subsequent changes to the plan are to be communicated;

-
-
-
- - - - - - - -
-

[2]

-
-

distributes copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the security plan for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the security plan for the information system with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

updates the plan to address:

-
- - - - - - - -
-

[1]

-
-

changes to the information system/environment of operation;

-
-
-
- - - - - - - -
-

[2]

-
-

problems identified during plan implementation;

-
-
-
- - - - - - - -
-

[3]

-
-

problems identified during security control assessments;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

protects the security plan from unauthorized:

-
- - - - - - - -
-

[1]

-
-

disclosure; and

-
-
-
- - - - - - - -
-

[2]

-
-

modification.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- procedures addressing security plan development and implementation

-

- procedures addressing security plan reviews and updates

-

- enterprise architecture documentation

-

- security plan for the information system

-

- records of security plan reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for security plan development/review/update/approval

-

- automated mechanisms supporting the information system security plan

-
-
-

References

-
-

NIST Special Publication 800-18

-
-
-
-
-

- PL-4 RULES OF BEHAVIOR

-
-

- Parameter: - pl-4_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

-
-
-
- - - - - - - -
-

b.

-
-

Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews and updates the rules of behavior [Assignment (pl-4_a): organization-defined frequency]; and

-
-
-
- - - - - - - -
-

d.

-
-

Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior.

- - - - - - - - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

establishes, for individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

-
-
-
- - - - - - - -
-

[2]

-
-

makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

receives a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the rules of behavior;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the rules of behavior with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- procedures addressing rules of behavior for information system users

-

- rules of behavior

-

- signed acknowledgements

-

- records for rules of behavior reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior

-

- organizational personnel who are authorized users of the information system and have signed and resigned rules of behavior

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior

-

- automated mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior

-
-
-

References

-
-

NIST Special Publication 800-18

-
-
-
-
-
-

PERSONNEL SECURITY

-
-

- PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES

-
-

- Parameter: - ps-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ps-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ps-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Personnel security policy - - ps-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Personnel security procedures - - ps-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an personnel security policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the personnel security policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the personnel security policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current personnel security policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current personnel security policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current personnel security procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current personnel security procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- PS-2 POSITION RISK DESIGNATION

-
-

- Parameter: - ps-2_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Assigns a risk designation to all organizational positions;

-
-
-
- - - - - - - -
-

b.

-
-

Establishes screening criteria for individuals filling those positions; and

-
-
-
- - - - - - - -
-

c.

-
-

Reviews and updates position risk designations - - ps-2_a - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances).

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

assigns a risk designation to all organizational positions;

-
-
-
- - - - - - - -
-

(b)

-
-

establishes screening criteria for individuals filling those positions;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update position risk designations; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates position risk designations with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing position categorization

-

- appropriate codes of federal regulations

-

- list of risk designations for organizational positions

-

- security plan

-

- records of position risk designation reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for assigning, reviewing, and updating position risk designations

-

- organizational processes for establishing screening criteria

-
-
-

References

-
-

5 C.F.R. 731.106

-
-
-
-
-

- PS-3 PERSONNEL SCREENING

-
-

- Parameter: - ps-3_a organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening

-

- Value: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Screens individuals prior to authorizing access to the information system; and

-
-
-
- - - - - - - -
-

b.

-
-

Rescreens individuals according to - - ps-3_a - - organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening - organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening - .

-
-
-
-
-
-

Supplemental guidance

-

Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

screens individuals prior to authorizing access to the information system;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines conditions requiring re-screening;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency of re-screening where it is so indicated; and

-
-
-
- - - - - - - -
-

[3]

-
-

re-screens individuals in accordance with organization-defined conditions requiring re-screening and, where re-screening is so indicated, with the organization-defined frequency of such re-screening.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel screening

-

- records of screened personnel

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for personnel screening

-
-
-

References

-
-

5 C.F.R. 731.106

-
-
-

FIPS Publication 199

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-60

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

ICD 704

-
-
-
-
-

- PS-4 PERSONNEL TERMINATION

-
-

- Parameter: - ps-4_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ps-4_b organization-defined information security topics

-

- Value: organization-defined information security topics

-
-
-

- Parameter: - ps-4_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-4_d organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization, upon termination of individual employment:

-
- - - - - - - -
-

a.

-
-

Disables information system access within - - ps-4_a - - organization-defined time period - organization-defined time period - ;

-
-
-
- - - - - - - -
-

b.

-
-

Terminates/revokes any authenticators/credentials associated with the individual;

-
-
-
- - - - - - - -
-

c.

-
-

Conducts exit interviews that include a discussion of - - ps-4_b - - organization-defined information security topics - organization-defined information security topics - ;

-
-
-
- - - - - - - -
-

d.

-
-

Retrieves all security-related organizational information system-related property;

-
-
-
- - - - - - - -
-

e.

-
-

Retains access to organizational information and information systems formerly controlled by terminated individual; and

-
-
-
- - - - - - - -
-

f.

-
-

Notifies - - ps-4_c - - organization-defined personnel or roles - organization-defined personnel or roles - within - - ps-4_d - - organization-defined time period - organization-defined time period - .

-
-
-
-
-
-

Supplemental guidance

-

Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization, upon termination of individual employment,:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period within which to disable information system access;

-
-
-
- - - - - - - -
-

[2]

-
-

disables information system access within the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

terminates/revokes any authenticators/credentials associated with the individual;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines information security topics to be discussed when conducting exit interviews;

-
-
-
- - - - - - - -
-

[2]

-
-

conducts exit interviews that include a discussion of organization-defined information security topics;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

retrieves all security-related organizational information system-related property;

-
-
-
- - - - - - - -
-

(e)

-
-

retains access to organizational information and information systems formerly controlled by the terminated individual;

-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified of the termination;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which to notify organization-defined personnel or roles; and

-
-
-
- - - - - - - -
-

[3]

-
-

notifies organization-defined personnel or roles within the organization-defined time period.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel termination

-

- records of personnel termination actions

-

- list of information system accounts

-

- records of terminated or revoked authenticators/credentials

-

- records of exit interviews

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for personnel termination

-

- automated mechanisms supporting and/or implementing personnel termination notifications

-

- automated mechanisms for disabling information system access/revoking authenticators

-
-

References: None -

-
-
-

- PS-5 PERSONNEL TRANSFER

-
-

- Parameter: - ps-5_a organization-defined transfer or reassignment actions

-

- Value: organization-defined transfer or reassignment actions

-
-
-

- Parameter: - ps-5_b organization-defined time period following the formal transfer action

-

- Value: organization-defined time period following the formal transfer action

-
-
-

- Parameter: - ps-5_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-5_d organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;

-
-
-
- - - - - - - -
-

b.

-
-

Initiates - - ps-5_a - - organization-defined transfer or reassignment actions - organization-defined transfer or reassignment actions - within - - ps-5_b - - organization-defined time period following the formal transfer action - organization-defined time period following the formal transfer action - ;

-
-
-
- - - - - - - -
-

c.

-
-

Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

-
-
-
- - - - - - - -
-

d.

-
-

Notifies - - ps-5_c - - organization-defined personnel or roles - organization-defined personnel or roles - within - - ps-5_d - - organization-defined time period - organization-defined time period - .

-
-
-
-
-
-

Supplemental guidance

-

This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current:

-
- - - - - - - -
-

[1]

-
-

logical access authorizations to information systems;

-
-
-
- - - - - - - -
-

[2]

-
-

physical access authorizations to information systems and facilities;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines transfer or reassignment actions to be initiated following transfer or reassignment;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which transfer or reassignment actions must occur following transfer or reassignment;

-
-
-
- - - - - - - -
-

[3]

-
-

initiates organization-defined transfer or reassignment actions within the organization-defined time period following transfer or reassignment;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization; and

-
-
-
- - - - - - - -
-

[3]

-
-

notifies organization-defined personnel or roles within the organization-defined time period when individuals are reassigned or transferred to other positions within the organization.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel transfer

-

- security plan

-

- records of personnel transfer actions

-

- list of information system and facility access authorizations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for personnel transfer

-

- automated mechanisms supporting and/or implementing personnel transfer notifications

-

- automated mechanisms for disabling information system access/revoking authenticators

-
-

References: None -

-
-
-

- PS-6 ACCESS AGREEMENTS

-
-

- Parameter: - ps-6_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ps-6_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops and documents access agreements for organizational information systems;

-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the access agreements - - ps-6_a - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

c.

-
-

Ensures that individuals requiring access to organizational information and information systems:

-
- - - - - - - -
-

1.

-
-

Sign appropriate access agreements prior to being granted access; and

-
-
-
- - - - - - - -
-

2.

-
-

Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or - - ps-6_b - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops and documents access agreements for organizational information systems;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the access agreements;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the access agreements with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

(1)

-
-

ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;

-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to re-sign access agreements to maintain access to organizational information systems when access agreements have been updated;

-
-
-
- - - - - - - -
-

[2]

-
-

ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or with the organization-defined frequency.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing access agreements for organizational information and information systems

-

- security plan

-

- access agreements

-

- records of access agreement reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel who have signed/resigned access agreements

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for access agreements

-

- automated mechanisms supporting access agreements

-
-

References: None -

-
-
-

- PS-7 THIRD-PARTY PERSONNEL SECURITY

-
-

- Parameter: - ps-7_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-7_b organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes personnel security requirements including security roles and responsibilities for third-party providers;

-
-
-
- - - - - - - -
-

b.

-
-

Requires third-party providers to comply with personnel security policies and procedures established by the organization;

-
-
-
- - - - - - - -
-

c.

-
-

Documents personnel security requirements;

-
-
-
- - - - - - - -
-

d.

-
-

Requires third-party providers to notify - - ps-7_a - - organization-defined personnel or roles - organization-defined personnel or roles - of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within - - ps-7_b - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

e.

-
-

Monitors provider compliance.

-
-
-
-
-
-

Supplemental guidance

-

Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

establishes personnel security requirements, including security roles and responsibilities, for third-party providers;

-
-
-
- - - - - - - -
-

(b)

-
-

requires third-party providers to comply with personnel security policies and procedures established by the organization;

-
-
-
- - - - - - - -
-

(c)

-
-

documents personnel security requirements;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;

-
-
-
- - - - - - - -
-

[3]

-
-

requires third-party providers to notify organization-defined personnel or roles within the organization-defined time period of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges; and

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

monitors provider compliance.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing third-party personnel security

-

- list of personnel security requirements

-

- acquisition documents

-

- service-level agreements

-

- compliance monitoring process

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- third-party providers

-

- system/network administrators

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for managing and monitoring third-party personnel security

-

- automated mechanisms supporting and/or implementing monitoring of provider compliance

-
-
-

References

-
-

NIST Special Publication 800-35

-
-
-
-
-

- PS-8 PERSONNEL SANCTIONS

-
-

- Parameter: - ps-8_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-8_b organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and

-
-
-
- - - - - - - -
-

b.

-
-

Notifies - - ps-8_a - - organization-defined personnel or roles - organization-defined personnel or roles - within - - ps-8_b - - organization-defined time period - organization-defined time period - when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

-
-
-
-
-
-

Supplemental guidance

-

Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

employs a formal sanctions process for individuals failing to comply with established information security policies and procedures;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified when a formal employee sanctions process is initiated;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated; and

-
-
-
- - - - - - - -
-

[3]

-
-

notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel sanctions

-

- rules of behavior

-

- records of formal sanctions

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for managing personnel sanctions

-

- automated mechanisms supporting and/or implementing notifications

-
-

References: None

-
-
-
-

RISK ASSESSMENT

-
-

- RA-1 RISK ASSESSMENT POLICY AND PROCEDURES

-
-

- Parameter: - ra-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ra-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ra-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles (parameter ra-1_a)]:

-
- - - - - - - -
-

1.

-
-

A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Risk assessment policy [Assignment: organization-defined frequency (parameter ra-1_b)]; and

-
-
-
- - - - - - - -
-

2.

-
-

Risk assessment procedures [Assignment: organization-defined frequency (parameter ra-1_c)].

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a risk assessment policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the risk assessment policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the risk assessment policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current risk assessment policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current risk assessment policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current risk assessment procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current risk assessment procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- risk assessment policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with risk assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-30

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- RA-2 SECURITY CATEGORIZATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

-
-
-
- - - - - - - -
-

b.

-
-

Documents the security categorization results (including supporting rationale) in the security plan for the information system; and

-
-
-
- - - - - - - -
-

c.

-
-

Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

-
-
-
-
-
-

Supplemental guidance

-

Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

-
-
-
- - - - - - - -
-

(b)

-
-

documents the security categorization results (including supporting rationale) in the security plan for the information system; and

-
-
-
- - - - - - - -
-

(c)

-
-

ensures the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Risk assessment policy

-

- security planning policy and procedures

-

- procedures addressing security categorization of organizational information and information systems

-

- security plan

-

- security categorization documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security categorization and risk assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for security categorization

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-30

-
-
-

NIST Special Publication 800-39

-
-
-

NIST Special Publication 800-60

-
-
-
-
-

- RA-3 RISK ASSESSMENT

-
-

- Parameter: - ra-3_a organization-defined document

-

- Value: organization-defined document

-
-
-

- Parameter: - ra-3_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ra-3_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ra-3_d organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;

-
-
-
- - - - - - - -
-

b.

-
-

Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document (parameter ra-3_a)]];

-
-
-
- - - - - - - -
-

c.

-
-

Reviews risk assessment results [Assignment: organization-defined frequency (parameter ra-3_b)];

-
-
-
- - - - - - - -
-

d.

-
-

Disseminates risk assessment results to [Assignment: organization-defined personnel or roles (parameter ra-3_c)]; and

-
-
-
- - - - - - - -
-

e.

-
-

Updates the risk assessment [Assignment: organization-defined frequency (parameter ra-3_d)] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

-
-
-
-
-
-

Supplemental guidance

-

Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of:

-
- - - - - - - -
-

[1]

-
-

the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

the information the system processes, stores, or transmits;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report);

-
-
-
- - - - - - - -
-

[2]

-
-

documents risk assessment results in one of the following:

-
- - - - - - - -
-

[a]

-
-

the security plan;

-
-
-
- - - - - - - -
-

[b]

-
-

the risk assessment report; or

-
-
-
- - - - - - - -
-

[c]

-
-

the organization-defined document;

-
-
-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review risk assessment results;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews risk assessment results with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom risk assessment results are to be disseminated;

-
-
-
- - - - - - - -
-

[2]

-
-

disseminates risk assessment results to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to update the risk assessment;

-
-
-
- - - - - - - -
-

[2]

-
-

updates the risk assessment:

-
- - - - - - - -
-

[a]

-
-

with the organization-defined frequency;

-
-
-
- - - - - - - -
-

[b]

-
-

whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); and

-
-
-
- - - - - - - -
-

[c]

-
-

whenever there are other conditions that may impact the security state of the system.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Risk assessment policy

-

- security planning policy and procedures

-

- procedures addressing organizational assessments of risk

-

- security plan

-

- risk assessment

-

- risk assessment results

-

- risk assessment reviews

-

- risk assessment updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with risk assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for risk assessment

-

- automated mechanisms supporting and/or implementing the conduct, documentation, review, dissemination, and updating of the risk assessment

-
-
-

References

-
-

OMB Memorandum 04-04

-
-
-

NIST Special Publication 800-30

-
-
-

NIST Special Publication 800-39

-
-
-

http://idmanagement.gov

-
-
-
-
-

- RA-5 VULNERABILITY SCANNING

-
-

- Parameter: - ra-5_a organization-defined frequency and/or randomly in accordance with organization-defined process

-

- Value: organization-defined frequency and/or randomly in accordance with organization-defined process

-
-
-

- Parameter: - ra-5_b organization-defined response times

-

- Value: organization-defined response times

-
-
-

- Parameter: - ra-5_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process (parameter ra-5_a)] and when new vulnerabilities potentially affecting the system/applications are identified and reported;

-
-
-
- - - - - - - -
-

b.

-
-

Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

-
- - - - - - - -
-

1.

-
-

Enumerating platforms, software flaws, and improper configurations;

-
-
-
- - - - - - - -
-

2.

-
-

Formatting checklists and test procedures; and

-
-
-
- - - - - - - -
-

3.

-
-

Measuring vulnerability impact;

-
-
-
-
-
- - - - - - - -
-

c.

-
-

Analyzes vulnerability scan reports and results from security control assessments;

-
-
-
- - - - - - - -
-

d.

-
-

Remediates legitimate vulnerabilities (i.e., findings confirmed during the analysis in part c, as opposed to false positives) within [Assignment: organization-defined response times (parameter ra-5_b)] in accordance with an organizational assessment of risk; and

-
-
-
- - - - - - - -
-

e.

-
-

Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles (parameter ra-5_c)] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

-
-
-
-
-
-

Supplemental guidance

-

Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

- - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines the frequency for conducting vulnerability scans on the information system and hosted applications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

defines the process for conducting random vulnerability scans on the information system and hosted applications;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

in accordance with the organization-defined frequency and/or organization-defined process for conducting random scans, scans for vulnerabilities in:

-
- - - - - - - -
-

[a]

-
-

the information system;

-
-
-
- - - - - - - -
-

[b]

-
-

hosted applications;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

when new vulnerabilities potentially affecting the system/applications are identified and reported, scans for vulnerabilities in:

-
- - - - - - - -
-

[a]

-
-

the information system;

-
-
-
- - - - - - - -
-

[b]

-
-

hosted applications;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

enumerating platforms;

-
-
-
- - - - - - - -
-

[2]

-
-

enumerating software flaws;

-
-
-
- - - - - - - -
-

[3]

-
-

enumerating improper configurations;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[1]

-
-

formatting checklists;

-
-
-
- - - - - - - -
-

[2]

-
-

formatting test procedures;

-
-
-
-
-
- - - - - - - -
-

(3)

-
-

measuring vulnerability impact;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

analyzes vulnerability scan reports;

-
-
-
- - - - - - - -
-

[2]

-
-

analyzes results from security control assessments;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;

-
-
-
- - - - - - - -
-

[2]

-
-

remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared;

-
-
-
- - - - - - - -
-

[2]

-
-

shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies); and

-
-
-
- - - - - - - -
-

[3]

-
-

shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Risk assessment policy

-

- procedures addressing vulnerability scanning

-

- risk assessment

-

- security plan

-

- security assessment report

-

- vulnerability scanning tools and associated configuration documentation

-

- vulnerability scanning results

-

- patch and vulnerability management records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with risk assessment, security control assessment and vulnerability scanning responsibilities

-

- organizational personnel with vulnerability scan analysis responsibilities

-

- organizational personnel with vulnerability remediation responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for vulnerability scanning, analysis, remediation, and information sharing

-

- automated mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing

-
-
-

References

-
-

NIST Special Publication 800-40

-
-
-

NIST Special Publication 800-70

-
-
-

NIST Special Publication 800-115

-
-
-

http://cwe.mitre.org

-
-
-

http://nvd.nist.gov

-
-
-
-
-
-

SYSTEM AND SERVICES ACQUISITION

-
-

- SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES

-
-

- Parameter: - sa-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - sa-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - sa-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles (parameter sa-1_a)]:

-
- - - - - - - -
-

1.

-
-

A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

System and services acquisition policy [Assignment: organization-defined frequency (parameter sa-1_b)]; and

-
-
-
- - - - - - - -
-

2.

-
-

System and services acquisition procedures [Assignment: organization-defined frequency (parameter sa-1_c)].

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a system and services acquisition policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the system and services acquisition policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the system and services acquisition policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and services acquisition policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and services acquisition policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and services acquisition procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and services acquisition procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- SA-2 ALLOCATION OF RESOURCES

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Determines information security requirements for the information system or information system service in mission/business process planning;

-
-
-
- - - - - - - -
-

b.

-
-

Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and

-
-
-
- - - - - - - -
-

c.

-
-

Establishes a discrete line item for information security in organizational programming and budgeting documentation.

-
-
-
-
-
-

Supplemental guidance

-

Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

determines information security requirements for the information system or information system service in mission/business process planning;

-
-
-
- - - - - - - -
-

(b)

-
-

to protect the information system or information system service as part of its capital planning and investment control process:

-
- - - - - - - -
-

[1]

-
-

determines the resources required;

-
-
-
- - - - - - - -
-

[2]

-
-

documents the resources required;

-
-
-
- - - - - - - -
-

[3]

-
-

allocates the resources required; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

establishes a discrete line item for information security in organizational programming and budgeting documentation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the allocation of resources to information security requirements

-

- procedures addressing capital planning and investment control

-

- organizational programming and budgeting documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with capital planning, investment control, organizational programming and budgeting responsibilities

-

- organizational personnel responsible for determining information security requirements for information systems/services

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for determining information security requirements

-

- organizational processes for capital planning, programming, and budgeting

-

- automated mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting

-
-
-

References

-
-

NIST Special Publication 800-65

-
-
-
-
-

- SA-3 SYSTEM DEVELOPMENT LIFE CYCLE

-
-

- Parameter: - sa-3_a organization-defined system development life cycle

-

- Value: organization-defined system development life cycle

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Manages the information system using [Assignment: organization-defined system development life cycle (parameter sa-3_a)] that incorporates information security considerations;

-
-
-
- - - - - - - -
-

b.

-
-

Defines and documents information security roles and responsibilities throughout the system development life cycle;

-
-
-
- - - - - - - -
-

c.

-
-

Identifies individuals having information security roles and responsibilities; and

-
-
-
- - - - - - - -
-

d.

-
-

Integrates the organizational information security risk management process into system development life cycle activities.

-
-
-
-
-
-

Supplemental guidance

-

A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a system development life cycle that incorporates information security considerations to be used to manage the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

manages the information system using the organization-defined system development life cycle;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

defines and documents information security roles and responsibilities throughout the system development life cycle;

-
-
-
- - - - - - - -
-

(c)

-
-

identifies individuals having information security roles and responsibilities; and

-
-
-
- - - - - - - -
-

(d)

-
-

integrates the organizational information security risk management process into system development life cycle activities.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security into the system development life cycle process

-

- information system development life cycle documentation

-

- information security risk management strategy/program documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security and system life cycle development responsibilities

-

- organizational personnel with information security risk management responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for defining and documenting the SDLC

-

- organizational processes for identifying SDLC roles and responsibilities

-

- organizational process for integrating information security risk management into the SDLC

-

- automated mechanisms supporting and/or implementing the SDLC

-
-
-

References

-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-64

-
-
-
-
-

- SA-4 ACQUISITION PROCESS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

-
- - - - - - - -
-

a.

-
-

Security functional requirements;

-
-
-
- - - - - - - -
-

b.

-
-

Security strength requirements;

-
-
-
- - - - - - - -
-

c.

-
-

Security assurance requirements;

-
-
-
- - - - - - - -
-

d.

-
-

Security-related documentation requirements;

-
-
-
- - - - - - - -
-

e.

-
-

Requirements for protecting security-related documentation;

-
-
-
- - - - - - - -
-

f.

-
-

Description of the information system development environment and environment in which the system is intended to operate; and

-
-
-
- - - - - - - -
-

g.

-
-

Acceptance criteria.

-
-
-
-
-
-

Supplemental guidance

-

Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. -Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). 
Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA.

- - - - - - - - -
-
-

- SA-4 (10) USE OF APPROVED PIV PRODUCTS

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

-
-
-
-

Supplemental guidance

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- solicitation documentation

-

- acquisition documentation

-

- acquisition contracts for the information system, system component, or information system service

-

- service-level agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- organizational personnel with responsibility for ensuring only FIPS 201-approved products are implemented

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for selecting and employing FIPS 201-approved products

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

-
- - - - - - - -
-

(a)

-
-

security functional requirements;

-
-
-
- - - - - - - -
-

(b)

-
-

security strength requirements;

-
-
-
- - - - - - - -
-

(c)

-
-

security assurance requirements;

-
-
-
- - - - - - - -
-

(d)

-
-

security-related documentation requirements;

-
-
-
- - - - - - - -
-

(e)

-
-

requirements for protecting security-related documentation;

-
-
-
- - - - - - - -
-

(f)

-
-

description of:

-
- - - - - - - -
-

[1]

-
-

the information system development environment;

-
-
-
- - - - - - - -
-

[2]

-
-

the environment in which the system is intended to operate; and

-
-
-
-
-
- - - - - - - -
-

(g)

-
-

acceptance criteria.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- acquisition contracts for the information system, system component, or information system service

-

- information system design documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security functional, strength, and assurance requirements

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for determining information system security functional, strength, and assurance requirements

-

- organizational processes for developing acquisition contracts

-

- automated mechanisms supporting and/or implementing acquisitions and inclusion of security requirements in contracts

-
-
-

References

-
-

HSPD-12

-
-
-

ISO/IEC 15408

-
-
-

FIPS Publication 140-2

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-23

-
-
-

NIST Special Publication 800-35

-
-
-

NIST Special Publication 800-36

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-64

-
-
-

NIST Special Publication 800-70

-
-
-

NIST Special Publication 800-137

-
-
-

Federal Acquisition Regulation

-
-
-

http://www.niap-ccevs.org

-
-
-

http://fips201ep.cio.gov

-
-
-

http://www.acquisition.gov/far

-
-
-
-
-

- SA-5 INFORMATION SYSTEM DOCUMENTATION

-
-

- Parameter: - sa-5_a organization-defined actions

-

- Value: organization-defined actions

-
-
-

- Parameter: - sa-5_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Obtains administrator documentation for the information system, system component, or information system service that describes:

-
- - - - - - - -
-

1.

-
-

Secure configuration, installation, and operation of the system, component, or service;

-
-
-
- - - - - - - -
-

2.

-
-

Effective use and maintenance of security functions/mechanisms; and

-
-
-
- - - - - - - -
-

3.

-
-

Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Obtains user documentation for the information system, system component, or information system service that describes:

-
- - - - - - - -
-

1.

-
-

User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;

-
-
-
- - - - - - - -
-

2.

-
-

Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and

-
-
-
- - - - - - - -
-

3.

-
-

User responsibilities in maintaining the security of the system, component, or service;

-
-
-
-
-
- - - - - - - -
-

c.

-
-

Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes - - sa-5_a - - organization-defined actions - organization-defined actions - in response;

-
-
-
- - - - - - - -
-

d.

-
-

Protects documentation as required, in accordance with the risk management strategy; and

-
-
-
- - - - - - - -
-

e.

-
-

Distributes documentation to - - sa-5_b - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-
-
-

Supplemental guidance

-

This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

obtains administrator documentation for the information system, system component, or information system service that describes:

-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

secure configuration of the system, system component, or service;

-
-
-
- - - - - - - -
-

[2]

-
-

secure installation of the system, system component, or service;

-
-
-
- - - - - - - -
-

[3]

-
-

secure operation of the system, system component, or service;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[1]

-
-

effective use of the security features/mechanisms;

-
-
-
- - - - - - - -
-

[2]

-
-

effective maintenance of the security features/mechanisms;

-
-
-
-
-
- - - - - - - -
-

(3)

-
-

known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

obtains user documentation for the information system, system component, or information system service that describes:

-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

user-accessible security functions/mechanisms;

-
-
-
- - - - - - - -
-

[2]

-
-

how to effectively use those functions/mechanisms;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-

methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner;

-
-
-
- - - - - - - -
-

(3)

-
-

user responsibilities in maintaining the security of the system, component, or service;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines actions to be taken after documented attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;

-
-
-
- - - - - - - -
-

[2]

-
-

documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;

-
-
-
- - - - - - - -
-

[3]

-
-

takes organization-defined actions in response;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

protects documentation as required, in accordance with the risk management strategy;

-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom documentation is to be distributed; and

-
-
-
- - - - - - - -
-

[2]

-
-

distributes documentation to organization-defined personnel or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing information system documentation

-

- information system documentation including administrator and user guides

-

- records documenting attempts to obtain unavailable or nonexistent information system documentation

-

- list of actions to be taken in response to documented attempts to obtain information system, system component, or information system service documentation

-

- risk management strategy documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- system administrators

-

- organizational personnel operating, using, and/or maintaining the information system

-

- information system developers

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for obtaining, protecting, and distributing information system administrator and user documentation

-
-

References: None -

-
-
-

- SA-9 EXTERNAL INFORMATION SYSTEM SERVICES

-
-

- Parameter: - sa-9_a organization-defined security controls

-

- Value: organization-defined security controls

-
-
-

- Parameter: - sa-9_b organization-defined processes, methods, and techniques

-

- Value: organization-defined processes, methods, and techniques

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Requires that providers of external information system services comply with organizational information security requirements and employ - - sa-9_a - - organization-defined security controls - organization-defined security controls - in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

-
-
-
- - - - - - - -
-

b.

-
-

Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and

-
-
-
- - - - - - - -
-

c.

-
-

Employs - - sa-9_b - - organization-defined processes, methods, and techniques - organization-defined processes, methods, and techniques - to monitor security control compliance by external service providers on an ongoing basis.

-
-
-
-
-
-

Supplemental guidance

-

External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines security controls to be employed by providers of external information system services;

-
-
-
- - - - - - - -
-

[2]

-
-

requires that providers of external information system services comply with organizational information security requirements;

-
-
-
- - - - - - - -
-

[3]

-
-

requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines and documents government oversight with regard to external information system services;

-
-
-
- - - - - - - -
-

[2]

-
-

defines and documents user roles and responsibilities with regard to external information system services;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing external information system services

-

- procedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services

-

- acquisition contracts, service-level agreements

-

- organizational security requirements and security specifications for external provider services

-

- security control assessment evidence from external providers of information system services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- external providers of information system services

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring security control compliance by external service providers on an ongoing basis

-

- automated mechanisms for monitoring security control compliance by external service providers on an ongoing basis

-
-
-

References

-
-

NIST Special Publication 800-35

-
-
-
-
-
-

SYSTEM AND COMMUNICATIONS PROTECTION

-
-

- SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES

-
-

- Parameter: - sc-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - sc-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - sc-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - sc-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

System and communications protection policy - - sc-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

System and communications protection procedures - - sc-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a system and communications protection policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the system and communications protection policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the system and communications protection policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and communications protection policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and communications protection policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and communications protection procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and communications protection procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and communications protection responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- SC-5 DENIAL OF SERVICE PROTECTION

-
-

- Parameter: - sc-5_a organization-defined types of denial of service attacks or references to sources for such information

-

- Value: organization-defined types of denial of service attacks or references to sources for such information

-
-
-

- Parameter: - sc-5_b organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects against or limits the effects of the following types of denial of service attacks: - - sc-5_a - - organization-defined types of denial of service attacks or references to sources for such information - organization-defined types of denial of service attacks or references to sources for such information - by employing - - sc-5_b - - organization-defined security safeguards - organization-defined security safeguards - .

-
-
-
-

Supplemental guidance

-

A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines types of denial of service attacks or reference to source of such information for the information system to protect against or limit the effects;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines security safeguards to be employed by the information system to protect against or limit the effects of organization-defined types of denial of service attacks; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system protects against or limits the effects of the organization-defined denial of service attacks (or those identified by the referenced source for such information) by employing organization-defined security safeguards.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing denial of service protection

-

- information system design documentation

-

- security plan

-

- list of denial of service attacks requiring employment of security safeguards to protect against or limit the effects of such attacks

-

- list of security safeguards protecting against or limiting the effects of denial of service attacks

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with incident response responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms protecting against or limiting the effects of denial of service attacks

-
-

References: None

-
-
-

- SC-7 BOUNDARY PROTECTION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;

-
-
-
- - - - - - - -
-

b.

-
-

Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and

-
-
-
- - - - - - - -
-

c.

-
-

Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

-
-
-
-
-
-

Supplemental guidance

-

Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.

- - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

monitors communications at the external boundary of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors communications at key internal boundaries within the system;

-
-
-
- - - - - - - -
-

[3]

-
-

controls communications at the external boundary of the information system;

-
-
-
- - - - - - - -
-

[4]

-
-

controls communications at key internal boundaries within the system;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

implements subnetworks for publicly accessible system components that are either:

-
- - - - - - - -
-

[1]

-
-

physically separated from internal organizational networks; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

logically separated from internal organizational networks; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- list of key internal boundaries of the information system

-

- information system design documentation

-

- boundary protection hardware and software

-

- information system configuration settings and associated documentation

-

- enterprise security architecture documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing boundary protection capability

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-41

-
-
-

NIST Special Publication 800-77

-
-
-
-
-

- SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT

-
-

- Parameter: - sc-12_a organization-defined requirements for key generation, distribution, storage, access, and destruction

-

- Value: organization-defined requirements for key generation, distribution, storage, access, and destruction

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction] (sc-12_a).

-
-
-
-

Supplemental guidance

-

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines requirements for cryptographic key:

-
- - - - - - - -
-

[a]

-
-

generation;

-
-
-
- - - - - - - -
-

[b]

-
-

distribution;

-
-
-
- - - - - - - -
-

[c]

-
-

storage;

-
-
-
- - - - - - - -
-

[d]

-
-

access;

-
-
-
- - - - - - - -
-

[e]

-
-

destruction; and

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing cryptographic key establishment and management

-

- information system design documentation

-

- cryptographic mechanisms

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for cryptographic key establishment and/or management

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing cryptographic key establishment and management

-
-
-

References

-
-

NIST Special Publication 800-56

-
-
-

NIST Special Publication 800-57

-
-
-
-
-

- SC-13 CRYPTOGRAPHIC PROTECTION

-
-

- Parameter: - sc-13_a organization-defined cryptographic uses and type of cryptography required for each use

-

- Value: organization-defined cryptographic uses and type of cryptography required for each use

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] (sc-13_a) in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

-
-
-
-

Supplemental guidance

-

Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).

- - - - - - - - - - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines cryptographic uses; and

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the type of cryptography required for each use; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system implements the organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing cryptographic protection

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- cryptographic module validation certificates

-

- list of FIPS validated cryptographic modules

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with responsibilities for cryptographic protection

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing cryptographic protection

-
-
-

References

-
-

FIPS Publication 140

-
-
-

http://csrc.nist.gov/cryptval

-
-
-

http://www.cnss.gov

-
-
-
-
-

- SC-15 COLLABORATIVE COMPUTING DEVICES

-
-

- Parameter: - sc-15_a organization-defined exceptions where remote activation is to be allowed

-

- Value: organization-defined exceptions where remote activation is to be allowed

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed] (sc-15_a); and

-
-
-
- - - - - - - -
-

b.

-
-

Provides an explicit indication of use to users physically present at the devices.

-
-
-
-
-
-

Supplemental guidance

-

Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines exceptions where remote activation of collaborative computing devices is to be allowed;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system prohibits remote activation of collaborative computing devices, except for organization-defined exceptions where remote activation is to be allowed; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

the information system provides an explicit indication of use to users physically present at the devices.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing collaborative computing

-

- access control policy and procedures

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with responsibilities for managing collaborative computing devices

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing management of remote activation of collaborative computing devices

-

- automated mechanisms providing an indication of use of collaborative computing devices

-
-

References: None

-
-
-

- SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

-
-
-
- - - - - - - -
-

b.

-
-

Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

-
-
-
-
-
-

Supplemental guidance

-

This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

(a)

-
-

provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries;

-
-
-
- - - - - - - -
-

(b)

-
-

provides the means to, when operating as part of a distributed, hierarchical namespace:

-
- - - - - - - -
-

[1]

-
-

indicate the security status of child zones; and

-
-
-
- - - - - - - -
-

[2]

-
-

enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing secure name/address resolution service (authoritative source)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing DNS

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing secure name/address resolution service

-
-
-

References

-
-

OMB Memorandum 08-23

-
-
-

NIST Special Publication 800-81

-
-
-
-
-

- SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

-
-
-
-

Supplemental guidance

-

Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

[1]

-
-

requests data origin authentication on the name/address resolution responses the system receives from authoritative sources;

-
-
-
- - - - - - - -
-

[2]

-
-

requests data integrity verification on the name/address resolution responses the system receives from authoritative sources;

-
-
-
- - - - - - - -
-

[3]

-
-

performs data origin authentication on the name/address resolution responses the system receives from authoritative sources; and

-
-
-
- - - - - - - -
-

[4]

-
-

performs data integrity verification on the name/address resolution responses the system receives from authoritative sources.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing secure name/address resolution service (recursive or caching resolver)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing DNS

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services

-
-
-

References

-
-

NIST Special Publication 800-81

-
-
-
-
-

- SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

-
-
-
-

Supplemental guidance

-

Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists).

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information systems that collectively provide name/address resolution service for an organization:

-
- - - - - - - -
-

[1]

-
-

are fault tolerant; and

-
-
-
- - - - - - - -
-

[2]

-
-

implement internal/external role separation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing architecture and provisioning for name/address resolution service

-

- access control policy and procedures

-

- information system design documentation

-

- assessment results from independent, testing organizations

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing DNS

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing name/address resolution service for fault tolerance and role separation

-
-
-

References

-
-

NIST Special Publication 800-81

-
-
-
-
-

- SC-39 PROCESS ISOLATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system maintains a separate execution domain for each executing process.

-
-
-
-

Supplemental guidance

-

Information systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each information system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is available in most commercial operating systems that employ multi-state processor technologies.

- - - - - - - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system maintains a separate execution domain for each executing process.

-
-
-
-

Assessment: EXAMINE

-

- Information system design documentation

-

- information system architecture

-

- independent verification and validation documentation

-

- testing and evaluation documentation, other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Information system developers/integrators

-

- information system security architect

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing separate execution domains for each executing process

-
-

References: None

-
-
-
-

SYSTEM AND INFORMATION INTEGRITY

-
-

- SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES

-
-

- Parameter: - si-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - si-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles] (si-1_a):

-
- - - - - - - -
-

1.

-
-

A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

System and information integrity policy [Assignment: organization-defined frequency] (si-1_b); and

-
-
-
- - - - - - - -
-

2.

-
-

System and information integrity procedures [Assignment: organization-defined frequency] (si-1_c).

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a system and information integrity policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the system and information integrity policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the system and information integrity policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and information integrity policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and information integrity policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and information integrity procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and information integrity procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and information integrity responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- SI-2 FLAW REMEDIATION

-
-

- Parameter: - si-2_a organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Identifies, reports, and corrects information system flaws;

-
-
-
- - - - - - - -
-

b.

-
-

Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

-
-
-
- - - - - - - -
-

c.

-
-

Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] (si-2_a) of the release of the updates; and

-
-
-
- - - - - - - -
-

d.

-
-

Incorporates flaw remediation into the organizational configuration management process.

-
-
-
-
-
-

Supplemental guidance

-

Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. 
Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

- - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

identifies information system flaws;

-
-
-
- - - - - - - -
-

[2]

-
-

reports information system flaws;

-
-
-
- - - - - - - -
-

[3]

-
-

corrects information system flaws;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

tests software updates related to flaw remediation for effectiveness and potential side effects before installation;

-
-
-
- - - - - - - -
-

[2]

-
-

tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the time period within which to install security-relevant software updates after the release of the updates;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which to install security-relevant firmware updates after the release of the updates;

-
-
-
- - - - - - - -
-

[3]

-
-

installs software updates within the organization-defined time period of the release of the updates;

-
-
-
- - - - - - - -
-

[4]

-
-

installs firmware updates within the organization-defined time period of the release of the updates; and

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

incorporates flaw remediation into the organizational configuration management process.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing flaw remediation

-

- procedures addressing configuration management

-

- list of flaws and vulnerabilities potentially affecting the information system

-

- list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws)

-

- test results from the installation of software and firmware updates to correct information system flaws

-

- installation/change control records for security-relevant software and firmware updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for flaw remediation

-

- organizational personnel with configuration management responsibility

-
-
-

Assessment: TEST

-

- Organizational processes for identifying, reporting, and correcting information system flaws

-

- organizational process for installing software and firmware updates

-

- automated mechanisms supporting and/or implementing reporting, and correcting information system flaws

-

- automated mechanisms supporting and/or implementing testing software and firmware updates

-
-
-

References

-
-

NIST Special Publication 800-40

-
-
-

NIST Special Publication 800-128

-
-
-
-
-

- SI-3 MALICIOUS CODE PROTECTION

-
-

- Parameter: - si-3_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - si-3_b organization-defined action

-

- Value: organization-defined action

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;

-
-
-
- - - - - - - -
-

b.

-
-

Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;

-
-
-
- - - - - - - -
-

c.

-
-

Configures malicious code protection mechanisms to:

-
- - - - - - - -
-

1.

-
-

Perform periodic scans of the information system - - si-3_a - - organization-defined frequency - organization-defined frequency - and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and

-
-
-
- - - - - - - -
-

2.

-
-

[Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; - - si-3_b - - organization-defined action - organization-defined action - ] in response to malicious code detection; and

-
-
-
-
-
- - - - - - - -
-

d.

-
-

Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

-
-
-
-
-
-

Supplemental guidance

-

Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. 
For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files.

- - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

employs malicious code protection mechanisms to detect and eradicate malicious code at information system:

-
- - - - - - - -
-

[1]

-
-

entry points;

-
-
-
- - - - - - - -
-

[2]

-
-

exit points;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures (as identified in CM-1);

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency for malicious code protection mechanisms to perform periodic scans of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

defines action to be initiated by malicious protection mechanisms in response to malicious code detection;

-
-
-
- - - - - - - -
-

[3]

-
-
- - - - - - - -
-

(1)

-
-

configures malicious code protection mechanisms to:

-
- - - - - - - -
-

[a]

-
-

perform periodic scans of the information system with the organization-defined frequency;

-
-
-
- - - - - - - -
-

[b]

-
-

perform real-time scans of files from external sources at endpoint and/or network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-

configures malicious code protection mechanisms to do one or more of the following:

-
- - - - - - - -
-

[a]

-
-

block malicious code in response to malicious code detection;

-
-
-
- - - - - - - -
-

[b]

-
-

quarantine malicious code in response to malicious code detection;

-
-
-
- - - - - - - -
-

[c]

-
-

send alert to administrator in response to malicious code detection; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

initiate organization-defined action in response to malicious code detection;

-
-
-
-
-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

addresses the receipt of false positives during malicious code detection and eradication; and

-
-
-
- - - - - - - -
-

[2]

-
-

addresses the resulting potential impact on the availability of the information system.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- configuration management policy and procedures

-

- procedures addressing malicious code protection

-

- malicious code protection mechanisms

-

- records of malicious code protection updates

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- scan results from malicious code protection mechanisms

-

- record of actions initiated by malicious code protection mechanisms in response to malicious code detection

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for malicious code protection

-

- organizational personnel with configuration management responsibility

-
-
-

Assessment: TEST

-

- Organizational processes for employing, updating, and configuring malicious code protection mechanisms

-

- organizational process for addressing false positives and resulting potential impact

-

- automated mechanisms supporting and/or implementing employing, updating, and configuring malicious code protection mechanisms

-

- automated mechanisms supporting and/or implementing malicious code scanning and subsequent actions

-
-
-

References

-
-

NIST Special Publication 800-83

-
-
-
-
-

- SI-4 INFORMATION SYSTEM MONITORING

-
-

- Parameter: - si-4_a organization-defined monitoring objectives

-

- Value: organization-defined monitoring objectives

-
-
-

- Parameter: - si-4_b organization-defined techniques and methods

-

- Value: organization-defined techniques and methods

-
-
-

- Parameter: - si-4_c organization-defined information system monitoring information

-

- Value: organization-defined information system monitoring information

-
-
-

- Parameter: - si-4_d organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-4_e organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Monitors the information system to detect:

-
- - - - - - - -
-

1.

-
-

Attacks and indicators of potential attacks in accordance with - - si-4_a - - organization-defined monitoring objectives - organization-defined monitoring objectives - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Unauthorized local, network, and remote connections;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Identifies unauthorized use of the information system through - - si-4_b - - organization-defined techniques and methods - organization-defined techniques and methods - ;

-
-
-
- - - - - - - -
-

c.

-
-

Deploys monitoring devices:

-
- - - - - - - -
-

1.

-
-

Strategically within the information system to collect organization-determined essential information; and

-
-
-
- - - - - - - -
-

2.

-
-

At ad hoc locations within the system to track specific types of transactions of interest to the organization;

-
-
-
-
-
- - - - - - - -
-

d.

-
-

Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;

-
-
-
- - - - - - - -
-

e.

-
-

Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

-
-
-
- - - - - - - -
-

f.

-
-

Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and

-
-
-
- - - - - - - -
-

g.

-
-

Provides - - si-4_c - - organization-defined information system monitoring information - organization-defined information system monitoring information - to - - si-4_d - - organization-defined personnel or roles - organization-defined personnel or roles - [Selection (one or more): as needed; - - si-4_e - - organization-defined frequency - organization-defined frequency - ].

-
-
-
-
-
-

Supplemental guidance

-

Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). 
A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.

- - - - - - - - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

defines monitoring objectives to detect attacks and indicators of potential attacks on the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors the information system to detect, in accordance with organization-defined monitoring objectives,:

-
- - - - - - - -
-

[a]

-
-

attacks;

-
-
-
- - - - - - - -
-

[b]

-
-

indicators of potential attacks;

-
-
-
-
-
-
-
- - - - - - - -
-

(2)

-
-

monitors the information system to detect unauthorized:

-
- - - - - - - -
-

[1]

-
-

local connections;

-
-
-
- - - - - - - -
-

[2]

-
-

network connections;

-
-
-
- - - - - - - -
-

[3]

-
-

remote connections;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

(1)

-
-

defines techniques and methods to identify unauthorized use of the information system;

-
-
-
- - - - - - - -
-

(2)

-
-

identifies unauthorized use of the information system through organization-defined techniques and methods;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

deploys monitoring devices:

-
- - - - - - - -
-

[1]

-
-

strategically within the information system to collect organization-determined essential information;

-
-
-
- - - - - - - -
-

[2]

-
-

at ad hoc locations within the system to track specific types of transactions of interest to the organization;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

protects information obtained from intrusion-monitoring tools from unauthorized:

-
- - - - - - - -
-

[1]

-
-

access;

-
-
-
- - - - - - - -
-

[2]

-
-

modification;

-
-
-
- - - - - - - -
-

[3]

-
-

deletion;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

-
-
-
- - - - - - - -
-

(f)

-
-

obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations;

-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom information system monitoring information is to be provided;

-
-
-
- - - - - - - -
-

[2]

-
-

defines information system monitoring information to be provided to organization-defined personnel or roles;

-
-
-
- - - - - - - -
-

[3]

-
-

defines a frequency to provide organization-defined information system monitoring to organization-defined personnel or roles;

-
-
-
- - - - - - - -
-

[4]

-
-

provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following:

-
- - - - - - - -
-

[a]

-
-

as needed; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

with the organization-defined frequency.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Continuous monitoring strategy

-

- system and information integrity policy

-

- procedures addressing information system monitoring tools and techniques

-

- facility diagram/layout

-

- information system design documentation

-

- information system monitoring tools and techniques documentation

-

- locations within information system where monitoring devices are deployed

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility monitoring the information system

-
-
-

Assessment: TEST

-

- Organizational processes for information system monitoring

-

- automated mechanisms supporting and/or implementing information system monitoring capability

-
-
-

References

-
-

NIST Special Publication 800-61

-
-
-

NIST Special Publication 800-83

-
-
-

NIST Special Publication 800-92

-
-
-

NIST Special Publication 800-94

-
-
-

NIST Special Publication 800-137

-
-
-
-
-

- SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES

-
-

- Parameter: - si-5_a organization-defined external organizations

-

- Value: organization-defined external organizations

-
-
-

- Parameter: - si-5_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-5_c organization-defined elements within the organization

-

- Value: organization-defined elements within the organization

-
-
-

- Parameter: - si-5_d organization-defined external organizations

-

- Value: organization-defined external organizations

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Receives information system security alerts, advisories, and directives from - - si-5_a - - organization-defined external organizations - organization-defined external organizations - on an ongoing basis;

-
-
-
- - - - - - - -
-

b.

-
-

Generates internal security alerts, advisories, and directives as deemed necessary;

-
-
-
- - - - - - - -
-

c.

-
-

Disseminates security alerts, advisories, and directives to: [Selection (one or more): - - si-5_b - - organization-defined personnel or roles - organization-defined personnel or roles - ; - - si-5_c - - organization-defined elements within the organization - organization-defined elements within the organization - ; - - si-5_d - - organization-defined external organizations - organization-defined external organizations - ]; and

-
-
-
- - - - - - - -
-

d.

-
-

Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

-
-
-
-
-
-

Supplemental guidance

-

The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines external organizations from whom information system security alerts, advisories and directives are to be received;

-
-
-
- - - - - - - -
-

[2]

-
-

receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

generates internal security alerts, advisories, and directives as deemed necessary;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom security alerts, advisories, and directives are to be provided;

-
-
-
- - - - - - - -
-

[2]

-
-

defines elements within the organization to whom security alerts, advisories, and directives are to be provided;

-
-
-
- - - - - - - -
-

[3]

-
-

defines external organizations to whom security alerts, advisories, and directives are to be provided;

-
-
-
- - - - - - - -
-

[4]

-
-

disseminates security alerts, advisories, and directives to one or more of the following:

-
- - - - - - - -
-

[a]

-
-

organization-defined personnel or roles;

-
-
-
- - - - - - - -
-

[b]

-
-

organization-defined elements within the organization; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

organization-defined external organizations; and

-
-
-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

implements security directives in accordance with established time frames; or

-
-
-
- - - - - - - -
-

[2]

-
-

notifies the issuing organization of the degree of noncompliance.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing security alerts, advisories, and directives

-

- records of security alerts and advisories

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security alert and advisory responsibilities

-

- organizational personnel implementing, operating, maintaining, and using the information system

-

- organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives

-

- automated mechanisms supporting and/or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives

-

- automated mechanisms supporting and/or implementing security directives

-
-
-

References

-
-

NIST Special Publication 800-40

-
-
-
-
-

- SI-12 INFORMATION HANDLING AND RETENTION

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

-
-
-
-

Supplemental guidance

-

Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements:

-
- - - - - - - -
-

[1]

-
-

handles information within the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

handles output from the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

retains information within the information system; and

-
-
-
- - - - - - - -
-

[4]

-
-

retains output from the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information handling and retention

-

- media protection policy and procedures

-

- procedures addressing information system output handling and retention

-

- information retention records, other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for information handling and retention

-

- organizational personnel with information security responsibilities/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for information handling and retention

-

- automated mechanisms supporting and/or implementing information handling and retention

-
-

References: None -

-
-
-
-
-
-
- -
diff --git a/examples/SP800-53/pub/SP800-53-MODERATE-baseline-rendered.html b/examples/SP800-53/pub/SP800-53-MODERATE-baseline-rendered.html
deleted file mode 100644
index 1b1efabeea..0000000000
--- a/examples/SP800-53/pub/SP800-53-MODERATE-baseline-rendered.html
+++ /dev/null
@@ -1,62265 +0,0 @@
- - - - - - SP800-53 MODERATE BASELINE IMPACT - - - - -
-
-

- NIST SP800-53 rev 4 -

-
-

- ACCESS CONTROL -

- - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - -
-
-
-
-

SP800-53 MODERATE BASELINE IMPACT

-
-
-

SP800-53-rev4-catalog.xml ➭ Included: - - Control ac.1 - - Control ac.2 - - Subcontrol ac.2.1. - - Subcontrol ac.2.2. - - Subcontrol ac.2.3. - - Subcontrol ac.2.4. - - Control ac.3 - - Control ac.4 - - Control ac.5 - - Control ac.6 - - Subcontrol ac.6.1. - - Subcontrol ac.6.2. - - Subcontrol ac.6.5. - - Subcontrol ac.6.9. - - Subcontrol ac.6.10. - - Control ac.7 - - Control ac.8 - - Control ac.11 - - Subcontrol ac.11.1. - - Control ac.12 - - Control ac.14 - - Control ac.17 - - Subcontrol ac.17.1. - - Subcontrol ac.17.2. - - Subcontrol ac.17.3. - - Subcontrol ac.17.4. - - Control ac.18 - - Subcontrol ac.18.1. - - Control ac.19 - - Subcontrol ac.19.5. - - Control ac.20 - - Subcontrol ac.20.1. - - Subcontrol ac.20.2. - - Control ac.21 - - Control ac.22 - - Control at.1 - - Control at.2 - - Subcontrol at.2.2. - - Control at.3 - - Control at.4 - - Control au.1 - - Control au.2 - - Subcontrol au.2.3. - - Control au.3 - - Subcontrol au.3.1. - - Control au.4 - - Control au.5 - - Control au.6 - - Subcontrol au.6.1. - - Subcontrol au.6.3. - - Control au.7 - - Subcontrol au.7.1. - - Control au.8 - - Subcontrol au.8.1. - - Control au.9 - - Subcontrol au.9.4. - - Control au.11 - - Control au.12 - - Control ca.1 - - Control ca.2 - - Subcontrol ca.2.1. - - Control ca.3 - - Subcontrol ca.3.5. - - Control ca.5 - - Control ca.6 - - Control ca.7 - - Subcontrol ca.7.1. - - Control ca.9 - - Control cm.1 - - Control cm.2 - - Subcontrol cm.2.1. - - Subcontrol cm.2.3. - - Subcontrol cm.2.7. - - Control cm.3 - - Subcontrol cm.3.2. - - Control cm.4 - - Control cm.5 - - Control cm.6 - - Control cm.7 - - Subcontrol cm.7.1. - - Subcontrol cm.7.2. - - Subcontrol cm.7.4. - - Control cm.8 - - Subcontrol cm.8.1. - - Subcontrol cm.8.3. - - Subcontrol cm.8.5. - - Control cm.9 - - Control cm.10 - - Control cm.11 - - Control cp.1 - - Control cp.2 - - Subcontrol cp.2.1. - - Subcontrol cp.2.3. - - Subcontrol cp.2.8. - - Control cp.3 - - Control cp.4 - - Subcontrol cp.4.1. 
- - Control cp.6 - - Subcontrol cp.6.1. - - Subcontrol cp.6.3. - - Control cp.7 - - Subcontrol cp.7.1. - - Subcontrol cp.7.2. - - Subcontrol cp.7.3. - - Control cp.8 - - Subcontrol cp.8.1. - - Subcontrol cp.8.2. - - Control cp.9 - - Subcontrol cp.9.1. - - Control cp.10 - - Subcontrol cp.10.2. - - Control ia.1 - - Control ia.2 - - Subcontrol ia.2.1. - - Subcontrol ia.2.2. - - Subcontrol ia.2.3. - - Subcontrol ia.2.8. - - Subcontrol ia.2.11. - - Subcontrol ia.2.12. - - Control ia.3 - - Control ia.4 - - Control ia.5 - - Subcontrol ia.5.1. - - Subcontrol ia.5.2. - - Subcontrol ia.5.3. - - Subcontrol ia.5.11. - - Control ia.6 - - Control ia.7 - - Control ia.8 - - Subcontrol ia.8.1. - - Subcontrol ia.8.2. - - Subcontrol ia.8.3. - - Subcontrol ia.8.4. - - Control ir.1 - - Control ir.2 - - Control ir.3 - - Subcontrol ir.3.2. - - Control ir.4 - - Subcontrol ir.4.1. - - Control ir.5 - - Control ir.6 - - Subcontrol ir.6.1. - - Control ir.7 - - Subcontrol ir.7.1. - - Control ir.8 - - Control ma.1 - - Control ma.2 - - Control ma.3 - - Subcontrol ma.3.1. - - Subcontrol ma.3.2. - - Control ma.4 - - Subcontrol ma.4.2. - - Control ma.5 - - Control ma.6 - - Control mp.1 - - Control mp.2 - - Control mp.3 - - Control mp.4 - - Control mp.5 - - Subcontrol mp.5.4. - - Control mp.6 - - Control mp.7 - - Subcontrol mp.7.1. - - Control pe.1 - - Control pe.2 - - Control pe.3 - - Control pe.4 - - Control pe.5 - - Control pe.6 - - Subcontrol pe.6.1. - - Control pe.8 - - Control pe.9 - - Control pe.10 - - Control pe.11 - - Control pe.12 - - Control pe.13 - - Subcontrol pe.13.3. - - Control pe.14 - - Control pe.15 - - Control pe.16 - - Control pe.17 - - Control pl.1 - - Control pl.2 - - Subcontrol pl.2.3. - - Control pl.4 - - Subcontrol pl.4.1. - - Control pl.8 - - Control ps.1 - - Control ps.2 - - Control ps.3 - - Control ps.4 - - Control ps.5 - - Control ps.6 - - Control ps.7 - - Control ps.8 - - Control ra.1 - - Control ra.2 - - Control ra.3 - - Control ra.5 - - Subcontrol ra.5.1. 
- - Subcontrol ra.5.2. - - Subcontrol ra.5.5. - - Control sa.1 - - Control sa.2 - - Control sa.3 - - Control sa.4 - - Subcontrol sa.4.1. - - Subcontrol sa.4.2. - - Subcontrol sa.4.9. - - Subcontrol sa.4.10. - - Control sa.5 - - Control sa.8 - - Control sa.9 - - Subcontrol sa.9.2. - - Control sa.10 - - Control sa.11 - - Control sc.1 - - Control sc.2 - - Control sc.4 - - Control sc.5 - - Control sc.7 - - Subcontrol sc.7.3. - - Subcontrol sc.7.4. - - Subcontrol sc.7.5. - - Subcontrol sc.7.7. - - Control sc.8 - - Subcontrol sc.8.1. - - Control sc.10 - - Control sc.12 - - Control sc.13 - - Control sc.15 - - Control sc.17 - - Control sc.18 - - Control sc.19 - - Control sc.20 - - Control sc.21 - - Control sc.22 - - Control sc.23 - - Control sc.28 - - Control sc.39 - - Control si.1 - - Control si.2 - - Subcontrol si.2.2. - - Control si.3 - - Subcontrol si.3.1. - - Subcontrol si.3.2. - - Control si.4 - - Subcontrol si.4.2. - - Subcontrol si.4.4. - - Subcontrol si.4.5. - - Control si.5 - - Control si.7 - - Subcontrol si.7.1. - - Subcontrol si.7.7. - - Control si.8 - - Subcontrol si.8.1. - - Subcontrol si.8.2. - - Control si.10 - - Control si.11 - - Control si.12 - - Control si.16 -

-
-
-

NIST SP800-53 rev 4

-
-

ACCESS CONTROL

-
-

- AC-1 ACCESS CONTROL POLICY AND PROCEDURES

-
-

- Parameter: - ac-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ac-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ac-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ac-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the access control policy and associated access controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Access control policy - - ac-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Access control procedures - - ac-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an access control policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the access control policy are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the access control policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the access control policy and associated access control controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current access control policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current access control policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current access control procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current access control procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- AC-2 ACCOUNT MANAGEMENT

-
-

- Parameter: - ac-2_a organization-defined information system account types

-

- Value: organization-defined information system account types

-
-
-

- Parameter: - ac-2_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ac-2_c organization-defined procedures or conditions

-

- Value: organization-defined procedures or conditions

-
-
-

- Parameter: - ac-2_d organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Identifies and selects the following types of information system accounts to support organizational missions/business functions: - - ac-2_a - - organization-defined information system account types - organization-defined information system account types - ;

-
-
-
- - - - - - - -
-

b.

-
-

Assigns account managers for information system accounts;

-
-
-
- - - - - - - -
-

c.

-
-

Establishes conditions for group and role membership;

-
-
-
- - - - - - - -
-

d.

-
-

Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

-
-
-
- - - - - - - -
-

e.

-
-

Requires approvals by - - ac-2_b - - organization-defined personnel or roles - organization-defined personnel or roles - for requests to create information system accounts;

-
-
-
- - - - - - - -
-

f.

-
-

Creates, enables, modifies, disables, and removes information system accounts in accordance with - - ac-2_c - - organization-defined procedures or conditions - organization-defined procedures or conditions - ;

-
-
-
- - - - - - - -
-

g.

-
-

Monitors the use of information system accounts;

-
-
-
- - - - - - - -
-

h.

-
-

Notifies account managers:

-
- - - - - - - -
-

1.

-
-

When accounts are no longer required;

-
-
-
- - - - - - - -
-

2.

-
-

When users are terminated or transferred; and

-
-
-
- - - - - - - -
-

3.

-
-

When individual information system usage or need-to-know changes;

-
-
-
-
-
- - - - - - - -
-

i.

-
-

Authorizes access to the information system based on:

-
- - - - - - - -
-

1.

-
-

A valid access authorization;

-
-
-
- - - - - - - -
-

2.

-
-

Intended system usage; and

-
-
-
- - - - - - - -
-

3.

-
-

Other attributes as required by the organization or associated missions/business functions;

-
-
-
-
-
- - - - - - - -
-

j.

-
-

Reviews accounts for compliance with account management requirements - - ac-2_d - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

k.

-
-

Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

-
-
-
-
-
-

Supplemental guidance

-

Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. 
Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training.

- - - - - - - - - - - - - - - - - - - - - -
-
-

- AC-2 (1) AUTOMATED SYSTEM ACCOUNT MANAGEMENT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to support the management of information system accounts.

-
-
-
-

Supplemental guidance

-

The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using telephonic notification to report atypical system account usage.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to support the management of information system accounts.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-

References: None -

-
-
-

- AC-2 (2) REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS

-
-

- Parameter: - ac-2_e organization-defined time period for each type of account

-

- Value: organization-defined time period for each type of account

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically [Selection: removes; disables] temporary and emergency accounts after - - ac-2_e - - organization-defined time period for each type of account - organization-defined time period for each type of account - .

-
-
-
-

Supplemental guidance

-

This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines the time period after which the information system automatically removes or disables temporary and emergency accounts; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system automatically removes or disables temporary and emergency accounts after the organization-defined time period for each type of account.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system-generated list of temporary accounts removed and/or disabled

-

- information system-generated list of emergency accounts removed and/or disabled

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-

References: None -

-
-
-

- AC-2 (3) DISABLE INACTIVE ACCOUNTS

-
-

- Parameter: - ac-2_f organization-defined time period

-

- Value: organization-defined time period

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically disables inactive accounts after - - ac-2_f - - organization-defined time period - organization-defined time period - .

-
-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines the time period after which the information system automatically disables inactive accounts; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system automatically disables inactive accounts after the organization-defined time period.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system-generated list of temporary accounts removed and/or disabled

-

- information system-generated list of emergency accounts removed and/or disabled

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-

References: None -

-
-
-

- AC-2 (4) AUTOMATED AUDIT ACTIONS

-
-

- Parameter: - ac-2_g organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies - - ac-2_g - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the information system automatically audits the following account actions:

-
- - - - - - - -
-

[a]

-
-

creation;

-
-
-
- - - - - - - -
-

[b]

-
-

modification;

-
-
-
- - - - - - - -
-

[c]

-
-

enabling;

-
-
-
- - - - - - - -
-

[d]

-
-

disabling;

-
-
-
- - - - - - - -
-

[e]

-
-

removal;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines personnel or roles to be notified of the following account actions:

-
- - - - - - - -
-

[a]

-
-

creation;

-
-
-
- - - - - - - -
-

[b]

-
-

modification;

-
-
-
- - - - - - - -
-

[c]

-
-

enabling;

-
-
-
- - - - - - - -
-

[d]

-
-

disabling;

-
-
-
- - - - - - - -
-

[e]

-
-

removal;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

the information system notifies organization-defined personnel or roles of the following account actions:

-
- - - - - - - -
-

[a]

-
-

creation;

-
-
-
- - - - - - - -
-

[b]

-
-

modification;

-
-
-
- - - - - - - -
-

[c]

-
-

enabling;

-
-
-
- - - - - - - -
-

[d]

-
-

disabling; and

-
-
-
- - - - - - - -
-

[e]

-
-

removal.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- notifications/alerts of account creation, modification, enabling, disabling, and removal actions

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing account management functions

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information system account types to be identified and selected to support organizational missions/business functions;

-
-
-
- - - - - - - -
-

[2]

-
-

identifies and selects organization-defined information system account types to support organizational missions/business functions;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

assigns account managers for information system accounts;

-
-
-
- - - - - - - -
-

(c)

-
-

establishes conditions for group and role membership;

-
-
-
- - - - - - - -
-

(d)

-
-

specifies for each account (as required):

-
- - - - - - - -
-

[1]

-
-

authorized users of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

group and role membership;

-
-
-
- - - - - - - -
-

[3]

-
-

access authorizations (i.e., privileges);

-
-
-
- - - - - - - -
-

[4]

-
-

other attributes;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles required to approve requests to create information system accounts;

-
-
-
- - - - - - - -
-

[2]

-
-

requires approvals by organization-defined personnel or roles for requests to create information system accounts;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines procedures or conditions to:

-
- - - - - - - -
-

[a]

-
-

create information system accounts;

-
-
-
- - - - - - - -
-

[b]

-
-

enable information system accounts;

-
-
-
- - - - - - - -
-

[c]

-
-

modify information system accounts;

-
-
-
- - - - - - - -
-

[d]

-
-

disable information system accounts;

-
-
-
- - - - - - - -
-

[e]

-
-

remove information system accounts;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

in accordance with organization-defined procedures or conditions:

-
- - - - - - - -
-

[a]

-
-

creates information system accounts;

-
-
-
- - - - - - - -
-

[b]

-
-

enables information system accounts;

-
-
-
- - - - - - - -
-

[c]

-
-

modifies information system accounts;

-
-
-
- - - - - - - -
-

[d]

-
-

disables information system accounts;

-
-
-
- - - - - - - -
-

[e]

-
-

removes information system accounts;

-
-
-
-
-
-
-
- - - - - - - -
-

(g)

-
-

monitors the use of information system accounts;

-
-
-
- - - - - - - -
-

(h)

-
-

notifies account managers:

-
- - - - - - - -
-

(1)

-
-

when accounts are no longer required;

-
-
-
- - - - - - - -
-

(2)

-
-

when users are terminated or transferred;

-
-
-
- - - - - - - -
-

(3)

-
-

when individual information system usage or need to know changes;

-
-
-
-
-
- - - - - - - -
-

(i)

-
-

authorizes access to the information system based on;

-
- - - - - - - -
-

(1)

-
-

a valid access authorization;

-
-
-
- - - - - - - -
-

(2)

-
-

intended system usage;

-
-
-
- - - - - - - -
-

(3)

-
-

other attributes as required by the organization or associated missions/business functions;

-
-
-
-
-
- - - - - - - -
-

(j)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review accounts for compliance with account management requirements;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews accounts for compliance with account management requirements with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(k)

-
-

establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing account management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of active system accounts along with the name of the individual associated with each account

-

- list of conditions for group and role membership

-

- notifications or records of recently transferred, separated, or terminated employees

-

- list of recently disabled information system accounts along with the name of the individual associated with each account

-

- access authorization records

-

- account management compliance reviews

-

- information system monitoring records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes account management on the information system

-

- automated mechanisms for implementing account management

-
-

References: None -

-
-
-

- AC-3 ACCESS ENFORCEMENT

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

-
-
-
-

Supplemental guidance

-

Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.

- - - - - - - - - - - - - - - - - - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing access enforcement

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of approved authorizations (user privileges)

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with access enforcement responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing access control policy

-
-

References: None -

-
-
-

- AC-4 INFORMATION FLOW ENFORCEMENT

-
-

- Parameter: - ac-4_a organization-defined information flow control policies

-

- Value: organization-defined information flow control policies

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on - - ac-4_a - - organization-defined information flow control policies - organization-defined information flow control policies - .

-
-
-
-

Supplemental guidance

-

Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. -Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. 
Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products.

- - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines information flow control policies to control the flow of information within the system and between interconnected systems; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- information flow control policies

-

- procedures addressing information flow enforcement

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system baseline configuration

-

- list of information flow authorizations

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing information flow enforcement policy

-
-

References: None -

-
-
-

- AC-5 SEPARATION OF DUTIES

-
-

- Parameter: - ac-5_a organization-defined duties of individuals

-

- Value: organization-defined duties of individuals

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Separates - - ac-5_a - - organization-defined duties of individuals - organization-defined duties of individuals - ;

-
-
-
- - - - - - - -
-

b.

-
-

Documents separation of duties of individuals; and

-
-
-
- - - - - - - -
-

c.

-
-

Defines information system access authorizations to support separation of duties.

-
-
-
-
-
-

Supplemental guidance

-

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines duties of individuals to be separated;

-
-
-
- - - - - - - -
-

[2]

-
-

separates organization-defined duties of individuals;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

documents separation of duties; and

-
-
-
- - - - - - - -
-

(c)

-
-

defines information system access authorizations to support separation of duties.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing divisions of responsibility and separation of duties

-

- information system configuration settings and associated documentation

-

- list of divisions of responsibility and separation of duties

-

- information system access authorizations

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing separation of duties policy

-
-

References: None -

-
-
-

- AC-6 LEAST PRIVILEGE

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

-
-
-
-

Supplemental guidance

-

Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems.

- - - - - - -
-
-

- AC-6 (1) AUTHORIZE ACCESS TO SECURITY FUNCTIONS

-
-

- Parameter: - ac-6_a organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information

-

- Value: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization explicitly authorizes access to - - ac-6_a - - organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information - organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information - .

-
-
-
-

Supplemental guidance

-

Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines security-relevant information for which access must be explicitly authorized;

-
-
-
- - - - - - - -
-

[2]

-
-

defines security functions deployed in:

-
- - - - - - - -
-

[a]

-
-

hardware;

-
-
-
- - - - - - - -
-

[b]

-
-

software;

-
-
-
- - - - - - - -
-

[c]

-
-

firmware;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

explicitly authorizes access to:

-
- - - - - - - -
-

[a]

-
-

organization-defined security functions; and

-
-
-
- - - - - - - -
-

[b]

-
-

security-relevant information.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions

-
-

References: None -

-
-
-

- AC-6 (2) NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS

-
-

- Parameter: - ac-6_b organization-defined security functions or security-relevant information

-

- Value: organization-defined security functions or security-relevant information

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires that users of information system accounts, or roles, with access to - - ac-6_b - - organization-defined security functions or security-relevant information - organization-defined security functions or security-relevant information - , use non-privileged accounts or roles, when accessing nonsecurity functions.

-
-
-
-

Supplemental guidance

-

This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines security functions or security-relevant information to which users of information system accounts, or roles, have access; and

-
-
-
- - - - - - - -
-

[2]

-
-

requires that users of information system accounts, or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- list of system-generated security functions or security-relevant information assigned to information system accounts or roles

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions

-
-

References: None -

-
-
-

- AC-6 (5) PRIVILEGED ACCOUNTS

-
-

- Parameter: - ac-6_e organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization restricts privileged accounts on the information system to - - ac-6_e - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-

Supplemental guidance

-

Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines personnel or roles for which privileged accounts on the information system are to be restricted; and

-
-
-
- - - - - - - -
-

[2]

-
-

restricts privileged accounts on the information system to organization-defined personnel or roles.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- list of system-generated privileged accounts

-

- list of system administration personnel

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions

-
-

References: None -

-
-
-

- AC-6 (9) AUDITING USE OF PRIVILEGED FUNCTIONS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system audits the execution of privileged functions.

-
-
-
-

Supplemental guidance

-

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT).

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system audits the execution of privileged functions.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of privileged functions to be audited

-

- list of audited events

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms auditing the execution of least privilege functions

-
-

References: None -

-
-
-

- AC-6 (10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

-
-
-
-

Supplemental guidance

-

Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system prevents non-privileged users from executing privileged functions to include:

-
- - - - - - - -
-

[1]

-
-

disabling implemented security safeguards/countermeasures;

-
-
-
- - - - - - - -
-

[2]

-
-

circumventing security safeguards/countermeasures; or

-
-
-
- - - - - - - -
-

[3]

-
-

altering implemented security safeguards/countermeasures.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of privileged functions and associated user account assignments

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions for non-privileged users

-
-

References: None -

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs the principle of least privilege, allowing only authorized access for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing least privilege

-

- list of assigned access authorizations (user privileges)

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing least privilege functions

-
-

References: None -

-
-
-

- AC-7 UNSUCCESSFUL LOGON ATTEMPTS

-
-

- Parameter: - ac-7_a organization-defined number

-

- Value: organization-defined number

-
-
-

- Parameter: - ac-7_b organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ac-7_c organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ac-7_d organization-defined delay algorithm

-

- Value: organization-defined delay algorithm

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Enforces a limit of - - ac-7_a - - organization-defined number - organization-defined number - consecutive invalid logon attempts by a user during a - - ac-7_b - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Automatically [Selection: locks the account/node for an - - ac-7_c - - organization-defined time period - organization-defined time period - ; locks the account/node until released by an administrator; delays next logon prompt according to - - ac-7_d - - organization-defined delay algorithm - organization-defined delay algorithm - ] when the maximum number of unsuccessful attempts is exceeded.

-
-
-
-
-
-

Supplemental guidance

-

This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the number of consecutive invalid logon attempts allowed to the information system by a user during an organization-defined time period;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the time period allowed by a user of the information system for an organization-defined number of consecutive invalid logon attempts;

-
-
-
- - - - - - - -
-

[3]

-
-

the information system enforces a limit of organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines account/node lockout time period or logon delay algorithm to be automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically:

-
- - - - - - - -
-

[a]

-
-

locks the account/node for the organization-defined time period;

-
-
-
- - - - - - - -
-

[b]

-
-

locks the account/node until released by an administrator; or

-
-
-
- - - - - - - -
-

[c]

-
-

delays next logon prompt according to the organization-defined delay algorithm.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing unsuccessful logon attempts

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system developers

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing access control policy for unsuccessful logon attempts

-
-

References: None -

-
-
-

- AC-8 SYSTEM USE NOTIFICATION

-
-

- Parameter: - ac-8_a organization-defined system use notification message or banner

-

- Value: organization-defined system use notification message or banner

-
-
-

- Parameter: - ac-8_b organization-defined conditions

-

- Value: organization-defined conditions

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Displays to users - - ac-8_a - - organization-defined system use notification message or banner - organization-defined system use notification message or banner - before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:

-
- - - - - - - -
-

1.

-
-

Users are accessing a U.S. Government information system;

-
-
-
- - - - - - - -
-

2.

-
-

Information system usage may be monitored, recorded, and subject to audit;

-
-
-
- - - - - - - -
-

3.

-
-

Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and

-
-
-
- - - - - - - -
-

4.

-
-

Use of the information system indicates consent to monitoring and recording;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and

-
-
-
- - - - - - - -
-

c.

-
-

For publicly accessible systems:

-
- - - - - - - -
-

1.

-
-

Displays system use information - - ac-8_b - - organization-defined conditions - organization-defined conditions - , before granting further access;

-
-
-
- - - - - - - -
-

2.

-
-

Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

-
-
-
- - - - - - - -
-

3.

-
-

Includes a description of the authorized uses of the system.

-
-
-
-
-
-
-
-

Supplemental guidance

-

System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines a system use notification message or banner to be displayed by the information system to users before granting access to the system;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system displays to users the organization-defined system use notification message or banner before granting access to the information system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that:

-
- - - - - - - -
-

(1)

-
-

users are accessing a U.S. Government information system;

-
-
-
- - - - - - - -
-

(2)

-
-

information system usage may be monitored, recorded, and subject to audit;

-
-
-
- - - - - - - -
-

(3)

-
-

unauthorized use of the information system is prohibited and subject to criminal and civil penalties;

-
-
-
- - - - - - - -
-

(4)

-
-

use of the information system indicates consent to monitoring and recording;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

the information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system;

-
-
-
- - - - - - - -
-

(c)

-
-

for publicly accessible systems:

-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines conditions for system use to be displayed by the information system before granting further access;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system displays organization-defined conditions before granting further access;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-

the information system displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

-
-
-
- - - - - - - -
-

(3)

-
-

the information system includes a description of the authorized uses of the system.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- privacy and security policies, procedures addressing system use notification

-

- documented approval of information system use notification messages or banners

-

- information system audit records

-

- user acknowledgements of notification message or banner

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system use notification messages

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibility for providing legal advice

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing system use notification

-
-

References: None -

-
-
-

- AC-11 SESSION LOCK

-
-

- Parameter: - ac-11_a organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P3

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Prevents further access to the system by initiating a session lock after - - ac-11_a - - organization-defined time period - organization-defined time period - of inactivity or upon receiving a request from a user; and

-
-
-
- - - - - - - -
-

b.

-
-

Retains the session lock until the user reestablishes access using established identification and authentication procedures.

-
-
-
-
-
-

Supplemental guidance

-

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.

- -
-
-

- AC-11 (1) PATTERN-HIDING DISPLAYS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

-
-
-
-

Supplemental guidance

-

Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information.

-
-
-

Objective

- - - - - - -
- -

Determine if the information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing session lock

-

- display screen with session lock activated

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Information system session lock mechanisms

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the time period of user inactivity after which the information system initiates a session lock;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system prevents further access to the system by initiating a session lock after organization-defined time period of user inactivity or upon receiving a request from a user; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

the information system retains the session lock until the user reestablishes access using established identification and authentication procedures.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing session lock

-

- procedures addressing identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing access control policy for session lock

-
-
-

References

-
-

OMB Memorandum 06-16

-
-
-
-
-

- AC-12 SESSION TERMINATION

-
-

- Parameter: - ac-12_a organization-defined conditions or trigger events requiring session disconnect

-

- Value: organization-defined conditions or trigger events requiring session disconnect

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically terminates a user session after - - ac-12_a - - organization-defined conditions or trigger events requiring session disconnect - organization-defined conditions or trigger events requiring session disconnect - .

-
-
-
-

Supplemental guidance

-

This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user�s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines conditions or trigger events requiring session disconnect; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect occurs.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing session termination

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of conditions or trigger events requiring session disconnect

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing user session termination

-
-

References: None -

-
-
-

- AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION

-
-

- Parameter: - ac-14_a organization-defined user actions

-

- Value: organization-defined user actions

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Identifies - - ac-14_a - - organization-defined user actions - organization-defined user actions - that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and

-
-
-
- - - - - - - -
-

b.

-
-

Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

-
-
-
-
-
-

Supplemental guidance

-

This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions;

-
-
-
- - - - - - - -
-

[2]

-
-

identifies organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing permitted actions without identification or authentication

-

- information system configuration settings and associated documentation

-

- security plan

-

- list of user actions that can be performed without identification or authentication

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- AC-17 REMOTE ACCESS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

-
-
-
- - - - - - - -
-

b.

-
-

Authorizes remote access to the information system prior to allowing such connections.

-
-
-
-
-
-

Supplemental guidance

-

Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.

- - - - - - - - - - - - - - - - -
-
-

- AC-17 (1) AUTOMATED MONITORING / CONTROL

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system monitors and controls remote access methods.

-
-
-
-

Supplemental guidance

-

Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).

- - -
-
-

Objective

- - - - - - -
- -

Determine if the information system monitors and controls remote access methods.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing remote access to the information system

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- information system monitoring records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms monitoring and controlling remote access methods

-
-

References: None -

-
-
-

- AC-17 (2) PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

-
-
-
-

Supplemental guidance

-

The encryption strength of mechanism is selected based on the security categorization of the information.

- - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing remote access to the information system

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- cryptographic mechanisms and associated configuration documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions

-
-

References: None -

-
-
-

- AC-17 (3) MANAGED ACCESS CONTROL POINTS

-
-

- Parameter: - ac-17_a organization-defined number

-

- Value: organization-defined number

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system routes all remote accesses through - - ac-17_a - - organization-defined number - organization-defined number - managed network access control points.

-
-
-
-

Supplemental guidance

-

Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines the number of managed network access control points through which all remote accesses are to be routed; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system routes all remote accesses through the organization-defined number of managed network access control points.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing remote access to the information system

-

- information system design documentation

-

- list of all managed network access control points

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms routing all remote accesses through managed network access control points

-
-

References: None -

-
-
-

- AC-17 (4) PRIVILEGED COMMANDS / ACCESS

-
-

- Parameter: - ac-17_b organization-defined needs

-

- Value: organization-defined needs

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Authorizes the execution of privileged commands and access to security-relevant information via remote access only for - - ac-17_b - - organization-defined needs - organization-defined needs - ; and

-
-
-
- - - - - - - -
-

(b)

-
-

Documents the rationale for such access in the security plan for the information system.

-
-
-
-
-
-

Supplemental guidance

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines needs to authorize the execution of privileged commands and access to security-relevant information via remote access;

-
-
-
- - - - - - - -
-

[2]

-
-

authorizes the execution of privileged commands and access to security-relevant information via remote access only for organization-defined needs; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

documents the rationale for such access in the information system security plan.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing remote access to the information system

-

- information system configuration settings and associated documentation

-

- security plan

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing remote access management

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

identifies the types of remote access allowed to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

establishes for each type of remote access allowed:

-
- - - - - - - -
-

[a]

-
-

usage restrictions;

-
-
-
- - - - - - - -
-

[b]

-
-

configuration/connection requirements;

-
-
-
- - - - - - - -
-

[c]

-
-

implementation guidance;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

documents for each type of remote access allowed:

-
- - - - - - - -
-

[a]

-
-

usage restrictions;

-
-
-
- - - - - - - -
-

[b]

-
-

configuration/connection requirements;

-
-
-
- - - - - - - -
-

[c]

-
-

implementation guidance; and

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

authorizes remote access to the information system prior to allowing such connections.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing remote access implementation and usage (including restrictions)

-

- configuration management plan

-

- security plan

-

- information system configuration settings and associated documentation

-

- remote access authorizations

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing remote access connections

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Remote access management capability for the information system

-
-
-

References

-
-

NIST Special Publication 800-46

-
-
-

NIST Special Publication 800-77

-
-
-

NIST Special Publication 800-113

-
-
-

NIST Special Publication 800-114

-
-
-

NIST Special Publication 800-121

-
-
-
-
-

- AC-18 WIRELESS ACCESS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and

-
-
-
- - - - - - - -
-

b.

-
-

Authorizes wireless access to the information system prior to allowing such connections.

-
-
-
-
-
-

Supplemental guidance

-

Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication.

- - - - - - - - - - - - -
-
-

- AC-18 (1) AUTHENTICATION AND ENCRYPTION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system protects wireless access to the system using encryption and one or more of the following:

-
- - - - - - - -
-

[1]

-
-

authentication of users; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

authentication of devices.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing wireless implementation and usage (including restrictions)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing wireless access protections to the information system

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

establishes for wireless access:

-
- - - - - - - -
-

[1]

-
-

usage restrictions;

-
-
-
- - - - - - - -
-

[2]

-
-

configuration/connection requirement;

-
-
-
- - - - - - - -
-

[3]

-
-

implementation guidance; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

authorizes wireless access to the information system prior to allowing such connections.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing wireless access implementation and usage (including restrictions)

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- wireless access authorizations

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing wireless access connections

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Wireless access management capability for the information system

-
-
-

References

-
-

NIST Special Publication 800-48

-
-
-

NIST Special Publication 800-94

-
-
-

NIST Special Publication 800-97

-
-
-
-
-

- AC-19 ACCESS CONTROL FOR MOBILE DEVICES

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and

-
-
-
- - - - - - - -
-

b.

-
-

Authorizes the connection of mobile devices to organizational information systems.

-
-
-
-
-
-

Supplemental guidance

-

A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. 
Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.

- - - - - - - - - - - - - - - - -
-
-

- AC-19 (5) FULL DEVICE / CONTAINER-BASED ENCRYPTION

-
-

- Parameter: - ac-19_c organization-defined mobile devices

-

- Value: organization-defined mobile devices

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on - - ac-19_c - - organization-defined mobile devices - organization-defined mobile devices - .

-
-
-
-

Supplemental guidance

-

Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines mobile devices for which full-device encryption or container encryption is required to protect the confidentiality and integrity of information on such devices; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs full-device encryption or container encryption to protect the confidentiality and integrity of information on organization-defined mobile devices.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing access control for mobile devices

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- encryption mechanism s and associated configuration documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with access control responsibilities for mobile devices

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Encryption mechanisms protecting confidentiality and integrity of information on mobile devices

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

establishes for organization-controlled mobile devices:

-
- - - - - - - -
-

[1]

-
-

usage restrictions;

-
-
-
- - - - - - - -
-

[2]

-
-

configuration/connection requirement;

-
-
-
- - - - - - - -
-

[3]

-
-

implementation guidance; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

authorizes the connection of mobile devices to organizational information systems.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing access control for mobile device usage (including restrictions)

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- authorizations for mobile device connections to organizational information systems

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel using mobile devices to access organizational information systems

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Access control capability authorizing mobile device connections to organizational information systems

-
-
-

References

-
-

OMB Memorandum 06-16

-
-
-

NIST Special Publication 800-114

-
-
-

NIST Special Publication 800-124

-
-
-

NIST Special Publication 800-164

-
-
-
-
-

- AC-20 USE OF EXTERNAL INFORMATION SYSTEMS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

-
- - - - - - - -
-

a.

-
-

Access the information system from external information systems; and

-
-
-
- - - - - - - -
-

b.

-
-

Process, store, or transmit organization-controlled information using external information systems.

-
-
-
-
-
-

Supplemental guidance

-

External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. -For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. 
Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. -This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

- - - - - - -
-
-

- AC-20 (1) LIMITS ON AUTHORIZED USE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:

-
- - - - - - - -
-

(a)

-
-

Verifies the implementation of required security controls on the external system as specified in the organization�s information security policy and security plan; or

-
-
-
- - - - - - - -
-

(b)

-
-

Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:

-
- - - - - - - -
-

(a)

-
-

verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or

-
-
-
- - - - - - - -
-

(b)

-
-

retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing the use of external information systems

-

- security plan

-

- information system connection or processing agreements

-

- account management documents

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing limits on use of external information systems

-
-

References: None -

-
-
-

- AC-20 (2) PORTABLE STORAGE DEVICES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.

-
-
-
-

Supplemental guidance

-

Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems.

-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing the use of external information systems

-

- security plan

-

- information system configuration settings and associated documentation

-

- information system connection or processing agreements

-

- account management documents

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for restricting or prohibiting use of organization-controlled storage devices on external information systems

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing restrictions on use of portable storage devices

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

-
- - - - - - - -
-

(a)

-
-

access the information system from the external information systems; and

-
-
-
- - - - - - - -
-

(b)

-
-

process, store, or transmit organization-controlled information using external information systems.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing the use of external information systems

-

- external information systems terms and conditions

-

- list of types of applications accessible from external information systems

-

- maximum security categorization for information processed, stored, or transmitted on external information systems

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing terms and conditions on use of external information systems

-
-
-

References

-
-

FIPS Publication 199

-
-
-
-
-

- AC-21 INFORMATION SHARING

-
-

- Parameter: - ac-21_a organization-defined information sharing circumstances where user discretion is required

-

- Value: organization-defined information sharing circumstances where user discretion is required

-
-
-

- Parameter: - ac-21_b organization-defined automated mechanisms or manual processes

-

- Value: organization-defined automated mechanisms or manual processes

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for - - ac-21_a - - organization-defined information sharing circumstances where user discretion is required - organization-defined information sharing circumstances where user discretion is required - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Employs - - ac-21_b - - organization-defined automated mechanisms or manual processes - organization-defined automated mechanisms or manual processes - to assist users in making information sharing/collaboration decisions.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information sharing circumstances where user discretion is required;

-
-
-
- - - - - - - -
-

[2]

-
-

facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information sharing circumstances;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines automated mechanisms or manual processes to be employed to assist users in making information sharing/collaboration decisions; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs organization-defined automated mechanisms or manual processes to assist users in making information sharing/collaboration decisions.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing user-based collaboration and information sharing (including restrictions)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of users authorized to make information sharing/collaboration decisions

-

- list of information sharing circumstances requiring user discretion

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel responsible for making information sharing/collaboration decisions

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms or manual process implementing access authorizations supporting information sharing/user collaboration decisions

-
-

References: None -

-
-
-

- AC-22 PUBLICLY ACCESSIBLE CONTENT

-
-

- Parameter: - ac-22_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Designates individuals authorized to post information onto a publicly accessible information system;

-
-
-
- - - - - - - -
-

b.

-
-

Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and

-
-
-
- - - - - - - -
-

d.

-
-

Reviews the content on the publicly accessible information system for nonpublic information - - ac-22_a - - organization-defined frequency - organization-defined frequency - and removes such information, if discovered.

-
-
-
-
-
-

Supplemental guidance

-

In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

designates individuals authorized to post information onto a publicly accessible information system;

-
-
-
- - - - - - - -
-

(b)

-
-

trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

-
-
-
- - - - - - - -
-

(c)

-
-

reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the content on the publicly accessible information system for nonpublic information;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the content on the publicly accessible information system for nonpublic information with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[3]

-
-

removes nonpublic information from the publicly accessible information system, if discovered.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing publicly accessible content

-

- list of users authorized to post publicly accessible content on organizational information systems

-

- training materials and/or records

-

- records of publicly accessible information reviews

-

- records of response to nonpublic information on public websites

-

- system audit logs

-

- security awareness training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing management of publicly accessible content

-
-

References: None -

-
-
-
-

AWARENESS AND TRAINING

-
-

- AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES

-
-

- Parameter: - at-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - at-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - at-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - at-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Security awareness and training policy - - at-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Security awareness and training procedures - - at-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an security awareness and training policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the security awareness and training policy are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the security awareness and training policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated awareness and training controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current security awareness and training policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current security awareness and training policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current security awareness and training procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current security awareness and training procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security awareness and training responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-16

-
-
-

NIST Special Publication 800-50

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- AT-2 SECURITY AWARENESS TRAINING

-
-

- Parameter: - at-2_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):

-
- - - - - - - -
-

a.

-
-

As part of initial training for new users;

-
-
-
- - - - - - - -
-

b.

-
-

When required by information system changes; and

-
-
-
- - - - - - - -
-

c.

-
-

- - - at-2_a - - organization-defined frequency - organization-defined frequency - thereafter.

-
-
-
-
-
-

Supplemental guidance

-

Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.

- - - -
-
-

- AT-2 (2) INSIDER THREAT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

-
-
-
-

Supplemental guidance

-

Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures.

- - - - -
-
-

Objective

- - - - - - -
- -

Determine if the organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy

-

- procedures addressing security awareness training implementation

-

- security awareness training curriculum

-

- security awareness training materials

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel that participate in security awareness training

-

- organizational personnel with responsibilities for basic security awareness training

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users;

-
-
-
- - - - - - - -
-

(b)

-
-

provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes; and

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to provide refresher security awareness training thereafter to information system users (including managers, senior executives, and contractors); and

-
-
-
- - - - - - - -
-

[2]

-
-

provides refresher security awareness training to information users (including managers, senior executives, and contractors) with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy

-

- procedures addressing security awareness training implementation

-

- appropriate codes of federal regulations

-

- security awareness training curriculum

-

- security awareness training materials

-

- security plan

-

- training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for security awareness training

-

- organizational personnel with information security responsibilities

-

- organizational personnel comprising the general information system user community

-
-
-

Assessment: TEST

-

- Automated mechanisms managing security awareness training

-
-
-

References

-
-

C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)

-
-
-

Executive Order 13587

-
-
-

NIST Special Publication 800-50

-
-
-
-
-

- AT-3 ROLE-BASED SECURITY TRAINING

-
-

- Parameter: - at-3_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides role-based security training to personnel with assigned security roles and responsibilities:

-
- - - - - - - -
-

a.

-
-

Before authorizing access to the information system or performing assigned duties;

-
-
-
- - - - - - - -
-

b.

-
-

When required by information system changes; and

-
-
-
- - - - - - - -
-

c.

-
-

- - - at-3_a - - organization-defined frequency - organization-defined frequency - thereafter.

-
-
-
-
-
-

Supplemental guidance

-

Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties;

-
-
-
- - - - - - - -
-

(b)

-
-

provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes; and

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to provide refresher role-based security training thereafter to personnel with assigned security roles and responsibilities; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides refresher role-based security training to personnel with assigned security roles and responsibilities with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy

-

- procedures addressing security training implementation

-

- codes of federal regulations

-

- security training curriculum

-

- security training materials

-

- security plan

-

- training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for role-based security training

-

- organizational personnel with assigned information system security roles and responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms managing role-based security training

-
-
-

References

-
-

C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)

-
-
-

NIST Special Publication 800-16

-
-
-

NIST Special Publication 800-50

-
-
-
-
-

- AT-4 SECURITY TRAINING RECORDS

-
-

- Parameter: - at-4_a organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and

-
-
-
- - - - - - - -
-

b.

-
-

Retains individual training records for - - at-4_a - - organization-defined time period - organization-defined time period - .

-
-
-
-
-
-

Supplemental guidance

-

Documentation for specialized training may be maintained by individual supervisors at the option of the organization.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

documents individual information system security training activities including:

-
- - - - - - - -
-

[a]

-
-

basic security awareness training;

-
-
-
- - - - - - - -
-

[b]

-
-

specific role-based information system security training;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

monitors individual information system security training activities including:

-
- - - - - - - -
-

[a]

-
-

basic security awareness training;

-
-
-
- - - - - - - -
-

[b]

-
-

specific role-based information system security training;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period to retain individual training records; and

-
-
-
- - - - - - - -
-

[2]

-
-

retains individual training records for the organization-defined time period.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security awareness and training policy

-

- procedures addressing security training records

-

- security awareness and training records

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security training record retention responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting management of security training records

-
-

References: None -

-
-
-
-

AUDIT AND ACCOUNTABILITY

-
-

- AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES

-
-

- Parameter: - au-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - au-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - au-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - au-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Audit and accountability policy - - au-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Audit and accountability procedures - - au-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an audit and accountability policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the audit and accountability policy are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the audit and accountability policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current audit and accountability policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current audit and accountability policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current audit and accountability procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current audit and accountability procedures in accordance with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- AU-2 AUDIT EVENTS

-
-

- Parameter: - au-2_a organization-defined auditable events

-

- Value: organization-defined auditable events

-
-
-

- Parameter: - au-2_b organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event

-

- Value: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Determines that the information system is capable of auditing the following events: - - au-2_a - - organization-defined auditable events - organization-defined auditable events - ;

-
-
-
- - - - - - - -
-

b.

-
-

Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

-
-
-
- - - - - - - -
-

c.

-
-

Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and

-
-
-
- - - - - - - -
-

d.

-
-

Determines that the following events are to be audited within the information system: - - au-2_b - - organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event - organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event - .

-
-
-
-
-
-

Supplemental guidance

-

An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.

- - - - - - - - -
-
-

- AU-2 (3) REVIEWS AND UPDATES

-
-

- Parameter: - au-2_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization reviews and updates the audited events - - au-2_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-

Supplemental guidance

-

Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the audited events; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the auditable events with organization-defined frequency.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing auditable events

-

- security plan

-

- list of organization-defined auditable events

-

- auditable events review and update records

-

- information system audit records

-

- information system incident reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting review and update of auditable events

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the auditable events that the information system must be capable of auditing;

-
-
-
- - - - - - - -
-

[2]

-
-

determines that the information system is capable of auditing organization-defined auditable events;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

-
-
-
- - - - - - - -
-

(c)

-
-

provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines the subset of auditable events defined in AU-2a that are to be audited within the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

determines that the subset of auditable events defined in AU-2a are to be audited within the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

determines the frequency of (or situation requiring) auditing for each identified event.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing auditable events

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- information system auditable events

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing information system auditing

-
-
-

References

-
-

NIST Special Publication 800-92

-
-
-

http://idmanagement.gov

-
-
-
-
-

- AU-3 CONTENT OF AUDIT RECORDS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

-
-
-
-

Supplemental guidance

-

Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).

- - - - -
-
-

- AU-3 (1) ADDITIONAL AUDIT INFORMATION

-
-

- Parameter: - au-3_a organization-defined additional, more detailed information

-

- Value: organization-defined additional, more detailed information

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system generates audit records containing the following additional information: - - au-3_a - - organization-defined additional, more detailed information - organization-defined additional, more detailed information - .

-
-
-
-

Supplemental guidance

-

Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines additional, more detailed information to be contained in audit records that the information system generates; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system generates audit records containing the organization-defined additional, more detailed information.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing content of audit records

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of organization-defined auditable events

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Information system audit capability

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system generates audit records containing information that establishes:

-
- - - - - - - -
-

[1]

-
-

what type of event occurred;

-
-
-
- - - - - - - -
-

[2]

-
-

when the event occurred;

-
-
-
- - - - - - - -
-

[3]

-
-

where the event occurred;

-
-
-
- - - - - - - -
-

[4]

-
-

the source of the event;

-
-
-
- - - - - - - -
-

[5]

-
-

the outcome of the event; and

-
-
-
- - - - - - - -
-

[6]

-
-

the identity of any individuals or subjects associated with the event.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing content of audit records

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of organization-defined auditable events

-

- information system audit records

-

- information system incident reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing information system auditing of auditable events

-
-

References: None -

-
-
-

- AU-4 AUDIT STORAGE CAPACITY

-
-

- Parameter: - au-4_a organization-defined audit record storage requirements

-

- Value: organization-defined audit record storage requirements

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization allocates audit record storage capacity in accordance with - - au-4_a - - organization-defined audit record storage requirements - organization-defined audit record storage requirements - .

-
-
-
-

Supplemental guidance

-

Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines audit record storage requirements; and

-
-
-
- - - - - - - -
-

[2]

-
-

allocates audit record storage capacity in accordance with the organization-defined audit record storage requirements.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit storage capacity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit record storage requirements

-

- audit record storage capability for information system components

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Audit record storage capacity and related configuration settings

-
-

References: None -

-
-
-

- AU-5 RESPONSE TO AUDIT PROCESSING FAILURES

-
-

- Parameter: - au-5_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - au-5_b organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)

-

- Value: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Alerts - - au-5_a - - organization-defined personnel or roles - organization-defined personnel or roles - in the event of an audit processing failure; and

-
-
-
- - - - - - - -
-

b.

-
-

Takes the following additional actions: - - au-5_b - - organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) - organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) - .

-
-
-
-
-
-

Supplemental guidance

-

Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the personnel or roles to be alerted in the event of an audit processing failure;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system alerts the organization-defined personnel or roles in the event of an audit processing failure;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines additional actions to be taken (e.g., shutdown information system, overwrite oldest audit records, stop generating audit records) in the event of an audit processing failure; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system takes the additional organization-defined actions in the event of an audit processing failure.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing response to audit processing failures

-

- information system design documentation

-

- security plan

-

- information system configuration settings and associated documentation

-

- list of personnel to be notified in case of an audit processing failure

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing information system response to audit processing failures

-
-

References: None -

-
-
-

- AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING

-
-

- Parameter: - au-6_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - au-6_b organization-defined inappropriate or unusual activity

-

- Value: organization-defined inappropriate or unusual activity

-
-
-

- Parameter: - au-6_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Reviews and analyzes information system audit records - - au-6_a - - organization-defined frequency - organization-defined frequency - for indications of - - au-6_b - - organization-defined inappropriate or unusual activity - organization-defined inappropriate or unusual activity - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Reports findings to - - au-6_c - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-
-
-

Supplemental guidance

-

Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-

- AU-6 (1) PROCESS INTEGRATION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

-
-
-
-

Supplemental guidance

-

Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

employs automated mechanisms to integrate:

-
- - - - - - - -
-

[a]

-
-

audit review;

-
-
-
- - - - - - - -
-

[b]

-
-

analysis;

-
-
-
- - - - - - - -
-

[c]

-
-

reporting processes;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

uses integrated audit review, analysis and reporting processes to support organizational processes for:

-
- - - - - - - -
-

[a]

-
-

investigation of suspicious activities; and

-
-
-
- - - - - - - -
-

[b]

-
-

response to suspicious activities.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit review, analysis, and reporting

-

- procedures addressing investigation and response to suspicious activities

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit review, analysis, and reporting responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms integrating audit review, analysis, and reporting processes

-
-

References: None -

-
-
-

- AU-6 (3) CORRELATE AUDIT REPOSITORIES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

-
-
-
-

Supplemental guidance

-

Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission/business process, and information system) and supports cross-organization awareness.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit review, analysis, and reporting

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records across different repositories

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit review, analysis, and reporting responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting analysis and correlation of audit records

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity;

-
-
-
- - - - - - - -
-

[3]

-
-

reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported; and

-
-
-
- - - - - - - -
-

[2]

-
-

reports findings to organization-defined personnel or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit review, analysis, and reporting

-

- reports of audit findings

-

- records of actions taken in response to reviews/analyses of audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit review, analysis, and reporting responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- AU-7 AUDIT REDUCTION AND REPORT GENERATION

-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system provides an audit reduction and report generation capability that:

-
- - - - - - - -
-

a.

-
-

Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and

-
-
-
- - - - - - - -
-

b.

-
-

Does not alter the original content or time ordering of audit records.

-
-
-
-
-
-

Supplemental guidance

-

Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient.

- -
-
-

- AU-7 (1) AUTOMATIC PROCESSING

-
-

- Parameter: - au-7_a organization-defined audit fields within audit records

-

- Value: organization-defined audit fields within audit records

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system provides the capability to process audit records for events of interest based on - - au-7_a - - organization-defined audit fields within audit records - organization-defined audit fields within audit records - .

-
-
-
-

Supplemental guidance

-

Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines audit fields within audit records in order to process audit records for events of interest; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system provides the capability to process audit records for events of interest based on the organization-defined audit fields within audit records.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit reduction and report generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit reduction, review, analysis, and reporting tools

-

- audit record criteria (fields) establishing events of interest

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit reduction and report generation responsibilities

-

- organizational personnel with information security responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Audit reduction and report generation capability

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system provides an audit reduction and report generation capability that supports:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

on-demand audit review;

-
-
-
- - - - - - - -
-

[2]

-
-

analysis;

-
-
-
- - - - - - - -
-

[3]

-
-

reporting requirements;

-
-
-
- - - - - - - -
-

[4]

-
-

after-the-fact investigations of security incidents; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

does not alter the original content or time ordering of audit records.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit reduction and report generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit reduction, review, analysis, and reporting tools

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit reduction and report generation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Audit reduction and report generation capability

-
-

References: None -

-
-
-

- AU-8 TIME STAMPS

-
-

- Parameter: - au-8_a organization-defined granularity of time measurement

-

- Value: organization-defined granularity of time measurement

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Uses internal system clocks to generate time stamps for audit records; and

-
-
-
- - - - - - - -
-

b.

-
-

Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets - - au-8_a - - organization-defined granularity of time measurement - organization-defined granularity of time measurement - .

-
-
-
-
-
-

Supplemental guidance

-

Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.

- - -
-
-

- AU-8 (1) SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE

-
-

- Parameter: - au-8_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - au-8_c organization-defined authoritative time source

-

- Value: organization-defined authoritative time source

-
-
-

- Parameter: - au-8_d organization-defined time period

-

- Value: organization-defined time period

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

(a)

-
-

Compares the internal information system clocks - - au-8_b - - organization-defined frequency - organization-defined frequency - with - - au-8_c - - organization-defined authoritative time source - organization-defined authoritative time source - ; and

-
-
-
- - - - - - - -
-

(b)

-
-

Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than - - au-8_d - - organization-defined time period - organization-defined time period - .

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the authoritative time source to which internal information system clocks are to be compared;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the frequency to compare the internal information system clocks with the organization-defined authoritative time source; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system compares the internal information system clocks with the organization-defined authoritative time source with organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the time period that, if exceeded by the time difference between the internal system clocks and the authoritative time source, will result in the internal system clocks being synchronized to the authoritative time source; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system synchronizes the internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing time stamp generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing internal information system clock synchronization

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-

the information system uses internal system clocks to generate time stamps for audit records;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the granularity of time measurement to be met when recording time stamps for audit records; and

-
-
-
- - - - - - - -
-

[3]

-
-

the organization records time stamps for audit records that meet the organization-defined granularity of time measurement.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing time stamp generation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing time stamp generation

-
-

References: None -

-
-
-

- AU-9 PROTECTION OF AUDIT INFORMATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

-
-
-
-

Supplemental guidance

-

Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.

- - - - - - - -
-
-

- AU-9 (4) ACCESS BY SUBSET OF PRIVILEGED USERS

-
-

- Parameter: - au-9_b organization-defined subset of privileged users

-

- Value: organization-defined subset of privileged users

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization authorizes access to management of audit functionality to only - - au-9_b - - organization-defined subset of privileged users - organization-defined subset of privileged users - .

-
-
-
-

Supplemental guidance

-

Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a subset of privileged users to be authorized access to management of audit functionality; and

-
-
-
- - - - - - - -
-

[2]

-
-

authorizes access to management of audit functionality to only the organization-defined subset of privileged users.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- access control policy and procedures

-

- procedures addressing protection of audit information

-

- information system design documentation

-

- information system configuration settings and associated documentation, system-generated list of privileged users with access to management of audit functionality

-

- access authorizations

-

- access control list

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms managing access to audit functionality

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the information system protects audit information from unauthorized:

-
- - - - - - - -
-

[a]

-
-

access;

-
-
-
- - - - - - - -
-

[b]

-
-

modification;

-
-
-
- - - - - - - -
-

[c]

-
-

deletion;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the information system protects audit tools from unauthorized:

-
- - - - - - - -
-

[a]

-
-

access;

-
-
-
- - - - - - - -
-

[b]

-
-

modification; and

-
-
-
- - - - - - - -
-

[c]

-
-

deletion.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- access control policy and procedures

-

- procedures addressing protection of audit information

-

- information system design documentation

-

- information system configuration settings and associated documentation, information system audit records

-

- audit tools

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit and accountability responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing audit information protection

-
-

References: None -

-
-
-

- AU-11 AUDIT RECORD RETENTION

-
-

- Parameter: - au-11_a organization-defined time period consistent with records retention policy

-

- Value: organization-defined time period consistent with records retention policy

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization retains audit records for - - au-11_a - - organization-defined time period consistent with records retention policy - organization-defined time period consistent with records retention policy - to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

-
-
-
-

Supplemental guidance

-

Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a time period to retain audit records that is consistent with records retention policy;

-
-
-
- - - - - - - -
-

[2]

-
-

retains audit records for the organization-defined time period consistent with records retention policy to:

-
- - - - - - - -
-

[a]

-
-

provide support for after-the-fact investigations of security incidents; and

-
-
-
- - - - - - - -
-

[b]

-
-

meet regulatory and organizational information retention requirements.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- audit record retention policy and procedures

-

- security plan

-

- organization-defined retention period for audit records

-

- audit record archives

-

- audit logs

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit record retention responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-

References: None -

-
-
-

- AU-12 AUDIT GENERATION

-
-

- Parameter: - au-12_a organization-defined information system components

-

- Value: organization-defined information system components

-
-
-

- Parameter: - au-12_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Provides audit record generation capability for the auditable events defined in AU-2 a. at - - au-12_a - - organization-defined information system components - organization-defined information system components - ;

-
-
-
- - - - - - - -
-

b.

-
-

Allows - - au-12_b - - organization-defined personnel or roles - organization-defined personnel or roles - to select which auditable events are to be audited by specific components of the information system; and

-
-
-
- - - - - - - -
-

c.

-
-

Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

-
-
-
-
-
-

Supplemental guidance

-

Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the information system components which are to provide audit record generation capability for the auditable events defined in AU-2a;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system provides audit record generation capability, for the auditable events defined in AU-2a, at organization-defined information system components;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system allows the organization-defined personnel or roles to select which auditable events are to be audited by specific components of the system; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

the information system generates audit records for the events defined in AU-2d with the content in defined in AU-3.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Audit and accountability policy

-

- procedures addressing audit record generation

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of auditable events

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with audit record generation responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing audit record generation capability

-
-

References: None -

-
-
-
-

SECURITY ASSESSMENT AND AUTHORIZATION

-
-

- CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES

-
-

- Parameter: - ca-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ca-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ca-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ca-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Security assessment and authorization policy - - ca-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Security assessment and authorization procedures - - ca-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a security assessment and authorization policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the security assessment and authorization policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the security assessment and authorization policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated assessment and authorization controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current security assessment and authorization policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current security assessment and authorization policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current security assessment and authorization procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current security assessment and authorization procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security assessment and authorization responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-53A

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- CA-2 SECURITY ASSESSMENTS

-
-

- Parameter: - ca-2_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ca-2_b organization-defined individuals or roles

-

- Value: organization-defined individuals or roles

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops a security assessment plan that describes the scope of the assessment including:

-
- - - - - - - -
-

1.

-
-

Security controls and control enhancements under assessment;

-
-
-
- - - - - - - -
-

2.

-
-

Assessment procedures to be used to determine security control effectiveness; and

-
-
-
- - - - - - - -
-

3.

-
-

Assessment environment, assessment team, and assessment roles and responsibilities;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Assesses the security controls in the information system and its environment of operation - - ca-2_a - - organization-defined frequency - organization-defined frequency - to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

-
-
-
- - - - - - - -
-

c.

-
-

Produces a security assessment report that documents the results of the assessment; and

-
-
-
- - - - - - - -
-

d.

-
-

Provides the results of the security control assessment to - - ca-2_b - - organization-defined individuals or roles - organization-defined individuals or roles - .

-
-
-
-
-
-

Supplemental guidance

-

Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. 
-To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control.

- - - - - - - - -
-
-

- CA-2 (1) INDEPENDENT ASSESSORS

-
-

- Parameter: - ca-2_c organization-defined level of independence

-

- Value: organization-defined level of independence

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs assessors or assessment teams with - - ca-2_c - - organization-defined level of independence - organization-defined level of independence - to conduct security control assessments.

-
-
-
-

Supplemental guidance

-

Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. 
In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the level of independence to be employed to conduct security control assessments; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs assessors or assessment teams with the organization-defined level of independence to conduct security control assessments.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing security assessments

-

- security authorization package (including security plan, security assessment plan, security assessment report, plan of action and milestones, authorization statement)

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops a security assessment plan that describes the scope of the assessment including:

-
- - - - - - - -
-

(1)

-
-

security controls and control enhancements under assessment;

-
-
-
- - - - - - - -
-

(2)

-
-

assessment procedures to be used to determine security control effectiveness;

-
-
-
- - - - - - - -
-

(3)

-
-
- - - - - - - -
-

[1]

-
-

assessment environment;

-
-
-
- - - - - - - -
-

[2]

-
-

assessment team;

-
-
-
- - - - - - - -
-

[3]

-
-

assessment roles and responsibilities;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to assess the security controls in the information system and its environment of operation;

-
-
-
- - - - - - - -
-

[2]

-
-

assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

produces a security assessment report that documents the results of the assessment;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines individuals or roles to whom the results of the security control assessment are to be provided; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides the results of the security control assessment to organization-defined individuals or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing security assessment planning

-

- procedures addressing security assessments

-

- security assessment plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting security assessment, security assessment plan development, and/or security assessment reporting

-
-
-

References

-
-

Executive Order 13587

-
-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-39

-
-
-

NIST Special Publication 800-53A

-
-
-

NIST Special Publication 800-115

-
-
-

NIST Special Publication 800-137

-
-
-
-
-

- CA-3 SYSTEM INTERCONNECTIONS

-
-

- Parameter: - ca-3_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;

-
-
-
- - - - - - - -
-

b.

-
-

Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and

-
-
-
- - - - - - - -
-

c.

-
-

Reviews and updates Interconnection Security Agreements - - ca-3_a - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.

- - - - - - - - - - - -
-
-

- CA-3 (5) RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS

-
-

- Parameter: - ca-3_h organization-defined information systems

-

- Value: organization-defined information systems

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing - - ca-3_h - - organization-defined information systems - organization-defined information systems - to connect to external information systems.

-
-
-
-

Supplemental guidance

-

Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information systems to be allowed to connect to external information systems;

-
-
-
- - - - - - - -
-

[2]

-
-

employs one of the following policies for allowing organization-defined information systems to connect to external information systems:

-
- - - - - - - -
-

[a]

-
-

allow-all policy;

-
-
-
- - - - - - - -
-

[b]

-
-

deny-by-exception policy;

-
-
-
- - - - - - - -
-

[c]

-
-

deny-all policy; or

-
-
-
- - - - - - - -
-

[d]

-
-

permit-by-exception policy.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing information system connections

-

- system and communications protection policy

-

- information system interconnection agreements

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security assessment report

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for managing connections to external information systems

-

- network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing restrictions on external system connections

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;

-
-
-
- - - - - - - -
-

(b)

-
-

documents, for each interconnection:

-
- - - - - - - -
-

[1]

-
-

the interface characteristics;

-
-
-
- - - - - - - -
-

[2]

-
-

the security requirements;

-
-
-
- - - - - - - -
-

[3]

-
-

the nature of the information communicated;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update Interconnection Security Agreements; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates Interconnection Security Agreements with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing information system connections

-

- system and communications protection policy

-

- information system Interconnection Security Agreements

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for developing, implementing, or approving information system interconnection agreements

-

- organizational personnel with information security responsibilities

-

- personnel managing the system(s) to which the Interconnection Security Agreement applies

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-47

-
-
-
-
-

- CA-5 PLAN OF ACTION AND MILESTONES

-
-

- Parameter: - ca-5_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops a plan of action and milestones for the information system to document the organization�s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and

-
-
-
- - - - - - - -
-

b.

-
-

Updates existing plan of action and milestones - - ca-5_a - - organization-defined frequency - organization-defined frequency - based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

-
-
-
-
-
-

Supplemental guidance

-

Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops a plan of action and milestones for the information system to:

-
- - - - - - - -
-

[1]

-
-

document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls;

-
-
-
- - - - - - - -
-

[2]

-
-

reduce or eliminate known vulnerabilities in the system;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to update the existing plan of action and milestones;

-
-
-
- - - - - - - -
-

[2]

-
-

updates the existing plan of action and milestones with the organization-defined frequency based on the findings from:

-
- - - - - - - -
-

[a]

-
-

security controls assessments;

-
-
-
- - - - - - - -
-

[b]

-
-

security impact analyses; and

-
-
-
- - - - - - - -
-

[c]

-
-

continuous monitoring activities.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing plan of action and milestones

-

- security plan

-

- security assessment plan

-

- security assessment report

-

- security assessment evidence

-

- plan of action and milestones

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with plan of action and milestones development and implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms for developing, implementing, and maintaining plan of action and milestones

-
-
-

References

-
-

OMB Memorandum 02-01

-
-
-

NIST Special Publication 800-37

-
-
-
-
-

- CA-6 SECURITY AUTHORIZATION

-
-

- Parameter: - ca-6_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Assigns a senior-level executive or manager as the authorizing official for the information system;

-
-
-
- - - - - - - -
-

b.

-
-

Ensures that the authorizing official authorizes the information system for processing before commencing operations; and

-
-
-
- - - - - - - -
-

c.

-
-

Updates the security authorization - - ca-6_a - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. 
To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

assigns a senior-level executive or manager as the authorizing official for the information system;

-
-
-
- - - - - - - -
-

(b)

-
-

ensures that the authorizing official authorizes the information system for processing before commencing operations;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to update the security authorization; and

-
-
-
- - - - - - - -
-

[2]

-
-

updates the security authorization with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing security authorization

-

- security authorization package (including security plan

-

- security assessment report

-

- plan of action and milestones

-

- authorization statement)

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security authorization responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms that facilitate security authorizations and updates

-
-
-

References

-
-

OMB Circular A-130

-
-
-

OMB Memorandum 11-33

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-137

-
-
-
-
-

- CA-7 CONTINUOUS MONITORING

-
-

- Parameter: - ca-7_a organization-defined metrics

-

- Value: organization-defined metrics

-
-
-

- Parameter: - ca-7_b organization-defined frequencies

-

- Value: organization-defined frequencies

-
-
-

- Parameter: - ca-7_c organization-defined frequencies

-

- Value: organization-defined frequencies

-
-
-

- Parameter: - ca-7_d organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ca-7_e organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

-
- - - - - - - -
-

a.

-
-

Establishment of - - ca-7_a - - organization-defined metrics - organization-defined metrics - to be monitored;

-
-
-
- - - - - - - -
-

b.

-
-

Establishment of - - ca-7_b - - organization-defined frequencies - organization-defined frequencies - for monitoring and - - ca-7_c - - organization-defined frequencies - organization-defined frequencies - for assessments supporting such monitoring;

-
-
-
- - - - - - - -
-

c.

-
-

Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

-
-
-
- - - - - - - -
-

d.

-
-

Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

-
-
-
- - - - - - - -
-

e.

-
-

Correlation and analysis of security-related information generated by assessments and monitoring;

-
-
-
- - - - - - - -
-

f.

-
-

Response actions to address results of the analysis of security-related information; and

-
-
-
- - - - - - - -
-

g.

-
-

Reporting the security status of organization and the information system to - - ca-7_d - - organization-defined personnel or roles - organization-defined personnel or roles - - - - ca-7_e - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.

- - - - - - - - - - - - -
-
-

- CA-7 (1) INDEPENDENT ASSESSMENT

-
-

- Parameter: - ca-7_f organization-defined level of independence

-

- Value: organization-defined level of independence

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs assessors or assessment teams with - - ca-7_f - - organization-defined level of independence - organization-defined level of independence - to monitor the security controls in the information system on an ongoing basis.

-
-
-
-

Supplemental guidance

-

Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a level of independence to be employed to monitor the security controls in the information system on an ongoing basis; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs assessors or assessment teams with the organization-defined level of independence to monitor the security controls in the information system on an ongoing basis.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing continuous monitoring of information system security controls

-

- security plan

-

- security assessment report

-

- plan of action and milestones

-

- information system monitoring records

-

- security impact analyses

-

- status reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with continuous monitoring responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that defines metrics to be monitored;

-
-
-
- - - - - - - -
-

[2]

-
-

develops a continuous monitoring strategy that includes monitoring of organization-defined metrics;

-
-
-
- - - - - - - -
-

[3]

-
-

implements a continuous monitoring program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that defines frequencies for monitoring;

-
-
-
- - - - - - - -
-

[2]

-
-

defines frequencies for assessments supporting monitoring;

-
-
-
- - - - - - - -
-

[3]

-
-

develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring;

-
-
-
- - - - - - - -
-

[4]

-
-

implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that includes ongoing security control assessments;

-
-
-
- - - - - - - -
-

[2]

-
-

implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics;

-
-
-
- - - - - - - -
-

[2]

-
-

implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring;

-
-
-
- - - - - - - -
-

[2]

-
-

implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information;

-
-
-
- - - - - - - -
-

[2]

-
-

implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational continuous monitoring strategy;

-
-
-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported;

-
-
-
- - - - - - - -
-

[2]

-
-

develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles;

-
-
-
- - - - - - - -
-

[3]

-
-

develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organizational-defined personnel or roles with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[4]

-
-

implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security assessment and authorization policy

-

- procedures addressing continuous monitoring of information system security controls

-

- procedures addressing configuration management

-

- security plan

-

- security assessment report

-

- plan of action and milestones

-

- information system monitoring records

-

- configuration management records, security impact analyses

-

- status reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with continuous monitoring responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Mechanisms implementing continuous monitoring

-
-
-

References

-
-

OMB Memorandum 11-33

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-39

-
-
-

NIST Special Publication 800-53A

-
-
-

NIST Special Publication 800-115

-
-
-

NIST Special Publication 800-137

-
-
-

US-CERT Technical Cyber Security Alerts

-
-
-

DoD Information Assurance Vulnerability Alerts

-
-
-
-
-

- CA-9 INTERNAL SYSTEM CONNECTIONS

-
-

- Parameter: - ca-9_a organization-defined information system components or classes of components

-

- Value: organization-defined information system components or classes of components

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Authorizes internal connections of - - ca-9_a - - organization-defined information system components or classes of components - organization-defined information system components or classes of components - to the information system; and

-
-
-
- - - - - - - -
-

b.

-
-

Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.

- - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information system components or classes of components to be authorized as internal connections to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

authorizes internal connections of organization-defined information system components or classes of components to the information system;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

documents, for each internal connection:

-
- - - - - - - -
-

[1]

-
-

the interface characteristics;

-
-
-
- - - - - - - -
-

[2]

-
-

the security requirements; and

-
-
-
- - - - - - - -
-

[3]

-
-

the nature of the information communicated.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Access control policy

-

- procedures addressing information system connections

-

- system and communications protection policy

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of components or classes of components authorized as internal system connections

-

- security assessment report

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for developing, implementing, or authorizing internal system connections

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-
-

CONFIGURATION MANAGEMENT

-
-

- CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES

-
-

- Parameter: - cm-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - cm-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cm-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - cm-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Configuration management policy - - cm-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Configuration management procedures - - cm-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a configuration management policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the configuration management policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the configuration management policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current configuration management policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current configuration management policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current configuration management procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current configuration management procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- CM-2 BASELINE CONFIGURATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

-
-
-
-

Supplemental guidance

-

This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture.

- - - - - - - -
-
-

- CM-2 (1) REVIEWS AND UPDATES

-
-

- Parameter: - cm-2_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cm-2_b Assignment organization-defined circumstances

-

- Value: Assignment organization-defined circumstances

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization reviews and updates the baseline configuration of the information system:

-
- - - - - - - -
-

(a)

-
-

- - - cm-2_a - - organization-defined frequency - organization-defined frequency - ;

-
-
-
- - - - - - - -
-

(b)

-
-

When required due to - - cm-2_b - - Assignment organization-defined circumstances - Assignment organization-defined circumstances - ; and

-
-
-
- - - - - - - -
-

(c)

-
-

As an integral part of information system component installations and upgrades.

-
-
-
-
-
-

Supplemental guidance

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the baseline configuration of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the baseline configuration of the information system with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines circumstances that require the baseline configuration of the information system to be reviewed and updated;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

reviews and updates the baseline configuration of the information system as an integral part of information system component installations and upgrades.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- configuration management plan

-

- procedures addressing the baseline configuration of the information system

-

- procedures addressing information system component installations and upgrades

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- records of information system baseline configuration reviews and updates

-

- information system component installations/upgrades and associated records

-

- change control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing baseline configurations

-

- automated mechanisms supporting review and update of the baseline configuration

-
-

References: None -

-
-
-

- CM-2 (3) RETENTION OF PREVIOUS CONFIGURATIONS

-
-

- Parameter: - cm-2_c organization-defined previous versions of baseline configurations of the information system

-

- Value: organization-defined previous versions of baseline configurations of the information system

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization retains - - cm-2_c - - organization-defined previous versions of baseline configurations of the information system - organization-defined previous versions of baseline configurations of the information system - to support rollback.

-
-
-
-

Supplemental guidance

-

Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines previous versions of baseline configurations of the information system to be retained to support rollback; and

-
-
-
- - - - - - - -
-

[2]

-
-

retains organization-defined previous versions of baseline configurations of the information system to support rollback.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing the baseline configuration of the information system

-

- configuration management plan

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- copies of previous baseline configuration versions

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing baseline configurations

-
-

References: None -

-
-
-

- CM-2 (7) CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS

-
-

- Parameter: - cm-2_d organization-defined information systems, system components, or devices

-

- Value: organization-defined information systems, system components, or devices

-
-
-

- Parameter: - cm-2_e organization-defined configurations

-

- Value: organization-defined configurations

-
-
-

- Parameter: - cm-2_f organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Issues - - cm-2_d - - organization-defined information systems, system components, or devices - organization-defined information systems, system components, or devices - with - - cm-2_e - - organization-defined configurations - organization-defined configurations - to individuals traveling to locations that the organization deems to be of significant risk; and

-
-
-
- - - - - - - -
-

(b)

-
-

Applies - - cm-2_f - - organization-defined security safeguards - organization-defined security safeguards - to the devices when the individuals return.

-
-
-
-
-
-

Supplemental guidance

-

When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information systems, system components, or devices to be issued to individuals traveling to locations that the organization deems to be of significant risk;

-
-
-
- - - - - - - -
-

[2]

-
-

defines configurations to be employed on organization-defined information systems, system components, or devices issued to individuals traveling to such locations;

-
-
-
- - - - - - - -
-

[3]

-
-

issues organization-defined information systems, system components, or devices with organization-defined configurations to individuals traveling to locations that the organization deems to be of significant risk;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines security safeguards to be applied to the devices when the individuals return; and

-
-
-
- - - - - - - -
-

[2]

-
-

applies organization-defined safeguards to the devices when the individuals return.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- configuration management plan

-

- procedures addressing the baseline configuration of the information system

-

- procedures addressing information system component installations and upgrades

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- records of information system baseline configuration reviews and updates

-

- information system component installations/upgrades and associated records

-

- change control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing baseline configurations

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

develops and documents a current baseline configuration of the information system; and

-
-
-
- - - - - - - -
-

[2]

-
-

maintains, under configuration control, a current baseline configuration of the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing the baseline configuration of the information system

-

- configuration management plan

-

- enterprise architecture documentation

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- change control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing baseline configurations

-

- automated mechanisms supporting configuration control of the baseline configuration

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-3 CONFIGURATION CHANGE CONTROL

-
-

- Parameter: - cm-3_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - cm-3_b organization-defined configuration change control element (e.g., committee, board)

-

- Value: organization-defined configuration change control element (e.g., committee, board)

-
-
-

- Parameter: - cm-3_c organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cm-3_d organization-defined configuration change conditions

-

- Value: organization-defined configuration change conditions

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Determines the types of changes to the information system that are configuration-controlled;

-
-
-
- - - - - - - -
-

b.

-
-

Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

-
-
-
- - - - - - - -
-

c.

-
-

Documents configuration change decisions associated with the information system;

-
-
-
- - - - - - - -
-

d.

-
-

Implements approved configuration-controlled changes to the information system;

-
-
-
- - - - - - - -
-

e.

-
-

Retains records of configuration-controlled changes to the information system for - - cm-3_a - - organization-defined time period - organization-defined time period - ;

-
-
-
- - - - - - - -
-

f.

-
-

Audits and reviews activities associated with configuration-controlled changes to the information system; and

-
-
-
- - - - - - - -
-

g.

-
-

Coordinates and provides oversight for configuration change control activities through - - cm-3_b - - organization-defined configuration change control element (e.g., committee, board) - organization-defined configuration change control element (e.g., committee, board) - that convenes [Selection (one or more): - - cm-3_c - - organization-defined frequency - organization-defined frequency - ; - - cm-3_d - - organization-defined configuration change conditions - organization-defined configuration change conditions - ].

-
-
-
-
-
-

Supplemental guidance

-

Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes.

- - - - - - - - - -
-
-

- CM-3 (2) TEST / VALIDATE / DOCUMENT CHANGES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

-
-
-
-

Supplemental guidance

-

Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems).

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization, before implementing changes on the operational system:

-
- - - - - - - -
-

[1]

-
-

tests changes to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

validates changes to the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

documents changes to the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- configuration management plan

-

- procedures addressing information system configuration change control

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- test records

-

- validation records

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration change control responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for configuration change control

-

- automated mechanisms supporting and/or implementing testing, validating, and documenting information system changes

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

determines the type of changes to the information system that must be configuration-controlled;

-
-
-
- - - - - - - -
-

(b)

-
-

reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

-
-
-
- - - - - - - -
-

(c)

-
-

documents configuration change decisions associated with the information system;

-
-
-
- - - - - - - -
-

(d)

-
-

implements approved configuration-controlled changes to the information system;

-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period to retain records of configuration-controlled changes to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

retains records of configuration-controlled changes to the information system for the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-

audits and reviews activities associated with configuration-controlled changes to the information system;

-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

defines a configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency with which the configuration change control element must convene; and/or

-
-
-
- - - - - - - -
-

[3]

-
-

defines configuration change conditions that prompt the configuration change control element to convene; and

-
-
-
- - - - - - - -
-

[4]

-
-

coordinates and provides oversight for configuration change control activities through organization-defined configuration change control element that convenes at organization-defined frequency and/or for any organization-defined configuration change conditions.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system configuration change control

-

- configuration management plan

-

- information system architecture and configuration documentation

-

- security plan

-

- change control records

-

- information system audit records

-

- change control audit and review reports

-

- agenda /minutes from configuration change control oversight meetings

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with configuration change control responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- members of change control board or similar

-
-
-

Assessment: TEST

-

- Organizational processes for configuration change control

-

- automated mechanisms that implement configuration change control

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-4 SECURITY IMPACT ANALYSIS

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

-
-
-
-

Supplemental guidance

-

Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.

- - - - - - - - -
-
-

Objective

- - - - - - -
- -

Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing security impact analysis for changes to the information system

-

- configuration management plan

-

- security impact analysis documentation

-

- analysis tools and associated outputs

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for conducting security impact analysis

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for security impact analysis

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-5 ACCESS RESTRICTIONS FOR CHANGE

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

-
-
-
-

Supplemental guidance

-

Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines physical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

documents physical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

approves physical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[4]

-
-

enforces physical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[5]

-
-

defines logical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[6]

-
-

documents logical access restrictions associated with changes to the information system;

-
-
-
- - - - - - - -
-

[7]

-
-

approves logical access restrictions associated with changes to the information system; and

-
-
-
- - - - - - - -
-

[8]

-
-

enforces logical access restrictions associated with changes to the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing access restrictions for changes to the information system

-

- configuration management plan

-

- information system design documentation

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- logical access approvals

-

- physical access approvals

-

- access credentials

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with logical access control responsibilities

-

- organizational personnel with physical access control responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing access restrictions to change

-

- automated mechanisms supporting/implementing/enforcing access restrictions associated with changes to the information system

-
-

References: None -

-
-
-

- CM-6 CONFIGURATION SETTINGS

-
-

- Parameter: - cm-6_a organization-defined security configuration checklists

-

- Value: organization-defined security configuration checklists

-
-
-

- Parameter: - cm-6_b organization-defined information system components

-

- Value: organization-defined information system components

-
-
-

- Parameter: - cm-6_c organization-defined operational requirements

-

- Value: organization-defined operational requirements

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes and documents configuration settings for information technology products employed within the information system using - - cm-6_a - - organization-defined security configuration checklists - organization-defined security configuration checklists - that reflect the most restrictive mode consistent with operational requirements;

-
-
-
- - - - - - - -
-

b.

-
-

Implements the configuration settings;

-
-
-
- - - - - - - -
-

c.

-
-

Identifies, documents, and approves any deviations from established configuration settings for - - cm-6_b - - organization-defined information system components - organization-defined information system components - based on - - cm-6_c - - organization-defined operational requirements - organization-defined operational requirements - ; and

-
-
-
- - - - - - - -
-

d.

-
-

Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

-
-
-
-
-
-

Supplemental guidance

-

Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. -Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. 
Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed;

-
-
-
- - - - - - - -
-

[2]

-
-

ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements;

-
-
-
- - - - - - - -
-

[3]

-
-

establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

implements the configuration settings established/documented in CM-6(a);;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines information system components for which any deviations from established configuration settings must be:

-
- - - - - - - -
-

[a]

-
-

identified;

-
-
-
- - - - - - - -
-

[b]

-
-

documented;

-
-
-
- - - - - - - -
-

[c]

-
-

approved;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines operational requirements to support:

-
- - - - - - - -
-

[a]

-
-

the identification of any deviations from established configuration settings;

-
-
-
- - - - - - - -
-

[b]

-
-

the documentation of any deviations from established configuration settings;

-
-
-
- - - - - - - -
-

[c]

-
-

the approval of any deviations from established configuration settings;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

identifies any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

-
-
-
- - - - - - - -
-

[4]

-
-

documents any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

-
-
-
- - - - - - - -
-

[5]

-
-

approves any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

monitors changes to the configuration settings in accordance with organizational policies and procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

controls changes to the configuration settings in accordance with organizational policies and procedures.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing configuration settings for the information system

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security configuration checklists

-

- evidence supporting approved deviations from established configuration settings

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing configuration settings

-

- automated mechanisms that implement, monitor, and/or control information system configuration settings

-

- automated mechanisms that identify and/or document deviations from established configuration settings

-
-
-

References

-
-

OMB Memorandum 07-11

-
-
-

OMB Memorandum 07-18

-
-
-

OMB Memorandum 08-22

-
-
-

NIST Special Publication 800-70

-
-
-

NIST Special Publication 800-128

-
-
-

http://nvd.nist.gov

-
-
-

http://checklists.nist.gov

-
-
-

http://www.nsa.gov

-
-
-
-
-

- CM-7 LEAST FUNCTIONALITY

-
-

- Parameter: - cm-7_a organization-defined prohibited or restricted functions, ports, protocols, and/or services

-

- Value: organization-defined prohibited or restricted functions, ports, protocols, and/or services

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Configures the information system to provide only essential capabilities; and

-
-
-
- - - - - - - -
-

b.

-
-

Prohibits or restricts the use of the following functions, ports, protocols, and/or services: - - cm-7_a - - organization-defined prohibited or restricted functions, ports, protocols, and/or services - organization-defined prohibited or restricted functions, ports, protocols, and/or services - .

-
-
-
-
-
-

Supplemental guidance

-

Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

- - - - - -
-
-

- CM-7 (1) PERIODIC REVIEW

-
-

- Parameter: - cm-7_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cm-7_c organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure

-

- Value: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Reviews the information system - - cm-7_b - - organization-defined frequency - organization-defined frequency - to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and

-
-
-
- - - - - - - -
-

(b)

-
-

Disables - - cm-7_c - - organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure - organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure - .

-
-
-
-
-
-

Supplemental guidance

-

The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the information system to identify unnecessary and/or nonsecure:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

reviews the information system with the organization-defined frequency to identify unnecessary and/or nonsecure:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines, within the information system, unnecessary and/or nonsecure:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

disables organization-defined unnecessary and/or nonsecure:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing least functionality in the information system

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security configuration checklists

-

- documented reviews of functions, ports, protocols, and/or services

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the information system

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for reviewing/disabling nonsecure functions, ports, protocols, and/or services

-

- automated mechanisms implementing review and disabling of nonsecure functions, ports, protocols, and/or services

-
-

References: None -

-
-
-

- CM-7 (2) PREVENT PROGRAM EXECUTION

-
-

- Parameter: - cm-7_d organization-defined policies regarding software program usage and restrictions

-

- Value: organization-defined policies regarding software program usage and restrictions

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system prevents program execution in accordance with [Selection (one or more): - - cm-7_d - - organization-defined policies regarding software program usage and restrictions - organization-defined policies regarding software program usage and restrictions - ; rules authorizing the terms and conditions of software program usage].

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines policies regarding software program usage and restrictions;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system prevents program execution in accordance with one or more of the following:

-
- - - - - - - -
-

[a]

-
-

organization-defined policies regarding program usage and restrictions; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

rules authorizing the terms and conditions of software program usage.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing least functionality in the information system

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- specifications for preventing software program execution

-

- information system configuration settings and associated documentation

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes preventing program execution on the information system

-

- organizational processes for software program usage and restrictions

-

- automated mechanisms preventing program execution on the information system

-

- automated mechanisms supporting and/or implementing software program usage and restrictions

-
-

References: None -

-
-
-

- CM-7 (4) UNAUTHORIZED SOFTWARE / BLACKLISTING

-
-

- Parameter: - cm-7_f organization-defined software programs not authorized to execute on the information system

-

- Value: organization-defined software programs not authorized to execute on the information system

-
-
-

- Parameter: - cm-7_g organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Identifies - - cm-7_f - - organization-defined software programs not authorized to execute on the information system - organization-defined software programs not authorized to execute on the information system - ;

-
-
-
- - - - - - - -
-

(b)

-
-

Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and

-
-
-
- - - - - - - -
-

(c)

-
-

Reviews and updates the list of unauthorized software programs - - cm-7_g - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

Identifies/defines software programs not authorized to execute on the information system;

-
-
-
- - - - - - - -
-

(b)

-
-

employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the list of unauthorized software programs on the information system; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the list of unauthorized software programs with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing least functionality in the information system

-

- configuration management plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of software programs not authorized to execute on the information system

-

- security configuration checklists

-

- review and update records associated with list of unauthorized software programs

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for identifying software not authorized to execute on the information system

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational process for identifying, reviewing, and updating programs not authorized to execute on the information system

-

- organizational process for implementing blacklisting

-

- automated mechanisms supporting and/or implementing blacklisting

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

configures the information system to provide only essential capabilities;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines prohibited or restricted:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

prohibits or restricts the use of organization-defined:

-
- - - - - - - -
-

[a]

-
-

functions;

-
-
-
- - - - - - - -
-

[b]

-
-

ports;

-
-
-
- - - - - - - -
-

[c]

-
-

protocols; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

services.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- configuration management plan

-

- procedures addressing least functionality in the information system

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- security configuration checklists

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security configuration management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes prohibiting or restricting functions, ports, protocols, and/or services

-

- automated mechanisms implementing restrictions or prohibition of functions, ports, protocols, and/or services

-
-
-

References

-
-

DoD Instruction 8551.01

-
-
-
-
-

- CM-8 INFORMATION SYSTEM COMPONENT INVENTORY

-
-

- Parameter: - cm-8_a organization-defined information deemed necessary to achieve effective information system component accountability

-

- Value: organization-defined information deemed necessary to achieve effective information system component accountability

-
-
-

- Parameter: - cm-8_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops and documents an inventory of information system components that:

-
- - - - - - - -
-

1.

-
-

Accurately reflects the current information system;

-
-
-
- - - - - - - -
-

2.

-
-

Includes all components within the authorization boundary of the information system;

-
-
-
- - - - - - - -
-

3.

-
-

Is at the level of granularity deemed necessary for tracking and reporting; and

-
-
-
- - - - - - - -
-

4.

-
-

Includes - - cm-8_a - - organization-defined information deemed necessary to achieve effective information system component accountability - organization-defined information deemed necessary to achieve effective information system component accountability - ; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the information system component inventory - - cm-8_b - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location.

- - - -
-
-

- CM-8 (1) UPDATES DURING INSTALLATIONS / REMOVALS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

-
-
-
-

Objectives

- - - - - - -
- -

Determine if the organization updates the inventory of information system components as an integral part of:

-
- - - - - - - -
-

[1]

-
-

component installations;

-
-
-
- - - - - - - -
-

[2]

-
-

component removals; and

-
-
-
- - - - - - - -
-

[3]

-
-

information system updates.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system component inventory

-

- configuration management plan

-

- security plan

-

- information system inventory records

-

- inventory reviews and update records

-

- component installation records

-

- component removal records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for updating the information system component inventory

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for updating inventory of information system components

-

- automated mechanisms implementing updating of the information system component inventory

-
-

References: None -

-
-
-

- CM-8 (3) AUTOMATED UNAUTHORIZED COMPONENT DETECTION

-
-

- Parameter: - cm-8_c organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cm-8_d organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Employs automated mechanisms - - cm-8_c - - organization-defined frequency - organization-defined frequency - to detect the presence of unauthorized hardware, software, and firmware components within the information system; and

-
-
-
- - - - - - - -
-

(b)

-
-

Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies - - cm-8_d - - organization-defined personnel or roles - organization-defined personnel or roles - ].

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing.

- - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to employ automated mechanisms to detect the presence of unauthorized:

-
- - - - - - - -
-

[a]

-
-

hardware components within the information system;

-
-
-
- - - - - - - -
-

[b]

-
-

software components within the information system;

-
-
-
- - - - - - - -
-

[c]

-
-

firmware components within the information system;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms with the organization-defined frequency to detect the presence of unauthorized:

-
- - - - - - - -
-

[a]

-
-

hardware components within the information system;

-
-
-
- - - - - - - -
-

[b]

-
-

software components within the information system;

-
-
-
- - - - - - - -
-

[c]

-
-

firmware components within the information system;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified when unauthorized components are detected;

-
-
-
- - - - - - - -
-

[2]

-
-

takes one or more of the following actions when unauthorized components are detected:

-
- - - - - - - -
-

[a]

-
-

disables network access by such components;

-
-
-
- - - - - - - -
-

[b]

-
-

isolates the components; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

notifies organization-defined personnel or roles.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system component inventory

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system inventory records

-

- alerts/notifications of unauthorized components within the information system

-

- information system monitoring records

-

- change control records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized information system component detection

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for detection of unauthorized information system components

-

- automated mechanisms implementing the detection of unauthorized information system components

-
-

References: None -

-
-
-

- CM-8 (5) NO DUPLICATE ACCOUNTING OF COMPONENTS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.

-
-
-
-

Supplemental guidance

-

This control enhancement addresses the potential problem of duplicate accounting of information system components in large or complex interconnected systems.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories.

-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system component inventory

-

- configuration management plan

-

- security plan

-

- information system inventory records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system inventory responsibilities

-

- organizational personnel with responsibilities for defining information system components within the authorization boundary of the system

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for maintaining the inventory of information system components

-

- automated mechanisms implementing the information system component inventory

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

(1)

-
-

develops and documents an inventory of information system components that accurately reflects the current information system;

-
-
-
- - - - - - - -
-

(2)

-
-

develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system;

-
-
-
- - - - - - - -
-

(3)

-
-

develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting;

-
-
-
- - - - - - - -
-

(4)

-
-
- - - - - - - -
-

[1]

-
-

defines the information deemed necessary to achieve effective information system component accountability;

-
-
-
- - - - - - - -
-

[2]

-
-

develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the information system component inventory; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the information system component inventory with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing information system component inventory

-

- configuration management plan

-

- security plan

-

- information system inventory records

-

- inventory reviews and update records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for information system component inventory

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for developing and documenting an inventory of information system components

-

- automated mechanisms supporting and/or implementing the information system component inventory

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-9 CONFIGURATION MANAGEMENT PLAN

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization develops, documents, and implements a configuration management plan for the information system that:

-
- - - - - - - -
-

a.

-
-

Addresses roles, responsibilities, and configuration management processes and procedures;

-
-
-
- - - - - - - -
-

b.

-
-

Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;

-
-
-
- - - - - - - -
-

c.

-
-

Defines the configuration items for the information system and places the configuration items under configuration management; and

-
-
-
- - - - - - - -
-

d.

-
-

Protects the configuration management plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Supplemental guidance

-

Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization develops, documents, and implements a configuration management plan for the information system that:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

addresses roles;

-
-
-
- - - - - - - -
-

[2]

-
-

addresses responsibilities;

-
-
-
- - - - - - - -
-

[3]

-
-

addresses configuration management processes and procedures;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

establishes a process for:

-
- - - - - - - -
-

[1]

-
-

identifying configuration items throughout the SDLC;

-
-
-
- - - - - - - -
-

[2]

-
-

managing the configuration of the configuration items;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the configuration items for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

places the configuration items under configuration management;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

protects the configuration management plan from unauthorized:

-
- - - - - - - -
-

[1]

-
-

disclosure; and

-
-
-
- - - - - - - -
-

[2]

-
-

modification.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing configuration management planning

-

- configuration management plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for developing the configuration management plan

-

- organizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan

-

- organizational personnel with responsibilities for protecting the configuration management plan

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for developing and documenting the configuration management plan

-

- organizational processes for identifying and managing configuration items

-

- organizational processes for protecting the configuration management plan

-

- automated mechanisms implementing the configuration management plan

-

- automated mechanisms for managing configuration items

-

- automated mechanisms for protecting the configuration management plan

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- CM-10 SOFTWARE USAGE RESTRICTIONS

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Uses software and associated documentation in accordance with contract agreements and copyright laws;

-
-
-
- - - - - - - -
-

b.

-
-

Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

-
-
-
- - - - - - - -
-

c.

-
-

Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

-
-
-
-
-
-

Supplemental guidance

-

Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

uses software and associated documentation in accordance with contract agreements and copyright laws;

-
-
-
- - - - - - - -
-

(b)

-
-

tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

-
-
-
- - - - - - - -
-

(c)

-
-

controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing software usage restrictions

-

- configuration management plan

-

- security plan

-

- software contract agreements and copyright laws

-

- site license documentation

-

- list of software usage restrictions

-

- software license tracking reports

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- organizational personnel operating, using, and/or maintaining the information system

-

- organizational personnel with software license management responsibilities

-
-
-

Assessment: TEST

-

- Organizational process for tracking the use of software protected by quantity licenses

-

- organizational process for controlling/documenting the use of peer-to-peer file sharing technology

-

- automated mechanisms implementing software license tracking

-

- automated mechanisms implementing and controlling the use of peer-to-peer file sharing technology

-
-

References: None -

-
-
-

- CM-11 USER-INSTALLED SOFTWARE

-
-

- Parameter: - cm-11_a organization-defined policies

-

- Value: organization-defined policies

-
-
-

- Parameter: - cm-11_b organization-defined methods

-

- Value: organization-defined methods

-
-
-

- Parameter: - cm-11_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes - - cm-11_a - - organization-defined policies - organization-defined policies - governing the installation of software by users;

-
-
-
- - - - - - - -
-

b.

-
-

Enforces software installation policies through - - cm-11_b - - organization-defined methods - organization-defined methods - ; and

-
-
-
- - - - - - - -
-

c.

-
-

Monitors policy compliance at - - cm-11_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved "app stores." Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines policies to govern the installation of software by users;

-
-
-
- - - - - - - -
-

[2]

-
-

establishes organization-defined policies governing the installation of software by users;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines methods to enforce software installation policies;

-
-
-
- - - - - - - -
-

[2]

-
-

enforces software installation policies through organization-defined methods;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines frequency to monitor policy compliance; and

-
-
-
- - - - - - - -
-

[2]

-
-

monitors policy compliance at organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Configuration management policy

-

- procedures addressing user installed software

-

- configuration management plan

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of rules governing user installed software

-

- information system monitoring records

-

- information system audit records

-

- other relevant documents or records

-

- continuous monitoring strategy

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for governing user-installed software

-

- organizational personnel operating, using, and/or maintaining the information system

-

- organizational personnel monitoring compliance with user-installed software policy

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes governing user-installed software on the information system

-

- automated mechanisms enforcing rules/methods for governing the installation of software by users

-

- automated mechanisms monitoring policy compliance

-
-

References: None -

-
-
-
-

CONTINGENCY PLANNING

-
-

- CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES

-
-

- Parameter: - cp-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - cp-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cp-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - cp-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Contingency planning policy - - cp-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Contingency planning procedures - - cp-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

the organization develops and documents a contingency planning policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines personnel or roles to whom the contingency planning policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization disseminates the contingency planning policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

the organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the frequency to review and update the current contingency planning policy;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization reviews and updates the current contingency planning with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the frequency to review and update the current contingency planning procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

the organization reviews and updates the current contingency planning procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-34

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- CP-2 CONTINGENCY PLAN

-
-

- Parameter: - cp-2_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - cp-2_b organization-defined key contingency personnel (identified by name and/or by role) and organizational elements

-

- Value: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements

-
-
-

- Parameter: - cp-2_c organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cp-2_d organization-defined key contingency personnel (identified by name and/or by role) and organizational elements

-

- Value: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops a contingency plan for the information system that:

-
- - - - - - - -
-

1.

-
-

Identifies essential missions and business functions and associated contingency requirements;

-
-
-
- - - - - - - -
-

2.

-
-

Provides recovery objectives, restoration priorities, and metrics;

-
-
-
- - - - - - - -
-

3.

-
-

Addresses contingency roles, responsibilities, assigned individuals with contact information;

-
-
-
- - - - - - - -
-

4.

-
-

Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;

-
-
-
- - - - - - - -
-

5.

-
-

Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and

-
-
-
- - - - - - - -
-

6.

-
-

Is reviewed and approved by - - cp-2_a - - organization-defined personnel or roles - organization-defined personnel or roles - ;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Distributes copies of the contingency plan to - - cp-2_b - - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - ;

-
-
-
- - - - - - - -
-

c.

-
-

Coordinates contingency planning activities with incident handling activities;

-
-
-
- - - - - - - -
-

d.

-
-

Reviews the contingency plan for the information system - - cp-2_c - - organization-defined frequency - organization-defined frequency - ;

-
-
-
- - - - - - - -
-

e.

-
-

Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

-
-
-
- - - - - - - -
-

f.

-
-

Communicates contingency plan changes to - - cp-2_d - - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - ; and

-
-
-
- - - - - - - -
-

g.

-
-

Protects the contingency plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Supplemental guidance

-

Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident.

- - - - - - - - - - - - - -
-
-

- CP-2 (1) COORDINATE WITH RELATED PLANS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization coordinates contingency plan development with organizational elements responsible for related plans.

-
-
-
-

Supplemental guidance

-

Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant Emergency Plans.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization coordinates contingency plan development with organizational elements responsible for related plans.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- business contingency plans

-

- disaster recovery plans

-

- continuity of operations plans

-

- crisis communications plans

-

- critical infrastructure plans

-

- cyber incident response plan

-

- insider threat implementation plans

-

- occupant emergency plans

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-

- personnel with responsibility for related plans

-
-

References: None -

-
-
-

- CP-2 (3) RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS

-
-

- Parameter: - cp-2_e organization-defined time period

-

- Value: organization-defined time period

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization plans for the resumption of essential missions and business functions within - - cp-2_e - - organization-defined time period - organization-defined time period - of contingency plan activation.

-
-
-
-

Supplemental guidance

-

Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the time period to plan for the resumption of essential missions and business functions as a result of contingency plan activation; and

-
-
-
- - - - - - - -
-

[2]

-
-

plans for the resumption of essential missions and business functions within organization-defined time period of contingency plan activation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- security plan

-

- business impact assessment

-

- other related plans

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for resumption of missions and business functions

-
-

References: None -

-
-
-

- CP-2 (8) IDENTIFY CRITICAL ASSETS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies critical information system assets supporting essential missions and business functions.

-
-
-
-

Supplemental guidance

-

Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization identifies critical information system assets supporting essential missions and business functions.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- business impact assessment

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops and documents a contingency plan for the information system that:

-
- - - - - - - -
-

(1)

-
-

identifies essential missions and business functions and associated contingency requirements;

-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[1]

-
-

provides recovery objectives;

-
-
-
- - - - - - - -
-

[2]

-
-

provides restoration priorities;

-
-
-
- - - - - - - -
-

[3]

-
-

provides metrics;

-
-
-
-
-
- - - - - - - -
-

(3)

-
-
- - - - - - - -
-

[1]

-
-

addresses contingency roles;

-
-
-
- - - - - - - -
-

[2]

-
-

addresses contingency responsibilities;

-
-
-
- - - - - - - -
-

[3]

-
-

addresses assigned individuals with contact information;

-
-
-
-
-
- - - - - - - -
-

(4)

-
-

addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;

-
-
-
- - - - - - - -
-

(5)

-
-

addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented;

-
-
-
- - - - - - - -
-

(6)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to review and approve the contingency plan for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

is reviewed and approved by organization-defined personnel or roles;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines key contingency personnel (identified by name and/or by role) and organizational elements to whom copies of the contingency plan are to be distributed;

-
-
-
- - - - - - - -
-

[2]

-
-

distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

coordinates contingency planning activities with incident handling activities;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency to review the contingency plan for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the contingency plan with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

updates the contingency plan to address:

-
- - - - - - - -
-

[1]

-
-

changes to the organization, information system, or environment of operation;

-
-
-
- - - - - - - -
-

[2]

-
-

problems encountered during plan implementation, execution, and testing;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines key contingency personnel (identified by name and/or by role) and organizational elements to whom contingency plan changes are to be communicated;

-
-
-
- - - - - - - -
-

[2]

-
-

communicates contingency plan changes to organization-defined key contingency personnel and organizational elements; and

-
-
-
-
-
- - - - - - - -
-

(g)

-
-

protects the contingency plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency operations for the information system

-

- contingency plan

-

- security plan

-

- evidence of contingency plan reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning and plan implementation responsibilities

-

- organizational personnel with incident handling responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency plan development, review, update, and protection

-

- automated mechanisms for developing, reviewing, updating and/or protecting the contingency plan

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

NIST Special Publication 800-34

-
-
-
-
-

- CP-3 CONTINGENCY TRAINING

-
-

- Parameter: - cp-3_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - cp-3_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides contingency training to information system users consistent with assigned roles and responsibilities:

-
- - - - - - - -
-

a.

-
-

Within - - cp-3_a - - organization-defined time period - organization-defined time period - of assuming a contingency role or responsibility;

-
-
-
- - - - - - - -
-

b.

-
-

When required by information system changes; and

-
-
-
- - - - - - - -
-

c.

-
-

- - - cp-3_b - - organization-defined frequency - organization-defined frequency - thereafter.

-
-
-
-
-
-

Supplemental guidance

-

Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period within which contingency training is to be provided to information system users assuming a contingency role or responsibility;

-
-
-
- - - - - - - -
-

[2]

-
-

provides contingency training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming a contingency role or responsibility;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency for contingency training thereafter; and

-
-
-
- - - - - - - -
-

[2]

-
-

provides contingency training to information system users consistent with assigned roles and responsibilities with the organization-defined frequency thereafter.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency training

-

- contingency plan

-

- contingency training curriculum

-

- contingency training material

-

- security plan

-

- contingency training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning, plan implementation, and training responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency training

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

NIST Special Publication 800-16

-
-
-

NIST Special Publication 800-50

-
-
-
-
-

- CP-4 CONTINGENCY PLAN TESTING

-
-

- Parameter: - cp-4_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - cp-4_b organization-defined tests

-

- Value: organization-defined tests

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Tests the contingency plan for the information system - - cp-4_a - - organization-defined frequency - organization-defined frequency - using - - cp-4_b - - organization-defined tests - organization-defined tests - to determine the effectiveness of the plan and the organizational readiness to execute the plan;

-
-
-
- - - - - - - -
-

b.

-
-

Reviews the contingency plan test results; and

-
-
-
- - - - - - - -
-

c.

-
-

Initiates corrective actions, if needed.

-
-
-
-
-
-

Supplemental guidance

-

Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

- - - -
-
-

- CP-4 (1) COORDINATE WITH RELATED PLANS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization coordinates contingency plan testing with organizational elements responsible for related plans.

-
-
-
-

Supplemental guidance

-

Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization coordinates contingency plan testing with organizational elements responsible for related plans.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- incident response policy

-

- procedures addressing contingency plan testing

-

- contingency plan testing documentation

-

- contingency plan

-

- business continuity plans

-

- disaster recovery plans

-

- continuity of operations plans

-

- crisis communications plans

-

- critical infrastructure plans

-

- cyber incident response plans

-

- occupant emergency plans

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan testing responsibilities

-

- organizational personnel

-

- personnel with responsibilities for related plans

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines tests to determine the effectiveness of the contingency plan and the organizational readiness to execute the plan;

-
-
-
- - - - - - - -
-

[2]

-
-

defines a frequency to test the contingency plan for the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

tests the contingency plan for the information system with the organization-defined frequency, using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

reviews the contingency plan test results; and

-
-
-
- - - - - - - -
-

(c)

-
-

initiates corrective actions, if needed.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing contingency plan testing

-

- contingency plan

-

- security plan

-

- contingency plan test documentation

-

- contingency plan test results

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for contingency plan testing, reviewing or responding to contingency plan tests

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for contingency plan testing

-

- automated mechanisms supporting the contingency plan and/or contingency plan testing

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-34

-
-
-

NIST Special Publication 800-84

-
-
-
-
-

- CP-6 ALTERNATE STORAGE SITE

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and

-
-
-
- - - - - - - -
-

b.

-
-

Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.

-
-
-
-
-
-

Supplemental guidance

-

Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems.

- - - - - -
-
-

- CP-6 (1) SEPARATION FROM PRIMARY SITE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

-
-
-
-

Supplemental guidance

-

Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate storage sites

-

- contingency plan

-

- alternate storage site

-

- alternate storage site agreements

-

- primary storage site agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate storage site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- CP-6 (3) ACCESSIBILITY

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

-
-
-
-

Supplemental guidance

-

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include, for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster; and

-
-
-
- - - - - - - -
-

[2]

-
-

outlines explicit mitigation actions for such potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate storage sites

-

- contingency plan

-

- alternate storage site

-

- list of potential accessibility problems to alternate storage site

-

- mitigation actions for accessibility problems to alternate storage site

-

- organizational risk assessments

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate storage site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and

-
-
-
- - - - - - - -
-

[2]

-
-

ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate storage sites

-

- contingency plan

-

- alternate storage site agreements

-

- primary storage site agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate storage site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for storing and retrieving information system backup information at the alternate storage site

-

- automated mechanisms supporting and/or implementing storage and retrieval of information system backup information at the alternate storage site

-
-
-

References

-
-

NIST Special Publication 800-34

-
-
-
-
-

- CP-7 ALTERNATE PROCESSING SITE

-
-

- Parameter: - cp-7_a organization-defined information system operations

-

- Value: organization-defined information system operations

-
-
-

- Parameter: - cp-7_b organization-defined time period consistent with recovery time and recovery point objectives

-

- Value: organization-defined time period consistent with recovery time and recovery point objectives

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of - - cp-7_a - - organization-defined information system operations - organization-defined information system operations - for essential missions/business functions within - - cp-7_b - - organization-defined time period consistent with recovery time and recovery point objectives - organization-defined time period consistent with recovery time and recovery point objectives - when the primary processing capabilities are unavailable;

-
-
-
- - - - - - - -
-

b.

-
-

Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and

-
-
-
- - - - - - - -
-

c.

-
-

Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.

-
-
-
-
-
-

Supplemental guidance

-

Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems.

- - - - - - -
-
-

- CP-7 (1) SEPARATION FROM PRIMARY SITE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.

-
-
-
-

Supplemental guidance

-

Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization identifies an alternate processing site that is separated from the primary storage site to reduce susceptibility to the same threats.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate processing sites

-

- contingency plan

-

- alternate processing site

-

- alternate processing site agreements

-

- primary processing site agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate processing site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- CP-7 (2) ACCESSIBILITY

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

-
-
-
-

Supplemental guidance

-

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster; and

-
-
-
- - - - - - - -
-

[2]

-
-

outlines explicit mitigation actions for such potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate processing sites

-

- contingency plan

-

- alternate processing site

-

- alternate processing site agreements

-

- primary processing site agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate processing site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- CP-7 (3) PRIORITY OF SERVICE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

-
-
-
-

Supplemental guidance

-

Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan).

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate processing sites

-

- contingency plan

-

- alternate processing site agreements

-

- service-level agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan alternate processing site responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibility for acquisitions/contractual agreements

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information system operations requiring an alternate processing site to be established to permit the transfer and resumption of such operations;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period consistent with recovery time objectives and recovery point objectives (as specified in the information system contingency plan) for transfer/resumption of organization-defined information system operations for essential missions/business functions;

-
-
-
- - - - - - - -
-

[3]

-
-

establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions, within the organization-defined time period, when the primary processing capabilities are unavailable;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site; or

-
-
-
- - - - - - - -
-

[2]

-
-

ensures that contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate processing sites

-

- contingency plan

-

- alternate processing site agreements

-

- primary processing site agreements

-

- spare equipment and supplies inventory at alternate processing site

-

- equipment and supply contracts

-

- service-level agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for contingency planning and/or alternate site arrangements

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for recovery at the alternate site

-

- automated mechanisms supporting and/or implementing recovery at the alternate processing site

-
-
-

References

-
-

NIST Special Publication 800-34

-
-
-
-
-

- CP-8 TELECOMMUNICATIONS SERVICES

-
-

- Parameter: - cp-8_a organization-defined information system operations

-

- Value: organization-defined information system operations

-
-
-

- Parameter: - cp-8_b organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of - - cp-8_a - - organization-defined information system operations - organization-defined information system operations - for essential missions and business functions within - - cp-8_b - - organization-defined time period - organization-defined time period - when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

-
-
-
-

Supplemental guidance

-

This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.

- - - -
-
-

- CP-8 (1) PRIORITY OF SERVICE PROVISIONS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and

-
-
-
- - - - - - - -
-

(b)

-
-

Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

-
-
-
-
-
-

Supplemental guidance

-

Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan); and

-
-
-
- - - - - - - -
-

[2]

-
-

requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing primary and alternate telecommunications services

-

- contingency plan

-

- primary and alternate telecommunications service agreements

-

- Telecommunications Service Priority documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan telecommunications responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibility for acquisitions/contractual agreements

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting telecommunications

-
-

References: None -

-
-
-

- CP-8 (2) SINGLE POINTS OF FAILURE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing primary and alternate telecommunications services

-

- contingency plan

-

- primary and alternate telecommunications service agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan telecommunications responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- primary and alternate telecommunications service providers

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information system operations requiring alternate telecommunications services to be established to permit the resumption of such operations;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period to permit resumption of organization-defined information system operations for essential missions and business functions; and

-
-
-
- - - - - - - -
-

[3]

-
-

establishes alternate telecommunications services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions and business functions, within the organization-defined time period, when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing alternate telecommunications services

-

- contingency plan

-

- primary and alternate telecommunications service agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency plan telecommunications responsibilities

-

- organizational personnel with information system recovery responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibility for acquisitions/contractual agreements

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting telecommunications

-
-
-

References

-
-

NIST Special Publication 800-34

-
-
-

National Communications Systems Directive 3-10

-
-
-

http://www.dhs.gov/telecommunications-service-priority-tsp

-
-
-
-
-

- CP-9 INFORMATION SYSTEM BACKUP

-
-

- Parameter: - cp-9_a organization-defined frequency consistent with recovery time and recovery point objectives

-

- Value: organization-defined frequency consistent with recovery time and recovery point objectives

-
-
-

- Parameter: - cp-9_b organization-defined frequency consistent with recovery time and recovery point objectives

-

- Value: organization-defined frequency consistent with recovery time and recovery point objectives

-
-
-

- Parameter: - cp-9_c organization-defined frequency consistent with recovery time and recovery point objectives

-

- Value: organization-defined frequency consistent with recovery time and recovery point objectives

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Conducts backups of user-level information contained in the information system - - cp-9_a - - organization-defined frequency consistent with recovery time and recovery point objectives - organization-defined frequency consistent with recovery time and recovery point objectives - ;

-
-
-
- - - - - - - -
-

b.

-
-

Conducts backups of system-level information contained in the information system - - cp-9_b - - organization-defined frequency consistent with recovery time and recovery point objectives - organization-defined frequency consistent with recovery time and recovery point objectives - ;

-
-
-
- - - - - - - -
-

c.

-
-

Conducts backups of information system documentation including security-related documentation - - cp-9_c - - organization-defined frequency consistent with recovery time and recovery point objectives - organization-defined frequency consistent with recovery time and recovery point objectives - ; and

-
-
-
- - - - - - - -
-

d.

-
-

Protects the confidentiality, integrity, and availability of backup information at storage locations.

-
-
-
-
-
-

Supplemental guidance

-

System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.

- - - - - -
-
-

- CP-9 (1) TESTING FOR RELIABILITY / INTEGRITY

-
-

- Parameter: - cp-9_d organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tests backup information - - cp-9_d - - organization-defined frequency - organization-defined frequency - to verify media reliability and information integrity.

-
-
-
-

Supplemental guidance

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the frequency to test backup information to verify media reliability and information integrity; and

-
-
-
- - - - - - - -
-

[2]

-
-

tests backup information with the organization-defined frequency to verify media reliability and information integrity.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- information system backup test results

-

- contingency plan test documentation

-

- contingency plan test results

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system backup responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for conducting information system backups

-

- automated mechanisms supporting and/or implementing information system backups

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

conducts backups of user-level information contained in the information system with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

conducts backups of system-level information contained in the information system with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation;

-
-
-
- - - - - - - -
-

[2]

-
-

conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

protects the confidentiality, integrity, and availability of backup information at storage locations.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- backup storage location(s)

-

- information system backup logs or records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system backup responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for conducting information system backups

-

- automated mechanisms supporting and/or implementing information system backups

-
-
-

References

-
-

NIST Special Publication 800-34

-
-
-
-
-

- CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

-
-
-
-

Supplemental guidance

-

Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures.

- - - - - - - - -
-
-

- CP-10 (2) TRANSACTION RECOVERY

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements transaction recovery for systems that are transaction-based.

-
-
-
-

Supplemental guidance

-

Transaction-based information systems include, for example, database management systems and transaction processing systems. Mechanisms supporting transaction recovery include, for example, transaction rollback and transaction journaling.

-
-
-

Objective

- - - - - - -
- -

Determine if the information system implements transaction recovery for systems that are transaction-based.

-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system recovery and reconstitution

-

- contingency plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- contingency plan test documentation

-

- contingency plan test results

-

- information system transaction recovery records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for transaction recovery

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing transaction recovery capability

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization provides for:

-
- - - - - - - -
-

[1]

-
-

the recovery of the information system to a known state after:

-
- - - - - - - -
-

[a]

-
-

a disruption;

-
-
-
- - - - - - - -
-

[b]

-
-

a compromise; or

-
-
-
- - - - - - - -
-

[c]

-
-

a failure;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the reconstitution of the information system to a known state after:

-
- - - - - - - -
-

[a]

-
-

a disruption;

-
-
-
- - - - - - - -
-

[b]

-
-

a compromise; or

-
-
-
- - - - - - - -
-

[c]

-
-

a failure.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Contingency planning policy

-

- procedures addressing information system backup

-

- contingency plan

-

- information system backup test results

-

- contingency plan test results

-

- contingency plan test documentation

-

- redundant secondary system for information system backups

-

- location(s) of redundant secondary backup system(s)

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes implementing information system recovery and reconstitution operations

-

- automated mechanisms supporting and/or implementing information system recovery and reconstitution operations

-
-
-

References

-
-

Federal Continuity Directive 1

-
-
-

NIST Special Publication 800-34

-
-
-
-
-
-

IDENTIFICATION AND AUTHENTICATION

-
-

- IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES

-
-

- Parameter: - ia-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ia-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ia-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ia-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Identification and authentication policy - - ia-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Identification and authentication procedures - - ia-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an identification and authentication policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the identification and authentication policy is to be disseminated; and

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the identification and authentication policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current identification and authentication policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current identification and authentication policy with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current identification and authentication procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current identification and authentication procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with identification and authentication responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

-
-
-
-

Supplemental guidance

-

Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. -Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. 
Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.

- - - - - - - - -
-
-

- IA-2 (1) NETWORK ACCESS TO PRIVILEGED ACCOUNTS

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements multifactor authentication for network access to privileged accounts.

-
-
-
-

Supplemental guidance

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system implements multifactor authentication for network access to privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing multifactor authentication capability

-
-

References: None -

-
-
-

- IA-2 (2) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements multifactor authentication for network access to non-privileged accounts.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the information system implements multifactor authentication for network access to non-privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing multifactor authentication capability

-
-

References: None -

-
-
-

- IA-2 (3) LOCAL ACCESS TO PRIVILEGED ACCOUNTS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements multifactor authentication for local access to privileged accounts.

-
-
-
-

Supplemental guidance

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system implements multifactor authentication for local access to privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing multifactor authentication capability

-
-

References: None -

-
-
-

- IA-2 (8) NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

-
-
-
-

Supplemental guidance

-

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.

-
-
-

Objective

- - - - - - -
- -

Determine if the information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of privileged information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms supporting and/or implementing replay resistant authentication mechanisms

-
-

References: None -

-
-
-

- IA-2 (11) REMOTE ACCESS - SEPARATE DEVICE

-
-

- Parameter: - ia-2_d organization-defined strength of mechanism requirements

-

- Value: organization-defined strength of mechanism requirements

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets - - ia-2_d - - organization-defined strength of mechanism requirements - organization-defined strength of mechanism requirements - .

-
-
-
-

Supplemental guidance

-

For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to privileged accounts;

-
-
-
- - - - - - - -
-

[4]

-
-

the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to non-privileged accounts;

-
-
-
- - - - - - - -
-

[5]

-
-

the information system implements multifactor authentication for remote access to privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements; and

-
-
-
- - - - - - - -
-

[6]

-
-

the information system implements multifactor authentication for remote access to non-privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of privileged and non-privileged information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-
-

References: None -

-
-
-

- IA-2 (12) ACCEPTANCE OF PIV CREDENTIALS

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

-
-
-
-

Supplemental guidance

-

This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

[1]

-
-

accepts Personal Identity Verification (PIV) credentials; and

-
-
-
- - - - - - - -
-

[2]

-
-

electronically verifies Personal Identity Verification (PIV) credentials.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- PIV verification records

-

- evidence of PIV credentials

-

- PIV credential authorizations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing acceptance and verification of PIV credentials

-
-

References: None -

-
-
-

Objective

- - - - - - -
- -

Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- organizational personnel with account management responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for uniquely identifying and authenticating users

-

- automated mechanisms supporting and/or implementing identification and authentication capability

-
-
-

References

-
-

HSPD-12

-
-
-

OMB Memorandum 04-04

-
-
-

OMB Memorandum 06-16

-
-
-

OMB Memorandum 11-11

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

FICAM Roadmap and Implementation Guidance

-
-
-

http://idmanagement.gov

-
-
-
-
-

- IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION

-
-

- Parameter: - ia-3_a organization-defined specific and/or types of devices

-

- Value: organization-defined specific and/or types of devices

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system uniquely identifies and authenticates - - ia-3_a - - organization-defined specific and/or types of devices - organization-defined specific and/or types of devices - before establishing a [Selection (one or more): local; remote; network] connection.

-
-
-
-

Supplemental guidance

-

Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines specific and/or types of devices that the information system uniquely identifies and authenticates before establishing one or more of the following:

-
- - - - - - - -
-

[a]

-
-

a local connection;

-
-
-
- - - - - - - -
-

[b]

-
-

a remote connection; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

a network connection; and

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the information system uniquely identifies and authenticates organization-defined devices before establishing one or more of the following:

-
- - - - - - - -
-

[a]

-
-

a local connection;

-
-
-
- - - - - - - -
-

[b]

-
-

a remote connection; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

a network connection.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing device identification and authentication

-

- information system design documentation

-

- list of devices requiring unique identification and authentication

-

- device connection reports

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with operational responsibilities for device identification and authentication

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing device identification and authentication capability

-
-

References: None -

-
-
-

- IA-4 IDENTIFIER MANAGEMENT

-
-

- Parameter: - ia-4_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ia-4_b organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ia-4_c organization-defined time period of inactivity

-

- Value: organization-defined time period of inactivity

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization manages information system identifiers by:

-
- - - - - - - -
-

a.

-
-

Receiving authorization from - - ia-4_a - - organization-defined personnel or roles - organization-defined personnel or roles - to assign an individual, group, role, or device identifier;

-
-
-
- - - - - - - -
-

b.

-
-

Selecting an identifier that identifies an individual, group, role, or device;

-
-
-
- - - - - - - -
-

c.

-
-

Assigning the identifier to the intended individual, group, role, or device;

-
-
-
- - - - - - - -
-

d.

-
-

Preventing reuse of identifiers for - - ia-4_b - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

e.

-
-

Disabling the identifier after - - ia-4_c - - organization-defined time period of inactivity - organization-defined time period of inactivity - .

-
-
-
-
-
-

Supplemental guidance

-

Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization manages information system identifiers by:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defining personnel or roles from whom authorization must be received to assign:

-
- - - - - - - -
-

[a]

-
-

an individual identifier;

-
-
-
- - - - - - - -
-

[b]

-
-

a group identifier;

-
-
-
- - - - - - - -
-

[c]

-
-

a role identifier; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

a device identifier;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

receiving authorization from organization-defined personnel or roles to assign:

-
- - - - - - - -
-

[a]

-
-

an individual identifier;

-
-
-
- - - - - - - -
-

[b]

-
-

a group identifier;

-
-
-
- - - - - - - -
-

[c]

-
-

a role identifier; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

a device identifier;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

selecting an identifier that identifies:

-
- - - - - - - -
-

[1]

-
-

an individual;

-
-
-
- - - - - - - -
-

[2]

-
-

a group;

-
-
-
- - - - - - - -
-

[3]

-
-

a role; and/or

-
-
-
- - - - - - - -
-

[4]

-
-

a device;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

assigning the identifier to the intended:

-
- - - - - - - -
-

[1]

-
-

individual;

-
-
-
- - - - - - - -
-

[2]

-
-

group;

-
-
-
- - - - - - - -
-

[3]

-
-

role; and/or

-
-
-
- - - - - - - -
-

[4]

-
-

device;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defining a time period for preventing reuse of identifiers;

-
-
-
- - - - - - - -
-

[2]

-
-

preventing reuse of identifiers for the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defining a time period of inactivity to disable the identifier; and

-
-
-
- - - - - - - -
-

[2]

-
-

disabling the identifier after the organization-defined time period of inactivity.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing identifier management

-

- procedures addressing account management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of information system accounts

-

- list of identifiers generated from physical access control devices

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with identifier management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identifier management

-
-
-

References

-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-
-
-

- IA-5 AUTHENTICATOR MANAGEMENT

-
-

- Parameter: - ia-5_a organization-defined time period by authenticator type

-

- Value: organization-defined time period by authenticator type

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization manages information system authenticators by:

-
- - - - - - - -
-

a.

-
-

Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;

-
-
-
- - - - - - - -
-

b.

-
-

Establishing initial authenticator content for authenticators defined by the organization;

-
-
-
- - - - - - - -
-

c.

-
-

Ensuring that authenticators have sufficient strength of mechanism for their intended use;

-
-
-
- - - - - - - -
-

d.

-
-

Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;

-
-
-
- - - - - - - -
-

e.

-
-

Changing default content of authenticators prior to information system installation;

-
-
-
- - - - - - - -
-

f.

-
-

Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;

-
-
-
- - - - - - - -
-

g.

-
-

Changing/refreshing authenticators - - ia-5_a - - organization-defined time period by authenticator type - organization-defined time period by authenticator type - ;

-
-
-
- - - - - - - -
-

h.

-
-

Protecting authenticator content from unauthorized disclosure and modification;

-
-
-
- - - - - - - -
-

i.

-
-

Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and

-
-
-
- - - - - - - -
-

j.

-
-

Changing authenticators for group/role accounts when membership to those accounts changes.

-
-
-
-
-
-

Supplemental guidance

-

Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.

- - - - - - - - - - - - - - -
-
-

- IA-5 (1) PASSWORD-BASED AUTHENTICATION

-
-

- Parameter: - ia-5_b organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type

-

- Value: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type

-
-
-

- Parameter: - ia-5_c organization-defined number

-

- Value: organization-defined number

-
-
-

- Parameter: - ia-5_d organization-defined numbers for lifetime minimum, lifetime maximum

-

- Value: organization-defined numbers for lifetime minimum, lifetime maximum

-
-
-

- Parameter: - ia-5_e organization-defined number

-

- Value: organization-defined number

-
-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system, for password-based authentication:

-
- - - - - - - -
-

(a)

-
-

Enforces minimum password complexity of - - ia-5_b - - organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type - organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type - ;

-
-
-
- - - - - - - -
-

(b)

-
-

Enforces at least the following number of changed characters when new passwords are created: - - ia-5_c - - organization-defined number - organization-defined number - ;

-
-
-
- - - - - - - -
-

(c)

-
-

Stores and transmits only cryptographically-protected passwords;

-
-
-
- - - - - - - -
-

(d)

-
-

Enforces password minimum and maximum lifetime restrictions of - - ia-5_d - - organization-defined numbers for lifetime minimum, lifetime maximum - organization-defined numbers for lifetime minimum, lifetime maximum - ;

-
-
-
- - - - - - - -
-

(e)

-
-

Prohibits password reuse for - - ia-5_e - - organization-defined number - organization-defined number - generations; and

-
-
-
- - - - - - - -
-

(f)

-
-

Allows the use of a temporary password for system logons with an immediate change to a permanent password.

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.

- -
-
-

Objectives

- - - - - - -
- -

Determine if, for password-based authentication:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines requirements for case sensitivity;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines requirements for number of characters;

-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines requirements for the mix of upper-case letters, lower-case letters, numbers and special characters;

-
-
-
- - - - - - - -
-

[4]

-
-

the organization defines minimum requirements for each type of character;

-
-
-
- - - - - - - -
-

[5]

-
-

the information system enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines a minimum number of changed characters to be enforced when new passwords are created;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system enforces at least the organization-defined minimum number of characters that must be changed when new passwords are created;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

the information system stores and transmits only encrypted representations of passwords;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines numbers for password minimum lifetime restrictions to be enforced for passwords;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines numbers for password maximum lifetime restrictions to be enforced for passwords;

-
-
-
- - - - - - - -
-

[3]

-
-

the information system enforces password minimum lifetime restrictions of organization-defined numbers for lifetime minimum;

-
-
-
- - - - - - - -
-

[4]

-
-

the information system enforces password maximum lifetime restrictions of organization-defined numbers for lifetime maximum;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines the number of password generations to be prohibited from password reuse;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system prohibits password reuse for the organization-defined number of generations; and

-
-
-
-
-
- - - - - - - -
-

(f)

-
-

the information system allows the use of a temporary password for system logons with an immediate change to a permanent password.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- password policy

-

- procedures addressing authenticator management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- password configurations and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with authenticator management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing password-based authenticator management capability

-
-

References: None -

-
-
-

- IA-5 (2) PKI-BASED AUTHENTICATION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system, for PKI-based authentication:

-
- - - - - - - -
-

(a)

-
-

Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;

-
-
-
- - - - - - - -
-

(b)

-
-

Enforces authorized access to the corresponding private key;

-
-
-
- - - - - - - -
-

(c)

-
-

Maps the authenticated identity to the account of the individual or group; and

-
-
-
- - - - - - - -
-

(d)

-
-

Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

-
-
-
-
-
-

Supplemental guidance

-

Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the information system, for PKI-based authentication:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

validates certifications by constructing a certification path to an accepted trust anchor;

-
-
-
- - - - - - - -
-

[2]

-
-

validates certifications by verifying a certification path to an accepted trust anchor;

-
-
-
- - - - - - - -
-

[3]

-
-

includes checking certificate status information when constructing and verifying the certification path;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

enforces authorized access to the corresponding private key;

-
-
-
- - - - - - - -
-

(c)

-
-

maps the authenticated identity to the account of the individual or group; and

-
-
-
- - - - - - - -
-

(d)

-
-

implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator management

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- PKI certification validation records

-

- PKI certification revocation lists

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with PKI-based, authenticator management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing PKI-based, authenticator management capability

-
-

References: None -

-
-
-

- IA-5 (3) IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION

-
-

- Parameter: - ia-5_f organization-defined types of and/or specific authenticators

-

- Value: organization-defined types of and/or specific authenticators

-
-
-

- Parameter: - ia-5_g organization-defined registration authority

-

- Value: organization-defined registration authority

-
-
-

- Parameter: - ia-5_h organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires that the registration process to receive - - ia-5_f - - organization-defined types of and/or specific authenticators - organization-defined types of and/or specific authenticators - be conducted [Selection: in person; by a trusted third party] before - - ia-5_g - - organization-defined registration authority - organization-defined registration authority - with authorization by - - ia-5_h - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines types of and/or specific authenticators to be received in person or by a trusted third party;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the registration authority with oversight of the registration process for receipt of organization-defined types of and/or specific authenticators;

-
-
-
- - - - - - - -
-

[3]

-
-

defines personnel or roles responsible for authorizing organization-defined registration authority;

-
-
-
- - - - - - - -
-

[4]

-
-

defines if the registration process is to be conducted:

-
- - - - - - - -
-

[a]

-
-

in person; or

-
-
-
- - - - - - - -
-

[b]

-
-

by a trusted third party; and

-
-
-
-
-
- - - - - - - -
-

[5]

-
-

requires that the registration process to receive organization-defined types of and/or specific authenticators be conducted in person or by a trusted third party before organization-defined registration authority with authorization by organization-defined personnel or roles.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator management

-

- registration process for receiving information system authenticators

-

- list of authenticators requiring in-person registration

-

- list of authenticators requiring trusted third party registration

-

- authenticator registration documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with authenticator management responsibilities

-

- registration authority

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- IA-5 (11) HARDWARE TOKEN-BASED AUTHENTICATION

-
-

- Parameter: - ia-5_l organization-defined token quality requirements

-

- Value: organization-defined token quality requirements

-
-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system, for hardware token-based authentication, employs mechanisms that satisfy - - ia-5_l - - organization-defined token quality requirements - organization-defined token quality requirements - .

-
-
-
-

Supplemental guidance

-

Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI.

-
-
-

Objectives

- - - - - - -
- -

Determine if, for hardware token-based authentication:

-
- - - - - - - -
-

[1]

-
-

the organization defines token quality requirements to be satisfied; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system employs mechanisms that satisfy organization-defined token quality requirements.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator management

-

- security plan

-

- information system design documentation

-

- automated mechanisms employing hardware token-based authentication for the information system

-

- list of token quality requirements

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with authenticator management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing hardware token-based authenticator management capability

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization manages information system authenticators by:

-
- - - - - - - -
-

(a)

-
-

verifying, as part of the initial authenticator distribution, the identity of:

-
- - - - - - - -
-

[1]

-
-

the individual receiving the authenticator;

-
-
-
- - - - - - - -
-

[2]

-
-

the group receiving the authenticator;

-
-
-
- - - - - - - -
-

[3]

-
-

the role receiving the authenticator; and/or

-
-
-
- - - - - - - -
-

[4]

-
-

the device receiving the authenticator;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

establishing initial authenticator content for authenticators defined by the organization;

-
-
-
- - - - - - - -
-

(c)

-
-

ensuring that authenticators have sufficient strength of mechanism for their intended use;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

establishing and implementing administrative procedures for initial authenticator distribution;

-
-
-
- - - - - - - -
-

[2]

-
-

establishing and implementing administrative procedures for lost/compromised or damaged authenticators;

-
-
-
- - - - - - - -
-

[3]

-
-

establishing and implementing administrative procedures for revoking authenticators;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

changing default content of authenticators prior to information system installation;

-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

establishing minimum lifetime restrictions for authenticators;

-
-
-
- - - - - - - -
-

[2]

-
-

establishing maximum lifetime restrictions for authenticators;

-
-
-
- - - - - - - -
-

[3]

-
-

establishing reuse conditions for authenticators;

-
-
-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

defining a time period (by authenticator type) for changing/refreshing authenticators;

-
-
-
- - - - - - - -
-

[2]

-
-

changing/refreshing authenticators with the organization-defined time period by authenticator type;

-
-
-
-
-
- - - - - - - -
-

(h)

-
-

protecting authenticator content from unauthorized:

-
- - - - - - - -
-

[1]

-
-

disclosure;

-
-
-
- - - - - - - -
-

[2]

-
-

modification;

-
-
-
-
-
- - - - - - - -
-

(i)

-
-
- - - - - - - -
-

[1]

-
-

requiring individuals to take specific security safeguards to protect authenticators;

-
-
-
- - - - - - - -
-

[2]

-
-

having devices implement specific security safeguards to protect authenticators; and

-
-
-
-
-
- - - - - - - -
-

(j)

-
-

changing authenticators for group/role accounts when membership to those accounts changes.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator management

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of information system authenticator types

-

- change control records associated with managing information system authenticators

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with authenticator management responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing authenticator management capability

-
-
-

References

-
-

OMB Memorandum 04-04

-
-
-

OMB Memorandum 11-11

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

FICAM Roadmap and Implementation Guidance

-
-
-

http://idmanagement.gov

-
-
-
-
-

- IA-6 AUTHENTICATOR FEEDBACK

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

-
-
-
-

Supplemental guidance

-

The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it.

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing authenticator feedback

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication

-
-

References: None -

-
-
-

- IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

-
-
-
-

Supplemental guidance

-

Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing cryptographic module authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for cryptographic module authentication

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing cryptographic module authentication

-
-
-

References

-
-

FIPS Publication 140

-
-
-

http://csrc.nist.gov/groups/STM/cmvp/index.html

-
-
-
-
-

- IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

-
-
-
-

Supplemental guidance

-

Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users.

- - - - - - - - - - - -
-
-

- IA-8 (1) ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

-
-
-
-

Supplemental guidance

-

This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

[1]

-
-

accepts Personal Identity Verification (PIV) credentials from other agencies; and

-
-
-
- - - - - - - -
-

[2]

-
-

electronically verifies Personal Identity Verification (PIV) credentials from other agencies.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- PIV verification records

-

- evidence of PIV credentials

-

- PIV credential authorizations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-

- organizational personnel with account management responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms that accept and verify PIV credentials

-
-

References: None -

-
-
-

- IA-8 (2) ACCEPTANCE OF THIRD-PARTY CREDENTIALS

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system accepts only FICAM-approved third-party credentials.

-
-
-
-

Supplemental guidance

-

This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system accepts only FICAM-approved third-party credentials.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization

-

- third-party credential verification records

-

- evidence of FICAM-approved third-party credentials

-

- third-party credential authorizations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-

- organizational personnel with account management responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms that accept FICAM-approved credentials

-
-

References: None -

-
-
-

- IA-8 (3) USE OF FICAM-APPROVED PRODUCTS

-
-

- Parameter: - ia-8_a organization-defined information systems

-

- Value: organization-defined information systems

-
-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs only FICAM-approved information system components in - - ia-8_a - - organization-defined information systems - organization-defined information systems - to accept third-party credentials.

-
-
-
-

Supplemental guidance

-

This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information systems in which only FICAM-approved information system components are to be employed to accept third-party credentials; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- system and services acquisition policy

-

- procedures addressing user identification and authentication

-

- procedures addressing the integration of security requirements into the acquisition process

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- third-party credential validations

-

- third-party credential authorizations

-

- third-party credential records

-

- list of FICAM-approved information system components procured and implemented by organization

-

- acquisition documentation

-

- acquisition contracts for information system procurements or services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- system/network administrators

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information system security, acquisition, and contracting responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-
-

References: None -

-
-
-

- IA-8 (4) USE OF FICAM-ISSUED PROFILES

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system conforms to FICAM-issued profiles.

-
-
-
-

Supplemental guidance

-

This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange).

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system conforms to FICAM-issued profiles.

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- system and services acquisition policy

-

- procedures addressing user identification and authentication

-

- procedures addressing the integration of security requirements into the acquisition process

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of FICAM-issued profiles and associated, approved protocols

-

- acquisition documentation

-

- acquisition contracts for information system procurements or services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developers

-

- organizational personnel with account management responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-

- automated mechanisms supporting and/or implementing conformance with FICAM-issued profiles

-
-

References: None -

-
-
-

Objective

- - - - - - -
- -

Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

-
-
-
-

Assessment: EXAMINE

-

- Identification and authentication policy

-

- procedures addressing user identification and authentication

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- list of information system accounts

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system operations responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- organizational personnel with account management responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing identification and authentication capability

-
-
-

References

-
-

OMB Memorandum 04-04

-
-
-

OMB Memorandum 11-11

-
-
-

OMB Memorandum 10-06-2011

-
-
-

FICAM Roadmap and Implementation Guidance

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-116

-
-
-

National Strategy for Trusted Identities in Cyberspace

-
-
-

http://idmanagement.gov

-
-
-
-
-
-

INCIDENT RESPONSE

-
-

- IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES

-
-

- Parameter: - ir-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ir-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ir-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ir-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Incident response policy - - ir-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Incident response procedures - - ir-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an incident response policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the incident response policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the incident response policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current incident response policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current incident response policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current incident response procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current incident response procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-61

-
-
-

NIST Special Publication 800-83

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- IR-2 INCIDENT RESPONSE TRAINING

-
-

- Parameter: - ir-2_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ir-2_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides incident response training to information system users consistent with assigned roles and responsibilities:

-
- - - - - - - -
-

a.

-
-

Within - - ir-2_a - - organization-defined time period - organization-defined time period - of assuming an incident response role or responsibility;

-
-
-
- - - - - - - -
-

b.

-
-

When required by information system changes; and

-
-
-
- - - - - - - -
-

c.

-
-

- - - ir-2_b - - organization-defined frequency - organization-defined frequency - thereafter.

-
-
-
-
-
-

Supplemental guidance

-

Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period within which incident response training is to be provided to information system users assuming an incident response role or responsibility;

-
-
-
- - - - - - - -
-

[2]

-
-

provides incident response training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming an incident response role or responsibility;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to provide refresher incident response training to information system users consistent with assigned roles or responsibilities; and

-
-
-
- - - - - - - -
-

[2]

-
-

after the initial incident response training, provides refresher incident response training to information system users consistent with assigned roles and responsibilities in accordance with the organization-defined frequency to provide refresher training.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response training

-

- incident response training curriculum

-

- incident response training materials

-

- security plan

-

- incident response plan

-

- security plan

-

- incident response training records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response training and operational responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-16

-
-
-

NIST Special Publication 800-50

-
-
-
-
-

- IR-3 INCIDENT RESPONSE TESTING

-
-

- Parameter: - ir-3_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ir-3_b organization-defined tests

-

- Value: organization-defined tests

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tests the incident response capability for the information system - - ir-3_a - - organization-defined frequency - organization-defined frequency - using - - ir-3_b - - organization-defined tests - organization-defined tests - to determine the incident response effectiveness and documents the results.

-
-
-
-

Supplemental guidance

-

Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response.

- - -
-
-

- IR-3 (2) COORDINATION WITH RELATED PLANS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization coordinates incident response testing with organizational elements responsible for related plans.

-
-
-
-

Supplemental guidance

-

Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization coordinates incident response testing with organizational elements responsible for related plans.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- contingency planning policy

-

- procedures addressing incident response testing

-

- incident response testing documentation

-

- incident response plan

-

- business continuity plans

-

- contingency plans

-

- disaster recovery plans

-

- continuity of operations plans

-

- crisis communications plans

-

- critical infrastructure plans

-

- occupant emergency plans

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response testing responsibilities

-

- organizational personnel with responsibilities for testing organizational plans related to incident response testing

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines incident response tests to test the incident response capability for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to test the incident response capability for the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

tests the incident response capability for the information system with the organization-defined frequency, using organization-defined tests to determine the incident response effectiveness and documents the results.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- contingency planning policy

-

- procedures addressing incident response testing

-

- procedures addressing contingency plan testing

-

- incident response testing material

-

- incident response test results

-

- incident response test plan

-

- incident response plan

-

- contingency plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response testing responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-84

-
-
-

NIST Special Publication 800-115

-
-
-
-
-

- IR-4 INCIDENT HANDLING

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;

-
-
-
- - - - - - - -
-

b.

-
-

Coordinates incident handling activities with contingency planning activities; and

-
-
-
- - - - - - - -
-

c.

-
-

Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.

-
-
-
-
-
-

Supplemental guidance

-

Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).

- - - - - - - - - - - - - -
-
-

- IR-4 (1) AUTOMATED INCIDENT HANDLING PROCESSES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to support the incident handling process.

-
-
-
-

Supplemental guidance

-

Automated mechanisms supporting incident handling processes include, for example, online incident management systems.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to support the incident handling process.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident handling

-

- automated mechanisms supporting incident handling

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident handling responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms that support and/or implement the incident handling process

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

implements an incident handling capability for security incidents that includes:

-
- - - - - - - -
-

[1]

-
-

preparation;

-
-
-
- - - - - - - -
-

[2]

-
-

detection and analysis;

-
-
-
- - - - - - - -
-

[3]

-
-

containment;

-
-
-
- - - - - - - -
-

[4]

-
-

eradication;

-
-
-
- - - - - - - -
-

[5]

-
-

recovery;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

coordinates incident handling activities with contingency planning activities;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

incorporates lessons learned from ongoing incident handling activities into:

-
- - - - - - - -
-

[a]

-
-

incident response procedures;

-
-
-
- - - - - - - -
-

[b]

-
-

training;

-
-
-
- - - - - - - -
-

[c]

-
-

testing/exercises;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

implements the resulting changes accordingly to:

-
- - - - - - - -
-

[a]

-
-

incident response procedures;

-
-
-
- - - - - - - -
-

[b]

-
-

training; and

-
-
-
- - - - - - - -
-

[c]

-
-

testing/exercises.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- contingency planning policy

-

- procedures addressing incident handling

-

- incident response plan

-

- contingency plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident handling responsibilities

-

- organizational personnel with contingency planning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Incident handling capability for the organization

-
-
-

References

-
-

Executive Order 13587

-
-
-

NIST Special Publication 800-61

-
-
-
-
-

- IR-5 INCIDENT MONITORING

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization tracks and documents information system security incidents.

-
-
-
-

Supplemental guidance

-

Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.

- - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

tracks information system security incidents; and

-
-
-
- - - - - - - -
-

[2]

-
-

documents information system security incidents.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident monitoring

-

- incident response records and documentation

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident monitoring responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Incident monitoring capability for the organization

-

- automated mechanisms supporting and/or implementing tracking and documenting of system security incidents

-
-
-

References

-
-

NIST Special Publication 800-61

-
-
-
-
-

- IR-6 INCIDENT REPORTING

-
-

- Parameter: - ir-6_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ir-6_b organization-defined authorities

-

- Value: organization-defined authorities

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Requires personnel to report suspected security incidents to the organizational incident response capability within - - ir-6_a - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Reports security incident information to - - ir-6_b - - organization-defined authorities - organization-defined authorities - .

-
-
-
-
-
-

Supplemental guidance

-

The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling.

- - - -
-
-

- IR-6 (1) AUTOMATED REPORTING

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to assist in the reporting of security incidents.

-
-
-
-

Supplemental guidance

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to assist in the reporting of security incidents.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident reporting

-

- automated mechanisms supporting incident reporting

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident reporting responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for incident reporting

-

- automated mechanisms supporting and/or implementing reporting of security incidents

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the time period within which personnel report suspected security incidents to the organizational incident response capability;

-
-
-
- - - - - - - -
-

[2]

-
-

requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines authorities to whom security incident information is to be reported; and

-
-
-
- - - - - - - -
-

[2]

-
-

reports security incident information to organization-defined authorities.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident reporting

-

- incident reporting records and documentation

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident reporting responsibilities

-

- organizational personnel with information security responsibilities

-

- personnel who have/should have reported incidents

-

- personnel (authorities) to whom incident information is to be reported

-
-
-

Assessment: TEST

-

- Organizational processes for incident reporting

-

- automated mechanisms supporting and/or implementing incident reporting

-
-
-

References

-
-

NIST Special Publication 800-61

-
-
-

http://www.us-cert.gov

-
-
-
-
-

- IR-7 INCIDENT RESPONSE ASSISTANCE

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

-
-
-
-

Supplemental guidance

-

Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required.

- - - - - -
-
-

- IR-7 (1) AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms to increase the availability of incident response-related information and support.

-
-
-
-

Supplemental guidance

-

Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated mechanisms to increase the availability of incident response-related information and support.

-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response assistance

-

- automated mechanisms supporting incident response support and assistance

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response support and assistance responsibilities

-

- organizational personnel with access to incident response support and assistance capability

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for incident response assistance

-

- automated mechanisms supporting and/or implementing an increase in the availability of incident response information and support

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization provides an incident response support resource:

-
- - - - - - - -
-

[1]

-
-

that is integral to the organizational incident response capability; and

-
-
-
- - - - - - - -
-

[2]

-
-

that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response assistance

-

- incident response plan

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response assistance and support responsibilities

-

- organizational personnel with access to incident response support and assistance capability

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for incident response assistance

-

- automated mechanisms supporting and/or implementing incident response assistance

-
-

References: None -

-
-
-

- IR-8 INCIDENT RESPONSE PLAN

-
-

- Parameter: - ir-8_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ir-8_b organization-defined incident response personnel (identified by name and/or by role) and organizational elements

-

- Value: organization-defined incident response personnel (identified by name and/or by role) and organizational elements

-
-
-

- Parameter: - ir-8_c organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ir-8_d organization-defined incident response personnel (identified by name and/or by role) and organizational elements

-

- Value: organization-defined incident response personnel (identified by name and/or by role) and organizational elements

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops an incident response plan that:

-
- - - - - - - -
-

1.

-
-

Provides the organization with a roadmap for implementing its incident response capability;

-
-
-
- - - - - - - -
-

2.

-
-

Describes the structure and organization of the incident response capability;

-
-
-
- - - - - - - -
-

3.

-
-

Provides a high-level approach for how the incident response capability fits into the overall organization;

-
-
-
- - - - - - - -
-

4.

-
-

Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

-
-
-
- - - - - - - -
-

5.

-
-

Defines reportable incidents;

-
-
-
- - - - - - - -
-

6.

-
-

Provides metrics for measuring the incident response capability within the organization;

-
-
-
- - - - - - - -
-

7.

-
-

Defines the resources and management support needed to effectively maintain and mature an incident response capability; and

-
-
-
- - - - - - - -
-

8.

-
-

Is reviewed and approved by - - ir-8_a - - organization-defined personnel or roles - organization-defined personnel or roles - ;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Distributes copies of the incident response plan to - - ir-8_b - - organization-defined incident response personnel (identified by name and/or by role) and organizational elements - organization-defined incident response personnel (identified by name and/or by role) and organizational elements - ;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews the incident response plan - - ir-8_c - - organization-defined frequency - organization-defined frequency - ;

-
-
-
- - - - - - - -
-

d.

-
-

Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;

-
-
-
- - - - - - - -
-

e.

-
-

Communicates incident response plan changes to [Assignment (ir-8_d): organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and

-
-
-
- - - - - - - -
-

f.

-
-

Protects the incident response plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Supplemental guidance

-

It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops an incident response plan that:

-
- - - - - - - -
-

(1)

-
-

provides the organization with a roadmap for implementing its incident response capability;

-
-
-
- - - - - - - -
-

(2)

-
-

describes the structure and organization of the incident response capability;

-
-
-
- - - - - - - -
-

(3)

-
-

provides a high-level approach for how the incident response capability fits into the overall organization;

-
-
-
- - - - - - - -
-

(4)

-
-

meets the unique requirements of the organization, which relate to:

-
- - - - - - - -
-

[1]

-
-

mission;

-
-
-
- - - - - - - -
-

[2]

-
-

size;

-
-
-
- - - - - - - -
-

[3]

-
-

structure;

-
-
-
- - - - - - - -
-

[4]

-
-

functions;

-
-
-
-
-
- - - - - - - -
-

(5)

-
-

defines reportable incidents;

-
-
-
- - - - - - - -
-

(6)

-
-

provides metrics for measuring the incident response capability within the organization;

-
-
-
- - - - - - - -
-

(7)

-
-

defines the resources and management support needed to effectively maintain and mature an incident response capability;

-
-
-
- - - - - - - -
-

(8)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to review and approve the incident response plan;

-
-
-
- - - - - - - -
-

[2]

-
-

is reviewed and approved by organization-defined personnel or roles;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed;

-
-
-
- - - - - - - -
-

[b]

-
-

defines organizational elements to whom copies of the incident response plan are to be distributed;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the incident response plan;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the incident response plan with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

updates the incident response plan to address system/organizational changes or problems encountered during plan:

-
- - - - - - - -
-

[1]

-
-

implementation;

-
-
-
- - - - - - - -
-

[2]

-
-

execution; or

-
-
-
- - - - - - - -
-

[3]

-
-

testing;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines incident response personnel (identified by name and/or by role) to whom incident response plan changes are to be communicated;

-
-
-
- - - - - - - -
-

[b]

-
-

defines organizational elements to whom incident response plan changes are to be communicated;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements; and

-
-
-
-
-
- - - - - - - -
-

(f)

-
-

protects the incident response plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Incident response policy

-

- procedures addressing incident response planning

-

- incident response plan

-

- records of incident response plan reviews and approvals

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with incident response planning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational incident response plan and related organizational processes

-
-
-

References

-
-

NIST Special Publication 800-61

-
-
-
-
-
-

MAINTENANCE

-
-

- MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES

-
-

- Parameter: - ma-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ma-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ma-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to [Assignment (ma-1_a): organization-defined personnel or roles]:

-
- - - - - - - -
-

1.

-
-

A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

System maintenance policy [Assignment (ma-1_b): organization-defined frequency]; and

-
-
-
- - - - - - - -
-

2.

-
-

System maintenance procedures [Assignment (ma-1_c): organization-defined frequency].

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a system maintenance policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the system maintenance policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the system maintenance policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the maintenance policy and associated system maintenance controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system maintenance policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system maintenance policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system maintenance procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system maintenance procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Maintenance policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- MA-2 CONTROLLED MAINTENANCE

-
-

- Parameter: - ma-2_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ma-2_b organization-defined maintenance-related information

-

- Value: organization-defined maintenance-related information

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;

-
-
-
- - - - - - - -
-

b.

-
-

Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

-
-
-
- - - - - - - -
-

c.

-
-

Requires that [Assignment (ma-2_a): organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

-
-
-
- - - - - - - -
-

d.

-
-

Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;

-
-
-
- - - - - - - -
-

e.

-
-

Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and

-
-
-
- - - - - - - -
-

f.

-
-

Includes [Assignment (ma-2_b): organization-defined maintenance-related information] in organizational maintenance records.

-
-
-
-
-
-

Supplemental guidance

-

This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

schedules maintenance and repairs on information system components in accordance with:

-
- - - - - - - -
-

[a]

-
-

manufacturer or vendor specifications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

organizational requirements;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

performs maintenance and repairs on information system components in accordance with:

-
- - - - - - - -
-

[a]

-
-

manufacturer or vendor specifications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

organizational requirements;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

documents maintenance and repairs on information system components in accordance with:

-
- - - - - - - -
-

[a]

-
-

manufacturer or vendor specifications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

organizational requirements;

-
-
-
-
-
- - - - - - - -
-

[4]

-
-

reviews records of maintenance and repairs on information system components in accordance with:

-
- - - - - - - -
-

[a]

-
-

manufacturer or vendor specifications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

organizational requirements;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

approves all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles required to explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

-
-
-
- - - - - - - -
-

[2]

-
-

requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;

-
-
-
- - - - - - - -
-

(e)

-
-

checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;

-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines maintenance-related information to be included in organizational maintenance records; and

-
-
-
- - - - - - - -
-

[2]

-
-

includes organization-defined maintenance-related information in organizational maintenance records.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing controlled information system maintenance

-

- maintenance records

-

- manufacturer/vendor maintenance specifications

-

- equipment sanitization records

-

- media sanitization records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel responsible for media sanitization

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system

-

- organizational processes for sanitizing information system components

-

- automated mechanisms supporting and/or implementing controlled maintenance

-

- automated mechanisms implementing sanitization of information system components

-
-

References: None

-
-
-

- MA-3 MAINTENANCE TOOLS

-

- priority: P3

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization approves, controls, and monitors information system maintenance tools.

-
-
-
-

Supplemental guidance

-

This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch.

- - - -
-
-

- MA-3 (1) INSPECT TOOLS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

-
-
-
-

Supplemental guidance

-

If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing information system maintenance tools

-

- information system maintenance tools and associated documentation

-

- maintenance tool inspection records

-

- maintenance records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for inspecting maintenance tools

-

- automated mechanisms supporting and/or implementing inspection of maintenance tools

-
-

References: None

-
-
-

- MA-3 (2) INSPECT MEDIA

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.

-
-
-
-

Supplemental guidance

-

If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.

-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing information system maintenance tools

-

- information system maintenance tools and associated documentation

-

- maintenance records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational process for inspecting media for malicious code

-

- automated mechanisms supporting and/or implementing inspection of media used for maintenance

-
-

References: None

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

approves information system maintenance tools;

-
-
-
- - - - - - - -
-

[2]

-
-

controls information system maintenance tools; and

-
-
-
- - - - - - - -
-

[3]

-
-

monitors information system maintenance tools.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing information system maintenance tools

-

- information system maintenance tools and associated documentation

-

- maintenance records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for approving, controlling, and monitoring maintenance tools

-

- automated mechanisms supporting and/or implementing approval, control, and/or monitoring of maintenance tools

-
-
-

References

-
-

NIST Special Publication 800-88

-
-
-
-
-

- MA-4 NONLOCAL MAINTENANCE

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Approves and monitors nonlocal maintenance and diagnostic activities;

-
-
-
- - - - - - - -
-

b.

-
-

Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;

-
-
-
- - - - - - - -
-

c.

-
-

Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;

-
-
-
- - - - - - - -
-

d.

-
-

Maintains records for nonlocal maintenance and diagnostic activities; and

-
-
-
- - - - - - - -
-

e.

-
-

Terminates session and network connections when nonlocal maintenance is completed.

-
-
-
-
-
-

Supplemental guidance

-

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.

- - - - - - - - - - - - - - - - - -
-
-

- MA-4 (2) DOCUMENT NONLOCAL MAINTENANCE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

-
-
-
-

Objectives

- - - - - - -
- -

Determine if the organization documents in the security plan for the information system:

-
- - - - - - - -
-

[1]

-
-

the policies for the establishment and use of nonlocal maintenance and diagnostic connections; and

-
-
-
- - - - - - - -
-

[2]

-
-

the procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing nonlocal information system maintenance

-

- security plan

-

- maintenance records

-

- diagnostic records

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-

References: None

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

approves nonlocal maintenance and diagnostic activities;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors nonlocal maintenance and diagnostic activities;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

allows the use of nonlocal maintenance and diagnostic tools only:

-
- - - - - - - -
-

[1]

-
-

as consistent with organizational policy;

-
-
-
- - - - - - - -
-

[2]

-
-

as documented in the security plan for the information system;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;

-
-
-
- - - - - - - -
-

(d)

-
-

maintains records for nonlocal maintenance and diagnostic activities;

-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

terminates sessions when nonlocal maintenance or diagnostics is completed; and

-
-
-
- - - - - - - -
-

[2]

-
-

terminates network connections when nonlocal maintenance or diagnostics is completed.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing nonlocal information system maintenance

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- maintenance records

-

- diagnostic records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for managing nonlocal maintenance

-

- automated mechanisms implementing, supporting, and/or managing nonlocal maintenance

-

- automated mechanisms for strong authentication of nonlocal maintenance diagnostic sessions

-

- automated mechanisms for terminating nonlocal maintenance sessions and network connections

-
-
-

References

-
-

FIPS Publication 140-2

-
-
-

FIPS Publication 197

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-63

-
-
-

NIST Special Publication 800-88

-
-
-

CNSS Policy 15

-
-
-
-
-

- MA-5 MAINTENANCE PERSONNEL

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;

-
-
-
- - - - - - - -
-

b.

-
-

Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and

-
-
-
- - - - - - - -
-

c.

-
-

Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

establishes a process for maintenance personnel authorization;

-
-
-
- - - - - - - -
-

[2]

-
-

maintains a list of authorized maintenance organizations or personnel;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and

-
-
-
- - - - - - - -
-

(c)

-
-

designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing maintenance personnel

-

- service provider contracts

-

- service-level agreements

-

- list of authorized personnel

-

- maintenance records

-

- access control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for authorizing and managing maintenance personnel

-

- automated mechanisms supporting and/or implementing authorization of maintenance personnel

-
-

References: None

-
-
-

- MA-6 TIMELY MAINTENANCE

-
-

- Parameter: - ma-6_a organization-defined information system components

-

- Value: organization-defined information system components

-
-
-

- Parameter: - ma-6_b organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization obtains maintenance support and/or spare parts for [Assignment (ma-6_a): organization-defined information system components] within [Assignment (ma-6_b): organization-defined time period] of failure.

-
-
-
-

Supplemental guidance

-

Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information system components for which maintenance support and/or spare parts are to be obtained;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which maintenance support and/or spare parts are to be obtained after a failure;

-
-
-
- - - - - - - -
-

[3]

-
-
- - - - - - - -
-

[a]

-
-

obtains maintenance support for organization-defined information system components within the organization-defined time period of failure; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

obtains spare parts for organization-defined information system components within the organization-defined time period of failure.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system maintenance policy

-

- procedures addressing information system maintenance

-

- service provider contracts

-

- service-level agreements

-

- inventory and availability of spare parts

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system maintenance responsibilities

-

- organizational personnel with acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for ensuring timely maintenance

-
-

References: None -

-
-
-
-

MEDIA PROTECTION

-
-

- MP-1 MEDIA PROTECTION POLICY AND PROCEDURES

-
-

- Parameter: - mp-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - mp-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - mp-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - mp-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Media protection policy - - mp-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Media protection procedures - - mp-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a media protection policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the media protection policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the media protection policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current media protection policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current media protection policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current media protection procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current media protection procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Media protection policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with media protection responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- MP-2 MEDIA ACCESS

-
-

- Parameter: - mp-2_a organization-defined types of digital and/or non-digital media

-

- Value: organization-defined types of digital and/or non-digital media

-
-
-

- Parameter: - mp-2_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization restricts access to - - mp-2_a - - organization-defined types of digital and/or non-digital media - organization-defined types of digital and/or non-digital media - to - - mp-2_b - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-

Supplemental guidance

-

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines types of digital and/or non-digital media requiring restricted access;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles authorized to access organization-defined types of digital and/or non-digital media; and

-
-
-
- - - - - - - -
-

[3]

-
-

restricts access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media access restrictions

-

- access control policy and procedures

-

- physical and environmental protection policy and procedures

-

- media storage facilities

-

- access control records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media protection responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for restricting information media

-

- automated mechanisms supporting and/or implementing media access restrictions

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-111

-
-
-
-
-

- MP-3 MEDIA MARKING

-
-

- Parameter: - mp-3_a organization-defined types of information system media

-

- Value: organization-defined types of information system media

-
-
-

- Parameter: - mp-3_b organization-defined controlled areas

-

- Value: organization-defined controlled areas

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and

-
-
-
- - - - - - - -
-

b.

-
-

Exempts - - mp-3_a - - organization-defined types of information system media - organization-defined types of information system media - from marking as long as the media remain within - - mp-3_b - - organization-defined controlled areas - organization-defined controlled areas - .

-
-
-
-
-
-

Supplemental guidance

-

The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

marks information system media indicating the:

-
- - - - - - - -
-

[1]

-
-

distribution limitations of the information;

-
-
-
- - - - - - - -
-

[2]

-
-

handling caveats of the information;

-
-
-
- - - - - - - -
-

[3]

-
-

applicable security markings (if any) of the information;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines types of information system media to be exempted from marking as long as the media remain in designated controlled areas;

-
-
-
- - - - - - - -
-

[2]

-
-

defines controlled areas where organization-defined types of information system media exempt from marking are to be retained; and

-
-
-
- - - - - - - -
-

[3]

-
-

exempts organization-defined types of information system media from marking as long as the media remain within organization-defined controlled areas.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media marking

-

- physical and environmental protection policy and procedures

-

- security plan

-

- list of information system media marking security attributes

-

- designated controlled areas

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media protection and marking responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for marking information media

-

- automated mechanisms supporting and/or implementing media marking

-
-
-

References

-
-

FIPS Publication 199

-
-
-
-
-

- MP-4 MEDIA STORAGE

-
-

- Parameter: - mp-4_a organization-defined types of digital and/or non-digital media

-

- Value: organization-defined types of digital and/or non-digital media

-
-
-

- Parameter: - mp-4_b organization-defined controlled areas

-

- Value: organization-defined controlled areas

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Physically controls and securely stores - - mp-4_a - - organization-defined types of digital and/or non-digital media - organization-defined types of digital and/or non-digital media - within - - mp-4_b - - organization-defined controlled areas - organization-defined controlled areas - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

-
-
-
-
-
-

Supplemental guidance

-

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines types of digital and/or non-digital media to be physically controlled and securely stored within designated controlled areas;

-
-
-
- - - - - - - -
-

[2]

-
-

defines controlled areas designated to physically control and securely store organization-defined types of digital and/or non-digital media;

-
-
-
- - - - - - - -
-

[3]

-
-

physically controls organization-defined types of digital and/or non-digital media within organization-defined controlled areas;

-
-
-
- - - - - - - -
-

[4]

-
-

securely stores organization-defined types of digital and/or non-digital media within organization-defined controlled areas; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media storage

-

- physical and environmental protection policy and procedures

-

- access control policy and procedures

-

- security plan

-

- information system media

-

- designated controlled areas

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media protection and storage responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for storing information media

-

- automated mechanisms supporting and/or implementing secure media storage/media protection

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-56

-
-
-

NIST Special Publication 800-57

-
-
-

NIST Special Publication 800-111

-
-
-
-
-

- MP-5 MEDIA TRANSPORT

-
-

- Parameter: - mp-5_a organization-defined types of information system media

-

- Value: organization-defined types of information system media

-
-
-

- Parameter: - mp-5_b organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Protects and controls - - mp-5_a - - organization-defined types of information system media - organization-defined types of information system media - during transport outside of controlled areas using - - mp-5_b - - organization-defined security safeguards - organization-defined security safeguards - ;

-
-
-
- - - - - - - -
-

b.

-
-

Maintains accountability for information system media during transport outside of controlled areas;

-
-
-
- - - - - - - -
-

c.

-
-

Documents activities associated with the transport of information system media; and

-
-
-
- - - - - - - -
-

d.

-
-

Restricts the activities associated with the transport of information system media to authorized personnel.

-
-
-
-
-
-

Supplemental guidance

-

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. -Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. 
Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records.

- - - - - - - - -
-
-

- MP-5 (4) CRYPTOGRAPHIC PROTECTION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

-
-
-
-

Supplemental guidance

-

This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers).

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media transport

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system media transport records

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media transport responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Cryptographic mechanisms protecting information on digital media during transportation outside controlled areas

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines types of information system media to be protected and controlled during transport outside of controlled areas;

-
-
-
- - - - - - - -
-

[2]

-
-

defines security safeguards to protect and control organization-defined information system media during transport outside of controlled areas;

-
-
-
- - - - - - - -
-

[3]

-
-

protects and controls organization-defined information system media during transport outside of controlled areas using organization-defined security safeguards;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

maintains accountability for information system media during transport outside of controlled areas;

-
-
-
- - - - - - - -
-

(c)

-
-

documents activities associated with the transport of information system media; and

-
-
-
- - - - - - - -
-

(d)

-
-

restricts the activities associated with transport of information system media to authorized personnel.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media storage

-

- physical and environmental protection policy and procedures

-

- access control policy and procedures

-

- security plan

-

- information system media

-

- designated controlled areas

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media protection and storage responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for storing information media

-

- automated mechanisms supporting and/or implementing media storage/media protection

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-60

-
-
-
-
-

- MP-6 MEDIA SANITIZATION

-
-

- Parameter: - mp-6_a organization-defined information system media

-

- Value: organization-defined information system media

-
-
-

- Parameter: - mp-6_b organization-defined sanitization techniques and procedures

-

- Value: organization-defined sanitization techniques and procedures

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Sanitizes - - mp-6_a - - organization-defined information system media - organization-defined information system media - prior to disposal, release out of organizational control, or release for reuse using - - mp-6_b - - organization-defined sanitization techniques and procedures - organization-defined sanitization techniques and procedures - in accordance with applicable federal and organizational standards and policies; and

-
-
-
- - - - - - - -
-

b.

-
-

Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines information system media to be sanitized prior to:

-
- - - - - - - -
-

[a]

-
-

disposal;

-
-
-
- - - - - - - -
-

[b]

-
-

release out of organizational control; or

-
-
-
- - - - - - - -
-

[c]

-
-

release for reuse;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to:

-
- - - - - - - -
-

[a]

-
-

disposal;

-
-
-
- - - - - - - -
-

[b]

-
-

release out of organizational control; or

-
-
-
- - - - - - - -
-

[c]

-
-

release for reuse;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational standards and policies; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- procedures addressing media sanitization and disposal

-

- applicable federal standards and policies addressing media sanitization

-

- media sanitization records

-

- audit records

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with media sanitization responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for media sanitization

-

- automated mechanisms supporting and/or implementing media sanitization

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-60

-
-
-

NIST Special Publication 800-88

-
-
-

http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml

-
-
-
-
-

- MP-7 MEDIA USE

-
-

- Parameter: - mp-7_a organization-defined types of information system media

-

- Value: organization-defined types of information system media

-
-
-

- Parameter: - mp-7_b organization-defined information systems or system components

-

- Value: organization-defined information systems or system components

-
-
-

- Parameter: - mp-7_c organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization [Selection: restricts; prohibits] the use of - - mp-7_a - - organization-defined types of information system media - organization-defined types of information system media - on - - mp-7_b - - organization-defined information systems or system components - organization-defined information systems or system components - using - - mp-7_c - - organization-defined security safeguards - organization-defined security safeguards - .

-
-
-
-

Supplemental guidance

-

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices.

- - -
-
-

- MP-7 (1) PROHIBIT USE WITHOUT OWNER

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

-
-
-
-

Supplemental guidance

-

Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion).

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- system use policy

-

- procedures addressing media usage restrictions

-

- security plan

-

- rules of behavior

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media use responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for media use

-

- automated mechanisms prohibiting use of media on information systems or system components

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines types of information system media to be:

-
- - - - - - - -
-

[a]

-
-

restricted on information systems or system components; or

-
-
-
- - - - - - - -
-

[b]

-
-

prohibited from use on information systems or system components;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines information systems or system components on which the use of organization-defined types of information system media is to be one of the following:

-
- - - - - - - -
-

[a]

-
-

restricted; or

-
-
-
- - - - - - - -
-

[b]

-
-

prohibited;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

defines security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components; and

-
-
-
- - - - - - - -
-

[4]

-
-

restricts or prohibits the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Information system media protection policy

-

- system use policy

-

- procedures addressing media usage restrictions

-

- security plan

-

- rules of behavior

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information system media use responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for media use

-

- automated mechanisms restricting or prohibiting use of information system media on information systems or system components

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-111

-
-
-
-
-
-

PHYSICAL AND ENVIRONMENTAL PROTECTION

-
-

- PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES

-
-

- Parameter: - pe-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - pe-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - pe-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - pe-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Physical and environmental protection policy - - pe-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Physical and environmental protection procedures - - pe-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a physical and environmental protection policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the physical and environmental protection policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the physical and environmental protection policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current physical and environmental protection policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current physical and environmental protection policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current physical and environmental protection procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current physical and environmental protection procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical and environmental protection responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- PE-2 PHYSICAL ACCESS AUTHORIZATIONS

-
-

- Parameter: - pe-2_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;

-
-
-
- - - - - - - -
-

b.

-
-

Issues authorization credentials for facility access;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews the access list detailing authorized facility access by individuals - - pe-2_a - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

d.

-
-

Removes individuals from the facility access list when access is no longer required.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

develops a list of individuals with authorized access to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[2]

-
-

approves a list of individuals with authorized access to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[3]

-
-

maintains a list of individuals with authorized access to the facility where the information system resides;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

issues authorization credentials for facility access;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the access list detailing authorized facility access by individuals;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the access list detailing authorized facility access by individuals with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

removes individuals from the facility access list when access is no longer required.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access authorizations

-

- security plan

-

- authorized personnel access list

-

- authorization credentials

-

- physical access list reviews

-

- physical access termination records and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access authorization responsibilities

-

- organizational personnel with physical access to information system facility

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for physical access authorizations

-

- automated mechanisms supporting and/or implementing physical access authorizations

-
-

References: None -

-
-
-

- PE-3 PHYSICAL ACCESS CONTROL

-
-

- Parameter: - pe-3_a organization-defined entry/exit points to the facility where the information system resides

-

- Value: organization-defined entry/exit points to the facility where the information system resides

-
-
-

- Parameter: - pe-3_b organization-defined physical access control systems/devices

-

- Value: organization-defined physical access control systems/devices

-
-
-

- Parameter: - pe-3_c organization-defined entry/exit points

-

- Value: organization-defined entry/exit points

-
-
-

- Parameter: - pe-3_d organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-
-

- Parameter: - pe-3_e organization-defined circumstances requiring visitor escorts and monitoring

-

- Value: organization-defined circumstances requiring visitor escorts and monitoring

-
-
-

- Parameter: - pe-3_f organization-defined physical access devices

-

- Value: organization-defined physical access devices

-
-
-

- Parameter: - pe-3_g organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - pe-3_h organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Enforces physical access authorizations at - - pe-3_a - - organization-defined entry/exit points to the facility where the information system resides - organization-defined entry/exit points to the facility where the information system resides - by;

-
- - - - - - - -
-

1.

-
-

Verifying individual access authorizations before granting access to the facility; and

-
-
-
- - - - - - - -
-

2.

-
-

Controlling ingress/egress to the facility using [Selection (one or more): - - pe-3_b - - organization-defined physical access control systems/devices - organization-defined physical access control systems/devices - ; guards];

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Maintains physical access audit logs for - - pe-3_c - - organization-defined entry/exit points - organization-defined entry/exit points - ;

-
-
-
- - - - - - - -
-

c.

-
-

Provides - - pe-3_d - - organization-defined security safeguards - organization-defined security safeguards - to control access to areas within the facility officially designated as publicly accessible;

-
-
-
- - - - - - - -
-

d.

-
-

Escorts visitors and monitors visitor activity - - pe-3_e - - organization-defined circumstances requiring visitor escorts and monitoring - organization-defined circumstances requiring visitor escorts and monitoring - ;

-
-
-
- - - - - - - -
-

e.

-
-

Secures keys, combinations, and other physical access devices;

-
-
-
- - - - - - - -
-

f.

-
-

Inventories - - pe-3_f - - organization-defined physical access devices - organization-defined physical access devices - every - - pe-3_g - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

g.

-
-

Changes combinations and keys - - pe-3_h - - organization-defined frequency - organization-defined frequency - and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

-
-
-
-
-
-

Supplemental guidance

-

This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.

- - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines entry/exit points to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[2]

-
-

enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides by:

-
- - - - - - - -
-

(1)

-
-

verifying individual access authorizations before granting access to the facility;

-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[a]

-
-

defining physical access control systems/devices to be employed to control ingress/egress to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[b]

-
-

using one or more of the following ways to control ingress/egress to the facility:

-
- - - - - - - -
-

[1]

-
-

organization-defined physical access control systems/devices; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

guards;

-
-
-
-
-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines entry/exit points for which physical access audit logs are to be maintained;

-
-
-
- - - - - - - -
-

[2]

-
-

maintains physical access audit logs for organization-defined entry/exit points;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible;

-
-
-
- - - - - - - -
-

[2]

-
-

provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines circumstances requiring visitor:

-
- - - - - - - -
-

[a]

-
-

escorts;

-
-
-
- - - - - - - -
-

[b]

-
-

monitoring;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

in accordance with organization-defined circumstances requiring visitor escorts and monitoring:

-
- - - - - - - -
-

[a]

-
-

escorts visitors;

-
-
-
- - - - - - - -
-

[b]

-
-

monitors visitor activities;

-
-
-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

secures keys;

-
-
-
- - - - - - - -
-

[2]

-
-

secures combinations;

-
-
-
- - - - - - - -
-

[3]

-
-

secures other physical access devices;

-
-
-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines physical access devices to be inventoried;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to inventory organization-defined physical access devices;

-
-
-
- - - - - - - -
-

[3]

-
-

inventories the organization-defined physical access devices with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to change combinations and keys; and

-
-
-
- - - - - - - -
-

[2]

-
-

changes combinations and keys with the organization-defined frequency and/or when:

-
- - - - - - - -
-

[a]

-
-

keys are lost;

-
-
-
- - - - - - - -
-

[b]

-
-

combinations are compromised;

-
-
-
- - - - - - - -
-

[c]

-
-

individuals are transferred or terminated.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access control

-

- security plan

-

- physical access control logs or records

-

- inventory records of physical access control devices

-

- information system entry and exit points

-

- records of key and lock combination changes

-

- storage locations for physical access control devices

-

- physical access control devices

-

- list of security safeguards controlling access to designated publicly accessible areas within facility

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for physical access control

-

- automated mechanisms supporting and/or implementing physical access control

-

- physical access control devices

-
-
-

References

-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

NIST Special Publication 800-116

-
-
-

ICD 704

-
-
-

ICD 705

-
-
-

DoD Instruction 5200.39

-
-
-

Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)

-
-
-

http://idmanagement.gov

-
-
-

http://fips201ep.cio.gov

-
-
-
-
-

- PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM

-
-

- Parameter: - pe-4_a organization-defined information system distribution and transmission lines

-

- Value: organization-defined information system distribution and transmission lines

-
-
-

- Parameter: - pe-4_b organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization controls physical access to - - pe-4_a - - organization-defined information system distribution and transmission lines - organization-defined information system distribution and transmission lines - within organizational facilities using - - pe-4_b - - organization-defined security safeguards - organization-defined security safeguards - .

-
-
-
-

Supplemental guidance

-

Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines information system distribution and transmission lines requiring physical access controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines security safeguards to be employed to control physical access to organization-defined information system distribution and transmission lines within organizational facilities; and

-
-
-
- - - - - - - -
-

[3]

-
-

controls physical access to organization-defined information system distribution and transmission lines within organizational facilities using organization-defined security safeguards.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing access control for transmission medium

-

- information system design documentation

-

- facility communications and wiring diagrams

-

- list of physical security safeguards applied to information system distribution and transmission lines

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for access control to distribution and transmission lines

-

- automated mechanisms/security safeguards supporting and/or implementing access control to distribution and transmission lines

-
-
-

References

-
-

NSTISSI No. 7003

-
-
-
-
-

- PE-5 ACCESS CONTROL FOR OUTPUT DEVICES

-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

-
-
-
-

Supplemental guidance

-

Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices.

- - - - -
-
-

Objective

- - - - - - -
- -

Determine if the organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing access control for display medium

-

- facility layout of information system components

-

- actual displays from information system components

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for access control to output devices

-

- automated mechanisms supporting and/or implementing access control to output devices

-
-

References: None -

-
-
-

- PE-6 MONITORING PHYSICAL ACCESS

-
-

- Parameter: - pe-6_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - pe-6_b organization-defined events or potential indications of events

-

- Value: organization-defined events or potential indications of events

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

-
-
-
- - - - - - - -
-

b.

-
-

Reviews physical access logs - - pe-6_a - - organization-defined frequency - organization-defined frequency - and upon occurrence of - - pe-6_b - - organization-defined events or potential indications of events - organization-defined events or potential indications of events - ; and

-
-
-
- - - - - - - -
-

c.

-
-

Coordinates results of reviews and investigations with the organizational incident response capability.

-
-
-
-
-
-

Supplemental guidance

-

Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses.

- - - -
-
-

- PE-6 (1) INTRUSION ALARMS / SURVEILLANCE EQUIPMENT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization monitors physical intrusion alarms and surveillance equipment.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization monitors physical intrusion alarms and surveillance equipment.

-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access monitoring

-

- security plan

-

- physical access logs or records

-

- physical access monitoring records

-

- physical access log reviews

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access monitoring responsibilities

-

- organizational personnel with incident response responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring physical intrusion alarms and surveillance equipment

-

- automated mechanisms supporting and/or implementing physical access monitoring

-

- automated mechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review physical access logs;

-
-
-
- - - - - - - -
-

[2]

-
-

defines events or potential indication of events requiring physical access logs to be reviewed;

-
-
-
- - - - - - - -
-

[3]

-
-

reviews physical access logs with the organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

coordinates results of reviews and investigations with the organizational incident response capability.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing physical access monitoring

-

- security plan

-

- physical access logs or records

-

- physical access monitoring records

-

- physical access log reviews

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with physical access monitoring responsibilities

-

- organizational personnel with incident response responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring physical access

-

- automated mechanisms supporting and/or implementing physical access monitoring

-

- automated mechanisms supporting and/or implementing reviewing of physical access logs

-
-

References: None -

-
-
-

- PE-8 VISITOR ACCESS RECORDS

-
-

- Parameter: - pe-8_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - pe-8_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Maintains visitor access records to the facility where the information system resides for - - pe-8_a - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Reviews visitor access records - - pe-8_b - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines the time period to maintain visitor access records to the facility where the information system resides;

-
-
-
- - - - - - - -
-

[2]

-
-

maintains visitor access records to the facility where the information system resides for the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review visitor access records; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews visitor access records with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing visitor access records

-

- security plan

-

- visitor access control logs or records

-

- visitor access record or log reviews

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with visitor access records responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for maintaining and reviewing visitor access records

-

- automated mechanisms supporting and/or implementing maintenance and review of visitor access records

-
-

References: None -

-
-
-

- PE-9 POWER EQUIPMENT AND CABLING

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization protects power equipment and power cabling for the information system from damage and destruction.

-
-
-
-

Supplemental guidance

-

Organizations determine the types of protection necessary for power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. This includes, for example, generators and power cabling outside of buildings, internal cabling and uninterruptable power sources within an office or data center, and power sources for self-contained entities such as vehicles and satellites.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization protects power equipment and power cabling for the information system from damage and destruction.

-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing power equipment/cabling protection

-

- facilities housing power equipment/cabling

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for protecting power equipment/cabling

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing protection of power equipment/cabling

-
-

References: None -

-
-
-

- PE-10 EMERGENCY SHUTOFF

-
-

- Parameter: - pe-10_a organization-defined location by information system or system component

-

- Value: organization-defined location by information system or system component

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Provides the capability of shutting off power to the information system or individual system components in emergency situations;

-
-
-
- - - - - - - -
-

b.

-
-

Places emergency shutoff switches or devices in - - pe-10_a - - organization-defined location by information system or system component - organization-defined location by information system or system component - to facilitate safe and easy access for personnel; and

-
-
-
- - - - - - - -
-

c.

-
-

Protects emergency power shutoff capability from unauthorized activation.

-
-
-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

provides the capability of shutting off power to the information system or individual system components in emergency situations;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the location of emergency shutoff switches or devices by information system or system component;

-
-
-
- - - - - - - -
-

[2]

-
-

places emergency shutoff switches or devices in the organization-defined location by information system or system component to facilitate safe and easy access for personnel; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

protects emergency power shutoff capability from unauthorized activation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing power source emergency shutoff

-

- security plan

-

- emergency shutoff controls or switches

-

- locations housing emergency shutoff switches and devices

-

- security safeguards protecting emergency power shutoff capability from unauthorized activation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for emergency power shutoff capability (both implementing and using the capability)

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing emergency power shutoff

-
-

References: None -

-
-
-

- PE-11 EMERGENCY POWER

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.

-
-
-
-

Supplemental guidance

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization provides a short-term uninterruptible power supply to facilitate one or more of the following in the event of a primary power source loss:

-
- - - - - - - -
-

[1]

-
-

an orderly shutdown of the information system; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

transition of the information system to long-term alternate power.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing emergency power

-

- uninterruptible power supply

-

- uninterruptible power supply documentation

-

- uninterruptible power supply test records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for emergency power and/or planning

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing uninterruptible power supply

-

- the uninterruptable power supply

-
-

References: None -

-
-
-

- PE-12 EMERGENCY LIGHTING

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization employs and maintains automatic emergency lighting for the information system that:

-
- - - - - - - -
-

[1]

-
-

activates in the event of a power outage or disruption; and

-
-
-
- - - - - - - -
-

[2]

-
-

covers emergency exits and evacuation routes within the facility.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing emergency lighting

-

- emergency lighting documentation

-

- emergency lighting test records

-

- emergency exits and evacuation routes

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for emergency lighting and/or planning

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing emergency lighting capability

-
-

References: None -

-
-
-

- PE-13 FIRE PROTECTION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.

-
-
-

- PE-13 (3) AUTOMATIC FIRE SUPPRESSION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing fire protection

-

- fire suppression and detection devices/systems documentation

-

- facility housing the information system

-

- alarm service-level agreements

-

- test records of fire suppression and detection devices/systems

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for fire detection and suppression devices/systems

-

- organizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing fire suppression devices/systems

-

- activation of fire suppression devices/systems (simulated)

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

employs fire suppression and detection devices/systems for the information system that are supported by an independent energy source; and

-
-
-
- - - - - - - -
-

[2]

-
-

maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing fire protection

-

- fire suppression and detection devices/systems

-

- fire suppression and detection devices/systems documentation

-

- test records of fire suppression and detection devices/systems

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for fire detection and suppression devices/systems

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing fire suppression/detection devices/systems

-
-

References: None -

-
-
-

- PE-14 TEMPERATURE AND HUMIDITY CONTROLS

-
-

- Parameter: - pe-14_a organization-defined acceptable levels

-

- Value: organization-defined acceptable levels

-
-
-

- Parameter: - pe-14_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Maintains temperature and humidity levels within the facility where the information system resides at - - pe-14_a - - organization-defined acceptable levels - organization-defined acceptable levels - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Monitors temperature and humidity levels - - pe-14_b - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines acceptable temperature levels to be maintained within the facility where the information system resides;

-
-
-
- - - - - - - -
-

[2]

-
-

defines acceptable humidity levels to be maintained within the facility where the information system resides;

-
-
-
- - - - - - - -
-

[3]

-
-

maintains temperature levels within the facility where the information system resides at the organization-defined levels;

-
-
-
- - - - - - - -
-

[4]

-
-

maintains humidity levels within the facility where the information system resides at the organization-defined levels;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to monitor temperature levels;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency to monitor humidity levels;

-
-
-
- - - - - - - -
-

[3]

-
-

monitors temperature levels with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[4]

-
-

monitors humidity levels with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing temperature and humidity control

-

- security plan

-

- temperature and humidity controls

-

- facility housing the information system

-

- temperature and humidity controls documentation

-

- temperature and humidity records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for information system environmental controls

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing maintenance and monitoring of temperature and humidity levels

-
-

References: None -

-
-
-

- PE-15 WATER DAMAGE PROTECTION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

-
-
-
-

Supplemental guidance

-

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are:

-
- - - - - - - -
-

[1]

-
-

accessible;

-
-
-
- - - - - - - -
-

[2]

-
-

working properly; and

-
-
-
- - - - - - - -
-

[3]

-
-

known to key personnel.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing water damage protection

-

- facility housing the information system

-

- master shutoff valves

-

- list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system

-

- master shutoff valve documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for information system environmental controls

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Master water-shutoff valves

-

- organizational process for activating master water-shutoff

-
-

References: None -

-
-
-

- PE-16 DELIVERY AND REMOVAL

-
-

- Parameter: - pe-16_a organization-defined types of information system components

-

- Value: organization-defined types of information system components

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization authorizes, monitors, and controls - - pe-16_a - - organization-defined types of information system components - organization-defined types of information system components - entering and exiting the facility and maintains records of those items.

-
-
-
-

Supplemental guidance

-

Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines types of information system components to be authorized, monitored, and controlled as such components are entering and exiting the facility;

-
-
-
- - - - - - - -
-

[2]

-
-

authorizes organization-defined information system components entering the facility;

-
-
-
- - - - - - - -
-

[3]

-
-

monitors organization-defined information system components entering the facility;

-
-
-
- - - - - - - -
-

[4]

-
-

controls organization-defined information system components entering the facility;

-
-
-
- - - - - - - -
-

[5]

-
-

authorizes organization-defined information system components exiting the facility;

-
-
-
- - - - - - - -
-

[6]

-
-

monitors organization-defined information system components exiting the facility;

-
-
-
- - - - - - - -
-

[7]

-
-

controls organization-defined information system components exiting the facility;

-
-
-
- - - - - - - -
-

[8]

-
-

maintains records of information system components entering the facility; and

-
-
-
- - - - - - - -
-

[9]

-
-

maintains records of information system components exiting the facility.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing delivery and removal of information system components from the facility

-

- security plan

-

- facility housing the information system

-

- records of items entering and exiting the facility

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibilities for controlling information system components entering and exiting the facility

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational process for authorizing, monitoring, and controlling information system-related items entering and exiting the facility

-

- automated mechanisms supporting and/or implementing authorizing, monitoring, and controlling information system-related items entering and exiting the facility

-
-

References: None -

-
-
-

- PE-17 ALTERNATE WORK SITE

-
-

- Parameter: - pe-17_a organization-defined security controls

-

- Value: organization-defined security controls

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Employs - - pe-17_a - - organization-defined security controls - organization-defined security controls - at alternate work sites;

-
-
-
- - - - - - - -
-

b.

-
-

Assesses as feasible, the effectiveness of security controls at alternate work sites; and

-
-
-
- - - - - - - -
-

c.

-
-

Provides a means for employees to communicate with information security personnel in case of security incidents or problems.

-
-
-
-
-
-

Supplemental guidance

-

Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines security controls to be employed at alternate work sites;

-
-
-
- - - - - - - -
-

[2]

-
-

employs organization-defined security controls at alternate work sites;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

assesses, as feasible, the effectiveness of security controls at alternate work sites; and

-
-
-
- - - - - - - -
-

(c)

-
-

provides a means for employees to communicate with information security personnel in case of security incidents or problems.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Physical and environmental protection policy

-

- procedures addressing alternate work sites for organizational personnel

-

- security plan

-

- list of security controls required for alternate work sites

-

- assessments of security controls at alternate work sites

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel approving use of alternate work sites

-

- organizational personnel using alternate work sites

-

- organizational personnel assessing controls at alternate work sites

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for security at alternate work sites

-

- automated mechanisms supporting alternate work sites

-

- security controls employed at alternate work sites

-

- means of communications between personnel at alternate work sites and security personnel

-
-
-

References

-
-

NIST Special Publication 800-46

-
-
-
-
-
-

PLANNING

-
-

- PL-1 SECURITY PLANNING POLICY AND PROCEDURES

-
-

- Parameter: - pl-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - pl-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - pl-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - pl-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Security planning policy - - pl-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Security planning procedures - - pl-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a planning policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the planning policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the planning policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the planning policy and associated planning controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current planning policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current planning policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current planning procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current planning procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Planning policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with planning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-18

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- PL-2 SYSTEM SECURITY PLAN

-
-

- Parameter: - pl-2_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - pl-2_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops a security plan for the information system that:

-
- - - - - - - -
-

1.

-
-

Is consistent with the organization�s enterprise architecture;

-
-
-
- - - - - - - -
-

2.

-
-

Explicitly defines the authorization boundary for the system;

-
-
-
- - - - - - - -
-

3.

-
-

Describes the operational context of the information system in terms of missions and business processes;

-
-
-
- - - - - - - -
-

4.

-
-

Provides the security categorization of the information system including supporting rationale;

-
-
-
- - - - - - - -
-

5.

-
-

Describes the operational environment for the information system and relationships with or connections to other information systems;

-
-
-
- - - - - - - -
-

6.

-
-

Provides an overview of the security requirements for the system;

-
-
-
- - - - - - - -
-

7.

-
-

Identifies any relevant overlays, if applicable;

-
-
-
- - - - - - - -
-

8.

-
-

Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and

-
-
-
- - - - - - - -
-

9.

-
-

Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Distributes copies of the security plan and communicates subsequent changes to the plan to - - pl-2_a - - organization-defined personnel or roles - organization-defined personnel or roles - ;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews the security plan for the information system - - pl-2_b - - organization-defined frequency - organization-defined frequency - ;

-
-
-
- - - - - - - -
-

d.

-
-

Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and

-
-
-
- - - - - - - -
-

e.

-
-

Protects the security plan from unauthorized disclosure and modification.

-
-
-
-
-
-

Supplemental guidance

-

Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. -Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. 
For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.

- - - - - - - - - - - - - - - - - - - - - - - - -
-
-

- PL-2 (3) PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES

-
-

- Parameter: - pl-2_c organization-defined individuals or groups

-

- Value: organization-defined individuals or groups

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization plans and coordinates security-related activities affecting the information system with - - pl-2_c - - organization-defined individuals or groups - organization-defined individuals or groups - before conducting such activities in order to reduce the impact on other organizational entities.

-
-
-
-

Supplemental guidance

-

Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines individuals or groups with whom security-related activities affecting the information system are to be planned and coordinated before conducting such activities in order to reduce the impact on other organizational entities; and

-
-
-
- - - - - - - -
-

[2]

-
-

plans and coordinates security-related activities affecting the information system with organization-defined individuals or groups before conducting such activities in order to reduce the impact on other organizational entities.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- access control policy

-

- contingency planning policy

-

- procedures addressing security-related activity planning for the information system

-

- security plan for the information system

-

- contingency plan for the information system

-

- information system design documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security planning and plan implementation responsibilities

-

- organizational individuals or groups with whom security-related activities are to be planned and coordinated

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops a security plan for the information system that:

-
- - - - - - - -
-

(1)

-
-

is consistent with the organization’s enterprise architecture;

-
-
-
- - - - - - - -
-

(2)

-
-

explicitly defines the authorization boundary for the system;

-
-
-
- - - - - - - -
-

(3)

-
-

describes the operational context of the information system in terms of missions and business processes;

-
-
-
- - - - - - - -
-

(4)

-
-

provides the security categorization of the information system including supporting rationale;

-
-
-
- - - - - - - -
-

(5)

-
-

describes the operational environment for the information system and relationships with or connections to other information systems;

-
-
-
- - - - - - - -
-

(6)

-
-

provides an overview of the security requirements for the system;

-
-
-
- - - - - - - -
-

(7)

-
-

identifies any relevant overlays, if applicable;

-
-
-
- - - - - - - -
-

(8)

-
-

describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions;

-
-
-
- - - - - - - -
-

(9)

-
-

is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom copies of the security plan are to be distributed and subsequent changes to the plan are to be communicated;

-
-
-
- - - - - - - -
-

[2]

-
-

distributes copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review the security plan for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews the security plan for the information system with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

updates the plan to address:

-
- - - - - - - -
-

[1]

-
-

changes to the information system/environment of operation;

-
-
-
- - - - - - - -
-

[2]

-
-

problems identified during plan implementation;

-
-
-
- - - - - - - -
-

[3]

-
-

problems identified during security control assessments;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

protects the security plan from unauthorized:

-
- - - - - - - -
-

[1]

-
-

disclosure; and

-
-
-
- - - - - - - -
-

[2]

-
-

modification.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- procedures addressing security plan development and implementation

-

- procedures addressing security plan reviews and updates

-

- enterprise architecture documentation

-

- security plan for the information system

-

- records of security plan reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security planning and plan implementation responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for security plan development/review/update/approval

-

- automated mechanisms supporting the information system security plan

-
-
-

References

-
-

NIST Special Publication 800-18

-
-
-
-
-

- PL-4 RULES OF BEHAVIOR

-
-

- Parameter: - pl-4_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

-
-
-
- - - - - - - -
-

b.

-
-

Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

-
-
-
- - - - - - - -
-

c.

-
-

Reviews and updates the rules of behavior - - pl-4_a - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

d.

-
-

Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

-
-
-
-
-
-

Supplemental guidance

-

This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior.

- - - - - - - - - - - - - - - - - - -
-
-

- PL-4 (1) SOCIAL MEDIA AND NETWORKING RESTRICTIONS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.

-
-
-
-

Supplemental guidance

-

This control enhancement addresses rules of behavior related to the use of social media/networking sites: (i) when organizational personnel are using such sites for official duties or in the conduct of official business; (ii) when organizational information is involved in social media/networking transactions; and (iii) when personnel are accessing social media/networking sites from organizational information systems. Organizations also address specific rules that prevent unauthorized entities from obtaining and/or inferring non-public organizational information (e.g., system account information, personally identifiable information) from social media/networking sites.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization includes the following in the rules of behavior:

-
- - - - - - - -
-

[1]

-
-

explicit restrictions on the use of social media/networking sites; and

-
-
-
- - - - - - - -
-

[2]

-
-

posting organizational information on public websites.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- procedures addressing rules of behavior for information system users

-

- rules of behavior

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior

-

- organizational personnel who are authorized users of the information system and have signed rules of behavior

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for establishing rules of behavior

-

- automated mechanisms supporting and/or implementing the establishment of rules of behavior

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

establishes, for individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

-
-
-
- - - - - - - -
-

[2]

-
-

makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

receives a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the rules of behavior;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the rules of behavior with the organization-defined frequency; and

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- procedures addressing rules of behavior for information system users

-

- rules of behavior

-

- signed acknowledgements

-

- records for rules of behavior reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior

-

- organizational personnel who are authorized users of the information system and have signed and resigned rules of behavior

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior

-

- automated mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior

-
-
-

References

-
-

NIST Special Publication 800-18

-
-
-
-
-

- PL-8 INFORMATION SECURITY ARCHITECTURE

-
-

- Parameter: - pl-8_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops an information security architecture for the information system that:

-
- - - - - - - -
-

1.

-
-

Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;

-
-
-
- - - - - - - -
-

2.

-
-

Describes how the information security architecture is integrated into and supports the enterprise architecture; and

-
-
-
- - - - - - - -
-

3.

-
-

Describes any information security assumptions about, and dependencies on, external services;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the information security architecture - - pl-8_a - - organization-defined frequency - organization-defined frequency - to reflect updates in the enterprise architecture; and

-
-
-
- - - - - - - -
-

c.

-
-

Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

-
-
-
-
-
-

Supplemental guidance

-

This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs. -In today�s modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. 
PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate/show consistency with the organization�s enterprise architecture and information security architecture.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops an information security architecture for the information system that describes:

-
- - - - - - - -
-

(1)

-
-

the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;

-
-
-
- - - - - - - -
-

(2)

-
-

how the information security architecture is integrated into and supports the enterprise architecture;

-
-
-
- - - - - - - -
-

(3)

-
-

any information security assumptions about, and dependencies on, external services;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the information security architecture;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the information security architecture with the organization-defined frequency to reflect updates in the enterprise architecture;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

ensures that planned information security architecture changes are reflected in:

-
- - - - - - - -
-

[1]

-
-

the security plan;

-
-
-
- - - - - - - -
-

[2]

-
-

the security Concept of Operations (CONOPS); and

-
-
-
- - - - - - - -
-

[3]

-
-

the organizational procurements/acquisitions.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Security planning policy

-

- procedures addressing information security architecture development

-

- procedures addressing information security architecture reviews and updates

-

- enterprise architecture documentation

-

- information security architecture documentation

-

- security plan for the information system

-

- security CONOPS for the information system

-

- records of information security architecture reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security planning and plan implementation responsibilities

-

- organizational personnel with information security architecture development responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for developing, reviewing, and updating the information security architecture

-

- automated mechanisms supporting and/or implementing the development, review, and update of the information security architecture

-
-

References: None -

-
-
-
-

PERSONNEL SECURITY

-
-

- PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES

-
-

- Parameter: - ps-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ps-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ps-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Personnel security policy - - ps-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Personnel security procedures - - ps-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents an personnel security policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the personnel security policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the personnel security policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current personnel security policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current personnel security policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current personnel security procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current personnel security procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with access control responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- PS-2 POSITION RISK DESIGNATION

-
-

- Parameter: - ps-2_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Assigns a risk designation to all organizational positions;

-
-
-
- - - - - - - -
-

b.

-
-

Establishes screening criteria for individuals filling those positions; and

-
-
-
- - - - - - - -
-

c.

-
-

Reviews and updates position risk designations - - ps-2_a - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-

Supplemental guidance

-

Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances).

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

assigns a risk designation to all organizational positions;

-
-
-
- - - - - - - -
-

(b)

-
-

establishes screening criteria for individuals filling those positions;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update position risk designations; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates position risk designations with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing position categorization

-

- appropriate codes of federal regulations

-

- list of risk designations for organizational positions

-

- security plan

-

- records of position risk designation reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for assigning, reviewing, and updating position risk designations

-

- organizational processes for establishing screening criteria

-
-
-

References

-
-

5 C.F.R. 731.106

-
-
-
-
-

- PS-3 PERSONNEL SCREENING

-
-

- Parameter: - ps-3_a organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening

-

- Value: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Screens individuals prior to authorizing access to the information system; and

-
-
-
- - - - - - - -
-

b.

-
-

Rescreens individuals according to - - ps-3_a - - organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening - organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening - .

-
-
-
-
-
-

Supplemental guidance

-

Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

screens individuals prior to authorizing access to the information system;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines conditions requiring re-screening;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the frequency of re-screening where it is so indicated; and

-
-
-
- - - - - - - -
-

[3]

-
-

re-screens individuals in accordance with organization-defined conditions requiring re-screening and, where re-screening is so indicated, with the organization-defined frequency of such re-screening.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel screening

-

- records of screened personnel

-

- security plan

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for personnel screening

-
-
-

References

-
-

5 C.F.R. 731.106

-
-
-

FIPS Publication 199

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-60

-
-
-

NIST Special Publication 800-73

-
-
-

NIST Special Publication 800-76

-
-
-

NIST Special Publication 800-78

-
-
-

ICD 704

-
-
-
-
-

- PS-4 PERSONNEL TERMINATION

-
-

- Parameter: - ps-4_a organization-defined time period

-

- Value: organization-defined time period

-
-
-

- Parameter: - ps-4_b organization-defined information security topics

-

- Value: organization-defined information security topics

-
-
-

- Parameter: - ps-4_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-4_d organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization, upon termination of individual employment:

-
- - - - - - - -
-

a.

-
-

Disables information system access within - - ps-4_a - - organization-defined time period - organization-defined time period - ;

-
-
-
- - - - - - - -
-

b.

-
-

Terminates/revokes any authenticators/credentials associated with the individual;

-
-
-
- - - - - - - -
-

c.

-
-

Conducts exit interviews that include a discussion of - - ps-4_b - - organization-defined information security topics - organization-defined information security topics - ;

-
-
-
- - - - - - - -
-

d.

-
-

Retrieves all security-related organizational information system-related property;

-
-
-
- - - - - - - -
-

e.

-
-

Retains access to organizational information and information systems formerly controlled by terminated individual; and

-
-
-
- - - - - - - -
-

f.

-
-

Notifies - - ps-4_c - - organization-defined personnel or roles - organization-defined personnel or roles - within - - ps-4_d - - organization-defined time period - organization-defined time period - .

-
-
-
-
-
-

Supplemental guidance

-

Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization, upon termination of individual employment,:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a time period within which to disable information system access;

-
-
-
- - - - - - - -
-

[2]

-
-

disables information system access within the organization-defined time period;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

terminates/revokes any authenticators/credentials associated with the individual;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines information security topics to be discussed when conducting exit interviews;

-
-
-
- - - - - - - -
-

[2]

-
-

conducts exit interviews that include a discussion of organization-defined information security topics;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

retrieves all security-related organizational information system-related property;

-
-
-
- - - - - - - -
-

(e)

-
-

retains access to organizational information and information systems formerly controlled by the terminated individual;

-
-
-
- - - - - - - -
-

(f)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified of the termination;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which to notify organization-defined personnel or roles; and

-
-
-
- - - - - - - -
-

[3]

-
-

notifies organization-defined personnel or roles within the organization-defined time period.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel termination

-

- records of personnel termination actions

-

- list of information system accounts

-

- records of terminated or revoked authenticators/credentials

-

- records of exit interviews

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for personnel termination

-

- automated mechanisms supporting and/or implementing personnel termination notifications

-

- automated mechanisms for disabling information system access/revoking authenticators

-
-

References: None -

-
-
-

- PS-5 PERSONNEL TRANSFER

-
-

- Parameter: - ps-5_a organization-defined transfer or reassignment actions

-

- Value: organization-defined transfer or reassignment actions

-
-
-

- Parameter: - ps-5_b organization-defined time period following the formal transfer action

-

- Value: organization-defined time period following the formal transfer action

-
-
-

- Parameter: - ps-5_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-5_d organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;

-
-
-
- - - - - - - -
-

b.

-
-

Initiates - - ps-5_a - - organization-defined transfer or reassignment actions - organization-defined transfer or reassignment actions - within - - ps-5_b - - organization-defined time period following the formal transfer action - organization-defined time period following the formal transfer action - ;

-
-
-
- - - - - - - -
-

c.

-
-

Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

-
-
-
- - - - - - - -
-

d.

-
-

Notifies - - ps-5_c - - organization-defined personnel or roles - organization-defined personnel or roles - within - - ps-5_d - - organization-defined time period - organization-defined time period - .

-
-
-
-
-
-

Supplemental guidance

-

This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current:

-
- - - - - - - -
-

[1]

-
-

logical access authorizations to information systems;

-
-
-
- - - - - - - -
-

[2]

-
-

physical access authorizations to information systems and facilities;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines transfer or reassignment actions to be initiated following transfer or reassignment;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which transfer or reassignment actions must occur following transfer or reassignment;

-
-
-
- - - - - - - -
-

[3]

-
-

initiates organization-defined transfer or reassignment actions within the organization-defined time period following transfer or reassignment;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization; and

-
-
-
- - - - - - - -
-

[3]

-
-

notifies organization-defined personnel or roles within the organization-defined time period when individuals are reassigned or transferred to other positions within the organization.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel transfer

-

- security plan

-

- records of personnel transfer actions

-

- list of information system and facility access authorizations

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities organizational personnel with account management responsibilities

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for personnel transfer

-

- automated mechanisms supporting and/or implementing personnel transfer notifications

-

- automated mechanisms for disabling information system access/revoking authenticators

-
-

References: None -

-
-
-

- PS-6 ACCESS AGREEMENTS

-
-

- Parameter: - ps-6_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ps-6_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops and documents access agreements for organizational information systems;

-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the access agreements - - ps-6_a - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

c.

-
-

Ensures that individuals requiring access to organizational information and information systems:

-
- - - - - - - -
-

1.

-
-

Sign appropriate access agreements prior to being granted access; and

-
-
-
- - - - - - - -
-

2.

-
-

Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or - - ps-6_b - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

develops and documents access agreements for organizational information systems;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the access agreements;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the access agreements with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

(1)

-
-

ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;

-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to re-sign access agreements to maintain access to organizational information systems when access agreements have been updated;

-
-
-
- - - - - - - -
-

[2]

-
-

ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or with the organization-defined frequency.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing access agreements for organizational information and information systems

-

- security plan

-

- access agreements

-

- records of access agreement reviews and updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel who have signed/resigned access agreements

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for access agreements

-

- automated mechanisms supporting access agreements

-
-

References: None -

-
-
-

- PS-7 THIRD-PARTY PERSONNEL SECURITY

-
-

- Parameter: - ps-7_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-7_b organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes personnel security requirements including security roles and responsibilities for third-party providers;

-
-
-
- - - - - - - -
-

b.

-
-

Requires third-party providers to comply with personnel security policies and procedures established by the organization;

-
-
-
- - - - - - - -
-

c.

-
-

Documents personnel security requirements;

-
-
-
- - - - - - - -
-

d.

-
-

Requires third-party providers to notify - - ps-7_a - - organization-defined personnel or roles - organization-defined personnel or roles - of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within - - ps-7_b - - organization-defined time period - organization-defined time period - ; and

-
-
-
- - - - - - - -
-

e.

-
-

Monitors provider compliance.

-
-
-
-
-
-

Supplemental guidance

-

Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

establishes personnel security requirements, including security roles and responsibilities, for third-party providers;

-
-
-
- - - - - - - -
-

(b)

-
-

requires third-party providers to comply with personnel security policies and procedures established by the organization;

-
-
-
- - - - - - - -
-

(c)

-
-

documents personnel security requirements;

-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;

-
-
-
- - - - - - - -
-

[3]

-
-

requires third-party providers to notify organization-defined personnel or roles within the organization-defined time period of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges; and

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

monitors provider compliance.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing third-party personnel security

-

- list of personnel security requirements

-

- acquisition documents

-

- service-level agreements

-

- compliance monitoring process

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- third-party providers

-

- system/network administrators

-

- organizational personnel with account management responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for managing and monitoring third-party personnel security

-

- automated mechanisms supporting and/or implementing monitoring of provider compliance

-
-
-

References

-
-

NIST Special Publication 800-35

-
-
-
-
-

- PS-8 PERSONNEL SANCTIONS

-
-

- Parameter: - ps-8_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ps-8_b organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P3

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and

-
-
-
- - - - - - - -
-

b.

-
-

Notifies - - ps-8_a - - organization-defined personnel or roles - organization-defined personnel or roles - within - - ps-8_b - - organization-defined time period - organization-defined time period - when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

-
-
-
-
-
-

Supplemental guidance

-

Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

employs a formal sanctions process for individuals failing to comply with established information security policies and procedures;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to be notified when a formal employee sanctions process is initiated;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated; and

-
-
-
- - - - - - - -
-

[3]

-
-

notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Personnel security policy

-

- procedures addressing personnel sanctions

-

- rules of behavior

-

- records of formal sanctions

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with personnel security responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for managing personnel sanctions

-

- automated mechanisms supporting and/or implementing notifications

-
-

References: None -

-
-
-
-

RISK ASSESSMENT

-
-

- RA-1 RISK ASSESSMENT POLICY AND PROCEDURES

-
-

- Parameter: - ra-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ra-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ra-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - ra-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

Risk assessment policy - - ra-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

Risk assessment procedures - - ra-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a risk assessment policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the risk assessment policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the risk assessment policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current risk assessment policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current risk assessment policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current risk assessment procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current risk assessment procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- risk assessment policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with risk assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-30

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- RA-2 SECURITY CATEGORIZATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

-
-
-
- - - - - - - -
-

b.

-
-

Documents the security categorization results (including supporting rationale) in the security plan for the information system; and

-
-
-
- - - - - - - -
-

c.

-
-

Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

-
-
-
-
-
-

Supplemental guidance

-

Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

-
-
-
- - - - - - - -
-

(b)

-
-

documents the security categorization results (including supporting rationale) in the security plan for the information system; and

-
-
-
- - - - - - - -
-

(c)

-
-

ensures the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Risk assessment policy

-

- security planning policy and procedures

-

- procedures addressing security categorization of organizational information and information systems

-

- security plan

-

- security categorization documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security categorization and risk assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for security categorization

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-30

-
-
-

NIST Special Publication 800-39

-
-
-

NIST Special Publication 800-60

-
-
-
-
-

- RA-3 RISK ASSESSMENT

-
-

- Parameter: - ra-3_a organization-defined document

-

- Value: organization-defined document

-
-
-

- Parameter: - ra-3_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - ra-3_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - ra-3_d organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;

-
-
-
- - - - - - - -
-

b.

-
-

Documents risk assessment results in [Selection: security plan; risk assessment report; - - ra-3_a - - organization-defined document - organization-defined document - ];

-
-
-
- - - - - - - -
-

c.

-
-

Reviews risk assessment results - - ra-3_b - - organization-defined frequency - organization-defined frequency - ;

-
-
-
- - - - - - - -
-

d.

-
-

Disseminates risk assessment results to - - ra-3_c - - organization-defined personnel or roles - organization-defined personnel or roles - ; and

-
-
-
- - - - - - - -
-

e.

-
-

Updates the risk assessment - - ra-3_d - - organization-defined frequency - organization-defined frequency - or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

-
-
-
-
-
-

Supplemental guidance

-

Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. -Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of:

-
- - - - - - - -
-

[1]

-
-

the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

the information the system processes, stores, or transmits;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report);

-
-
-
- - - - - - - -
-

[2]

-
-

documents risk assessment results in one of the following:

-
- - - - - - - -
-

[a]

-
-

the security plan;

-
-
-
- - - - - - - -
-

[b]

-
-

the risk assessment report; or

-
-
-
- - - - - - - -
-

[c]

-
-

the organization-defined document;

-
-
-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review risk assessment results;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews risk assessment results with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom risk assessment results are to be disseminated;

-
-
-
- - - - - - - -
-

[2]

-
-

disseminates risk assessment results to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to update the risk assessment;

-
-
-
- - - - - - - -
-

[2]

-
-

updates the risk assessment:

-
- - - - - - - -
-

[a]

-
-

with the organization-defined frequency;

-
-
-
- - - - - - - -
-

[b]

-
-

whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); and

-
-
-
- - - - - - - -
-

[c]

-
-

whenever there are other conditions that may impact the security state of the system.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Risk assessment policy

-

- security planning policy and procedures

-

- procedures addressing organizational assessments of risk

-

- security plan

-

- risk assessment

-

- risk assessment results

-

- risk assessment reviews

-

- risk assessment updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with risk assessment responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for risk assessment

-

- automated mechanisms supporting and/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment

-
-
-

References

-
-

OMB Memorandum 04-04

-
-
-

NIST Special Publication 800-30

-
-
-

NIST Special Publication 800-39

-
-
-

http://idmanagement.gov

-
-
-
-
-

- RA-5 VULNERABILITY SCANNING

-
-

- Parameter: - ra-5_a organization-defined frequency and/or randomly in accordance with organization-defined process

-

- Value: organization-defined frequency and/or randomly in accordance with organization-defined process

-
-
-

- Parameter: - ra-5_b organization-defined response times

-

- Value: organization-defined response times

-
-
-

- Parameter: - ra-5_c organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Scans for vulnerabilities in the information system and hosted applications - - ra-5_a - - organization-defined frequency and/or randomly in accordance with organization-defined process - organization-defined frequency and/or randomly in accordance with organization-defined process - and when new vulnerabilities potentially affecting the system/applications are identified and reported;

-
-
-
- - - - - - - -
-

b.

-
-

Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

-
- - - - - - - -
-

1.

-
-

Enumerating platforms, software flaws, and improper configurations;

-
-
-
- - - - - - - -
-

2.

-
-

Formatting checklists and test procedures; and

-
-
-
- - - - - - - -
-

3.

-
-

Measuring vulnerability impact;

-
-
-
-
-
- - - - - - - -
-

c.

-
-

Analyzes vulnerability scan reports and results from security control assessments;

-
-
-
- - - - - - - -
-

d.

-
-

Remediates legitimate vulnerabilities [Assignment: ra-5_b — organization-defined response times] in accordance with an organizational assessment of risk; and

-
-
-
- - - - - - - -
-

e.

-
-

Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: ra-5_c — organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

-
-
-
-
-
-

Supplemental guidance

-

Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

- - - - - - - - -
-
-

- RA-5 (1) UPDATE TOOL CAPABILITY

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

-
-
-
-

Supplemental guidance

-

The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

-
-
-
-

Assessment: EXAMINE

-

- Procedures addressing vulnerability scanning

-

- security plan

-

- security assessment report

-

- vulnerability scanning tools and associated configuration documentation

-

- vulnerability scanning results

-

- patch and vulnerability management records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with vulnerability scanning responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for vulnerability scanning

-

- automated mechanisms/tools supporting and/or implementing vulnerability scanning

-
-

References: None

-
-
-

- RA-5 (2) UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED

-
-

- Parameter: - ra-5_d organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: ra-5_d — organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines the frequency to update the information system vulnerabilities scanned;

-
-
-
- - - - - - - -
-

[2]

-
-

updates the information system vulnerabilities scanned one or more of the following:

-
- - - - - - - -
-

[a]

-
-

with the organization-defined frequency;

-
-
-
- - - - - - - -
-

[b]

-
-

prior to a new scan; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

when new vulnerabilities are identified and reported.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Procedures addressing vulnerability scanning

-

- security plan

-

- security assessment report

-

- vulnerability scanning tools and associated configuration documentation

-

- vulnerability scanning results

-

- patch and vulnerability management records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with vulnerability scanning responsibilities

-

- organizational personnel with vulnerability scan analysis responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for vulnerability scanning

-

- automated mechanisms/tools supporting and/or implementing vulnerability scanning

-
-

References: None

-
-
-

- RA-5 (5) PRIVILEGED ACCESS

-
-

- Parameter: - ra-5_f organization-identified information system components

-

- Value: organization-identified information system components

-
-
-

- Parameter: - ra-5_g organization-defined vulnerability scanning activities

-

- Value: organization-defined vulnerability scanning activities

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements privileged access authorization to [Assignment: ra-5_f — organization-identified information system components] for selected [Assignment: ra-5_g — organization-defined vulnerability scanning activities].

-
-
-
-

Supplemental guidance

-

In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines information system components to which privileged access is authorized for selected vulnerability scanning activities;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines vulnerability scanning activities selected for privileged access authorization to organization-defined information system components; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system implements privileged access authorization to organization-defined information system components for selected organization-defined vulnerability scanning activities.

-
-
-
-
-
-

Assessment: EXAMINE

-

- Risk assessment policy

-

- procedures addressing vulnerability scanning

-

- security plan

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of information system components for vulnerability scanning

-

- personnel access authorization list

-

- authorization credentials

-

- access authorization records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with vulnerability scanning responsibilities

-

- system/network administrators

-

- organizational personnel responsible for access control to the information system

-

- organizational personnel responsible for configuration management of the information system

-

- system developers

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for vulnerability scanning

-

- organizational processes for access control

-

- automated mechanisms supporting and/or implementing access control

-

- automated mechanisms/tools supporting and/or implementing vulnerability scanning

-
-

References: None

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines the frequency for conducting vulnerability scans on the information system and hosted applications; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

defines the process for conducting random vulnerability scans on the information system and hosted applications;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

in accordance with the organization-defined frequency and/or organization-defined process for conducting random scans, scans for vulnerabilities in:

-
- - - - - - - -
-

[a]

-
-

the information system;

-
-
-
- - - - - - - -
-

[b]

-
-

hosted applications;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

when new vulnerabilities potentially affecting the system/applications are identified and reported, scans for vulnerabilities in:

-
- - - - - - - -
-

[a]

-
-

the information system;

-
-
-
- - - - - - - -
-

[b]

-
-

hosted applications;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-

employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

enumerating platforms;

-
-
-
- - - - - - - -
-

[2]

-
-

enumerating software flaws;

-
-
-
- - - - - - - -
-

[3]

-
-

enumerating improper configurations;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[1]

-
-

formatting checklists;

-
-
-
- - - - - - - -
-

[2]

-
-

formatting test procedures;

-
-
-
-
-
- - - - - - - -
-

(3)

-
-

measuring vulnerability impact;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

analyzes vulnerability scan reports;

-
-
-
- - - - - - - -
-

[2]

-
-

analyzes results from security control assessments;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;

-
-
-
- - - - - - - -
-

[2]

-
-

remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared;

-
-
-
- - - - - - - -
-

[2]

-
-

shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies); and

-
-
-
- - - - - - - -
-

[3]

-
-

shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Risk assessment policy

-

- procedures addressing vulnerability scanning

-

- risk assessment

-

- security plan

-

- security assessment report

-

- vulnerability scanning tools and associated configuration documentation

-

- vulnerability scanning results

-

- patch and vulnerability management records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with risk assessment, security control assessment and vulnerability scanning responsibilities

-

- organizational personnel with vulnerability scan analysis responsibilities

-

- organizational personnel with vulnerability remediation responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for vulnerability scanning, analysis, remediation, and information sharing

-

- automated mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing

-
-
-

References

-
-

NIST Special Publication 800-40

-
-
-

NIST Special Publication 800-70

-
-
-

NIST Special Publication 800-115

-
-
-

http://cwe.mitre.org

-
-
-

http://nvd.nist.gov

-
-
-
-
-
-

SYSTEM AND SERVICES ACQUISITION

-
-

- SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES

-
-

- Parameter: - sa-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - sa-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - sa-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to [Assignment: sa-1_a — organization-defined personnel or roles]:

-
- - - - - - - -
-

1.

-
-

A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

System and services acquisition policy [Assignment: sa-1_b — organization-defined frequency]; and

-
-
-
- - - - - - - -
-

2.

-
-

System and services acquisition procedures [Assignment: sa-1_c — organization-defined frequency].

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a system and services acquisition policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the system and services acquisition policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the system and services acquisition policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and services acquisition policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and services acquisition policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and services acquisition procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and services acquisition procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- SA-2 ALLOCATION OF RESOURCES

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Determines information security requirements for the information system or information system service in mission/business process planning;

-
-
-
- - - - - - - -
-

b.

-
-

Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and

-
-
-
- - - - - - - -
-

c.

-
-

Establishes a discrete line item for information security in organizational programming and budgeting documentation.

-
-
-
-
-
-

Supplemental guidance

-

Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

determines information security requirements for the information system or information system service in mission/business process planning;

-
-
-
- - - - - - - -
-

(b)

-
-

to protect the information system or information system service as part of its capital planning and investment control process:

-
- - - - - - - -
-

[1]

-
-

determines the resources required;

-
-
-
- - - - - - - -
-

[2]

-
-

documents the resources required;

-
-
-
- - - - - - - -
-

[3]

-
-

allocates the resources required; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

establishes a discrete line item for information security in organizational programming and budgeting documentation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the allocation of resources to information security requirements

-

- procedures addressing capital planning and investment control

-

- organizational programming and budgeting documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with capital planning, investment control, organizational programming and budgeting responsibilities

-

- organizational personnel responsible for determining information security requirements for information systems/services

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for determining information security requirements

-

- organizational processes for capital planning, programming, and budgeting

-

- automated mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting

-
-
-

References

-
-

NIST Special Publication 800-65

-
-
-
-
-

- SA-3 SYSTEM DEVELOPMENT LIFE CYCLE

-
-

- Parameter: - sa-3_a organization-defined system development life cycle

-

- Value: organization-defined system development life cycle

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Manages the information system using [Assignment: sa-3_a — organization-defined system development life cycle] that incorporates information security considerations;

-
-
-
- - - - - - - -
-

b.

-
-

Defines and documents information security roles and responsibilities throughout the system development life cycle;

-
-
-
- - - - - - - -
-

c.

-
-

Identifies individuals having information security roles and responsibilities; and

-
-
-
- - - - - - - -
-

d.

-
-

Integrates the organizational information security risk management process into system development life cycle activities.

-
-
-
-
-
-

Supplemental guidance

-

A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines a system development life cycle that incorporates information security considerations to be used to manage the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

manages the information system using the organization-defined system development life cycle;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

defines and documents information security roles and responsibilities throughout the system development life cycle;

-
-
-
- - - - - - - -
-

(c)

-
-

identifies individuals having information security roles and responsibilities; and

-
-
-
- - - - - - - -
-

(d)

-
-

integrates the organizational information security risk management process into system development life cycle activities.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security into the system development life cycle process

-

- information system development life cycle documentation

-

- information security risk management strategy/program documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with information security and system life cycle development responsibilities

-

- organizational personnel with information security risk management responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for defining and documenting the SDLC

-

- organizational processes for identifying SDLC roles and responsibilities

-

- organizational process for integrating information security risk management into the SDLC

-

- automated mechanisms supporting and/or implementing the SDLC

-
-
-

References

-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-64

-
-
-
-
-

- SA-4 ACQUISITION PROCESS

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

-
- - - - - - - -
-

a.

-
-

Security functional requirements;

-
-
-
- - - - - - - -
-

b.

-
-

Security strength requirements;

-
-
-
- - - - - - - -
-

c.

-
-

Security assurance requirements;

-
-
-
- - - - - - - -
-

d.

-
-

Security-related documentation requirements;

-
-
-
- - - - - - - -
-

e.

-
-

Requirements for protecting security-related documentation;

-
-
-
- - - - - - - -
-

f.

-
-

Description of the information system development environment and environment in which the system is intended to operate; and

-
-
-
- - - - - - - -
-

g.

-
-

Acceptance criteria.

-
-
-
-
-
-

Supplemental guidance

-

Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA.

- - - - - - - - -
-
-

- SA-4 (1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

-
-
-
-

Supplemental guidance

-

Functional properties of security controls describe the functionality (i.e., security capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.

- -
-
-

Objective

- - - - - - -
- -

Determine if the organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- solicitation documents

-

- acquisition documentation

-

- acquisition contracts for the information system, system component, or information system services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security functional requirements

-

- information system developer or service provider

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for determining information system security functional requirements

-

- organizational processes for developing acquisition contracts

-

- automated mechanisms supporting and/or implementing acquisitions and inclusion of security requirements in contracts

-
-

References: None

-
-
-

- SA-4 (2) DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS

-
-

- Parameter: - sa-4_a organization-defined design/implementation information

-

- Value: organization-defined design/implementation information

-
-
-

- Parameter: - sa-4_b organization-defined level of detail

-

- Value: organization-defined level of detail

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: sa-4_a — organization-defined design/implementation information]] at [Assignment: sa-4_b — organization-defined level of detail].

-
-
-
-

Supplemental guidance

-

Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines level of detail that the developer is required to provide in design and implementation information for the security controls to be employed in the information system, system component, or information system service;

-
-
-
- - - - - - - -
-

[2]

-
-

defines design/implementation information that the developer is to provide for the security controls to be employed (if selected);

-
-
-
- - - - - - - -
-

[3]

-
-

requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes, at the organization-defined level of detail, one or more of the following:

-
- - - - - - - -
-

[a]

-
-

security-relevant external system interfaces;

-
-
-
- - - - - - - -
-

[b]

-
-

high-level design;

-
-
-
- - - - - - - -
-

[c]

-
-

low-level design;

-
-
-
- - - - - - - -
-

[d]

-
-

source code;

-
-
-
- - - - - - - -
-

[e]

-
-

hardware schematics; and/or

-
-
-
- - - - - - - -
-

[f]

-
-

organization-defined design/implementation information.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- solicitation documents

-

- acquisition documentation

-

- acquisition contracts for the information system, system components, or information system services

-

- design and implementation information for security controls employed in the information system, system component, or information system service

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- information system developer or service provider

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for determining level of detail for system design and security controls

-

- organizational processes for developing acquisition contracts

-

- automated mechanisms supporting and/or implementing development of system design details

-
-

References: None -

-
-
-

- SA-4 (9) FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

-
-
-
-

Supplemental guidance

-

The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design phases) allows organizations to influence the design of the information system, information system component, or information system service. This early involvement in the life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services (or when requiring information system service providers to do so). Early identification of functions, ports, protocols, and services avoids costly retrofitting of security controls after the information system, system component, or information system service has been implemented. SA-9 describes requirements for external information system services with organizations identifying which functions, ports, protocols, and services are provided from external sources.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle:

-
- - - - - - - -
-

[1]

-
-

the functions intended for organizational use;

-
-
-
- - - - - - - -
-

[2]

-
-

the ports intended for organizational use;

-
-
-
- - - - - - - -
-

[3]

-
-

the protocols intended for organizational use; and

-
-
-
- - - - - - - -
-

[4]

-
-

the services intended for organizational use.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- information system design documentation

-

- information system documentation including functions, ports, protocols, and services intended for organizational use

-

- acquisition contracts for information systems or services

-

- acquisition documentation

-

- solicitation documentation

-

- service-level agreements

-

- organizational security requirements, descriptions, and criteria for developers of information systems, system components, and information system services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- system/network administrators

-

- organizational personnel operating, using, and/or maintaining the information system

-

- information system developers

-

- organizational personnel with information security responsibilities

-
-

References: None -

-
-
-

- SA-4 (10) USE OF APPROVED PIV PRODUCTS

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

-
-
-
-

Supplemental guidance

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- solicitation documentation

-

- acquisition documentation

-

- acquisition contracts for the information system, system component, or information system service

-

- service-level agreements

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- organizational personnel with responsibility for ensuring only FIPS 201-approved products are implemented

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for selecting and employing FIPS 201-approved products

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

-
- - - - - - - -
-

(a)

-
-

security functional requirements;

-
-
-
- - - - - - - -
-

(b)

-
-

security strength requirements;

-
-
-
- - - - - - - -
-

(c)

-
-

security assurance requirements;

-
-
-
- - - - - - - -
-

(d)

-
-

security-related documentation requirements;

-
-
-
- - - - - - - -
-

(e)

-
-

requirements for protecting security-related documentation;

-
-
-
- - - - - - - -
-

(f)

-
-

description of:

-
- - - - - - - -
-

[1]

-
-

the information system development environment;

-
-
-
- - - - - - - -
-

[2]

-
-

the environment in which the system is intended to operate; and

-
-
-
-
-
- - - - - - - -
-

(g)

-
-

acceptance criteria.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

-

- acquisition contracts for the information system, system component, or information system service

-

- information system design documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security functional, strength, and assurance requirements

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for determining information system security functional, strength, and assurance requirements

-

- organizational processes for developing acquisition contracts

-

- automated mechanisms supporting and/or implementing acquisitions and inclusion of security requirements in contracts

-
-
-

References

-
-

HSPD-12

-
-
-

ISO/IEC 15408

-
-
-

FIPS Publication 140-2

-
-
-

FIPS Publication 201

-
-
-

NIST Special Publication 800-23

-
-
-

NIST Special Publication 800-35

-
-
-

NIST Special Publication 800-36

-
-
-

NIST Special Publication 800-37

-
-
-

NIST Special Publication 800-64

-
-
-

NIST Special Publication 800-70

-
-
-

NIST Special Publication 800-137

-
-
-

Federal Acquisition Regulation

-
-
-

http://www.niap-ccevs.org

-
-
-

http://fips201ep.cio.gov

-
-
-

http://www.acquisition.gov/far

-
-
-
-
-

- SA-5 INFORMATION SYSTEM DOCUMENTATION

-
-

- Parameter: - sa-5_a organization-defined actions

-

- Value: organization-defined actions

-
-
-

- Parameter: - sa-5_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Obtains administrator documentation for the information system, system component, or information system service that describes:

-
- - - - - - - -
-

1.

-
-

Secure configuration, installation, and operation of the system, component, or service;

-
-
-
- - - - - - - -
-

2.

-
-

Effective use and maintenance of security functions/mechanisms; and

-
-
-
- - - - - - - -
-

3.

-
-

Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Obtains user documentation for the information system, system component, or information system service that describes:

-
- - - - - - - -
-

1.

-
-

User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;

-
-
-
- - - - - - - -
-

2.

-
-

Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and

-
-
-
- - - - - - - -
-

3.

-
-

User responsibilities in maintaining the security of the system, component, or service;

-
-
-
-
-
- - - - - - - -
-

c.

-
-

Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes - - sa-5_a - - organization-defined actions - organization-defined actions - in response;

-
-
-
- - - - - - - -
-

d.

-
-

Protects documentation as required, in accordance with the risk management strategy; and

-
-
-
- - - - - - - -
-

e.

-
-

Distributes documentation to - - sa-5_b - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-
-
-

Supplemental guidance

-

This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation.

- - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

obtains administrator documentation for the information system, system component, or information system service that describes:

-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

secure configuration of the system, system component, or service;

-
-
-
- - - - - - - -
-

[2]

-
-

secure installation of the system, system component, or service;

-
-
-
- - - - - - - -
-

[3]

-
-

secure operation of the system, system component, or service;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-
- - - - - - - -
-

[1]

-
-

effective use of the security features/mechanisms;

-
-
-
- - - - - - - -
-

[2]

-
-

effective maintenance of the security features/mechanisms;

-
-
-
-
-
- - - - - - - -
-

(3)

-
-

known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

obtains user documentation for the information system, system component, or information system service that describes:

-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

user-accessible security functions/mechanisms;

-
-
-
- - - - - - - -
-

[2]

-
-

how to effectively use those functions/mechanisms;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-

methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner;

-
-
-
- - - - - - - -
-

(3)

-
-

user responsibilities in maintaining the security of the system, component, or service;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines actions to be taken after documented attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;

-
-
-
- - - - - - - -
-

[2]

-
-

documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;

-
-
-
- - - - - - - -
-

[3]

-
-

takes organization-defined actions in response;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

protects documentation as required, in accordance with the risk management strategy;

-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom documentation is to be distributed; and

-
-
-
- - - - - - - -
-

[2]

-
-

distributes documentation to organization-defined personnel or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing information system documentation

-

- information system documentation including administrator and user guides

-

- records documenting attempts to obtain unavailable or nonexistent information system documentation

-

- list of actions to be taken in response to documented attempts to obtain information system, system component, or information system service documentation

-

- risk management strategy documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- system administrators

-

- organizational personnel operating, using, and/or maintaining the information system

-

- information system developers

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for obtaining, protecting, and distributing information system administrator and user documentation

-
-

References: None -

-
-
-

- SA-8 SECURITY ENGINEERING PRINCIPLES

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

-
-
-
-

Supplemental guidance

-

Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization applies information system security engineering principles in:

-
- - - - - - - -
-

[1]

-
-

the specification of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

the design of the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

the development of the information system;

-
-
-
- - - - - - - -
-

[4]

-
-

the implementation of the information system; and

-
-
-
- - - - - - - -
-

[5]

-
-

the modification of the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing security engineering principles used in the specification, design, development, implementation, and modification of the information system

-

- information system design documentation

-

- information security requirements and specifications for the information system

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with acquisition/contracting responsibilities

-

- organizational personnel with responsibility for determining information system security requirements

-

- organizational personnel with information system specification, design, development, implementation, and modification responsibilities

-

- information system developers

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for applying security engineering principles in information system specification, design, development, implementation, and modification

-

- automated mechanisms supporting the application of security engineering principles in information system specification, design, development, implementation, and modification

-
-
-

References

-
-

NIST Special Publication 800-27

-
-
-
-
-

- SA-9 EXTERNAL INFORMATION SYSTEM SERVICES

-
-

- Parameter: - sa-9_a organization-defined security controls

-

- Value: organization-defined security controls

-
-
-

- Parameter: - sa-9_b organization-defined processes, methods, and techniques

-

- Value: organization-defined processes, methods, and techniques

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Requires that providers of external information system services comply with organizational information security requirements and employ - - sa-9_a - - organization-defined security controls - organization-defined security controls - in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

-
-
-
- - - - - - - -
-

b.

-
-

Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and

-
-
-
- - - - - - - -
-

c.

-
-

Employs - - sa-9_b - - organization-defined processes, methods, and techniques - organization-defined processes, methods, and techniques - to monitor security control compliance by external service providers on an ongoing basis.

-
-
-
-
-
-

Supplemental guidance

-

External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

- - - -
-
-

- SA-9 (2) IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES

-
-

- Parameter: - sa-9_d organization-defined external information system services

-

- Value: organization-defined external information system services

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires providers of - - sa-9_d - - organization-defined external information system services - organization-defined external information system services - to identify the functions, ports, protocols, and other services required for the use of such services.

-
-
-
-

Supplemental guidance

-

Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions/services or blocking certain ports/protocols.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines external information system services for which providers of such services are to identify the functions, ports, protocols, and other services required for the use of such services;

-
-
-
- - - - - - - -
-

[2]

-
-

requires providers of organization-defined external information system services to identify:

-
- - - - - - - -
-

[a]

-
-

the functions required for the use of such services;

-
-
-
- - - - - - - -
-

[b]

-
-

the ports required for the use of such services;

-
-
-
- - - - - - - -
-

[c]

-
-

the protocols required for the use of such services; and

-
-
-
- - - - - - - -
-

[d]

-
-

the other services required for the use of such services.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing external information system services

-

- acquisition contracts for the information system, system component, or information system service

-

- acquisition documentation

-

- solicitation documentation, service-level agreements

-

- organizational security requirements and security specifications for external service providers

-

- list of required functions, ports, protocols, and other services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- external providers of information system services

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines security controls to be employed by providers of external information system services;

-
-
-
- - - - - - - -
-

[2]

-
-

requires that providers of external information system services comply with organizational information security requirements;

-
-
-
- - - - - - - -
-

[3]

-
-

requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines and documents government oversight with regard to external information system services;

-
-
-
- - - - - - - -
-

[2]

-
-

defines and documents user roles and responsibilities with regard to external information system services;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing external information system services

-

- procedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services

-

- acquisition contracts, service-level agreements

-

- organizational security requirements and security specifications for external provider services

-

- security control assessment evidence from external providers of information system services

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- external providers of information system services

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring security control compliance by external service providers on an ongoing basis

-

- automated mechanisms for monitoring security control compliance by external service providers on an ongoing basis

-
-
-

References

-
-

NIST Special Publication 800-35

-
-
-
-
-

- SA-10 DEVELOPER CONFIGURATION MANAGEMENT

-
-

- Parameter: - sa-10_a organization-defined configuration items under configuration management

-

- Value: organization-defined configuration items under configuration management

-
-
-

- Parameter: - sa-10_b organization-defined personnel

-

- Value: organization-defined personnel

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to:

-
- - - - - - - -
-

a.

-
-

Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];

-
-
-
- - - - - - - -
-

b.

-
-

Document, manage, and control the integrity of changes to - - sa-10_a - - organization-defined configuration items under configuration management - organization-defined configuration items under configuration management - ;

-
-
-
- - - - - - - -
-

c.

-
-

Implement only organization-approved changes to the system, component, or service;

-
-
-
- - - - - - - -
-

d.

-
-

Document approved changes to the system, component, or service and the potential security impacts of such changes; and

-
-
-
- - - - - - - -
-

e.

-
-

Track security flaws and flaw resolution within the system, component, or service and report findings to - - sa-10_b - - organization-defined personnel - organization-defined personnel - .

-
-
-
-
-
-

Supplemental guidance

-

This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following:

-
- - - - - - - -
-

[1]

-
-

system, component, or service design;

-
-
-
- - - - - - - -
-

[2]

-
-

system, component, or service development;

-
-
-
- - - - - - - -
-

[3]

-
-

system, component, or service implementation; and/or

-
-
-
- - - - - - - -
-

[4]

-
-

system, component, or service operation;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines configuration items to be placed under configuration management;

-
-
-
- - - - - - - -
-

[2]

-
-

requires the developer of the information system, system component, or information system service to:

-
- - - - - - - -
-

[a]

-
-

document the integrity of changes to organization-defined items under configuration management;

-
-
-
- - - - - - - -
-

[b]

-
-

manage the integrity of changes to organization-defined items under configuration management;

-
-
-
- - - - - - - -
-

[c]

-
-

control the integrity of changes to organization-defined items under configuration management;

-
-
-
-
-
-
-
- - - - - - - -
-

(c)

-
-

requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service;

-
-
-
- - - - - - - -
-

(d)

-
-

requires the developer of the information system, system component, or information system service to document:

-
- - - - - - - -
-

[1]

-
-

approved changes to the system, component, or service;

-
-
-
- - - - - - - -
-

[2]

-
-

the potential security impacts of such changes;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel to whom findings, resulting from security flaws and flaw resolution tracked within the system, component, or service, are to be reported;

-
-
-
- - - - - - - -
-

[2]

-
-

requires the developer of the information system, system component, or information system service to:

-
- - - - - - - -
-

[a]

-
-

track security flaws within the system, component, or service;

-
-
-
- - - - - - - -
-

[b]

-
-

track security flaw resolution within the system, component, or service; and

-
-
-
- - - - - - - -
-

[c]

-
-

report findings to organization-defined personnel.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing system developer configuration management

-

- solicitation documentation

-

- acquisition documentation

-

- service-level agreements

-

- acquisition contracts for the information system, system component, or information system service

-

- system developer configuration management plan

-

- security flaw and flaw resolution tracking records

-

- system change authorization records

-

- change control records

-

- configuration management records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with configuration management responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring developer configuration management

-

- automated mechanisms supporting and/or implementing the monitoring of developer configuration management

-
-
-

References

-
-

NIST Special Publication 800-128

-
-
-
-
-

- SA-11 DEVELOPER SECURITY TESTING AND EVALUATION

-
-

- Parameter: - sa-11_a organization-defined depth and coverage

-

- Value: organization-defined depth and coverage

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization requires the developer of the information system, system component, or information system service to:

-
- - - - - - - -
-

a.

-
-

Create and implement a security assessment plan;

-
-
-
- - - - - - - -
-

b.

-
-

Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at - - sa-11_a - - organization-defined depth and coverage - organization-defined depth and coverage - ;

-
-
-
- - - - - - - -
-

c.

-
-

Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;

-
-
-
- - - - - - - -
-

d.

-
-

Implement a verifiable flaw remediation process; and

-
-
-
- - - - - - - -
-

e.

-
-

Correct flaws identified during security testing/evaluation.

-
-
-
-
-
-

Supplemental guidance

-

Developmental security testing/evaluation occurs at all post-design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. 
Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

requires the developer of the information system, system component, or information system service to create and implement a security plan;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

defines the depth of testing/evaluation to be performed by the developer of the information system, system component, or information system service;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the coverage of testing/evaluation to be performed by the developer of the information system, system component, or information system service;

-
-
-
- - - - - - - -
-

[3]

-
-

requires the developer of the information system, system component, or information system service to perform one or more of the following testing/evaluation at the organization-defined depth and coverage:

-
- - - - - - - -
-

[a]

-
-

unit testing/evaluation;

-
-
-
- - - - - - - -
-

[b]

-
-

integration testing/evaluation;

-
-
-
- - - - - - - -
-

[c]

-
-

system testing/evaluation; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

regression testing/evaluation;

-
-
-
-
-
-
-
- - - - - - - -
-

(c)

-
-

requires the developer of the information system, system component, or information system service to produce evidence of:

-
- - - - - - - -
-

[1]

-
-

the execution of the security assessment plan;

-
-
-
- - - - - - - -
-

[2]

-
-

the results of the security testing/evaluation;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process; and

-
-
-
- - - - - - - -
-

(e)

-
-

requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and services acquisition policy

-

- procedures addressing system developer security testing

-

- procedures addressing flaw remediation

-

- solicitation documentation

-

- acquisition documentation

-

- service-level agreements

-

- acquisition contracts for the information system, system component, or information system service

-

- system developer security test plans

-

- records of developer security testing results for the information system, system component, or information system service

-

- security flaw and remediation tracking records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and services acquisition responsibilities

-

- organizational personnel with information security responsibilities

-

- organizational personnel with developer security testing responsibilities

-

- system developers

-
-
-

Assessment: TEST

-

- Organizational processes for monitoring developer security testing and evaluation

-

- automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation

-
-
-

References

-
-

ISO/IEC 15408

-
-
-

NIST Special Publication 800-53A

-
-
-

http://nvd.nist.gov

-
-
-

http://cwe.mitre.org

-
-
-

http://cve.mitre.org

-
-
-

http://capec.mitre.org

-
-
-
-
-
-

SYSTEM AND COMMUNICATIONS PROTECTION

-
-

- SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES

-
-

- Parameter: - sc-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - sc-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - sc-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to - - sc-1_a - - organization-defined personnel or roles - organization-defined personnel or roles - :

-
- - - - - - - -
-

1.

-
-

A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

System and communications protection policy - - sc-1_b - - organization-defined frequency - organization-defined frequency - ; and

-
-
-
- - - - - - - -
-

2.

-
-

System and communications protection procedures - - sc-1_c - - organization-defined frequency - organization-defined frequency - .

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a system and communications protection policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the system and communications protection policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the system and communications protection policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and communications protection policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and communications protection policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and communications protection procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and communications protection procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and communications protection responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- SC-2 APPLICATION PARTITIONING

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system separates user functionality (including user interface services) from information system management functionality.

-
-
-
-

Supplemental guidance

-

Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.

- - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system separates user functionality (including user interface services) from information system management functionality.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing application partitioning

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Separation of user functionality from information system management functionality

-
-

References: None -

-
-
-

- SC-4 INFORMATION IN SHARED RESOURCES

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system prevents unauthorized and unintended information transfer via shared system resources.

-
-
-
-

Supplemental guidance

-

This control prevents information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users/roles.

- - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system prevents unauthorized and unintended information transfer via shared system resources.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing information protection in shared system resources

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms preventing unauthorized and unintended transfer of information via shared system resources

-
-

References: None -

-
-
-

- SC-5 DENIAL OF SERVICE PROTECTION

-
-

- Parameter: - sc-5_a organization-defined types of denial of service attacks or references to sources for such information

-

- Value: organization-defined types of denial of service attacks or references to sources for such information

-
-
-

- Parameter: - sc-5_b organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects against or limits the effects of the following types of denial of service attacks: - - sc-5_a - - organization-defined types of denial of service attacks or references to sources for such information - organization-defined types of denial of service attacks or references to sources for such information - by employing - - sc-5_b - - organization-defined security safeguards - organization-defined security safeguards - .

-
-
-
-

Supplemental guidance

-

A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines types of denial of service attacks or reference to source of such information for the information system to protect against or limit the effects;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines security safeguards to be employed by the information system to protect against or limit the effects of organization-defined types of denial of service attacks; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system protects against or limits the effects of the organization-defined denial or service attacks (or reference to source for such information) by employing organization-defined security safeguards.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing denial of service protection

-

- information system design documentation

-

- security plan

-

- list of denial of services attacks requiring employment of security safeguards to protect against or limit effects of such attacks

-

- list of security safeguards protecting against or limiting the effects of denial of service attacks

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with incident response responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms protecting against or limiting the effects of denial of service attacks

-
-

References: None -

-
-
-

- SC-7 BOUNDARY PROTECTION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;

-
-
-
- - - - - - - -
-

b.

-
-

Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and

-
-
-
- - - - - - - -
-

c.

-
-

Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

-
-
-
-
-
-

Supplemental guidance

-

Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.

- - - - - - - - - -
-
-

- SC-7 (3) ACCESS POINTS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization limits the number of external network connections to the information system.

-
-
-
-

Supplemental guidance

-

Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization limits the number of external network connections to the information system.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- information system design documentation

-

- boundary protection hardware and software

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- communications and network traffic monitoring logs

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing boundary protection capability

-

- automated mechanisms limiting the number of external network connections to the information system

-
-

References: None -

-
-
-

- SC-7 (4) EXTERNAL TELECOMMUNICATIONS SERVICES

-
-

- Parameter: - sc-7_a organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

(a)

-
-

Implements a managed interface for each external telecommunication service;

-
-
-
- - - - - - - -
-

(b)

-
-

Establishes a traffic flow policy for each managed interface;

-
-
-
- - - - - - - -
-

(c)

-
-

Protects the confidentiality and integrity of the information being transmitted across each interface;

-
-
-
- - - - - - - -
-

(d)

-
-

Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and

-
-
-
- - - - - - - -
-

(e)

-
-

Reviews exceptions to the traffic flow policy - - sc-7_a - - organization-defined frequency - organization-defined frequency - and removes exceptions that are no longer supported by an explicit mission/business need.

-
-
-
-
-
-

Supplemental guidance

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

implements a managed interface for each external telecommunication service;

-
-
-
- - - - - - - -
-

(b)

-
-

establishes a traffic flow policy for each managed interface;

-
-
-
- - - - - - - -
-

(c)

-
-

protects the confidentiality and integrity of the information being transmitted across each interface;

-
-
-
- - - - - - - -
-

(d)

-
-

documents each exception to the traffic flow policy with:

-
- - - - - - - -
-

[1]

-
-

a supporting mission/business need;

-
-
-
- - - - - - - -
-

[2]

-
-

duration of that need;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency to review exceptions to traffic flow policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews exceptions to the traffic flow policy with the organization-defined frequency; and

-
-
-
- - - - - - - -
-

[3]

-
-

removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- traffic flow policy

-

- information flow control policy

-

- procedures addressing boundary protection

-

- information system security architecture

-

- information system design documentation

-

- boundary protection hardware and software

-

- information system architecture and configuration documentation

-

- information system configuration settings and associated documentation

-

- records of traffic flow policy exceptions

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for documenting and reviewing exceptions to the traffic flow policy

-

- organizational processes for removing exceptions to the traffic flow policy

-

- automated mechanisms implementing boundary protection capability

-

- managed interfaces implementing traffic flow policy

-
-

References: None -

-
-
-

- SC-7 (5) DENY BY DEFAULT / ALLOW BY EXCEPTION

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

-
-
-
-

Supplemental guidance

-

This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system, at managed interfaces:

-
- - - - - - - -
-

[1]

-
-

denies network traffic by default; and

-
-
-
- - - - - - - -
-

[2]

-
-

allows network traffic by exception.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing traffic management at managed interfaces

-
-

References: None -

-
-
-

- SC-7 (7) PREVENT SPLIT TUNNELING FOR REMOTE DEVICES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

-
-
-
-

Supplemental guidance

-

This control enhancement is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being readily configurable by users. This control enhancement is implemented within the information system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local information system resources such as printers/file servers. However, split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling.

-
-
-

Objective

- - - - - - -
- -

Determine if the information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- information system design documentation

-

- information system hardware and software

-

- information system architecture

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing boundary protection capability

-

- automated mechanisms supporting/restricting non-remote connections

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

monitors communications at the external boundary of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors communications at key internal boundaries within the system;

-
-
-
- - - - - - - -
-

[3]

-
-

controls communications at the external boundary of the information system;

-
-
-
- - - - - - - -
-

[4]

-
-

controls communications at key internal boundaries within the system;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

implements subnetworks for publicly accessible system components that are either:

-
- - - - - - - -
-

[1]

-
-

physically separated from internal organizational networks; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

logically separated from internal organizational networks; and

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing boundary protection

-

- list of key internal boundaries of the information system

-

- information system design documentation

-

- boundary protection hardware and software

-

- information system configuration settings and associated documentation

-

- enterprise security architecture documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with boundary protection responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms implementing boundary protection capability

-
-
-

References

-
-

FIPS Publication 199

-
-
-

NIST Special Publication 800-41

-
-
-

NIST Special Publication 800-77

-
-
-
-
-

- SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.

-
-
-
-

Supplemental guidance

-

This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk.

- - -
-
-

- SC-8 (1) CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION

-
-

- Parameter: - sc-8_a organization-defined alternative physical safeguards

-

- Value: organization-defined alternative physical safeguards

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by - - sc-8_a - - organization-defined alternative physical safeguards - organization-defined alternative physical safeguards - .

-
-
-
-

Supplemental guidance

-

Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines physical safeguards to be implemented to protect information during transmission when cryptographic mechanisms are not implemented; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system implements cryptographic mechanisms to do one or more of the following during transmission unless otherwise protected by organization-defined alternative physical safeguards:

-
- - - - - - - -
-

[a]

-
-

prevent unauthorized disclosure of information; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

detect changes to information.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing transmission confidentiality and integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity

-

- automated mechanisms supporting and/or implementing alternative physical safeguards

-

- organizational processes for defining and implementing alternative physical safeguards

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the information system protects one or more of the following:

-
- - - - - - - -
-

[1]

-
-

confidentiality of transmitted information; and/or

-
-
-
- - - - - - - -
-

[2]

-
-

integrity of transmitted information.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing transmission confidentiality and integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing transmission confidentiality and/or integrity

-
-
-

References

-
-

FIPS Publication 140-2

-
-
-

FIPS Publication 197

-
-
-

NIST Special Publication 800-52

-
-
-

NIST Special Publication 800-77

-
-
-

NIST Special Publication 800-81

-
-
-

NIST Special Publication 800-113

-
-
-

CNSS Policy 15

-
-
-

NSTISSI No. 7003

-
-
-
-
-

- SC-10 NETWORK DISCONNECT

-
-

- Parameter: - sc-10_a organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system terminates the network connection associated with a communications session at the end of the session or after - - sc-10_a - - organization-defined time period - organization-defined time period - of inactivity.

-
-
-
-

Supplemental guidance

-

This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines a time period of inactivity after which the information system terminates a network connection associated with a communications session; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system terminates the network connection associated with a communication session at the end of the session or after the organization-defined time period of inactivity.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing network disconnect

-

- information system design documentation

-

- security plan

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing network disconnect capability

-
-

References: None -

-
-
-

- SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT

-
-

- Parameter: - sc-12_a organization-defined requirements for key generation, distribution, storage, access, and destruction

-

- Value: organization-defined requirements for key generation, distribution, storage, access, and destruction

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with - - sc-12_a - - organization-defined requirements for key generation, distribution, storage, access, and destruction - organization-defined requirements for key generation, distribution, storage, access, and destruction - .

-
-
-
-

Supplemental guidance

-

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines requirements for cryptographic key:

-
- - - - - - - -
-

[a]

-
-

generation;

-
-
-
- - - - - - - -
-

[b]

-
-

distribution;

-
-
-
- - - - - - - -
-

[c]

-
-

storage;

-
-
-
- - - - - - - -
-

[d]

-
-

access;

-
-
-
- - - - - - - -
-

[e]

-
-

destruction; and

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing cryptographic key establishment and management

-

- information system design documentation

-

- cryptographic mechanisms

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for cryptographic key establishment and/or management

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing cryptographic key establishment and management

-
-
-

References

-
-

NIST Special Publication 800-56

-
-
-

NIST Special Publication 800-57

-
-
-
-
-

- SC-13 CRYPTOGRAPHIC PROTECTION

-
-

- Parameter: - sc-13_a organization-defined cryptographic uses and type of cryptography required for each use

-

- Value: organization-defined cryptographic uses and type of cryptography required for each use

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements - - sc-13_a - - organization-defined cryptographic uses and type of cryptography required for each use - organization-defined cryptographic uses and type of cryptography required for each use - in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

-
-
-
-

Supplemental guidance

-

Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).

- - - - - - - - - - - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines cryptographic uses; and

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines the type of cryptography required for each use; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system implements the organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing cryptographic protection

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- cryptographic module validation certificates

-

- list of FIPS validated cryptographic modules

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with responsibilities for cryptographic protection

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing cryptographic protection

-
-
-

References

-
-

FIPS Publication 140

-
-
-

http://csrc.nist.gov/cryptval

-
-
-

http://www.cnss.gov

-
-
-
-
-

- SC-15 COLLABORATIVE COMPUTING DEVICES

-
-

- Parameter: - sc-15_a organization-defined exceptions where remote activation is to be allowed

-

- Value: organization-defined exceptions where remote activation is to be allowed

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Prohibits remote activation of collaborative computing devices with the following exceptions: - - sc-15_a - - organization-defined exceptions where remote activation is to be allowed - organization-defined exceptions where remote activation is to be allowed - ; and

-
-
-
- - - - - - - -
-

b.

-
-

Provides an explicit indication of use to users physically present at the devices.

-
-
-
-
-
-

Supplemental guidance

-

Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.

- -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines exceptions where remote activation of collaborative computing devices is to be allowed;

-
-
-
- - - - - - - -
-

[2]

-
-

the information system prohibits remote activation of collaborative computing devices, except for organization-defined exceptions where remote activation is to be allowed; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

the information system provides an explicit indication of use to users physically present at the devices.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing collaborative computing

-

- access control policy and procedures

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-

- organizational personnel with responsibilities for managing collaborative computing devices

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing management of remote activation of collaborative computing devices

-

- automated mechanisms providing an indication of use of collaborative computing devices

-
-

References: None -

-
-
-

- SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES

-
-

- Parameter: - sc-17_a organization-defined certificate policy

-

- Value: organization-defined certificate policy

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization issues public key certificates under an - - sc-17_a - - organization-defined certificate policy - organization-defined certificate policy - or obtains public key certificates from an approved service provider.

-
-
-
-

Supplemental guidance

-

For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application-specific time services.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a certificate policy for issuing public key certificates;

-
-
-
- - - - - - - -
-

[2]

-
-

issues public key certificates:

-
- - - - - - - -
-

[a]

-
-

under an organization-defined certificate policy: or

-
-
-
- - - - - - - -
-

[b]

-
-

obtains public key certificates from an approved service provider.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing public key infrastructure certificates

-

- public key certificate policy or policies

-

- public key issuing process

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for issuing public key certificates

-

- service providers

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing the management of public key infrastructure certificates

-
-
-

References

-
-

OMB Memorandum 05-24

-
-
-

NIST Special Publication 800-32

-
-
-

NIST Special Publication 800-63

-
-
-
-
-

- SC-18 MOBILE CODE

-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Defines acceptable and unacceptable mobile code and mobile code technologies;

-
-
-
- - - - - - - -
-

b.

-
-

Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and

-
-
-
- - - - - - - -
-

c.

-
-

Authorizes, monitors, and controls the use of mobile code within the information system.

-
-
-
-
-
-

Supplemental guidance

-

Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

defines acceptable and unacceptable mobile code and mobile code technologies;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

establishes usage restrictions for acceptable mobile code and mobile code technologies;

-
-
-
- - - - - - - -
-

[2]

-
-

establishes implementation guidance for acceptable mobile code and mobile code technologies;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

authorizes the use of mobile code within the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors the use of mobile code within the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

controls the use of mobile code within the information system.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing mobile code

-

- mobile code usage restrictions, mobile code implementation policy and procedures

-

- list of acceptable mobile code and mobile code technologies

-

- list of unacceptable mobile code and mobile technologies

-

- authorization records

-

- information system monitoring records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing mobile code

-
-
-

Assessment: TEST

-

- Organizational process for controlling, authorizing, monitoring, and restricting mobile code

-

- automated mechanisms supporting and/or implementing the management of mobile code

-

- automated mechanisms supporting and/or implementing the monitoring of mobile code

-
-
-

References

-
-

NIST Special Publication 800-28

-
-
-

DoD Instruction 8552.01

-
-
-
-
-

- SC-19 VOICE OVER INTERNET PROTOCOL

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and

-
-
-
- - - - - - - -
-

b.

-
-

Authorizes, monitors, and controls the use of VoIP within the information system.

-
-
-
-
-
-

Supplemental guidance

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;

-
-
-
- - - - - - - -
-

[2]

-
-

establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

authorizes the use of VoIP within the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors the use of VoIP within the information system; and

-
-
-
- - - - - - - -
-

[3]

-
-

controls the use of VoIP within the information system.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing VoIP

-

- VoIP usage restrictions

-

- VoIP implementation guidance

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system monitoring records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing VoIP

-
-
-

Assessment: TEST

-

- Organizational process for authorizing, monitoring, and controlling VoIP

-

- automated mechanisms supporting and/or implementing authorizing, monitoring, and controlling VoIP

-
-
-

References

-
-

NIST Special Publication 800-58

-
-
-
-
-

- SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

-
-
-
- - - - - - - -
-

b.

-
-

Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

-
-
-
-
-
-

Supplemental guidance

-

This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data.

- - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

(a)

-
-

provides additional data origin and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries;

-
-
-
- - - - - - - -
-

(b)

-
-

provides the means to, when operating as part of a distributed, hierarchical namespace:

-
- - - - - - - -
-

[1]

-
-

indicate the security status of child zones; and

-
-
-
- - - - - - - -
-

[2]

-
-

enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing secure name/address resolution service (authoritative source)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing DNS

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing secure name/address resolution service

-
-
-

References

-
-

OMB Memorandum 08-23

-
-
-

NIST Special Publication 800-81

-
-
-
-
-

- SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

-
-
-
-

Supplemental guidance

-

Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the information system:

-
- - - - - - - -
-

[1]

-
-

requests data origin authentication on the name/address resolution responses the system receives from authoritative sources;

-
-
-
- - - - - - - -
-

[2]

-
-

requests data integrity verification on the name/address resolution responses the system receives from authoritative sources;

-
-
-
- - - - - - - -
-

[3]

-
-

performs data origin authentication on the name/address resolution responses the system receives from authoritative sources; and

-
-
-
- - - - - - - -
-

[4]

-
-

performs data integrity verification on the name/address resolution responses the system receives from authoritative sources.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing secure name/address resolution service (recursive or caching resolver)

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing DNS

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services

-
-
-

References

-
-

NIST Special Publication 800-81

-
-
-
-
-

- SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

-
-
-
-

Supplemental guidance

-

Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists).

- - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the information systems that collectively provide name/address resolution service for an organization:

-
- - - - - - - -
-

[1]

-
-

are fault tolerant; and

-
-
-
- - - - - - - -
-

[2]

-
-

implement internal/external role separation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing architecture and provisioning for name/address resolution service

-

- access control policy and procedures

-

- information system design documentation

-

- assessment results from independent, testing organizations

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel with responsibilities for managing DNS

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing name/address resolution service for fault tolerance and role separation

-
-
-

References

-
-

NIST Special Publication 800-81

-
-
-
-
-

- SC-23 SESSION AUTHENTICITY

-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects the authenticity of communications sessions.

-
-
-
-

Supplemental guidance

-

This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.

- - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system protects the authenticity of communications sessions.

-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing session authenticity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing session authenticity

-
-
-

References

-
-

NIST Special Publication 800-52

-
-
-

NIST Special Publication 800-77

-
-
-

NIST Special Publication 800-95

-
-
-
-
-

- SC-28 PROTECTION OF INFORMATION AT REST

-
-

- Parameter: - sc-28_a organization-defined information at rest

-

- Value: organization-defined information at rest

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].

-
-
-
-

Supplemental guidance

-

This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest.

- - - - - - - - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines information at rest requiring one or more of the following:

-
- - - - - - - -
-

[a]

-
-

confidentiality protection; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

integrity protection;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the information system protects:

-
- - - - - - - -
-

[a]

-
-

the confidentiality of organization-defined information at rest; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

the integrity of organization-defined information at rest.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and communications protection policy

-

- procedures addressing protection of information at rest

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- cryptographic mechanisms and associated configuration documentation

-

- list of information at rest requiring confidentiality and integrity protections

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest

-
-
-

References

-
-

NIST Special Publication 800-56

-
-
-

NIST Special Publication 800-57

-
-
-

NIST Special Publication 800-111

-
-
-
-
-

- SC-39 PROCESS ISOLATION

-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system maintains a separate execution domain for each executing process.

-
-
-
-

Supplemental guidance

-

Information systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each information system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is available in most commercial operating systems that employ multi-state processor technologies.

- - - - - - - - -
-
-

Objective

- - - - - - -
- -

Determine if the information system maintains a separate execution domain for each executing process.

-
-
-
-

Assessment: EXAMINE

-

- Information system design documentation

-

- information system architecture

-

- independent verification and validation documentation

-

- testing and evaluation documentation

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Information system developers/integrators

-

- information system security architect

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing separate execution domains for each executing process

-
-

References: None

-
-
-
-

SYSTEM AND INFORMATION INTEGRITY

-
-

- SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES

-
-

- Parameter: - si-1_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-1_b organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - si-1_c organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:

-
- - - - - - - -
-

1.

-
-

A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
-
-
- - - - - - - -
-

2.

-
-

Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Reviews and updates the current:

-
- - - - - - - -
-

1.

-
-

System and information integrity policy [Assignment: organization-defined frequency]; and

-
-
-
- - - - - - - -
-

2.

-
-

System and information integrity procedures [Assignment: organization-defined frequency].

-
-
-
-
-
-
-
-

Supplemental guidance

-

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)(1)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents a system and information integrity policy that addresses:

-
- - - - - - - -
-

[a]

-
-

purpose;

-
-
-
- - - - - - - -
-

[b]

-
-

scope;

-
-
-
- - - - - - - -
-

[c]

-
-

roles;

-
-
-
- - - - - - - -
-

[d]

-
-

responsibilities;

-
-
-
- - - - - - - -
-

[e]

-
-

management commitment;

-
-
-
- - - - - - - -
-

[f]

-
-

coordination among organizational entities;

-
-
-
- - - - - - - -
-

[g]

-
-

compliance;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the system and information integrity policy is to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the system and information integrity policy to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(a)(2)

-
-
- - - - - - - -
-

[1]

-
-

develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls;

-
-
-
- - - - - - - -
-

[2]

-
-

defines personnel or roles to whom the procedures are to be disseminated;

-
-
-
- - - - - - - -
-

[3]

-
-

disseminates the procedures to organization-defined personnel or roles;

-
-
-
-
-
- - - - - - - -
-

(b)(1)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and information integrity policy;

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and information integrity policy with the organization-defined frequency;

-
-
-
-
-
- - - - - - - -
-

(b)(2)

-
-
- - - - - - - -
-

[1]

-
-

defines the frequency to review and update the current system and information integrity procedures; and

-
-
-
- - - - - - - -
-

[2]

-
-

reviews and updates the current system and information integrity procedures with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy and procedures

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with system and information integrity responsibilities

-

- organizational personnel with information security responsibilities

-
-
-

References

-
-

NIST Special Publication 800-12

-
-
-

NIST Special Publication 800-100

-
-
-
-
-

- SI-2 FLAW REMEDIATION

-
-

- Parameter: - si-2_a organization-defined time period

-

- Value: organization-defined time period

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Identifies, reports, and corrects information system flaws;

-
-
-
- - - - - - - -
-

b.

-
-

Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

-
-
-
- - - - - - - -
-

c.

-
-

Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and

-
-
-
- - - - - - - -
-

d.

-
-

Incorporates flaw remediation into the organizational configuration management process.

-
-
-
-
-
-

Supplemental guidance

-

Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. 
Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

- - - - - - - - - - - -
-
-

- SI-2 (2) AUTOMATED FLAW REMEDIATION STATUS

-
-

- Parameter: - si-2_b organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.

-
-
-
-

Supplemental guidance

- - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a frequency to employ automated mechanisms to determine the state of information system components with regard to flaw remediation; and

-
-
-
- - - - - - - -
-

[2]

-
-

employs automated mechanisms with the organization-defined frequency to determine the state of information system components with regard to flaw remediation.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing flaw remediation

-

- automated mechanisms supporting centralized management of flaw remediation

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for flaw remediation

-
-
-

Assessment: TEST

-

- Automated mechanisms used to determine the state of information system components with regard to flaw remediation

-
-

References: None

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

identifies information system flaws;

-
-
-
- - - - - - - -
-

[2]

-
-

reports information system flaws;

-
-
-
- - - - - - - -
-

[3]

-
-

corrects information system flaws;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

tests software updates related to flaw remediation for effectiveness and potential side effects before installation;

-
-
-
- - - - - - - -
-

[2]

-
-

tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines the time period within which to install security-relevant software updates after the release of the updates;

-
-
-
- - - - - - - -
-

[2]

-
-

defines the time period within which to install security-relevant firmware updates after the release of the updates;

-
-
-
- - - - - - - -
-

[3]

-
-

installs software updates within the organization-defined time period of the release of the updates;

-
-
-
- - - - - - - -
-

[4]

-
-

installs firmware updates within the organization-defined time period of the release of the updates; and

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

incorporates flaw remediation into the organizational configuration management process.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing flaw remediation

-

- procedures addressing configuration management

-

- list of flaws and vulnerabilities potentially affecting the information system

-

- list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws)

-

- test results from the installation of software and firmware updates to correct information system flaws

-

- installation/change control records for security-relevant software and firmware updates

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for flaw remediation

-

- organizational personnel with configuration management responsibility

-
-
-

Assessment: TEST

-

- Organizational processes for identifying, reporting, and correcting information system flaws

-

- organizational process for installing software and firmware updates

-

- automated mechanisms supporting and/or implementing reporting, and correcting information system flaws

-

- automated mechanisms supporting and/or implementing testing software and firmware updates

-
-
-

References

-
-

NIST Special Publication 800-40

-
-
-

NIST Special Publication 800-128

-
-
-
-
-

- SI-3 MALICIOUS CODE PROTECTION

-
-

- Parameter: - si-3_a organization-defined frequency

-

- Value: organization-defined frequency

-
-
-

- Parameter: - si-3_b organization-defined action

-

- Value: organization-defined action

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;

-
-
-
- - - - - - - -
-

b.

-
-

Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;

-
-
-
- - - - - - - -
-

c.

-
-

Configures malicious code protection mechanisms to:

-
- - - - - - - -
-

1.

-
-

Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and

-
-
-
- - - - - - - -
-

2.

-
-

[Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and

-
-
-
-
-
- - - - - - - -
-

d.

-
-

Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

-
-
-
-
-
-

Supplemental guidance

-

Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. 
For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files.

- - - - - - - - - - - - -
-
-

- SI-3 (1) CENTRAL MANAGEMENT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization centrally manages malicious code protection mechanisms.

-
-
-
-

Supplemental guidance

-

Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed malicious code protection security controls.

- - -
-
-

Objective

- - - - - - -
- -

Determine if the organization centrally manages malicious code protection mechanisms.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing malicious code protection

-

- automated mechanisms supporting centralized management of malicious code protection mechanisms

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for malicious code protection

-
-
-

Assessment: TEST

-

- Organizational processes for central management of malicious code protection mechanisms

-

- automated mechanisms supporting and/or implementing central management of malicious code protection mechanisms

-
-

References: None

-
-
-

- SI-3 (2) AUTOMATIC UPDATES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically updates malicious code protection mechanisms.

-
-
-
-

Supplemental guidance

-

Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates.

- -
-
-

Objective

- - - - - - -
- -

Determine if the information system automatically updates malicious code protection mechanisms.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing malicious code protection

-

- automated mechanisms supporting centralized management of malicious code protection mechanisms

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for malicious code protection

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing automatic updates to malicious code protection capability

-
-

References: None

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

employs malicious code protection mechanisms to detect and eradicate malicious code at information system:

-
- - - - - - - -
-

[1]

-
-

entry points;

-
-
-
- - - - - - - -
-

[2]

-
-

exit points;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures (as identified in CM-1);

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines a frequency for malicious code protection mechanisms to perform periodic scans of the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

defines action to be initiated by malicious code protection mechanisms in response to malicious code detection;

-
-
-
- - - - - - - -
-

[3]

-
-
- - - - - - - -
-

(1)

-
-

configures malicious code protection mechanisms to:

-
- - - - - - - -
-

[a]

-
-

perform periodic scans of the information system with the organization-defined frequency;

-
-
-
- - - - - - - -
-

[b]

-
-

perform real-time scans of files from external sources at endpoint and/or network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy;

-
-
-
-
-
- - - - - - - -
-

(2)

-
-

configures malicious code protection mechanisms to do one or more of the following:

-
- - - - - - - -
-

[a]

-
-

block malicious code in response to malicious code detection;

-
-
-
- - - - - - - -
-

[b]

-
-

quarantine malicious code in response to malicious code detection;

-
-
-
- - - - - - - -
-

[c]

-
-

send alert to administrator in response to malicious code detection; and/or

-
-
-
- - - - - - - -
-

[d]

-
-

initiate organization-defined action in response to malicious code detection;

-
-
-
-
-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

addresses the receipt of false positives during malicious code detection and eradication; and

-
-
-
- - - - - - - -
-

[2]

-
-

addresses the resulting potential impact on the availability of the information system.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- configuration management policy and procedures

-

- procedures addressing malicious code protection

-

- malicious code protection mechanisms

-

- records of malicious code protection updates

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- scan results from malicious code protection mechanisms

-

- record of actions initiated by malicious code protection mechanisms in response to malicious code detection

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for malicious code protection

-

- organizational personnel with configuration management responsibility

-
-
-

Assessment: TEST

-

- Organizational processes for employing, updating, and configuring malicious code protection mechanisms

-

- organizational process for addressing false positives and resulting potential impact

-

- automated mechanisms supporting and/or implementing employing, updating, and configuring malicious code protection mechanisms

-

- automated mechanisms supporting and/or implementing malicious code scanning and subsequent actions

-
-
-

References

-
-

NIST Special Publication 800-83

-
-
-
-
-

- SI-4 INFORMATION SYSTEM MONITORING

-
-

- Parameter: - si-4_a organization-defined monitoring objectives

-

- Value: organization-defined monitoring objectives

-
-
-

- Parameter: - si-4_b organization-defined techniques and methods

-

- Value: organization-defined techniques and methods

-
-
-

- Parameter: - si-4_c organization-defined information system monitoring information

-

- Value: organization-defined information system monitoring information

-
-
-

- Parameter: - si-4_d organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-4_e organization-defined frequency

-

- Value: organization-defined frequency

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Monitors the information system to detect:

-
- - - - - - - -
-

1.

-
-

Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and

-
-
-
- - - - - - - -
-

2.

-
-

Unauthorized local, network, and remote connections;

-
-
-
-
-
- - - - - - - -
-

b.

-
-

Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];

-
-
-
- - - - - - - -
-

c.

-
-

Deploys monitoring devices:

-
- - - - - - - -
-

1.

-
-

Strategically within the information system to collect organization-determined essential information; and

-
-
-
- - - - - - - -
-

2.

-
-

At ad hoc locations within the system to track specific types of transactions of interest to the organization;

-
-
-
-
-
- - - - - - - -
-

d.

-
-

Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;

-
-
-
- - - - - - - -
-

e.

-
-

Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

-
-
-
- - - - - - - -
-

f.

-
-

Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and

-
-
-
- - - - - - - -
-

g.

-
-

Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].

-
-
-
-
-
-

Supplemental guidance

-

Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). 
A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.

- - - - - - - - - - - - - - - - - - -
-
-

- SI-4 (2) AUTOMATED TOOLS FOR REAL-TIME ANALYSIS

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs automated tools to support near real-time analysis of events.

-
-
-
-

Supplemental guidance

-

Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real-time analysis of alerts and/or notifications generated by organizational information systems.

-
-
-

Objective

- - - - - - -
- -

Determine if the organization employs automated tools to support near real-time analysis of events.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing information system monitoring tools and techniques

-

- information system design documentation

-

- information system monitoring tools and techniques documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for monitoring the information system

-

- organizational personnel with responsibility for incident response/management

-
-
-

Assessment: TEST

-

- Organizational processes for near real-time analysis of events

-

- organizational processes for information system monitoring

-

- automated mechanisms supporting and/or implementing information system monitoring

-

- automated mechanisms/tools supporting and/or implementing analysis of events

-
-

References: None

-
-
-

- SI-4 (4) INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC

-
-

- Parameter: - si-4_f organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.

-
-
-
-

Supplemental guidance

-

Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components.

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines a frequency to monitor:

-
- - - - - - - -
-

[a]

-
-

inbound communications traffic for unusual or unauthorized activities or conditions;

-
-
-
- - - - - - - -
-

[b]

-
-

outbound communications traffic for unusual or unauthorized activities or conditions;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

monitors, with the organization-defined frequency:

-
- - - - - - - -
-

[a]

-
-

inbound communications traffic for unusual or unauthorized activities or conditions; and

-
-
-
- - - - - - - -
-

[b]

-
-

outbound communications traffic for unusual or unauthorized activities or conditions.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing information system monitoring tools and techniques

-

- information system design documentation

-

- information system monitoring tools and techniques documentation

-

- information system configuration settings and associated documentation

-

- information system protocols

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for monitoring the information system

-

- organizational personnel with responsibility for the intrusion detection system

-
-
-

Assessment: TEST

-

- Organizational processes for intrusion detection/information system monitoring

-

- automated mechanisms supporting and/or implementing intrusion detection capability/information system monitoring

-

- automated mechanisms supporting and/or implementing monitoring of inbound/outbound communications traffic

-
-

References: None

-
-
-

- SI-4 (5) SYSTEM-GENERATED ALERTS

-
-

- Parameter: - si-4_g organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-4_h organization-defined compromise indicators

-

- Value: organization-defined compromise indicators

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].

-
-
-
-

Supplemental guidance

-

Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines compromise indicators for the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines personnel or roles to be alerted when indications of compromise or potential compromise occur; and

-
-
-
- - - - - - - -
-

[3]

-
-

the information system alerts organization-defined personnel or roles when organization-defined compromise indicators occur.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing information system monitoring tools and techniques

-

- information system monitoring tools and techniques documentation

-

- information system configuration settings and associated documentation

-

- alerts/notifications generated based on compromise indicators

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- system developers

-

- -

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for monitoring the information system

-

- organizational personnel with responsibility for the intrusion detection system

-
-
-

Assessment: TEST

-

- Organizational processes for intrusion detection/information system monitoring

-

- automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability

-

- automated mechanisms supporting and/or implementing alerts for compromise indicators

-
-

References: None

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

(1)

-
-
- - - - - - - -
-

[1]

-
-

defines monitoring objectives to detect attacks and indicators of potential attacks on the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

monitors the information system to detect, in accordance with organization-defined monitoring objectives:

-
- - - - - - - -
-

[a]

-
-

attacks;

-
-
-
- - - - - - - -
-

[b]

-
-

indicators of potential attacks;

-
-
-
-
-
-
-
- - - - - - - -
-

(2)

-
-

monitors the information system to detect unauthorized:

-
- - - - - - - -
-

[1]

-
-

local connections;

-
-
-
- - - - - - - -
-

[2]

-
-

network connections;

-
-
-
- - - - - - - -
-

[3]

-
-

remote connections;

-
-
-
-
-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

(1)

-
-

defines techniques and methods to identify unauthorized use of the information system;

-
-
-
- - - - - - - -
-

(2)

-
-

identifies unauthorized use of the information system through organization-defined techniques and methods;

-
-
-
-
-
- - - - - - - -
-

(c)

-
-

deploys monitoring devices:

-
- - - - - - - -
-

[1]

-
-

strategically within the information system to collect organization-determined essential information;

-
-
-
- - - - - - - -
-

[2]

-
-

at ad hoc locations within the system to track specific types of transactions of interest to the organization;

-
-
-
-
-
- - - - - - - -
-

(d)

-
-

protects information obtained from intrusion-monitoring tools from unauthorized:

-
- - - - - - - -
-

[1]

-
-

access;

-
-
-
- - - - - - - -
-

[2]

-
-

modification;

-
-
-
- - - - - - - -
-

[3]

-
-

deletion;

-
-
-
-
-
- - - - - - - -
-

(e)

-
-

heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

-
-
-
- - - - - - - -
-

(f)

-
-

obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations;

-
-
-
- - - - - - - -
-

(g)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom information system monitoring information is to be provided;

-
-
-
- - - - - - - -
-

[2]

-
-

defines information system monitoring information to be provided to organization-defined personnel or roles;

-
-
-
- - - - - - - -
-

[3]

-
-

defines a frequency to provide organization-defined information system monitoring information to organization-defined personnel or roles;

-
-
-
- - - - - - - -
-

[4]

-
-

provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following:

-
- - - - - - - -
-

[a]

-
-

as needed; and/or

-
-
-
- - - - - - - -
-

[b]

-
-

with the organization-defined frequency.

-
-
-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- Continuous monitoring strategy

-

- system and information integrity policy

-

- procedures addressing information system monitoring tools and techniques

-

- facility diagram/layout

-

- information system design documentation

-

- information system monitoring tools and techniques documentation

-

- locations within information system where monitoring devices are deployed

-

- information system configuration settings and associated documentation

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- System/network administrators

-

- organizational personnel with information security responsibilities

-

- organizational personnel installing, configuring, and/or maintaining the information system

-

- organizational personnel with responsibility for monitoring the information system

-
-
-

Assessment: TEST

-

- Organizational processes for information system monitoring

-

- automated mechanisms supporting and/or implementing information system monitoring capability

-
-
-

References

-
-

NIST Special Publication 800-61

-
-
-

NIST Special Publication 800-83

-
-
-

NIST Special Publication 800-92

-
-
-

NIST Special Publication 800-94

-
-
-

NIST Special Publication 800-137

-
-
-
-
-

- SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES

-
-

- Parameter: - si-5_a organization-defined external organizations

-

- Value: organization-defined external organizations

-
-
-

- Parameter: - si-5_b organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-
-

- Parameter: - si-5_c organization-defined elements within the organization

-

- Value: organization-defined elements within the organization

-
-
-

- Parameter: - si-5_d organization-defined external organizations

-

- Value: organization-defined external organizations

-
-

- priority: P1

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;

-
-
-
- - - - - - - -
-

b.

-
-

Generates internal security alerts, advisories, and directives as deemed necessary;

-
-
-
- - - - - - - -
-

c.

-
-

Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and

-
-
-
- - - - - - - -
-

d.

-
-

Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

-
-
-
-
-
-

Supplemental guidance

-

The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations.

- -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-
- - - - - - - -
-

[1]

-
-

defines external organizations from whom information system security alerts, advisories, and directives are to be received;

-
-
-
- - - - - - - -
-

[2]

-
-

receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis;

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

generates internal security alerts, advisories, and directives as deemed necessary;

-
-
-
- - - - - - - -
-

(c)

-
-
- - - - - - - -
-

[1]

-
-

defines personnel or roles to whom security alerts, advisories, and directives are to be provided;

-
-
-
- - - - - - - -
-

[2]

-
-

defines elements within the organization to whom security alerts, advisories, and directives are to be provided;

-
-
-
- - - - - - - -
-

[3]

-
-

defines external organizations to whom security alerts, advisories, and directives are to be provided;

-
-
-
- - - - - - - -
-

[4]

-
-

disseminates security alerts, advisories, and directives to one or more of the following:

-
- - - - - - - -
-

[a]

-
-

organization-defined personnel or roles;

-
-
-
- - - - - - - -
-

[b]

-
-

organization-defined elements within the organization; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

organization-defined external organizations; and

-
-
-
-
-
-
-
- - - - - - - -
-

(d)

-
-
- - - - - - - -
-

[1]

-
-

implements security directives in accordance with established time frames; or

-
-
-
- - - - - - - -
-

[2]

-
-

notifies the issuing organization of the degree of noncompliance.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing security alerts, advisories, and directives

-

- records of security alerts and advisories

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with security alert and advisory responsibilities

-

- organizational personnel implementing, operating, maintaining, and using the information system

-

- organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated

-

- system/network administrators

-

- organizational personnel with information security responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives

-

- automated mechanisms supporting and/or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives

-

- automated mechanisms supporting and/or implementing security directives

-
-
-

References

-
-

NIST Special Publication 800-40

-
-
-
-
-

- SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

-
-

- Parameter: - si-7_a organization-defined software, firmware, and information

-

- Value: organization-defined software, firmware, and information

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

-
-
-
-

Supplemental guidance

-

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications. Note that parity checks and cyclical redundancy checks detect only accidental corruption; an adversary who can modify the data can recompute them, so detecting deliberate tampering requires a cryptographic hash or digital signature whose reference values are themselves protected from unauthorized modification.

- - - - -
-
-

- SI-7 (1) INTEGRITY CHECKS

-
-

- Parameter: - si-7_b organization-defined software, firmware, and information

-

- Value: organization-defined software, firmware, and information

-
-
-

- Parameter: - si-7_c organization-defined transitional states or security-relevant events

-

- Value: organization-defined transitional states or security-relevant events

-
-
-

- Parameter: - si-7_d organization-defined frequency

-

- Value: organization-defined frequency

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].

-
-
-
-

Supplemental guidance

-

Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines:

-
- - - - - - - -
-

[a]

-
-

software requiring integrity checks to be performed;

-
-
-
- - - - - - - -
-

[b]

-
-

firmware requiring integrity checks to be performed;

-
-
-
- - - - - - - -
-

[c]

-
-

information requiring integrity checks to be performed;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

the organization defines transitional states or security-relevant events requiring integrity checks of organization-defined:

-
- - - - - - - -
-

[a]

-
-

software;

-
-
-
- - - - - - - -
-

[b]

-
-

firmware;

-
-
-
- - - - - - - -
-

[c]

-
-

information;

-
-
-
-
-
- - - - - - - -
-

[3]

-
-

the organization defines a frequency with which to perform an integrity check of organization-defined:

-
- - - - - - - -
-

[a]

-
-

software;

-
-
-
- - - - - - - -
-

[b]

-
-

firmware;

-
-
-
- - - - - - - -
-

[c]

-
-

information;

-
-
-
-
-
- - - - - - - -
-

[4]

-
-

the information system performs an integrity check of organization-defined software, firmware, and information one or more of the following:

-
- - - - - - - -
-

[a]

-
-

at startup;

-
-
-
- - - - - - - -
-

[b]

-
-

at organization-defined transitional states or security-relevant events; and/or

-
-
-
- - - - - - - -
-

[c]

-
-

with the organization-defined frequency.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing software, firmware, and information integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- integrity verification tools and associated documentation

-

- records of integrity scans

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for software, firmware, and/or information integrity

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Software, firmware, and information integrity verification tools

-
-

References: None

-
-
-

- SI-7 (7) INTEGRATION OF DETECTION AND RESPONSE

-
-

- Parameter: - si-7_g organization-defined security-relevant changes to the information system

-

- Value: organization-defined security-relevant changes to the information system

-
-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability.

-
-
-
-

Supplemental guidance

-

This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended period of time and for possible legal actions. Security-relevant changes include, for example, unauthorized changes to established configuration settings or unauthorized elevation of information system privileges.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-

defines unauthorized security-relevant changes to the information system; and

-
-
-
- - - - - - - -
-

[2]

-
-

incorporates the detection of unauthorized organization-defined security-relevant changes to the information system into the organizational incident response capability.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing software, firmware, and information integrity

-

- procedures addressing incident response

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- incident response records

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for software, firmware, and/or information integrity

-

- organizational personnel with information security responsibilities

-

- organizational personnel with incident response responsibilities

-
-
-

Assessment: TEST

-

- Organizational processes for incorporating detection of unauthorized security-relevant changes into the incident response capability

-

- software, firmware, and information integrity verification tools

-

- automated mechanisms supporting and/or implementing incorporation of detection of unauthorized security-relevant changes into the incident response capability

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

[1]

-
-
- - - - - - - -
-

[a]

-
-

defines software requiring integrity verification tools to be employed to detect unauthorized changes;

-
-
-
- - - - - - - -
-

[b]

-
-

defines firmware requiring integrity verification tools to be employed to detect unauthorized changes;

-
-
-
- - - - - - - -
-

[c]

-
-

defines information requiring integrity verification tools to be employed to detect unauthorized changes;

-
-
-
-
-
- - - - - - - -
-

[2]

-
-

employs integrity verification tools to detect unauthorized changes to organization-defined:

-
- - - - - - - -
-

[a]

-
-

software;

-
-
-
- - - - - - - -
-

[b]

-
-

firmware; and

-
-
-
- - - - - - - -
-

[c]

-
-

information.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing software, firmware, and information integrity

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- integrity verification tools and associated documentation

-

- records generated/triggered from integrity verification tools regarding unauthorized software, firmware, and information changes

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for software, firmware, and/or information integrity

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Software, firmware, and information integrity verification tools

-
-
-

References

-
-

NIST Special Publication 800-147

-
-
-

NIST Special Publication 800-155

-
-
-
-
-

- SI-8 SPAM PROTECTION

-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization:

-
- - - - - - - -
-

a.

-
-

Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and

-
-
-
- - - - - - - -
-

b.

-
-

Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

-
-
-
-
-
-

Supplemental guidance

-

Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook/laptop computers. Spam can be transported by different means including, for example, electronic mail, electronic mail attachments, and web accesses. Spam protection mechanisms include, for example, signature definitions.

- - - - - -
-
-

- SI-8 (1) CENTRAL MANAGEMENT

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization centrally manages spam protection mechanisms.

-
-
-
-

Supplemental guidance

-

Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection security controls.

- - - -
-
-

Objective

- - - - - - -
- -

Determine if the organization centrally manages spam protection mechanisms.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing spam protection

-

- spam protection mechanisms

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for spam protection

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for central management of spam protection

-

- automated mechanisms supporting and/or implementing central management of spam protection

-
-

References: None -

-
-
-

- SI-8 (2) AUTOMATIC UPDATES

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system automatically updates spam protection mechanisms.

-
-
-
-

Objective

- - - - - - -
- -

Determine if the information system automatically updates spam protection mechanisms.

-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing spam protection

-

- spam protection mechanisms

-

- records of spam protection updates

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for spam protection

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Organizational processes for spam protection

-

- automated mechanisms supporting and/or implementing automatic updates to spam protection mechanisms

-
-

References: None -

-
-
-

Objectives

- - - - - - -
- -

Determine if the organization:

-
- - - - - - - -
-

(a)

-
-

employs spam protection mechanisms:

-
- - - - - - - -
-

[1]

-
-

at information system entry points to detect unsolicited messages;

-
-
-
- - - - - - - -
-

[2]

-
-

at information system entry points to take action on unsolicited messages;

-
-
-
- - - - - - - -
-

[3]

-
-

at information system exit points to detect unsolicited messages;

-
-
-
- - - - - - - -
-

[4]

-
-

at information system exit points to take action on unsolicited messages; and

-
-
-
-
-
- - - - - - - -
-

(b)

-
-

updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- configuration management policy and procedures (CM-1)

-

- procedures addressing spam protection

-

- spam protection mechanisms

-

- records of spam protection updates

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for spam protection

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Organizational processes for implementing spam protection

-

- automated mechanisms supporting and/or implementing spam protection

-
-
-

References

-
-

NIST Special Publication 800-45

-
-
-
-
-

- SI-10 INFORMATION INPUT VALIDATION

-
-

- Parameter: - si-10_a organization-defined information inputs

-

- Value: organization-defined information inputs

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system checks the validity of - - si-10_a - - organization-defined information inputs - organization-defined information inputs - .

-
-
-
-

Supplemental guidance

-

Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.

-
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines information inputs requiring validity checks; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system checks the validity of organization-defined information inputs.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- access control policy and procedures

-

- separation of duties policy and procedures

-

- procedures addressing information input validation

-

- documentation for automated tools and applications to verify validity of information

-

- list of information inputs requiring validity checks

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for information input validation

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing validity checks on information inputs

-
-

References: None -

-
-
-

- SI-11 ERROR HANDLING

-
-

- Parameter: - si-11_a organization-defined personnel or roles

-

- Value: organization-defined personnel or roles

-
-

- priority: P2

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system:

-
- - - - - - - -
-

a.

-
-

Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and

-
-
-
- - - - - - - -
-

b.

-
-

Reveals error messages only to - - si-11_a - - organization-defined personnel or roles - organization-defined personnel or roles - .

-
-
-
-
-
-

Supplemental guidance

-

Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information.

- - - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

(a)

-
-

the information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries;

-
-
-
- - - - - - - -
-

(b)

-
-
- - - - - - - -
-

[1]

-
-

the organization defines personnel or roles to whom error messages are to be revealed; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system reveals error messages only to organization-defined personnel or roles.

-
-
-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing information system error handling

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- documentation providing structure/content of error messages

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for information input validation

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Organizational processes for error handling

-

- automated mechanisms supporting and/or implementing error handling

-

- automated mechanisms supporting and/or implementing management of error messages

-
-

References: None -

-
-
-

- SI-12 INFORMATION HANDLING AND RETENTION

-

- priority: P2

-

- baseline-impact: LOW

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

-
-
-
-

Supplemental guidance

-

Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention.

- - - - - -
-
-

Objectives

- - - - - - -
- -

Determine if the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements:

-
- - - - - - - -
-

[1]

-
-

handles information within the information system;

-
-
-
- - - - - - - -
-

[2]

-
-

handles output from the information system;

-
-
-
- - - - - - - -
-

[3]

-
-

retains information within the information system; and

-
-
-
- - - - - - - -
-

[4]

-
-

retains output from the information system.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information handling and retention

-

- media protection policy and procedures

-

- procedures addressing information system output handling and retention

-

- information retention records, other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for information handling and retention

-

- organizational personnel with information security responsibilities/network administrators

-
-
-

Assessment: TEST

-

- Organizational processes for information handling and retention

-

- automated mechanisms supporting and/or implementing information handling and retention

-
-

References: None -

-
-
-

- SI-16 MEMORY PROTECTION

-
-

- Parameter: - si-16_a organization-defined security safeguards

-

- Value: organization-defined security safeguards

-
-

- priority: P1

-

- baseline-impact: MODERATE

-

- baseline-impact: HIGH

-
-

Control

- - - - - - -
- -

The information system implements - - si-16_a - - organization-defined security safeguards - organization-defined security safeguards - to protect its memory from unauthorized code execution.

-
-
-
-

Supplemental guidance

-

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.

- - -
-
-

Objectives

- - - - - - -
- -

Determine if:

-
- - - - - - - -
-

[1]

-
-

the organization defines security safeguards to be implemented to protect information system memory from unauthorized code execution; and

-
-
-
- - - - - - - -
-

[2]

-
-

the information system implements organization-defined security safeguards to protect its memory from unauthorized code execution.

-
-
-
-
-
-

Assessment: EXAMINE

-

- System and information integrity policy

-

- procedures addressing memory protection for the information system

-

- information system design documentation

-

- information system configuration settings and associated documentation

-

- list of security safeguards protecting information system memory from unauthorized code execution

-

- information system audit records

-

- other relevant documents or records

-
-
-

Assessment: INTERVIEW

-

- Organizational personnel with responsibility for memory protection

-

- organizational personnel with information security responsibilities

-

- system/network administrators

-

- system developer

-
-
-

Assessment: TEST

-

- Automated mechanisms supporting and/or implementing safeguards to protect information system memory from unauthorized code execution

-
-

References: None -

-
-
-
-
-
-
- - diff --git a/examples/SP800-53/pub/SP800-53-rev4-catalog-rendered.html b/examples/SP800-53/pub/SP800-53-rev4-catalog-rendered.html index 26b3599618..1243dea01c 100644 --- a/examples/SP800-53/pub/SP800-53-rev4-catalog-rendered.html +++ b/examples/SP800-53/pub/SP800-53-rev4-catalog-rendered.html @@ -1,5 +1,5 @@ - + diff --git a/examples/SP800-53/sample-shot.xml b/examples/SP800-53/sample-shot.xml new file mode 100644 index 0000000000..7c5f0543a5 --- /dev/null +++ b/examples/SP800-53/sample-shot.xml @@ -0,0 +1,48 @@ + + NIST SP800-53 rev 4 + + + ACCESS CONTROL + + ACCESS CONTROL POLICY AND PROCEDURES + AC-1 + P1 + +

The organization:

+ + AC-1a. +

Develops, documents, and disseminates to :

+ + AC-1a.1. +

An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

+
+ + AC-1a.2. +

Procedures to facilitate the implementation of the access control policy and associated access controls; and

+
+
+ + AC-1b. +

Reviews and updates the current:

+ + AC-1b.1. +

Access control policy ; and

+
+ + AC-1b.2. +

Access control procedures .

+
+
+
+ [... snip ...] + + + NIST Special Publication 800-12 + + + NIST Special Publication 800-100 + + +
+
+
diff --git a/examples/migrate-profile.xsl b/examples/migrate-profile.xsl new file mode 100644 index 0000000000..62a96e9a32 --- /dev/null +++ b/examples/migrate-profile.xsl @@ -0,0 +1,71 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/examples/mini-testing/01_identity-profile.xml b/examples/mini-testing/01_identity-profile.xml index 3c328b349d..529e3968a4 100644 --- a/examples/mini-testing/01_identity-profile.xml +++ b/examples/mini-testing/01_identity-profile.xml @@ -1,11 +1,9 @@ - + Identity profile (an entire catalog, implicitly) - - + + \ No newline at end of file diff --git a/examples/mini-testing/01a_param-only-profile.xml b/examples/mini-testing/01a_param-only-profile.xml index cf45d87656..e630071d78 100644 --- a/examples/mini-testing/01a_param-only-profile.xml +++ b/examples/mini-testing/01a_param-only-profile.xml @@ -1,17 +1,16 @@ - + Parameter This - + - + + @@ -21,5 +20,4 @@ BUTCHER; BAKER; CANDLESTICK-MAKER - - + \ No newline at end of file diff --git a/examples/mini-testing/02_all-profile.xml b/examples/mini-testing/02_all-profile.xml index e855d29c4e..744e50d948 100644 --- a/examples/mini-testing/02_all-profile.xml +++ b/examples/mini-testing/02_all-profile.xml @@ -1,15 +1,12 @@ - + Calling All Controls - + - - - + + \ No newline at end of file diff --git a/examples/mini-testing/03_all-with-enh-profile.xml b/examples/mini-testing/03_all-with-enh-profile.xml index 8c76462f9d..522453a4c0 100644 --- a/examples/mini-testing/03_all-with-enh-profile.xml +++ b/examples/mini-testing/03_all-with-enh-profile.xml @@ -1,15 +1,12 @@ - + Once Again, with Feeling - + - - - + + \ No newline at end of file diff --git a/examples/mini-testing/04_exclude1-profile.xml b/examples/mini-testing/04_exclude1-profile.xml index 1fcd5a1e9a..b93dfe6cb3 100644 --- a/examples/mini-testing/04_exclude1-profile.xml +++ b/examples/mini-testing/04_exclude1-profile.xml 
@@ -1,12 +1,10 @@ - + Being Exclusive - + @@ -15,6 +13,5 @@ - - - + + \ No newline at end of file diff --git a/examples/mini-testing/05_exclude2-profile.xml b/examples/mini-testing/05_exclude2-profile.xml index 4b9b34ea83..066e6efec0 100644 --- a/examples/mini-testing/05_exclude2-profile.xml +++ b/examples/mini-testing/05_exclude2-profile.xml @@ -1,12 +1,10 @@ - + Being More Exclusive - + @@ -14,6 +12,5 @@ - - - + + \ No newline at end of file diff --git a/examples/mini-testing/10_some-params-profile.xml b/examples/mini-testing/10_some-params-profile.xml index 36ef5263bb..a368fad005 100644 --- a/examples/mini-testing/10_some-params-profile.xml +++ b/examples/mini-testing/10_some-params-profile.xml @@ -1,26 +1,27 @@ - + Some Parameters - + - - + + + + + + organization-defined duties of individuals butcher; baker; candlestick-maker - - + \ No newline at end of file diff --git a/examples/mini-testing/11_more-params-profile.xml b/examples/mini-testing/11_more-params-profile.xml index 51ef7b444f..661a40753c 100644 --- a/examples/mini-testing/11_more-params-profile.xml +++ b/examples/mini-testing/11_more-params-profile.xml @@ -3,11 +3,11 @@ - + More Paramters, More - + @@ -18,7 +18,8 @@ - + + organization-defined duties of individuals @@ -66,5 +67,4 @@ organization-defined software --> - - + \ No newline at end of file diff --git a/examples/mini-testing/20_compound-profile-sketch.svg b/examples/mini-testing/20_compound-profile-sketch.svg new file mode 100644 index 0000000000..b09b900558 --- /dev/null +++ b/examples/mini-testing/20_compound-profile-sketch.svg @@ -0,0 +1,19 @@ + + + + A Compound Profile + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/examples/mini-testing/20_compound-profile.xml b/examples/mini-testing/20_compound-profile.xml index 42c4153d4b..12aee7aeda 100644 --- a/examples/mini-testing/20_compound-profile.xml +++ b/examples/mini-testing/20_compound-profile.xml 
@@ -1,24 +1,25 @@ - + - + A Compound Profile - + - + + + + + + + + organization-defined duties of individuals butcher; baker; candlestick-maker - - - - - + diff --git a/examples/mini-testing/30_patched-profile.xml b/examples/mini-testing/30_patched-profile.xml index a229b8922c..250f9917fd 100644 --- a/examples/mini-testing/30_patched-profile.xml +++ b/examples/mini-testing/30_patched-profile.xml @@ -1,20 +1,19 @@ - + Patching profile example - + - + + @@ -33,5 +32,4 @@ - - + \ No newline at end of file diff --git a/examples/mini-testing/31_patched-messy-profile.xml b/examples/mini-testing/31_patched-messy-profile.xml index 43fe69f706..d0002a54ee 100644 --- a/examples/mini-testing/31_patched-messy-profile.xml +++ b/examples/mini-testing/31_patched-messy-profile.xml @@ -1,16 +1,14 @@ - + - + Patching profile example - + @@ -18,28 +16,36 @@ - - + + + organization-defined duties of individuals butcher; baker; candlestick-maker - + -

Do NOT go back in the water.

+ +

Do NOT go back in the water.

+
SEAL OF APPROVAL (a)

Local organizations may wish to sponsor special events including

    -
  • bake sales,
  • lemonade stands,
  • house-to-house cookie sales,
  • lawn mowing services
  • or other seasonal services etc.
+
  • bake sales,
  • +
  • lemonade stands,
  • +
  • house-to-house cookie sales,
  • +
  • lawn mowing services
  • +
  • or other seasonal services etc.
  • +

    Code green

    -
    -
    + +
    \ No newline at end of file diff --git a/examples/mini-testing/32_invalid-profile.xml b/examples/mini-testing/32_invalid-profile.xml index 1d3b53e44d..f878bc3de7 100644 --- a/examples/mini-testing/32_invalid-profile.xml +++ b/examples/mini-testing/32_invalid-profile.xml @@ -1,9 +1,7 @@ - + Patching profile example - + @@ -24,7 +22,8 @@ - + + @@ -54,5 +53,4 @@ - - + \ No newline at end of file diff --git a/examples/mini-testing/41_exceptions-profile.xml b/examples/mini-testing/41_exceptions-profile.xml index 0511b0c682..66ae74d7d2 100644 --- a/examples/mini-testing/41_exceptions-profile.xml +++ b/examples/mini-testing/41_exceptions-profile.xml @@ -1,15 +1,13 @@ - + Exceptions profile example - + @@ -24,7 +22,12 @@ - + + + + + + @@ -43,9 +46,4 @@ - - - - - - + \ No newline at end of file diff --git a/examples/mini-testing/42_invoke-exceptions-profile.xml b/examples/mini-testing/42_invoke-exceptions-profile.xml index b57f94c0fa..f5a47374e2 100644 --- a/examples/mini-testing/42_invoke-exceptions-profile.xml +++ b/examples/mini-testing/42_invoke-exceptions-profile.xml @@ -1,9 +1,7 @@ - + @@ -16,11 +14,11 @@ For now only @id is being examined; catalogs are expected to have exclusive (nonoverlapping) @id schemes. --> - + - + - + \ No newline at end of file diff --git a/examples/mini-testing/99includeACx2-profile.xml b/examples/mini-testing/99includeACx2-profile.xml index 02b10da18c..dbdf4f8416 100644 --- a/examples/mini-testing/99includeACx2-profile.xml +++ b/examples/mini-testing/99includeACx2-profile.xml @@ -1,12 +1,10 @@ - + Two controls from AC, with parameters on subcontrols - + @@ -20,7 +18,8 @@ - + + [whoever is responsible for caring for the cats] - organization-defined duties of @@ -68,5 +67,4 @@ - - + \ No newline at end of file diff --git a/examples/mini-testing/99includeRAx3-profile.xml b/examples/mini-testing/99includeRAx3-profile.xml index f6cd12b029..8b9662f563 100644 --- a/examples/mini-testing/99includeRAx3-profile.xml 
+++ b/examples/mini-testing/99includeRAx3-profile.xml @@ -1,13 +1,11 @@ - + Three RA controls with parameters - + @@ -18,7 +16,8 @@ - + + PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS - organization-defined systems, system components, or system services @@ -30,5 +29,4 @@ ON AN ONGOING BASIS (AT LEAST NIGHTLY) - - + \ No newline at end of file diff --git a/examples/mini-testing/dinosaur-catalog.xml b/examples/mini-testing/dinosaur-catalog.xml new file mode 100644 index 0000000000..5a9f5a578e --- /dev/null +++ b/examples/mini-testing/dinosaur-catalog.xml @@ -0,0 +1,45 @@ + + + + + Skeleton catalog +
    + This catalog +

    For use in testing, especially structural transformations.

    +
    + + + Dinosaurs + Predators + + + + + + + Herbivores + + + + Proto-avians + + + + +
    \ No newline at end of file diff --git a/examples/mini-testing/dinosaur-profile.xml b/examples/mini-testing/dinosaur-profile.xml new file mode 100644 index 0000000000..a132e2a268 --- /dev/null +++ b/examples/mini-testing/dinosaur-profile.xml @@ -0,0 +1,16 @@ + + + + + + + Dinosaur Profile + + + + + + + + diff --git a/examples/mini-testing/dinosaur-testing.xml b/examples/mini-testing/dinosaur-testing.xml new file mode 100644 index 0000000000..42422451bb --- /dev/null +++ b/examples/mini-testing/dinosaur-testing.xml @@ -0,0 +1,22 @@ + + + + + + + A Compound Profile + + + + + + + + + + + + + diff --git a/examples/mini-testing/pub/01_identity-profile-rendered.html b/examples/mini-testing/pub/01_identity-profile-rendered.html deleted file mode 100644 index bcb9625b1d..0000000000 --- a/examples/mini-testing/pub/01_identity-profile-rendered.html +++ /dev/null @@ -1,525 +0,0 @@ - - - - - - Identity profile (an entire catalog, implicitly) - - - - - -
    -
    -

    Identity profile (an entire catalog, implicitly)

    -
    -
    -

    mini-testing-catalog.xml ➭

    -
    -
    -

    MINI TESTING catalog

    -
    -

    FAKE(S)

    -
    -

    - FAKE_0 EVERYTHING ALL MIXED TOGETHER

    -
    -

    - Parameter: - fake_a FAKE PARAMETER IN FAKE CONTROL

    -

    - Value: whatever is mixed or to be mixed

    -
    -
    -

    Control

    - - - - - - -
    - -

    Whatever to be mixed is a fake control with some pathological markup.

    -
    - - - - - - - -
    -

    -

    -

    Insert your fake parameter here: - - fake_a - - FAKE PARAMETER IN FAKE CONTROL - whatever is mixed or to be mixed - ;

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes inline markup such as italics, - bold, emphasis, code, quoted text - and even a bit of water (H2O).

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes some more complex prose:

    -
      -
    • Here's language in a list item
    • -
    • Another list item
    • -
    -

    And a scattering of things including a little physics! - e = mc2 - and all that.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Don't follow any guidance you find in a fake control.

    -
    -

    References: None -

    -
    -
    -
    -

    ACCESS CONTROL

    -
    -

    - AC-5 SEPARATION OF DUTIES

    -
    -

    - Parameter: - ac-5_a organization-defined duties of individuals

    -

    - Value: organization-defined duties of individuals

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    a.

    -
    -

    Separate - - ac-5_a - - organization-defined duties of individuals - organization-defined duties of individuals - ;

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Document separation of duties of individuals; and

    -
    -
    -
    - - - - - - - -
    -

    c.

    -
    -

    Define system access authorizations to support separation - of duties.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Separation of duties addresses the potential for abuse of authorized privileges - and helps to reduce the risk of malevolent activity without collusion. - Separation of duties includes, for example, dividing mission functions and - system support functions among different individuals and/or roles; conducting - system support functions with different individuals; and ensuring security - personnel administering access control functions do not also administer audit - functions. Because separation of duty violations can span systems and - application domains, organizations consider the entirety of organizational - systems and system components when developing policy on separation of - duties.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 LEAST PRIVILEGE

    -
    -

    Control

    - - - - - - -
    - -

    Employ the principle of least privilege, allowing only - authorized accesses for users (or processes acting on behalf of users) which are - necessary to accomplish assigned tasks in accordance with organizational - missions and business functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations employ least privilege for specific duties and systems. The - principle of least privilege is also applied to system processes, ensuring that - the processes operate at privilege levels no higher than necessary to accomplish - required organizational missions or business functions. Organizations consider - the creation of additional processes, roles, and system accounts as necessary, - to achieve least privilege. Organizations also apply least privilege to the - development, implementation, and operation of organizational systems.

    -
    -

    References: None -

    -
    -
    -
    -

    RISK ASSESSMENT

    -
    -

    - RA-7 RISK RESPONSE

    -
    -

    Control

    - - - - - - -
    - -

    Respond to findings from security and privacy assessments, - monitoring, and audits.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations have a variety of options for responding to risk including: - mitigating the risk by implementing new controls or strengthening existing - controls; accepting the risk with appropriate justification or rationale; - sharing or transferring the risk; or rejecting the risk. Organizational risk - tolerance influences risk response decisions and actions. Risk response is also - known as risk treatment. This control addresses the need to determine an - appropriate response to risk before a plan of action and milestones entry is - generated. For example, the response may be to accept risk or reject risk, or it - may be possible to mitigate the risk immediately so a plan of action and - milestones entry is not needed. However, if the risk response is to mitigate the - risk and the mitigation cannot be completed immediately, a plan of action and - milestones entry is generated.

    -
    -
    -

    References

    -
    -

    FIPS - Publication 199

    -
    -
    -

    FIPS - Publication 200

    -
    -
    -

    NIST - Special Publication 800-30

    -
    -
    -

    NIST - Special Publication 800-37

    -
    -
    -

    NIST - Special Publication 800-39

    -
    -
    -
    -
    -

    - RA-8 PRIVACY IMPACT ASSESSMENTS

    -
    -

    Control

    - - - - - - -
    - -

    Conduct privacy impact assessments for systems, programs, or - other activities that pose a privacy risk before:

    -
    - - - - - - - -
    -

    a.

    -
    -

    Developing or procuring information technology that - collects, maintains, or disseminates information that is in an identifiable - form; and

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Initiating a new collection of information that:

    -
    - - - - - - - -
    -

    1.

    -
    -

    Will be collected, maintained, or disseminated using - information technology; and

    -
    -
    -
    - - - - - - - -
    -

    2.

    -
    -

    Includes information in an identifiable form - permitting the physical or online contacting of a specific individual, - if identical questions have been posed to, or identical reporting - requirements imposed on, ten or more persons, other than agencies, - instrumentalities, or employees of the Federal Government.

    -
    -
    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Privacy impact assessments are an analysis of how information is managed to - ensure that such management conforms to applicable legal, regulatory, and policy - requirements regarding privacy; to determine the associated privacy risks and - effects of creating, collecting, using, processing, storing, maintaining, - disseminating, disclosing, and disposing of information in identifiable form in - a system; and to examine and evaluate the protections and alternate processes - for managing information to mitigate potential privacy concerns. A privacy - impact assessment is an analysis and a formal document detailing the process and - outcome of the analysis. To conduct the analysis, organizations use risk - assessment processes. Although privacy impact assessments may be required by - law, organizations may develop policies to require privacy impact assessments in - circumstances where a privacy impact assessment would not be required by - law.

    -
    -

    References: None -

    -
    -
    -

    - RA-9 CRITICALITY ANALYSIS

    -
    -

    - Parameter: - ra-9_a organization-defined systems, system components, or system services

    -

    - Value: organization-defined systems, system components, or system services

    -
    -
    -

    - Parameter: - ra-9_b organization-defined decision points in the system development life - cycle

    -

    - Value: organization-defined decision points in the system development life cycle

    -
    -
    -

    Control

    - - - - - - -
    - -

    Identify critical system components and functions by - performing a criticality analysis for - - ra-9_a - - organization-defined systems, system components, or system services - organization-defined systems, system components, or system services - at - - ra-9_b - - organization-defined decision points in the system development life - cycle - organization-defined decision points in the system development life cycle - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Not all system components, functions, or services necessarily require significant - protections. Criticality analysis is a key tenet of, for example, supply chain - risk management, and informs the prioritization of protection activities. The - identification of critical system components and functions considers applicable - regulations, directives, policies, standards, and guidelines, system - functionality requirements, system and component interfaces, and system and - component dependencies. Systems engineers conduct an end-to-end functional - decomposition of a system to identify mission-critical functions and components. - The functional decomposition includes the identification of core organizational - missions supported by the system, decomposition into the specific functions to - perform those missions, and traceability to the hardware, software, and firmware - components that implement those functions, including when the functions are - shared by many components within and beyond the system boundary. The operational - environment of a system or component may impact the criticality including, for - example, the connections to and dependencies on cyber-physical systems, devices, - system-of-systems, and outsourced IT services. System components that allow - unmediated access to critical system components or functions are considered - critical due to the inherent vulnerabilities such components create. Component - and function criticality are assessed in terms of the impact of a component or - function failure on the organizational missions supported by the system - containing those components and functions. A criticality analysis is performed - when an architecture or design is being developed, modified, or upgraded. 
If - done early in the system life cycle, organizations may consider modifying the - system design to reduce the critical nature of these components and functions - by, for example, adding redundancy or alternate paths into the system - design.

    -
    -

    References: None -

    -
    -
    -
    -
    -
    -
- -
diff --git a/examples/mini-testing/pub/01a_param-only-profile-rendered.html b/examples/mini-testing/pub/01a_param-only-profile-rendered.html
deleted file mode 100644
index b799e0c2ae..0000000000
--- a/examples/mini-testing/pub/01a_param-only-profile-rendered.html
+++ /dev/null
@@ -1,529 +0,0 @@
- - - - - - Parameter This - - - - - -
    -
    -

    Parameter This

    -
    -
    -

    mini-testing-catalog.xml ➭ Included: - ALL - - Parameter (organization-defined duties of individuals): BUTCHER; BAKER; CANDLESTICK-MAKER -

    -
    -
    -

    MINI TESTING catalog

    -
    -

    FAKE(S)

    -
    -

    - FAKE_0 EVERYTHING ALL MIXED TOGETHER

    -
    -

    - Parameter: - fake_a FAKE PARAMETER IN FAKE CONTROL

    -

    - Value: whatever is mixed or to be mixed

    -
    -
    -

    Control

    - - - - - - -
    - -

    Whatever to be mixed is a fake control with some pathological markup.

    -
    - - - - - - - -
    -

    -

    -

    Insert your fake parameter here: - - fake_a - - FAKE PARAMETER IN FAKE CONTROL - whatever is mixed or to be mixed - ;

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes inline markup such as italics, - bold, emphasis, code, quoted text - and even a bit of water (H2O).

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes some more complex prose:

    -
      -
    • Here's language in a list item
    • -
    • Another list item
    • -
    -

    And a scattering of things including a little physics! - e = mc2 - and all that.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Don't follow any guidance you find in a fake control.

    -
    -

    References: None -

    -
    -
    -
    -

    ACCESS CONTROL

    -
    -

    - AC-5 SEPARATION OF DUTIES

    -
    -

    - Parameter: - ac-5_a organization-defined duties of individuals

    -

    - Value: BUTCHER; BAKER; CANDLESTICK-MAKER

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    a.

    -
    -

    Separate - - ac-5_a - - organization-defined duties of individuals - BUTCHER; BAKER; CANDLESTICK-MAKER - ;

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Document separation of duties of individuals; and

    -
    -
    -
    - - - - - - - -
    -

    c.

    -
    -

    Define system access authorizations to support separation - of duties.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Separation of duties addresses the potential for abuse of authorized privileges - and helps to reduce the risk of malevolent activity without collusion. - Separation of duties includes, for example, dividing mission functions and - system support functions among different individuals and/or roles; conducting - system support functions with different individuals; and ensuring security - personnel administering access control functions do not also administer audit - functions. Because separation of duty violations can span systems and - application domains, organizations consider the entirety of organizational - systems and system components when developing policy on separation of - duties.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 LEAST PRIVILEGE

    -
    -

    Control

    - - - - - - -
    - -

    Employ the principle of least privilege, allowing only - authorized accesses for users (or processes acting on behalf of users) which are - necessary to accomplish assigned tasks in accordance with organizational - missions and business functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations employ least privilege for specific duties and systems. The - principle of least privilege is also applied to system processes, ensuring that - the processes operate at privilege levels no higher than necessary to accomplish - required organizational missions or business functions. Organizations consider - the creation of additional processes, roles, and system accounts as necessary, - to achieve least privilege. Organizations also apply least privilege to the - development, implementation, and operation of organizational systems.

    -
    -

    References: None -

    -
    -
    -
    -

    RISK ASSESSMENT

    -
    -

    - RA-7 RISK RESPONSE

    -
    -

    Control

    - - - - - - -
    - -

    Respond to findings from security and privacy assessments, - monitoring, and audits.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations have a variety of options for responding to risk including: - mitigating the risk by implementing new controls or strengthening existing - controls; accepting the risk with appropriate justification or rationale; - sharing or transferring the risk; or rejecting the risk. Organizational risk - tolerance influences risk response decisions and actions. Risk response is also - known as risk treatment. This control addresses the need to determine an - appropriate response to risk before a plan of action and milestones entry is - generated. For example, the response may be to accept risk or reject risk, or it - may be possible to mitigate the risk immediately so a plan of action and - milestones entry is not needed. However, if the risk response is to mitigate the - risk and the mitigation cannot be completed immediately, a plan of action and - milestones entry is generated.

    -
    -
    -

    References

    -
    -

    FIPS - Publication 199

    -
    -
    -

    FIPS - Publication 200

    -
    -
    -

    NIST - Special Publication 800-30

    -
    -
    -

    NIST - Special Publication 800-37

    -
    -
    -

    NIST - Special Publication 800-39

    -
    -
    -
    -
    -

    - RA-8 PRIVACY IMPACT ASSESSMENTS

    -
    -

    Control

    - - - - - - -
    - -

    Conduct privacy impact assessments for systems, programs, or - other activities that pose a privacy risk before:

    -
    - - - - - - - -
    -

    a.

    -
    -

    Developing or procuring information technology that - collects, maintains, or disseminates information that is in an identifiable - form; and

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Initiating a new collection of information that:

    -
    - - - - - - - -
    -

    1.

    -
    -

    Will be collected, maintained, or disseminated using - information technology; and

    -
    -
    -
    - - - - - - - -
    -

    2.

    -
    -

    Includes information in an identifiable form - permitting the physical or online contacting of a specific individual, - if identical questions have been posed to, or identical reporting - requirements imposed on, ten or more persons, other than agencies, - instrumentalities, or employees of the Federal Government.

    -
    -
    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Privacy impact assessments are an analysis of how information is managed to - ensure that such management conforms to applicable legal, regulatory, and policy - requirements regarding privacy; to determine the associated privacy risks and - effects of creating, collecting, using, processing, storing, maintaining, - disseminating, disclosing, and disposing of information in identifiable form in - a system; and to examine and evaluate the protections and alternate processes - for managing information to mitigate potential privacy concerns. A privacy - impact assessment is an analysis and a formal document detailing the process and - outcome of the analysis. To conduct the analysis, organizations use risk - assessment processes. Although privacy impact assessments may be required by - law, organizations may develop policies to require privacy impact assessments in - circumstances where a privacy impact assessment would not be required by - law.

    -
    -

    References: None -

    -
    -
    -

    - RA-9 CRITICALITY ANALYSIS

    -
    -

    - Parameter: - ra-9_a organization-defined systems, system components, or system services

    -

    - Value: organization-defined systems, system components, or system services

    -
    -
    -

    - Parameter: - ra-9_b organization-defined decision points in the system development life - cycle

    -

    - Value: organization-defined decision points in the system development life cycle

    -
    -
    -

    Control

    - - - - - - -
    - -

    Identify critical system components and functions by - performing a criticality analysis for - - ra-9_a - - organization-defined systems, system components, or system services - organization-defined systems, system components, or system services - at - - ra-9_b - - organization-defined decision points in the system development life - cycle - organization-defined decision points in the system development life cycle - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Not all system components, functions, or services necessarily require significant - protections. Criticality analysis is a key tenet of, for example, supply chain - risk management, and informs the prioritization of protection activities. The - identification of critical system components and functions considers applicable - regulations, directives, policies, standards, and guidelines, system - functionality requirements, system and component interfaces, and system and - component dependencies. Systems engineers conduct an end-to-end functional - decomposition of a system to identify mission-critical functions and components. - The functional decomposition includes the identification of core organizational - missions supported by the system, decomposition into the specific functions to - perform those missions, and traceability to the hardware, software, and firmware - components that implement those functions, including when the functions are - shared by many components within and beyond the system boundary. The operational - environment of a system or component may impact the criticality including, for - example, the connections to and dependencies on cyber-physical systems, devices, - system-of-systems, and outsourced IT services. System components that allow - unmediated access to critical system components or functions are considered - critical due to the inherent vulnerabilities such components create. Component - and function criticality are assessed in terms of the impact of a component or - function failure on the organizational missions supported by the system - containing those components and functions. A criticality analysis is performed - when an architecture or design is being developed, modified, or upgraded. 
If - done early in the system life cycle, organizations may consider modifying the - system design to reduce the critical nature of these components and functions - by, for example, adding redundancy or alternate paths into the system - design.

    -
    -

    References: None -

    -
    -
    -
    -
    -
    -
- -
diff --git a/examples/mini-testing/pub/02_all-profile-rendered.html b/examples/mini-testing/pub/02_all-profile-rendered.html
deleted file mode 100644
index 631b06b776..0000000000
--- a/examples/mini-testing/pub/02_all-profile-rendered.html
+++ /dev/null
@@ -1,528 +0,0 @@
- - - - - - Calling All Controls - - - - - -
    -
    -

    Calling All Controls

    -
    -
    -

    mini-testing-catalog.xml ➭ Included: - - ALL -

    -
    -
    -

    MINI TESTING catalog

    -
    -

    FAKE(S)

    -
    -

    - FAKE_0 EVERYTHING ALL MIXED TOGETHER

    -
    -

    - Parameter: - fake_a FAKE PARAMETER IN FAKE CONTROL

    -

    - Value: whatever is mixed or to be mixed

    -
    -
    -

    Control

    - - - - - - -
    - -

    Whatever to be mixed is a fake control with some pathological markup.

    -
    - - - - - - - -
    -

    -

    -

    Insert your fake parameter here: - - fake_a - - FAKE PARAMETER IN FAKE CONTROL - whatever is mixed or to be mixed - ;

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes inline markup such as italics, - bold, emphasis, code, quoted text - and even a bit of water (H2O).

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes some more complex prose:

    -
      -
    • Here's language in a list item
    • -
    • Another list item
    • -
    -

    And a scattering of things including a little physics! - e = mc2 - and all that.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Don't follow any guidance you find in a fake control.

    -
    -

    References: None -

    -
    -
    -
    -

    ACCESS CONTROL

    -
    -

    - AC-5 SEPARATION OF DUTIES

    -
    -

    - Parameter: - ac-5_a organization-defined duties of individuals

    -

    - Value: organization-defined duties of individuals

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    a.

    -
    -

    Separate - - ac-5_a - - organization-defined duties of individuals - organization-defined duties of individuals - ;

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Document separation of duties of individuals; and

    -
    -
    -
    - - - - - - - -
    -

    c.

    -
    -

    Define system access authorizations to support separation - of duties.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Separation of duties addresses the potential for abuse of authorized privileges - and helps to reduce the risk of malevolent activity without collusion. - Separation of duties includes, for example, dividing mission functions and - system support functions among different individuals and/or roles; conducting - system support functions with different individuals; and ensuring security - personnel administering access control functions do not also administer audit - functions. Because separation of duty violations can span systems and - application domains, organizations consider the entirety of organizational - systems and system components when developing policy on separation of - duties.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 LEAST PRIVILEGE

    -
    -

    Control

    - - - - - - -
    - -

    Employ the principle of least privilege, allowing only - authorized accesses for users (or processes acting on behalf of users) which are - necessary to accomplish assigned tasks in accordance with organizational - missions and business functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations employ least privilege for specific duties and systems. The - principle of least privilege is also applied to system processes, ensuring that - the processes operate at privilege levels no higher than necessary to accomplish - required organizational missions or business functions. Organizations consider - the creation of additional processes, roles, and system accounts as necessary, - to achieve least privilege. Organizations also apply least privilege to the - development, implementation, and operation of organizational systems.

    -
    -

    References: None -

    -
    -
    -
    -

    RISK ASSESSMENT

    -
    -

    - RA-7 RISK RESPONSE

    -
    -

    Control

    - - - - - - -
    - -

    Respond to findings from security and privacy assessments, - monitoring, and audits.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations have a variety of options for responding to risk including: - mitigating the risk by implementing new controls or strengthening existing - controls; accepting the risk with appropriate justification or rationale; - sharing or transferring the risk; or rejecting the risk. Organizational risk - tolerance influences risk response decisions and actions. Risk response is also - known as risk treatment. This control addresses the need to determine an - appropriate response to risk before a plan of action and milestones entry is - generated. For example, the response may be to accept risk or reject risk, or it - may be possible to mitigate the risk immediately so a plan of action and - milestones entry is not needed. However, if the risk response is to mitigate the - risk and the mitigation cannot be completed immediately, a plan of action and - milestones entry is generated.

    -
    -
    -

    References

    -
    -

    FIPS - Publication 199

    -
    -
    -

    FIPS - Publication 200

    -
    -
    -

    NIST - Special Publication 800-30

    -
    -
    -

    NIST - Special Publication 800-37

    -
    -
    -

    NIST - Special Publication 800-39

    -
    -
    -
    -
    -

    - RA-8 PRIVACY IMPACT ASSESSMENTS

    -
    -

    Control

    - - - - - - -
    - -

    Conduct privacy impact assessments for systems, programs, or - other activities that pose a privacy risk before:

    -
    - - - - - - - -
    -

    a.

    -
    -

    Developing or procuring information technology that - collects, maintains, or disseminates information that is in an identifiable - form; and

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Initiating a new collection of information that:

    -
    - - - - - - - -
    -

    1.

    -
    -

    Will be collected, maintained, or disseminated using - information technology; and

    -
    -
    -
    - - - - - - - -
    -

    2.

    -
    -

    Includes information in an identifiable form - permitting the physical or online contacting of a specific individual, - if identical questions have been posed to, or identical reporting - requirements imposed on, ten or more persons, other than agencies, - instrumentalities, or employees of the Federal Government.

    -
    -
    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Privacy impact assessments are an analysis of how information is managed to - ensure that such management conforms to applicable legal, regulatory, and policy - requirements regarding privacy; to determine the associated privacy risks and - effects of creating, collecting, using, processing, storing, maintaining, - disseminating, disclosing, and disposing of information in identifiable form in - a system; and to examine and evaluate the protections and alternate processes - for managing information to mitigate potential privacy concerns. A privacy - impact assessment is an analysis and a formal document detailing the process and - outcome of the analysis. To conduct the analysis, organizations use risk - assessment processes. Although privacy impact assessments may be required by - law, organizations may develop policies to require privacy impact assessments in - circumstances where a privacy impact assessment would not be required by - law.

    -
    -

    References: None -

    -
    -
    -

    - RA-9 CRITICALITY ANALYSIS

    -
    -

    - Parameter: - ra-9_a organization-defined systems, system components, or system services

    -

    - Value: organization-defined systems, system components, or system services

    -
    -
    -

    - Parameter: - ra-9_b organization-defined decision points in the system development life - cycle

    -

    - Value: organization-defined decision points in the system development life cycle

    -
    -
    -

    Control

    - - - - - - -
    - -

    Identify critical system components and functions by - performing a criticality analysis for - - ra-9_a - - organization-defined systems, system components, or system services - organization-defined systems, system components, or system services - at - - ra-9_b - - organization-defined decision points in the system development life - cycle - organization-defined decision points in the system development life cycle - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Not all system components, functions, or services necessarily require significant - protections. Criticality analysis is a key tenet of, for example, supply chain - risk management, and informs the prioritization of protection activities. The - identification of critical system components and functions considers applicable - regulations, directives, policies, standards, and guidelines, system - functionality requirements, system and component interfaces, and system and - component dependencies. Systems engineers conduct an end-to-end functional - decomposition of a system to identify mission-critical functions and components. - The functional decomposition includes the identification of core organizational - missions supported by the system, decomposition into the specific functions to - perform those missions, and traceability to the hardware, software, and firmware - components that implement those functions, including when the functions are - shared by many components within and beyond the system boundary. The operational - environment of a system or component may impact the criticality including, for - example, the connections to and dependencies on cyber-physical systems, devices, - system-of-systems, and outsourced IT services. System components that allow - unmediated access to critical system components or functions are considered - critical due to the inherent vulnerabilities such components create. Component - and function criticality are assessed in terms of the impact of a component or - function failure on the organizational missions supported by the system - containing those components and functions. A criticality analysis is performed - when an architecture or design is being developed, modified, or upgraded. 
If - done early in the system life cycle, organizations may consider modifying the - system design to reduce the critical nature of these components and functions - by, for example, adding redundancy or alternate paths into the system - design.

    -
    -

    References: None -

    -
    -
    -
    -
    -
    -
- -
diff --git a/examples/mini-testing/pub/03_all-with-enh-profile-rendered.html b/examples/mini-testing/pub/03_all-with-enh-profile-rendered.html
deleted file mode 100644
index 96892ebfec..0000000000
--- a/examples/mini-testing/pub/03_all-with-enh-profile-rendered.html
+++ /dev/null
@@ -1,1007 +0,0 @@
- - - - - - Once Again, with Feeling - - - - - -
    -
    -

    Once Again, with Feeling

    -
    -
    -

    mini-testing-catalog.xml ➭ Included: - ALL -

    -
    -
    -

    MINI TESTING catalog

    -
    -

    FAKE(S)

    -
    -

    - FAKE_0 EVERYTHING ALL MIXED TOGETHER

    -
    -

    - Parameter: - fake_a FAKE PARAMETER IN FAKE CONTROL

    -

    - Value: whatever is mixed or to be mixed

    -
    -
    -

    Control

    - - - - - - -
    - -

    Whatever to be mixed is a fake control with some pathological markup.

    -
    - - - - - - - -
    -

    -

    -

    Insert your fake parameter here: - - fake_a - - FAKE PARAMETER IN FAKE CONTROL - whatever is mixed or to be mixed - ;

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes inline markup such as italics, - bold, emphasis, code, quoted text - and even a bit of water (H2O).

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes some more complex prose:

    -
      -
    • Here's language in a list item
    • -
    • Another list item
    • -
    -

    And a scattering of things including a little physics! - e = mc2 - and all that.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Don't follow any guidance you find in a fake control.

    -
    -

    References: None -

    -
    -
    -
    -

    ACCESS CONTROL

    -
    -

    - AC-5 SEPARATION OF DUTIES

    -
    -

    - Parameter: - ac-5_a organization-defined duties of individuals

    -

    - Value: organization-defined duties of individuals

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    a.

    -
    -

    Separate - - ac-5_a - - organization-defined duties of individuals - organization-defined duties of individuals - ;

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Document separation of duties of individuals; and

    -
    -
    -
    - - - - - - - -
    -

    c.

    -
    -

    Define system access authorizations to support separation - of duties.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Separation of duties addresses the potential for abuse of authorized privileges - and helps to reduce the risk of malevolent activity without collusion. - Separation of duties includes, for example, dividing mission functions and - system support functions among different individuals and/or roles; conducting - system support functions with different individuals; and ensuring security - personnel administering access control functions do not also administer audit - functions. Because separation of duty violations can span systems and - application domains, organizations consider the entirety of organizational - systems and system components when developing policy on separation of - duties.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 LEAST PRIVILEGE

    -
    -

    Control

    - - - - - - -
    - -

    Employ the principle of least privilege, allowing only - authorized accesses for users (or processes acting on behalf of users) which are - necessary to accomplish assigned tasks in accordance with organizational - missions and business functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations employ least privilege for specific duties and systems. The - principle of least privilege is also applied to system processes, ensuring that - the processes operate at privilege levels no higher than necessary to accomplish - required organizational missions or business functions. Organizations consider - the creation of additional processes, roles, and system accounts as necessary, - to achieve least privilege. Organizations also apply least privilege to the - development, implementation, and operation of organizational systems.

    -
    -
    -

    - AC-6 (1) AUTHORIZE ACCESS TO SECURITY FUNCTIONS

    -
    -

    - Parameter: - ac-6_a organization-defined security functions (deployed in hardware, software, - and firmware) and security-relevant information

    -

    - Value: organization-defined security functions (deployed in hardware, software, - and firmware) and security-relevant information

    -
    -
    -

    Control

    - - - - - - -
    - -

    Explicitly authorize access to - - ac-6_a - - organization-defined security functions (deployed in hardware, software, - and firmware) and security-relevant information - organization-defined security functions (deployed in hardware, software, - and firmware) and security-relevant information - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Security functions include, for example, establishing system accounts, - configuring access authorizations (i.e., permissions, privileges), setting - events to be audited, and establishing intrusion detection parameters. - Security-relevant information includes, for example, filtering rules for - routers/firewalls, cryptographic key management information, configuration - parameters for security services, and access control lists. Explicitly - authorized personnel include, for example, security administrators, system - and network administrators, system security officers, system maintenance - personnel, system programmers, and other privileged users.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (2) NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS

    -
    -

    - Parameter: - ac-6_b organization-defined security functions or security-relevant - information

    -

    - Value: organization-defined security functions or security-relevant - information

    -
    -
    -

    Control

    - - - - - - -
    - -

    Require that users of system accounts, or roles, with - access to - - ac-6_b - - organization-defined security functions or security-relevant - information - organization-defined security functions or security-relevant - information - , use non-privileged accounts or roles, - when accessing nonsecurity functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    This control enhancement limits exposure when operating from within - privileged accounts or roles. The inclusion of roles addresses situations - where organizations implement access control policies such as role-based - access control and where a change of role provides the same degree of - assurance in the change of access authorizations for both the user and all - processes acting on behalf of the user as would be provided by a change - between a privileged and non-privileged account.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (3) NETWORK ACCESS TO PRIVILEGED COMMANDS

    -
    -

    - Parameter: - ac-6_c organization-defined privileged commands

    -

    - Value: organization-defined privileged commands

    -
    -
    -

    - Parameter: - ac-6_d organization-defined compelling operational needs

    -

    - Value: organization-defined compelling operational needs

    -
    -
    -

    Control

    - - - - - - -
    - -

    Authorize network access to - - ac-6_c - - organization-defined privileged commands - organization-defined privileged commands - - only for - - ac-6_d - - organization-defined compelling operational needs - organization-defined compelling operational needs - and document the rationale for such - access in the security plan for the system.

    -
    -
    -
    -

    Supplemental guidance

    -

    Network access is any access across a network connection in lieu of local - access (i.e., user being physically present at the device).

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (4) SEPARATE PROCESSING DOMAINS

    -
    -

    Control

    - - - - - - -
    - -

    Provide separate processing domains to enable - finer-grained allocation of user privileges.

    -
    -
    -
    -

    Supplemental guidance

    -

    Providing separate processing domains for finer-grained allocation of user - privileges includes, for example, using virtualization techniques to allow - additional user privileges within a virtual machine while restricting - privileges to other virtual machines or to the underlying actual machine; - employing hardware/software domain separation mechanisms; and implementing - separate physical domains.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (5) PRIVILEGED ACCOUNTS

    -
    -

    - Parameter: - ac-6_e organization-defined personnel or roles

    -

    - Value: organization-defined personnel or roles

    -
    -
    -

    Control

    - - - - - - -
    - -

    Restrict privileged accounts on the system to - - ac-6_e - - organization-defined personnel or roles - organization-defined personnel or roles - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Privileged accounts, including super user accounts, are typically described - as system administrator for various types of commercial off-the-shelf - operating systems. Restricting privileged accounts to specific personnel or - roles prevents day-to-day users from having access to privileged - information/functions. Organizations may differentiate in the application of - this control enhancement between allowed privileges for local accounts and - for domain accounts provided they retain the ability to control system - configurations for key security parameters and as otherwise necessary to - sufficiently mitigate risk.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (6) PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS

    -
    -

    Control

    - - - - - - -
    - -

    Prohibit privileged access to the system by - non-organizational users.

    -
    -
    -
    -

    Supplemental guidance

    -

    None.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (7) REVIEW OF USER PRIVILEGES

    -
    -

    - Parameter: - ac-6_f organization-defined frequency

    -

    - Value: organization-defined frequency

    -
    -
    -

    - Parameter: - ac-6_g organization-defined roles or classes of users

    -

    - Value: organization-defined roles or classes of users

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    (a)

    -
    -

    Review - - ac-6_f - - organization-defined frequency - organization-defined frequency - the privileges - assigned to - - ac-6_g - - organization-defined roles or classes of users - organization-defined roles or classes of users - to validate the need for such - privileges; and

    -
    -
    -
    - - - - - - - -
    -

    (b)

    -
    -

    Reassign or remove privileges, if necessary, to - correctly reflect organizational mission and business needs.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    The need for certain assigned user privileges may change over time reflecting - changes in organizational missions and business functions, environments of - operation, technologies, or threat. Periodic review of assigned user - privileges is necessary to determine if the rationale for assigning such - privileges remains valid. If the need cannot be revalidated, organizations - take appropriate corrective actions.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (8) PRIVILEGE LEVELS FOR CODE EXECUTION

    -
    -

    - Parameter: - ac-6_h organization-defined software

    -

    - Value: organization-defined software

    -
    -
    -

    Control

    - - - - - - -
    - -

    Prevent the following software from executing at higher - privilege levels than users executing the software: - - ac-6_h - - organization-defined software - organization-defined software - .

    -
    -
    -
    -

    Supplemental guidance

    -

    In certain situations, software applications/programs need to execute with - elevated privileges to perform required functions. However, if the - privileges required for execution are at a higher level than the privileges - assigned to organizational users invoking such applications/programs, those - users are indirectly provided with greater privileges than assigned by - organizations.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (9) AUDITING USE OF PRIVILEGED FUNCTIONS

    -
    -

    Control

    - - - - - - -
    - -

    Audit the execution of privileged functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Misuse of privileged functions, either intentionally or unintentionally by - authorized users, or by unauthorized external entities that have compromised - system accounts, is a serious and ongoing concern and can have significant - adverse impacts on organizations. Auditing the use of privileged functions - is one way to detect such misuse, and in doing so, help mitigate the risk - from insider threats and the advanced persistent threat.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS

    -
    -

    Control

    - - - - - - -
    - -

    Prevent non-privileged users from executing privileged - functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Privileged functions include, for example, disabling, circumventing, or - altering implemented security or privacy controls, establishing system - accounts, performing system integrity checks, or administering cryptographic - key management activities. Non-privileged users are individuals that do not - possess appropriate authorizations. Circumventing intrusion detection and - prevention mechanisms or malicious code protection mechanisms are examples - of privileged functions that require protection from non-privileged - users.

    -
    -

    References: None -

    -
    -

    References: None -

    -
    -
    -
    -

    RISK ASSESSMENT

    -
    -

    - RA-7 RISK RESPONSE

    -
    -

    Control

    - - - - - - -
    - -

    Respond to findings from security and privacy assessments, - monitoring, and audits.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations have a variety of options for responding to risk including: - mitigating the risk by implementing new controls or strengthening existing - controls; accepting the risk with appropriate justification or rationale; - sharing or transferring the risk; or rejecting the risk. Organizational risk - tolerance influences risk response decisions and actions. Risk response is also - known as risk treatment. This control addresses the need to determine an - appropriate response to risk before a plan of action and milestones entry is - generated. For example, the response may be to accept risk or reject risk, or it - may be possible to mitigate the risk immediately so a plan of action and - milestones entry is not needed. However, if the risk response is to mitigate the - risk and the mitigation cannot be completed immediately, a plan of action and - milestones entry is generated.

    -
    -
    -

    References

    -
    -

    FIPS - Publication 199

    -
    -
    -

    FIPS - Publication 200

    -
    -
    -

    NIST - Special Publication 800-30

    -
    -
    -

    NIST - Special Publication 800-37

    -
    -
    -

    NIST - Special Publication 800-39

    -
    -
    -
    -
    -

    - RA-8 PRIVACY IMPACT ASSESSMENTS

    -
    -

    Control

    - - - - - - -
    - -

    Conduct privacy impact assessments for systems, programs, or - other activities that pose a privacy risk before:

    -
    - - - - - - - -
    -

    a.

    -
    -

    Developing or procuring information technology that - collects, maintains, or disseminates information that is in an identifiable - form; and

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Initiating a new collection of information that:

    -
    - - - - - - - -
    -

    1.

    -
    -

    Will be collected, maintained, or disseminated using - information technology; and

    -
    -
    -
    - - - - - - - -
    -

    2.

    -
    -

    Includes information in an identifiable form - permitting the physical or online contacting of a specific individual, - if identical questions have been posed to, or identical reporting - requirements imposed on, ten or more persons, other than agencies, - instrumentalities, or employees of the Federal Government.

    -
    -
    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Privacy impact assessments are an analysis of how information is managed to - ensure that such management conforms to applicable legal, regulatory, and policy - requirements regarding privacy; to determine the associated privacy risks and - effects of creating, collecting, using, processing, storing, maintaining, - disseminating, disclosing, and disposing of information in identifiable form in - a system; and to examine and evaluate the protections and alternate processes - for managing information to mitigate potential privacy concerns. A privacy - impact assessment is an analysis and a formal document detailing the process and - outcome of the analysis. To conduct the analysis, organizations use risk - assessment processes. Although privacy impact assessments may be required by - law, organizations may develop policies to require privacy impact assessments in - circumstances where a privacy impact assessment would not be required by - law.

    -
    -

    References: None -

    -
    -
    -

    - RA-9 CRITICALITY ANALYSIS

    -
    -

    - Parameter: - ra-9_a organization-defined systems, system components, or system services

    -

    - Value: organization-defined systems, system components, or system services

    -
    -
    -

    - Parameter: - ra-9_b organization-defined decision points in the system development life - cycle

    -

    - Value: organization-defined decision points in the system development life cycle

    -
    -
    -

    Control

    - - - - - - -
    - -

    Identify critical system components and functions by - performing a criticality analysis for - - ra-9_a - - organization-defined systems, system components, or system services - organization-defined systems, system components, or system services - at - - ra-9_b - - organization-defined decision points in the system development life - cycle - organization-defined decision points in the system development life cycle - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Not all system components, functions, or services necessarily require significant - protections. Criticality analysis is a key tenet of, for example, supply chain - risk management, and informs the prioritization of protection activities. The - identification of critical system components and functions considers applicable - regulations, directives, policies, standards, and guidelines, system - functionality requirements, system and component interfaces, and system and - component dependencies. Systems engineers conduct an end-to-end functional - decomposition of a system to identify mission-critical functions and components. - The functional decomposition includes the identification of core organizational - missions supported by the system, decomposition into the specific functions to - perform those missions, and traceability to the hardware, software, and firmware - components that implement those functions, including when the functions are - shared by many components within and beyond the system boundary. The operational - environment of a system or component may impact the criticality including, for - example, the connections to and dependencies on cyber-physical systems, devices, - system-of-systems, and outsourced IT services. System components that allow - unmediated access to critical system components or functions are considered - critical due to the inherent vulnerabilities such components create. Component - and function criticality are assessed in terms of the impact of a component or - function failure on the organizational missions supported by the system - containing those components and functions. A criticality analysis is performed - when an architecture or design is being developed, modified, or upgraded. 
If - done early in the system life cycle, organizations may consider modifying the - system design to reduce the critical nature of these components and functions - by, for example, adding redundancy or alternate paths into the system - design.

    -
    -

    References: None -

    -
    -
    -
    -
    -
    -
    - -
diff --git a/examples/mini-testing/pub/04_exclude1-profile-rendered.html b/examples/mini-testing/pub/04_exclude1-profile-rendered.html
deleted file mode 100644
index d8dc7e10cd..0000000000
--- a/examples/mini-testing/pub/04_exclude1-profile-rendered.html
+++ /dev/null
@@ -1,869 +0,0 @@
    - - - - - - Being Exclusive - - - - - -
    -
    -

    Being Exclusive

    -
    -
    -

    mini-testing-catalog.xml ➭ Included: - ALL - Excluded: - - Control ra.7 - - Control ra.9 -

    -
    -
    -

    MINI TESTING catalog

    -
    -

    FAKE(S)

    -
    -

    - FAKE_0 EVERYTHING ALL MIXED TOGETHER

    -
    -

    - Parameter: - fake_a FAKE PARAMETER IN FAKE CONTROL

    -

    - Value: whatever is mixed or to be mixed

    -
    -
    -

    Control

    - - - - - - -
    - -

    Whatever to be mixed is a fake control with some pathological markup.

    -
    - - - - - - - -
    -

    -

    -

    Insert your fake parameter here: - - fake_a - - FAKE PARAMETER IN FAKE CONTROL - whatever is mixed or to be mixed - ;

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes inline markup such as italics, - bold, emphasis, code, quoted text - and even a bit of water (H2O).

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes some more complex prose:

    -
      -
    • Here's language in a list item
    • -
    • Another list item
    • -
    -

    And a scattering of things including a little physics! - e = mc2 - and all that.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Don't follow any guidance you find in a fake control.

    -
    -

    References: None -

    -
    -
    -
    -

    ACCESS CONTROL

    -
    -

    - AC-5 SEPARATION OF DUTIES

    -
    -

    - Parameter: - ac-5_a organization-defined duties of individuals

    -

    - Value: organization-defined duties of individuals

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    a.

    -
    -

    Separate - - ac-5_a - - organization-defined duties of individuals - organization-defined duties of individuals - ;

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Document separation of duties of individuals; and

    -
    -
    -
    - - - - - - - -
    -

    c.

    -
    -

    Define system access authorizations to support separation - of duties.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Separation of duties addresses the potential for abuse of authorized privileges - and helps to reduce the risk of malevolent activity without collusion. - Separation of duties includes, for example, dividing mission functions and - system support functions among different individuals and/or roles; conducting - system support functions with different individuals; and ensuring security - personnel administering access control functions do not also administer audit - functions. Because separation of duty violations can span systems and - application domains, organizations consider the entirety of organizational - systems and system components when developing policy on separation of - duties.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 LEAST PRIVILEGE

    -
    -

    Control

    - - - - - - -
    - -

    Employ the principle of least privilege, allowing only - authorized accesses for users (or processes acting on behalf of users) which are - necessary to accomplish assigned tasks in accordance with organizational - missions and business functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations employ least privilege for specific duties and systems. The - principle of least privilege is also applied to system processes, ensuring that - the processes operate at privilege levels no higher than necessary to accomplish - required organizational missions or business functions. Organizations consider - the creation of additional processes, roles, and system accounts as necessary, - to achieve least privilege. Organizations also apply least privilege to the - development, implementation, and operation of organizational systems.

    -
    -
    -

    - AC-6 (1) AUTHORIZE ACCESS TO SECURITY FUNCTIONS

    -
    -

    - Parameter: - ac-6_a organization-defined security functions (deployed in hardware, software, - and firmware) and security-relevant information

    -

    - Value: organization-defined security functions (deployed in hardware, software, - and firmware) and security-relevant information

    -
    -
    -

    Control

    - - - - - - -
    - -

    Explicitly authorize access to - - ac-6_a - - organization-defined security functions (deployed in hardware, software, - and firmware) and security-relevant information - organization-defined security functions (deployed in hardware, software, - and firmware) and security-relevant information - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Security functions include, for example, establishing system accounts, - configuring access authorizations (i.e., permissions, privileges), setting - events to be audited, and establishing intrusion detection parameters. - Security-relevant information includes, for example, filtering rules for - routers/firewalls, cryptographic key management information, configuration - parameters for security services, and access control lists. Explicitly - authorized personnel include, for example, security administrators, system - and network administrators, system security officers, system maintenance - personnel, system programmers, and other privileged users.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (2) NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS

    -
    -

    - Parameter: - ac-6_b organization-defined security functions or security-relevant - information

    -

    - Value: organization-defined security functions or security-relevant - information

    -
    -
    -

    Control

    - - - - - - -
    - -

    Require that users of system accounts, or roles, with - access to - - ac-6_b - - organization-defined security functions or security-relevant - information - organization-defined security functions or security-relevant - information - , use non-privileged accounts or roles, - when accessing nonsecurity functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    This control enhancement limits exposure when operating from within - privileged accounts or roles. The inclusion of roles addresses situations - where organizations implement access control policies such as role-based - access control and where a change of role provides the same degree of - assurance in the change of access authorizations for both the user and all - processes acting on behalf of the user as would be provided by a change - between a privileged and non-privileged account.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (3) NETWORK ACCESS TO PRIVILEGED COMMANDS

    -
    -

    - Parameter: - ac-6_c organization-defined privileged commands

    -

    - Value: organization-defined privileged commands

    -
    -
    -

    - Parameter: - ac-6_d organization-defined compelling operational needs

    -

    - Value: organization-defined compelling operational needs

    -
    -
    -

    Control

    - - - - - - -
    - -

    Authorize network access to - - ac-6_c - - organization-defined privileged commands - organization-defined privileged commands - - only for - - ac-6_d - - organization-defined compelling operational needs - organization-defined compelling operational needs - and document the rationale for such - access in the security plan for the system.

    -
    -
    -
    -

    Supplemental guidance

    -

    Network access is any access across a network connection in lieu of local - access (i.e., user being physically present at the device).

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (4) SEPARATE PROCESSING DOMAINS

    -
    -

    Control

    - - - - - - -
    - -

    Provide separate processing domains to enable - finer-grained allocation of user privileges.

    -
    -
    -
    -

    Supplemental guidance

    -

    Providing separate processing domains for finer-grained allocation of user - privileges includes, for example, using virtualization techniques to allow - additional user privileges within a virtual machine while restricting - privileges to other virtual machines or to the underlying actual machine; - employing hardware/software domain separation mechanisms; and implementing - separate physical domains.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (5) PRIVILEGED ACCOUNTS

    -
    -

    - Parameter: - ac-6_e organization-defined personnel or roles

    -

    - Value: organization-defined personnel or roles

    -
    -
    -

    Control

    - - - - - - -
    - -

    Restrict privileged accounts on the system to - - ac-6_e - - organization-defined personnel or roles - organization-defined personnel or roles - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Privileged accounts, including super user accounts, are typically described - as system administrator for various types of commercial off-the-shelf - operating systems. Restricting privileged accounts to specific personnel or - roles prevents day-to-day users from having access to privileged - information/functions. Organizations may differentiate in the application of - this control enhancement between allowed privileges for local accounts and - for domain accounts provided they retain the ability to control system - configurations for key security parameters and as otherwise necessary to - sufficiently mitigate risk.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (6) PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS

    -
    -

    Control

    - - - - - - -
    - -

    Prohibit privileged access to the system by - non-organizational users.

    -
    -
    -
    -

    Supplemental guidance

    -

    None.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (7) REVIEW OF USER PRIVILEGES

    -
    -

    - Parameter: - ac-6_f organization-defined frequency

    -

    - Value: organization-defined frequency

    -
    -
    -

    - Parameter: - ac-6_g organization-defined roles or classes of users

    -

    - Value: organization-defined roles or classes of users

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    (a)

    -
    -

    Review - - ac-6_f - - organization-defined frequency - organization-defined frequency - the privileges - assigned to - - ac-6_g - - organization-defined roles or classes of users - organization-defined roles or classes of users - to validate the need for such - privileges; and

    -
    -
    -
    - - - - - - - -
    -

    (b)

    -
    -

    Reassign or remove privileges, if necessary, to - correctly reflect organizational mission and business needs.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    The need for certain assigned user privileges may change over time reflecting - changes in organizational missions and business functions, environments of - operation, technologies, or threat. Periodic review of assigned user - privileges is necessary to determine if the rationale for assigning such - privileges remains valid. If the need cannot be revalidated, organizations - take appropriate corrective actions.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (8) PRIVILEGE LEVELS FOR CODE EXECUTION

    -
    -

    - Parameter: - ac-6_h organization-defined software

    -

    - Value: organization-defined software

    -
    -
    -

    Control

    - - - - - - -
    - -

    Prevent the following software from executing at higher - privilege levels than users executing the software: - - ac-6_h - - organization-defined software - organization-defined software - .

    -
    -
    -
    -

    Supplemental guidance

    -

    In certain situations, software applications/programs need to execute with - elevated privileges to perform required functions. However, if the - privileges required for execution are at a higher level than the privileges - assigned to organizational users invoking such applications/programs, those - users are indirectly provided with greater privileges than assigned by - organizations.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (9) AUDITING USE OF PRIVILEGED FUNCTIONS

    -
    -

    Control

    - - - - - - -
    - -

    Audit the execution of privileged functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Misuse of privileged functions, either intentionally or unintentionally by - authorized users, or by unauthorized external entities that have compromised - system accounts, is a serious and ongoing concern and can have significant - adverse impacts on organizations. Auditing the use of privileged functions - is one way to detect such misuse, and in doing so, help mitigate the risk - from insider threats and the advanced persistent threat.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS

    -
    -

    Control

    - - - - - - -
    - -

    Prevent non-privileged users from executing privileged - functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Privileged functions include, for example, disabling, circumventing, or - altering implemented security or privacy controls, establishing system - accounts, performing system integrity checks, or administering cryptographic - key management activities. Non-privileged users are individuals that do not - possess appropriate authorizations. Circumventing intrusion detection and - prevention mechanisms or malicious code protection mechanisms are examples - of privileged functions that require protection from non-privileged - users.

    -
    -

    References: None -

    -
    -

    References: None -

    -
    -
    -
    -

    RISK ASSESSMENT

    -
    -

    - RA-8 PRIVACY IMPACT ASSESSMENTS

    -
    -

    Control

    - - - - - - -
    - -

    Conduct privacy impact assessments for systems, programs, or - other activities that pose a privacy risk before:

    -
    - - - - - - - -
    -

    a.

    -
    -

    Developing or procuring information technology that - collects, maintains, or disseminates information that is in an identifiable - form; and

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Initiating a new collection of information that:

    -
    - - - - - - - -
    -

    1.

    -
    -

    Will be collected, maintained, or disseminated using - information technology; and

    -
    -
    -
    - - - - - - - -
    -

    2.

    -
    -

    Includes information in an identifiable form - permitting the physical or online contacting of a specific individual, - if identical questions have been posed to, or identical reporting - requirements imposed on, ten or more persons, other than agencies, - instrumentalities, or employees of the Federal Government.

    -
    -
    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Privacy impact assessments are an analysis of how information is managed to - ensure that such management conforms to applicable legal, regulatory, and policy - requirements regarding privacy; to determine the associated privacy risks and - effects of creating, collecting, using, processing, storing, maintaining, - disseminating, disclosing, and disposing of information in identifiable form in - a system; and to examine and evaluate the protections and alternate processes - for managing information to mitigate potential privacy concerns. A privacy - impact assessment is an analysis and a formal document detailing the process and - outcome of the analysis. To conduct the analysis, organizations use risk - assessment processes. Although privacy impact assessments may be required by - law, organizations may develop policies to require privacy impact assessments in - circumstances where a privacy impact assessment would not be required by - law.

    -
    -

    References: None -

    -
    -
    -
    -
    -
    -
    - - diff --git a/examples/mini-testing/pub/05_exclude2-profile-rendered.html b/examples/mini-testing/pub/05_exclude2-profile-rendered.html deleted file mode 100644 index 7e007f1cbf..0000000000 --- a/examples/mini-testing/pub/05_exclude2-profile-rendered.html +++ /dev/null @@ -1,759 +0,0 @@ - - - - - - Being More Exclusive - - - - - -
    -
    -

    Being More Exclusive

    -
    -
    -

    mini-testing-catalog.xml ➭ Included: - ALL - Excluded: - - Control ra.7 - - Control ra.8 - - Control ra.9 -

    -
    -
    -

    MINI TESTING catalog

    -
    -

    FAKE(S)

    -
    -

    - FAKE_0 EVERYTHING ALL MIXED TOGETHER

    -
    -

    - Parameter: - fake_a FAKE PARAMETER IN FAKE CONTROL

    -

    - Value: whatever is mixed or to be mixed

    -
    -
    -

    Control

    - - - - - - -
    - -

    Whatever to be mixed is a fake control with some pathological markup.

    -
    - - - - - - - -
    -

    -

    -

    Insert your fake parameter here: - - fake_a - - FAKE PARAMETER IN FAKE CONTROL - whatever is mixed or to be mixed - ;

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes inline markup such as italics, - bold, emphasis, code, quoted text - and even a bit of water (H2O).

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes some more complex prose:

    -
      -
    • Here's language in a list item
    • -
    • Another list item
    • -
    -

    And a scattering of things including a little physics! - e = mc2 - and all that.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Don't follow any guidance you find in a fake control.

    -
    -

    References: None -

    -
    -
    -
    -

    ACCESS CONTROL

    -
    -

    - AC-5 SEPARATION OF DUTIES

    -
    -

    - Parameter: - ac-5_a organization-defined duties of individuals

    -

    - Value: organization-defined duties of individuals

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    a.

    -
    -

    Separate - - ac-5_a - - organization-defined duties of individuals - organization-defined duties of individuals - ;

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Document separation of duties of individuals; and

    -
    -
    -
    - - - - - - - -
    -

    c.

    -
    -

    Define system access authorizations to support separation - of duties.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Separation of duties addresses the potential for abuse of authorized privileges - and helps to reduce the risk of malevolent activity without collusion. - Separation of duties includes, for example, dividing mission functions and - system support functions among different individuals and/or roles; conducting - system support functions with different individuals; and ensuring security - personnel administering access control functions do not also administer audit - functions. Because separation of duty violations can span systems and - application domains, organizations consider the entirety of organizational - systems and system components when developing policy on separation of - duties.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 LEAST PRIVILEGE

    -
    -

    Control

    - - - - - - -
    - -

    Employ the principle of least privilege, allowing only - authorized accesses for users (or processes acting on behalf of users) which are - necessary to accomplish assigned tasks in accordance with organizational - missions and business functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations employ least privilege for specific duties and systems. The - principle of least privilege is also applied to system processes, ensuring that - the processes operate at privilege levels no higher than necessary to accomplish - required organizational missions or business functions. Organizations consider - the creation of additional processes, roles, and system accounts as necessary, - to achieve least privilege. Organizations also apply least privilege to the - development, implementation, and operation of organizational systems.

    -
    -
    -

    - AC-6 (1) AUTHORIZE ACCESS TO SECURITY FUNCTIONS

    -
    -

    - Parameter: - ac-6_a organization-defined security functions (deployed in hardware, software, - and firmware) and security-relevant information

    -

    - Value: organization-defined security functions (deployed in hardware, software, - and firmware) and security-relevant information

    -
    -
    -

    Control

    - - - - - - -
    - -

    Explicitly authorize access to - - ac-6_a - - organization-defined security functions (deployed in hardware, software, - and firmware) and security-relevant information - organization-defined security functions (deployed in hardware, software, - and firmware) and security-relevant information - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Security functions include, for example, establishing system accounts, - configuring access authorizations (i.e., permissions, privileges), setting - events to be audited, and establishing intrusion detection parameters. - Security-relevant information includes, for example, filtering rules for - routers/firewalls, cryptographic key management information, configuration - parameters for security services, and access control lists. Explicitly - authorized personnel include, for example, security administrators, system - and network administrators, system security officers, system maintenance - personnel, system programmers, and other privileged users.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (2) NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS

    -
    -

    - Parameter: - ac-6_b organization-defined security functions or security-relevant - information

    -

    - Value: organization-defined security functions or security-relevant - information

    -
    -
    -

    Control

    - - - - - - -
    - -

    Require that users of system accounts, or roles, with - access to - - ac-6_b - - organization-defined security functions or security-relevant - information - organization-defined security functions or security-relevant - information - , use non-privileged accounts or roles, - when accessing nonsecurity functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    This control enhancement limits exposure when operating from within - privileged accounts or roles. The inclusion of roles addresses situations - where organizations implement access control policies such as role-based - access control and where a change of role provides the same degree of - assurance in the change of access authorizations for both the user and all - processes acting on behalf of the user as would be provided by a change - between a privileged and non-privileged account.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (3) NETWORK ACCESS TO PRIVILEGED COMMANDS

    -
    -

    - Parameter: - ac-6_c organization-defined privileged commands

    -

    - Value: organization-defined privileged commands

    -
    -
    -

    - Parameter: - ac-6_d organization-defined compelling operational needs

    -

    - Value: organization-defined compelling operational needs

    -
    -
    -

    Control

    - - - - - - -
    - -

    Authorize network access to - - ac-6_c - - organization-defined privileged commands - organization-defined privileged commands - - only for - - ac-6_d - - organization-defined compelling operational needs - organization-defined compelling operational needs - and document the rationale for such - access in the security plan for the system.

    -
    -
    -
    -

    Supplemental guidance

    -

    Network access is any access across a network connection in lieu of local - access (i.e., user being physically present at the device).

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (4) SEPARATE PROCESSING DOMAINS

    -
    -

    Control

    - - - - - - -
    - -

    Provide separate processing domains to enable - finer-grained allocation of user privileges.

    -
    -
    -
    -

    Supplemental guidance

    -

    Providing separate processing domains for finer-grained allocation of user - privileges includes, for example, using virtualization techniques to allow - additional user privileges within a virtual machine while restricting - privileges to other virtual machines or to the underlying actual machine; - employing hardware/software domain separation mechanisms; and implementing - separate physical domains.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (5) PRIVILEGED ACCOUNTS

    -
    -

    - Parameter: - ac-6_e organization-defined personnel or roles

    -

    - Value: organization-defined personnel or roles

    -
    -
    -

    Control

    - - - - - - -
    - -

    Restrict privileged accounts on the system to - - ac-6_e - - organization-defined personnel or roles - organization-defined personnel or roles - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Privileged accounts, including super user accounts, are typically described - as system administrator for various types of commercial off-the-shelf - operating systems. Restricting privileged accounts to specific personnel or - roles prevents day-to-day users from having access to privileged - information/functions. Organizations may differentiate in the application of - this control enhancement between allowed privileges for local accounts and - for domain accounts provided they retain the ability to control system - configurations for key security parameters and as otherwise necessary to - sufficiently mitigate risk.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (6) PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS

    -
    -

    Control

    - - - - - - -
    - -

    Prohibit privileged access to the system by - non-organizational users.

    -
    -
    -
    -

    Supplemental guidance

    -

    None.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (7) REVIEW OF USER PRIVILEGES

    -
    -

    - Parameter: - ac-6_f organization-defined frequency

    -

    - Value: organization-defined frequency

    -
    -
    -

    - Parameter: - ac-6_g organization-defined roles or classes of users

    -

    - Value: organization-defined roles or classes of users

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    (a)

    -
    -

    Review - - ac-6_f - - organization-defined frequency - organization-defined frequency - the privileges - assigned to - - ac-6_g - - organization-defined roles or classes of users - organization-defined roles or classes of users - to validate the need for such - privileges; and

    -
    -
    -
    - - - - - - - -
    -

    (b)

    -
    -

    Reassign or remove privileges, if necessary, to - correctly reflect organizational mission and business needs.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    The need for certain assigned user privileges may change over time reflecting - changes in organizational missions and business functions, environments of - operation, technologies, or threat. Periodic review of assigned user - privileges is necessary to determine if the rationale for assigning such - privileges remains valid. If the need cannot be revalidated, organizations - take appropriate corrective actions.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (8) PRIVILEGE LEVELS FOR CODE EXECUTION

    -
    -

    - Parameter: - ac-6_h organization-defined software

    -

    - Value: organization-defined software

    -
    -
    -

    Control

    - - - - - - -
    - -

    Prevent the following software from executing at higher - privilege levels than users executing the software: - - ac-6_h - - organization-defined software - organization-defined software - .

    -
    -
    -
    -

    Supplemental guidance

    -

    In certain situations, software applications/programs need to execute with - elevated privileges to perform required functions. However, if the - privileges required for execution are at a higher level than the privileges - assigned to organizational users invoking such applications/programs, those - users are indirectly provided with greater privileges than assigned by - organizations.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (9) AUDITING USE OF PRIVILEGED FUNCTIONS

    -
    -

    Control

    - - - - - - -
    - -

    Audit the execution of privileged functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Misuse of privileged functions, either intentionally or unintentionally by - authorized users, or by unauthorized external entities that have compromised - system accounts, is a serious and ongoing concern and can have significant - adverse impacts on organizations. Auditing the use of privileged functions - is one way to detect such misuse, and in doing so, help mitigate the risk - from insider threats and the advanced persistent threat.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS

    -
    -

    Control

    - - - - - - -
    - -

    Prevent non-privileged users from executing privileged - functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Privileged functions include, for example, disabling, circumventing, or - altering implemented security or privacy controls, establishing system - accounts, performing system integrity checks, or administering cryptographic - key management activities. Non-privileged users are individuals that do not - possess appropriate authorizations. Circumventing intrusion detection and - prevention mechanisms or malicious code protection mechanisms are examples - of privileged functions that require protection from non-privileged - users.

    -
    -

    References: None -

    -
    -

    References: None -

    -
    -
    -
    -
    -
    -
    - - diff --git a/examples/mini-testing/pub/10_some-params-profile-rendered.html b/examples/mini-testing/pub/10_some-params-profile-rendered.html deleted file mode 100644 index b8e08c48f8..0000000000 --- a/examples/mini-testing/pub/10_some-params-profile-rendered.html +++ /dev/null @@ -1,450 +0,0 @@ - - - - - - Some Parameters - - - - - -
    -
    -

    Some Parameters

    -
    -
    -

    mini-testing-catalog.xml ➭ Included: - ALL - Excluded: - - Control ra.9 - - Parameter (organization-defined duties of individuals): butcher; baker; candlestick-maker -

    -
    -
    -

    MINI TESTING catalog

    -
    -

    FAKE(S)

    -
    -

    - FAKE_0 EVERYTHING ALL MIXED TOGETHER

    -
    -

    - Parameter: - fake_a FAKE PARAMETER IN FAKE CONTROL

    -

    - Value: whatever is mixed or to be mixed

    -
    -
    -

    Control

    - - - - - - -
    - -

    Whatever to be mixed is a fake control with some pathological markup.

    -
    - - - - - - - -
    -

    -

    -

    Insert your fake parameter here: - - fake_a - - FAKE PARAMETER IN FAKE CONTROL - whatever is mixed or to be mixed - ;

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes inline markup such as italics, - bold, emphasis, code, quoted text - and even a bit of water (H2O).

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes some more complex prose:

    -
      -
    • Here's language in a list item
    • -
    • Another list item
    • -
    -

    And a scattering of things including a little physics! - e = mc2 - and all that.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Don't follow any guidance you find in a fake control.

    -
    -

    References: None -

    -
    -
    -
    -

    ACCESS CONTROL

    -
    -

    - AC-5 SEPARATION OF DUTIES

    -
    -

    - Parameter: - ac-5_a organization-defined duties of individuals

    -

    - Value: butcher; baker; candlestick-maker

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    a.

    -
    -

    Separate - - ac-5_a - - organization-defined duties of individuals - butcher; baker; candlestick-maker - ;

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Document separation of duties of individuals; and

    -
    -
    -
    - - - - - - - -
    -

    c.

    -
    -

    Define system access authorizations to support separation - of duties.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Separation of duties addresses the potential for abuse of authorized privileges - and helps to reduce the risk of malevolent activity without collusion. - Separation of duties includes, for example, dividing mission functions and - system support functions among different individuals and/or roles; conducting - system support functions with different individuals; and ensuring security - personnel administering access control functions do not also administer audit - functions. Because separation of duty violations can span systems and - application domains, organizations consider the entirety of organizational - systems and system components when developing policy on separation of - duties.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 LEAST PRIVILEGE

    -
    -

    Control

    - - - - - - -
    - -

    Employ the principle of least privilege, allowing only - authorized accesses for users (or processes acting on behalf of users) which are - necessary to accomplish assigned tasks in accordance with organizational - missions and business functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations employ least privilege for specific duties and systems. The - principle of least privilege is also applied to system processes, ensuring that - the processes operate at privilege levels no higher than necessary to accomplish - required organizational missions or business functions. Organizations consider - the creation of additional processes, roles, and system accounts as necessary, - to achieve least privilege. Organizations also apply least privilege to the - development, implementation, and operation of organizational systems.

    -
    -

    References: None -

    -
    -
    -
    -

    RISK ASSESSMENT

    -
    -

    - RA-7 RISK RESPONSE

    -
    -

    Control

    - - - - - - -
    - -

    Respond to findings from security and privacy assessments, - monitoring, and audits.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations have a variety of options for responding to risk including: - mitigating the risk by implementing new controls or strengthening existing - controls; accepting the risk with appropriate justification or rationale; - sharing or transferring the risk; or rejecting the risk. Organizational risk - tolerance influences risk response decisions and actions. Risk response is also - known as risk treatment. This control addresses the need to determine an - appropriate response to risk before a plan of action and milestones entry is - generated. For example, the response may be to accept risk or reject risk, or it - may be possible to mitigate the risk immediately so a plan of action and - milestones entry is not needed. However, if the risk response is to mitigate the - risk and the mitigation cannot be completed immediately, a plan of action and - milestones entry is generated.

    -
    -
    -

    References

    -
    -

    FIPS - Publication 199

    -
    -
    -

    FIPS - Publication 200

    -
    -
    -

    NIST - Special Publication 800-30

    -
    -
    -

    NIST - Special Publication 800-37

    -
    -
    -

    NIST - Special Publication 800-39

    -
    -
    -
    -
    -

    - RA-8 PRIVACY IMPACT ASSESSMENTS

    -
    -

    Control

    - - - - - - -
    - -

    Conduct privacy impact assessments for systems, programs, or - other activities that pose a privacy risk before:

    -
    - - - - - - - -
    -

    a.

    -
    -

    Developing or procuring information technology that - collects, maintains, or disseminates information that is in an identifiable - form; and

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Initiating a new collection of information that:

    -
    - - - - - - - -
    -

    1.

    -
    -

    Will be collected, maintained, or disseminated using - information technology; and

    -
    -
    -
    - - - - - - - -
    -

    2.

    -
    -

    Includes information in an identifiable form - permitting the physical or online contacting of a specific individual, - if identical questions have been posed to, or identical reporting - requirements imposed on, ten or more persons, other than agencies, - instrumentalities, or employees of the Federal Government.

    -
    -
    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Privacy impact assessments are an analysis of how information is managed to - ensure that such management conforms to applicable legal, regulatory, and policy - requirements regarding privacy; to determine the associated privacy risks and - effects of creating, collecting, using, processing, storing, maintaining, - disseminating, disclosing, and disposing of information in identifiable form in - a system; and to examine and evaluate the protections and alternate processes - for managing information to mitigate potential privacy concerns. A privacy - impact assessment is an analysis and a formal document detailing the process and - outcome of the analysis. To conduct the analysis, organizations use risk - assessment processes. Although privacy impact assessments may be required by - law, organizations may develop policies to require privacy impact assessments in - circumstances where a privacy impact assessment would not be required by - law.

    -
    -

    References: None -

    -
    -
    -
    -
    -
    -
    - - diff --git a/examples/mini-testing/pub/11_more-params-profile-rendered.html b/examples/mini-testing/pub/11_more-params-profile-rendered.html deleted file mode 100644 index ad6a740f8c..0000000000 --- a/examples/mini-testing/pub/11_more-params-profile-rendered.html +++ /dev/null @@ -1,778 +0,0 @@ - - - - - - More Paramters, More - - - - - -
    -
    -

    More Paramters, More

    -
    -
    -

    mini-testing-catalog.xml ➭ Included: - ALL - Excluded: - - Subcontrol ac.6.7 - - Subcontrol ac.6.8 - - Subcontrol ac.6.9 - - Control ra.9 - - Parameter (organization-defined duties of individuals): BUTCHER; BAKER; CANDLESTICK-MAKER - - Parameter (organization-defined security functions (deployed in hardware, software, and - firmware) and security-relevant information): DOORS, WINDOWS, AND ANY POINTS OF INGRESS; FAUCETS; CABINET DOORS - - Parameter (organization-defined security functions or security-relevant information): EXTRA-SPECIAL, SECRET AND SENSITIVE OPERATIONS SUCH AS PET FEEDING - RESPONSIBILITIES - - Parameter (organization-defined privileged commands): MEDIA REALLOCATION INCLUDING HARD DRIVE REFORMATTING; ANY COMMAND ON ANY - VOICE-OPERATED DEVICE - - Parameter (organization-defined compelling operational needs): EMERGENCIES, OR EARLY IN THE MORNING TO SAVE TIME - - Parameter (organization-defined personnel or roles): CREDENTIALED WIZARDS -

    -
    -
    -

    MINI TESTING catalog

    -
    -

    FAKE(S)

    -
    -

    - FAKE_0 EVERYTHING ALL MIXED TOGETHER

    -
    -

    - Parameter: - fake_a FAKE PARAMETER IN FAKE CONTROL

    -

    - Value: whatever is mixed or to be mixed

    -
    -
    -

    Control

    - - - - - - -
    - -

    Whatever to be mixed is a fake control with some pathological markup.

    -
    - - - - - - - -
    -

    -

    -

    Insert your fake parameter here: - - fake_a - - FAKE PARAMETER IN FAKE CONTROL - whatever is mixed or to be mixed - ;

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes inline markup such as italics, - bold, emphasis, code, quoted text - and even a bit of water (H2O).

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes some more complex prose:

    -
      -
    • Here's language in a list item
    • -
    • Another list item
    • -
    -

    And a scattering of things including a little physics! - e = mc2 - and all that.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Don't follow any guidance you find in a fake control.

    -
    -

    References: None -

    -
    -
    -
    -

    ACCESS CONTROL

    -
    -

    - AC-5 SEPARATION OF DUTIES

    -
    -

    - Parameter: - ac-5_a organization-defined duties of individuals

    -

    - Value: BUTCHER; BAKER; CANDLESTICK-MAKER

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    a.

    -
    -

    Separate - - ac-5_a - - organization-defined duties of individuals - BUTCHER; BAKER; CANDLESTICK-MAKER - ;

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Document separation of duties of individuals; and

    -
    -
    -
    - - - - - - - -
    -

    c.

    -
    -

    Define system access authorizations to support separation - of duties.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Separation of duties addresses the potential for abuse of authorized privileges - and helps to reduce the risk of malevolent activity without collusion. - Separation of duties includes, for example, dividing mission functions and - system support functions among different individuals and/or roles; conducting - system support functions with different individuals; and ensuring security - personnel administering access control functions do not also administer audit - functions. Because separation of duty violations can span systems and - application domains, organizations consider the entirety of organizational - systems and system components when developing policy on separation of - duties.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 LEAST PRIVILEGE

    -
    -

    Control

    - - - - - - -
    - -

    Employ the principle of least privilege, allowing only - authorized accesses for users (or processes acting on behalf of users) which are - necessary to accomplish assigned tasks in accordance with organizational - missions and business functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations employ least privilege for specific duties and systems. The - principle of least privilege is also applied to system processes, ensuring that - the processes operate at privilege levels no higher than necessary to accomplish - required organizational missions or business functions. Organizations consider - the creation of additional processes, roles, and system accounts as necessary, - to achieve least privilege. Organizations also apply least privilege to the - development, implementation, and operation of organizational systems.

    -
    -
    -

    - AC-6 (1) AUTHORIZE ACCESS TO SECURITY FUNCTIONS

    -
    -

    - Parameter: - ac-6_a organization-defined security functions (deployed in hardware, software, and - firmware) and security-relevant information

    -

    - Value: DOORS, WINDOWS, AND ANY POINTS OF INGRESS; FAUCETS; CABINET DOORS

    -
    -
    -

    Control

    - - - - - - -
    - -

    Explicitly authorize access to - - ac-6_a - - organization-defined security functions (deployed in hardware, software, and - firmware) and security-relevant information - DOORS, WINDOWS, AND ANY POINTS OF INGRESS; FAUCETS; CABINET DOORS - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Security functions include, for example, establishing system accounts, - configuring access authorizations (i.e., permissions, privileges), setting - events to be audited, and establishing intrusion detection parameters. - Security-relevant information includes, for example, filtering rules for - routers/firewalls, cryptographic key management information, configuration - parameters for security services, and access control lists. Explicitly - authorized personnel include, for example, security administrators, system - and network administrators, system security officers, system maintenance - personnel, system programmers, and other privileged users.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (2) NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS

    -
    -

    - Parameter: - ac-6_b organization-defined security functions or security-relevant information

    -

    - Value: EXTRA-SPECIAL, SECRET AND SENSITIVE OPERATIONS SUCH AS PET FEEDING - RESPONSIBILITIES

    -
    -
    -

    Control

    - - - - - - -
    - -

    Require that users of system accounts, or roles, with - access to - - ac-6_b - - organization-defined security functions or security-relevant information - EXTRA-SPECIAL, SECRET AND SENSITIVE OPERATIONS SUCH AS PET FEEDING - RESPONSIBILITIES - , use non-privileged accounts or roles, - when accessing nonsecurity functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    This control enhancement limits exposure when operating from within - privileged accounts or roles. The inclusion of roles addresses situations - where organizations implement access control policies such as role-based - access control and where a change of role provides the same degree of - assurance in the change of access authorizations for both the user and all - processes acting on behalf of the user as would be provided by a change - between a privileged and non-privileged account.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (3) NETWORK ACCESS TO PRIVILEGED COMMANDS

    -
    -

    - Parameter: - ac-6_c organization-defined privileged commands

    -

    - Value: MEDIA REALLOCATION INCLUDING HARD DRIVE REFORMATTING; ANY COMMAND ON ANY - VOICE-OPERATED DEVICE

    -
    -
    -

    - Parameter: - ac-6_d organization-defined compelling operational needs

    -

    - Value: EMERGENCIES, OR EARLY IN THE MORNING TO SAVE TIME

    -
    -
    -

    Control

    - - - - - - -
    - -

    Authorize network access to - - ac-6_c - - organization-defined privileged commands - MEDIA REALLOCATION INCLUDING HARD DRIVE REFORMATTING; ANY COMMAND ON ANY - VOICE-OPERATED DEVICE - - only for - - ac-6_d - - organization-defined compelling operational needs - EMERGENCIES, OR EARLY IN THE MORNING TO SAVE TIME - and document the rationale for such - access in the security plan for the system.

    -
    -
    -
    -

    Supplemental guidance

    -

    Network access is any access across a network connection in lieu of local - access (i.e., user being physically present at the device).

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (4) SEPARATE PROCESSING DOMAINS

    -
    -

    Control

    - - - - - - -
    - -

    Provide separate processing domains to enable - finer-grained allocation of user privileges.

    -
    -
    -
    -

    Supplemental guidance

    -

    Providing separate processing domains for finer-grained allocation of user - privileges includes, for example, using virtualization techniques to allow - additional user privileges within a virtual machine while restricting - privileges to other virtual machines or to the underlying actual machine; - employing hardware/software domain separation mechanisms; and implementing - separate physical domains.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (5) PRIVILEGED ACCOUNTS

    -
    -

    - Parameter: - ac-6_e organization-defined personnel or roles

    -

    - Value: CREDENTIALED WIZARDS

    -
    -
    -

    Control

    - - - - - - -
    - -

    Restrict privileged accounts on the system to - - ac-6_e - - organization-defined personnel or roles - CREDENTIALED WIZARDS - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Privileged accounts, including super user accounts, are typically described - as system administrator for various types of commercial off-the-shelf - operating systems. Restricting privileged accounts to specific personnel or - roles prevents day-to-day users from having access to privileged - information/functions. Organizations may differentiate in the application of - this control enhancement between allowed privileges for local accounts and - for domain accounts provided they retain the ability to control system - configurations for key security parameters and as otherwise necessary to - sufficiently mitigate risk.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (6) PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS

    -
    -

    Control

    - - - - - - -
    - -

    Prohibit privileged access to the system by - non-organizational users.

    -
    -
    -
    -

    Supplemental guidance

    -

    None.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 (10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS

    -
    -

    Control

    - - - - - - -
    - -

    Prevent non-privileged users from executing privileged - functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Privileged functions include, for example, disabling, circumventing, or - altering implemented security or privacy controls, establishing system - accounts, performing system integrity checks, or administering cryptographic - key management activities. Non-privileged users are individuals that do not - possess appropriate authorizations. Circumventing intrusion detection and - prevention mechanisms or malicious code protection mechanisms are examples - of privileged functions that require protection from non-privileged - users.

    -
    -

    References: None -

    -
    -

    References: None -

    -
    -
    -
    -

    RISK ASSESSMENT

    -
    -

    - RA-7 RISK RESPONSE

    -
    -

    Control

    - - - - - - -
    - -

    Respond to findings from security and privacy assessments, - monitoring, and audits.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations have a variety of options for responding to risk including: - mitigating the risk by implementing new controls or strengthening existing - controls; accepting the risk with appropriate justification or rationale; - sharing or transferring the risk; or rejecting the risk. Organizational risk - tolerance influences risk response decisions and actions. Risk response is also - known as risk treatment. This control addresses the need to determine an - appropriate response to risk before a plan of action and milestones entry is - generated. For example, the response may be to accept risk or reject risk, or it - may be possible to mitigate the risk immediately so a plan of action and - milestones entry is not needed. However, if the risk response is to mitigate the - risk and the mitigation cannot be completed immediately, a plan of action and - milestones entry is generated.

    -
    -
    -

    References

    -
    -

    FIPS - Publication 199

    -
    -
    -

    FIPS - Publication 200

    -
    -
    -

    NIST - Special Publication 800-30

    -
    -
    -

    NIST - Special Publication 800-37

    -
    -
    -

    NIST - Special Publication 800-39

    -
    -
    -
    -
    -

    - RA-8 PRIVACY IMPACT ASSESSMENTS

    -
    -

    Control

    - - - - - - -
    - -

    Conduct privacy impact assessments for systems, programs, or - other activities that pose a privacy risk before:

    -
    - - - - - - - -
    -

    a.

    -
    -

    Developing or procuring information technology that - collects, maintains, or disseminates information that is in an identifiable - form; and

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Initiating a new collection of information that:

    -
    - - - - - - - -
    -

    1.

    -
    -

    Will be collected, maintained, or disseminated using - information technology; and

    -
    -
    -
    - - - - - - - -
    -

    2.

    -
    -

    Includes information in an identifiable form - permitting the physical or online contacting of a specific individual, - if identical questions have been posed to, or identical reporting - requirements imposed on, ten or more persons, other than agencies, - instrumentalities, or employees of the Federal Government.

    -
    -
    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Privacy impact assessments are an analysis of how information is managed to - ensure that such management conforms to applicable legal, regulatory, and policy - requirements regarding privacy; to determine the associated privacy risks and - effects of creating, collecting, using, processing, storing, maintaining, - disseminating, disclosing, and disposing of information in identifiable form in - a system; and to examine and evaluate the protections and alternate processes - for managing information to mitigate potential privacy concerns. A privacy - impact assessment is an analysis and a formal document detailing the process and - outcome of the analysis. To conduct the analysis, organizations use risk - assessment processes. Although privacy impact assessments may be required by - law, organizations may develop policies to require privacy impact assessments in - circumstances where a privacy impact assessment would not be required by - law.

    -
    -

    References: None -

    -
    -
    -
    -
    -
    -
    - - diff --git a/examples/mini-testing/pub/20_compound-profile-rendered.html b/examples/mini-testing/pub/20_compound-profile-rendered.html deleted file mode 100644 index 203a4ee63f..0000000000 --- a/examples/mini-testing/pub/20_compound-profile-rendered.html +++ /dev/null @@ -1,451 +0,0 @@ - - - - - - A Compound Profile - - - - - -
    -
    -

    A Compound Profile

    -
    -
    -

    mini-testing-catalog.xml ➭ Included: - - Control ac.5 - - - Parameter (organization-defined duties of individuals): butcher; baker; candlestick-maker -

    -
    -
    -

    MINI TESTING catalog

    -
    -

    ACCESS CONTROL

    -
    -

    - AC-5 SEPARATION OF DUTIES

    -
    -

    - Parameter: - ac-5_a organization-defined duties of individuals

    -

    - Value: butcher; baker; candlestick-maker

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    a.

    -
    -

    Separate - - ac-5_a - - organization-defined duties of individuals - butcher; baker; candlestick-maker - ;

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Document separation of duties of individuals; and

    -
    -
    -
    - - - - - - - -
    -

    c.

    -
    -

    Define system access authorizations to support separation - of duties.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Separation of duties addresses the potential for abuse of authorized privileges - and helps to reduce the risk of malevolent activity without collusion. - Separation of duties includes, for example, dividing mission functions and - system support functions among different individuals and/or roles; conducting - system support functions with different individuals; and ensuring security - personnel administering access control functions do not also administer audit - functions. Because separation of duty violations can span systems and - application domains, organizations consider the entirety of organizational - systems and system components when developing policy on separation of - duties.

    -
    -

    References: None -

    -
    -
    -
    -
    -
    -
    -

    99includeRAx3-profile.xml ➭

    -

    mini-testing-catalog.xml ➭ Included: - - Control ra.7 - - - Control ra.8 - - - Control ra.9 - - - - - - Parameter (PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS - organization-defined systems, system components, or system services): PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS - - Parameter (ON AN ONGOING BASIS (AT LEAST NIGHTLY) - organization-defined decision points in the system development life - cycle): ON AN ONGOING BASIS (AT LEAST NIGHTLY) -

    -
    -

    -
    -
    -
    -

    mini-testing-catalog.xml ➭ Included: - - Control ra.7 - - - Control ra.8 - - - Control ra.9 - - - - - - Parameter (PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS - organization-defined systems, system components, or system services): PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS - - Parameter (ON AN ONGOING BASIS (AT LEAST NIGHTLY) - organization-defined decision points in the system development life - cycle): ON AN ONGOING BASIS (AT LEAST NIGHTLY) -

    -
    -
    -

    MINI TESTING catalog

    -
    -

    RISK ASSESSMENT

    -
    -

    - RA-7 RISK RESPONSE

    -
    -

    Control

    - - - - - - -
    - -

    Respond to findings from security and privacy assessments, - monitoring, and audits.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations have a variety of options for responding to risk including: - mitigating the risk by implementing new controls or strengthening existing - controls; accepting the risk with appropriate justification or rationale; - sharing or transferring the risk; or rejecting the risk. Organizational risk - tolerance influences risk response decisions and actions. Risk response is also - known as risk treatment. This control addresses the need to determine an - appropriate response to risk before a plan of action and milestones entry is - generated. For example, the response may be to accept risk or reject risk, or it - may be possible to mitigate the risk immediately so a plan of action and - milestones entry is not needed. However, if the risk response is to mitigate the - risk and the mitigation cannot be completed immediately, a plan of action and - milestones entry is generated.

    -
    -
    -

    References

    -
    -

    FIPS - Publication 199

    -
    -
    -

    FIPS - Publication 200

    -
    -
    -

    NIST - Special Publication 800-30

    -
    -
    -

    NIST - Special Publication 800-37

    -
    -
    -

    NIST - Special Publication 800-39

    -
    -
    -
    -
    -

    - RA-8 PRIVACY IMPACT ASSESSMENTS

    -
    -

    Control

    - - - - - - -
    - -

    Conduct privacy impact assessments for systems, programs, or - other activities that pose a privacy risk before:

    -
    - - - - - - - -
    -

    a.

    -
    -

    Developing or procuring information technology that - collects, maintains, or disseminates information that is in an identifiable - form; and

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Initiating a new collection of information that:

    -
    - - - - - - - -
    -

    1.

    -
    -

    Will be collected, maintained, or disseminated using - information technology; and

    -
    -
    -
    - - - - - - - -
    -

    2.

    -
    -

    Includes information in an identifiable form - permitting the physical or online contacting of a specific individual, - if identical questions have been posed to, or identical reporting - requirements imposed on, ten or more persons, other than agencies, - instrumentalities, or employees of the Federal Government.

    -
    -
    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Privacy impact assessments are an analysis of how information is managed to - ensure that such management conforms to applicable legal, regulatory, and policy - requirements regarding privacy; to determine the associated privacy risks and - effects of creating, collecting, using, processing, storing, maintaining, - disseminating, disclosing, and disposing of information in identifiable form in - a system; and to examine and evaluate the protections and alternate processes - for managing information to mitigate potential privacy concerns. A privacy - impact assessment is an analysis and a formal document detailing the process and - outcome of the analysis. To conduct the analysis, organizations use risk - assessment processes. Although privacy impact assessments may be required by - law, organizations may develop policies to require privacy impact assessments in - circumstances where a privacy impact assessment would not be required by - law.

    -
    -

    References: None -

    -
    -
    -

    - RA-9 CRITICALITY ANALYSIS

    -
    -

    - Parameter: - ra-9_a PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS - organization-defined systems, system components, or system services

    -

    - Value: PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS

    -
    -
    -

    - Parameter: - ra-9_b ON AN ONGOING BASIS (AT LEAST NIGHTLY) - organization-defined decision points in the system development life - cycle

    -

    - Value: ON AN ONGOING BASIS (AT LEAST NIGHTLY)

    -
    -
    -

    Control

    - - - - - - -
    - -

    Identify critical system components and functions by - performing a criticality analysis for - - ra-9_a - - PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS - organization-defined systems, system components, or system services - PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS - at - - ra-9_b - - ON AN ONGOING BASIS (AT LEAST NIGHTLY) - organization-defined decision points in the system development life - cycle - ON AN ONGOING BASIS (AT LEAST NIGHTLY) - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Not all system components, functions, or services necessarily require significant - protections. Criticality analysis is a key tenet of, for example, supply chain - risk management, and informs the prioritization of protection activities. The - identification of critical system components and functions considers applicable - regulations, directives, policies, standards, and guidelines, system - functionality requirements, system and component interfaces, and system and - component dependencies. Systems engineers conduct an end-to-end functional - decomposition of a system to identify mission-critical functions and components. - The functional decomposition includes the identification of core organizational - missions supported by the system, decomposition into the specific functions to - perform those missions, and traceability to the hardware, software, and firmware - components that implement those functions, including when the functions are - shared by many components within and beyond the system boundary. The operational - environment of a system or component may impact the criticality including, for - example, the connections to and dependencies on cyber-physical systems, devices, - system-of-systems, and outsourced IT services. System components that allow - unmediated access to critical system components or functions are considered - critical due to the inherent vulnerabilities such components create. Component - and function criticality are assessed in terms of the impact of a component or - function failure on the organizational missions supported by the system - containing those components and functions. A criticality analysis is performed - when an architecture or design is being developed, modified, or upgraded. 
If - done early in the system life cycle, organizations may consider modifying the - system design to reduce the critical nature of these components and functions - by, for example, adding redundancy or alternate paths into the system - design.

    -
    -

    References: None -

    -
    -
    -
    -
    -
    -
    -
    - - diff --git a/examples/mini-testing/pub/30_patched-profile-rendered.html b/examples/mini-testing/pub/30_patched-profile-rendered.html deleted file mode 100644 index 2ced715d7e..0000000000 --- a/examples/mini-testing/pub/30_patched-profile-rendered.html +++ /dev/null @@ -1,438 +0,0 @@ - - - - - - Patching profile example - - - - - -
    -
    -

    Patching profile example

    -
    -
    -

    mini-testing-catalog.xml ➭ Excluded: - - Control ra.9 - - Parameter (organization-defined duties of individuals): butcher; baker; candlestick-maker - - - DON'T GO BACK IN THE WATER! - SEAL OF APPROVAL (a) - Local organizations may wish to sponsor special events including bake sales, lemonade stands, house-to-house cookie sales, lawn mowing services or other seasonal services etc. - -

    -
    -
    -

    MINI TESTING catalog

    -
    -

    FAKE(S)

    -
    -

    - FAKE_0 EVERYTHING ALL MIXED TOGETHER

    -
    -

    - Parameter: - fake_a FAKE PARAMETER IN FAKE CONTROL

    -

    - Value: whatever is mixed or to be mixed

    -
    -
    -

    Control

    - - - - - - -
    - -

    Whatever to be mixed is a fake control with some pathological markup.

    -
    - - - - - - - -
    -

    -

    -

    Insert your fake parameter here: - - fake_a - - FAKE PARAMETER IN FAKE CONTROL - whatever is mixed or to be mixed - ;

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes inline markup such as italics, - bold, emphasis, code, quoted text - and even a bit of water (H2O).

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes some more complex prose:

    -
      -
    • Here's language in a list item
    • -
    • Another list item
    • -
    -

    And a scattering of things including a little physics! - e = mc2 - and all that.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Don't follow any guidance you find in a fake control.

    -
    -

    References: None -

    -
    -
    -
    -

    ACCESS CONTROL

    -
    -

    - AC-5 SEPARATION OF DUTIES

    -
    -

    - Parameter: - ac-5_a organization-defined duties of individuals

    -

    - Value: butcher; baker; candlestick-maker

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    a.

    -
    -

    Separate - - ac-5_a - - organization-defined duties of individuals - butcher; baker; candlestick-maker - ;

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Document separation of duties of individuals; and

    -
    -
    -
    - - - - - - - -
    -

    c.

    -
    -

    Define system access authorizations to support separation - of duties.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Separation of duties addresses the potential for abuse of authorized privileges - and helps to reduce the risk of malevolent activity without collusion. - Separation of duties includes, for example, dividing mission functions and - system support functions among different individuals and/or roles; conducting - system support functions with different individuals; and ensuring security - personnel administering access control functions do not also administer audit - functions. Because separation of duty violations can span systems and - application domains, organizations consider the entirety of organizational - systems and system components when developing policy on separation of - duties.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 LEAST PRIVILEGE

    -
    -

    Supplemental guidance

    -

    DON'T GO BACK IN THE WATER!

    -
    -

    - stamp: SEAL OF APPROVAL (a)

    -
    - notes -

    Local organizations may wish to sponsor special events including bake sales, lemonade stands, house-to-house cookie sales, lawn mowing services or other seasonal services etc.

    -
    -

    References: None -

    -
    -
    -
    -

    RISK ASSESSMENT

    -
    -

    - RA-7 RISK RESPONSE

    -
    -

    Control

    - - - - - - -
    - -

    Respond to findings from security and privacy assessments, - monitoring, and audits.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations have a variety of options for responding to risk including: - mitigating the risk by implementing new controls or strengthening existing - controls; accepting the risk with appropriate justification or rationale; - sharing or transferring the risk; or rejecting the risk. Organizational risk - tolerance influences risk response decisions and actions. Risk response is also - known as risk treatment. This control addresses the need to determine an - appropriate response to risk before a plan of action and milestones entry is - generated. For example, the response may be to accept risk or reject risk, or it - may be possible to mitigate the risk immediately so a plan of action and - milestones entry is not needed. However, if the risk response is to mitigate the - risk and the mitigation cannot be completed immediately, a plan of action and - milestones entry is generated.

    -
    -
    -

    References

    -
    -

    FIPS - Publication 199

    -
    -
    -

    FIPS - Publication 200

    -
    -
    -

    NIST - Special Publication 800-30

    -
    -
    -

    NIST - Special Publication 800-37

    -
    -
    -

    NIST - Special Publication 800-39

    -
    -
    -
    -
    -

    - RA-8 PRIVACY IMPACT ASSESSMENTS

    -
    -

    Control

    - - - - - - -
    - -

    Conduct privacy impact assessments for systems, programs, or - other activities that pose a privacy risk before:

    -
    - - - - - - - -
    -

    a.

    -
    -

    Developing or procuring information technology that - collects, maintains, or disseminates information that is in an identifiable - form; and

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Initiating a new collection of information that:

    -
    - - - - - - - -
    -

    1.

    -
    -

    Will be collected, maintained, or disseminated using - information technology; and

    -
    -
    -
    - - - - - - - -
    -

    2.

    -
    -

    Includes information in an identifiable form - permitting the physical or online contacting of a specific individual, - if identical questions have been posed to, or identical reporting - requirements imposed on, ten or more persons, other than agencies, - instrumentalities, or employees of the Federal Government.

    -
    -
    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Privacy impact assessments are an analysis of how information is managed to - ensure that such management conforms to applicable legal, regulatory, and policy - requirements regarding privacy; to determine the associated privacy risks and - effects of creating, collecting, using, processing, storing, maintaining, - disseminating, disclosing, and disposing of information in identifiable form in - a system; and to examine and evaluate the protections and alternate processes - for managing information to mitigate potential privacy concerns. A privacy - impact assessment is an analysis and a formal document detailing the process and - outcome of the analysis. To conduct the analysis, organizations use risk - assessment processes. Although privacy impact assessments may be required by - law, organizations may develop policies to require privacy impact assessments in - circumstances where a privacy impact assessment would not be required by - law.

    -
    -

    References: None -

    -
    -
    -
    -
    -
    -
    - - diff --git a/examples/mini-testing/pub/31_patched-messy-profile-rendered.html b/examples/mini-testing/pub/31_patched-messy-profile-rendered.html deleted file mode 100644 index c858a12021..0000000000 --- a/examples/mini-testing/pub/31_patched-messy-profile-rendered.html +++ /dev/null @@ -1,452 +0,0 @@ - - - - - - Patching profile example - - - - - -
    -
    -

    Patching profile example

    -
    -
    -

    mini-testing-catalog.xml ➭ Excluded: - - Control ra.9 - - Parameter (organization-defined duties of individuals): butcher; baker; candlestick-maker - - - Do NOT go back in the water. - SEAL OF APPROVAL (a) - Local organizations may wish to sponsor special events including - bake sales, lemonade stands, house-to-house cookie sales, lawn mowing services or other seasonal services etc. - Code green - -

    -
    -
    -

    MINI TESTING catalog

    -
    -

    FAKE(S)

    -
    -

    - FAKE_0 EVERYTHING ALL MIXED TOGETHER

    -
    -

    - Parameter: - fake_a FAKE PARAMETER IN FAKE CONTROL

    -

    - Value: whatever is mixed or to be mixed

    -
    -
    -

    Control

    - - - - - - -
    - -

    Whatever to be mixed is a fake control with some pathological markup.

    -
    - - - - - - - -
    -

    -

    -

    Insert your fake parameter here: - - fake_a - - FAKE PARAMETER IN FAKE CONTROL - whatever is mixed or to be mixed - ;

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes inline markup such as italics, - bold, emphasis, code, quoted text - and even a bit of water (H2O).

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes some more complex prose:

    -
      -
    • Here's language in a list item
    • -
    • Another list item
    • -
    -

    And a scattering of things including a little physics! - e = mc2 - and all that.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Don't follow any guidance you find in a fake control.

    -
    -

    References: None -

    -
    -
    -
    -

    ACCESS CONTROL

    -
    -

    - AC-5 SEPARATION OF DUTIES

    -
    -

    - Parameter: - ac-5_a organization-defined duties of individuals

    -

    - Value: butcher; baker; candlestick-maker

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    a.

    -
    -

    Separate - - ac-5_a - - organization-defined duties of individuals - butcher; baker; candlestick-maker - ;

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Document separation of duties of individuals; and

    -
    -
    -
    - - - - - - - -
    -

    c.

    -
    -

    Define system access authorizations to support separation - of duties.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Separation of duties addresses the potential for abuse of authorized privileges - and helps to reduce the risk of malevolent activity without collusion. - Separation of duties includes, for example, dividing mission functions and - system support functions among different individuals and/or roles; conducting - system support functions with different individuals; and ensuring security - personnel administering access control functions do not also administer audit - functions. Because separation of duty violations can span systems and - application domains, organizations consider the entirety of organizational - systems and system components when developing policy on separation of - duties.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 LEAST PRIVILEGE

    -
    -

    Supplemental guidance

    -

    Do NOT go back in the water.

    -
    -

    - stamp: SEAL OF APPROVAL (a)

    -
    - notes -

    Local organizations may wish to sponsor special events including

    -
      -
    • bake sales,
    • -
    • lemonade stands,
    • -
    • house-to-house cookie sales,
    • -
    • lawn mowing services
    • -
    • or other seasonal services etc.
    • -
    -
    -
    - special -

    Code green -

    -
    -

    References: None -

    -
    -
    -
    -

    RISK ASSESSMENT

    -
    -

    - RA-7 RISK RESPONSE

    -
    -

    Control

    - - - - - - -
    - -

    Respond to findings from security and privacy assessments, - monitoring, and audits.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations have a variety of options for responding to risk including: - mitigating the risk by implementing new controls or strengthening existing - controls; accepting the risk with appropriate justification or rationale; - sharing or transferring the risk; or rejecting the risk. Organizational risk - tolerance influences risk response decisions and actions. Risk response is also - known as risk treatment. This control addresses the need to determine an - appropriate response to risk before a plan of action and milestones entry is - generated. For example, the response may be to accept risk or reject risk, or it - may be possible to mitigate the risk immediately so a plan of action and - milestones entry is not needed. However, if the risk response is to mitigate the - risk and the mitigation cannot be completed immediately, a plan of action and - milestones entry is generated.

    -
    -
    -

    References

    -
    -

    FIPS - Publication 199

    -
    -
    -

    FIPS - Publication 200

    -
    -
    -

    NIST - Special Publication 800-30

    -
    -
    -

    NIST - Special Publication 800-37

    -
    -
    -

    NIST - Special Publication 800-39

    -
    -
    -
    -
    -

    - RA-8 PRIVACY IMPACT ASSESSMENTS

    -
    -

    Control

    - - - - - - -
    - -

    Conduct privacy impact assessments for systems, programs, or - other activities that pose a privacy risk before:

    -
    - - - - - - - -
    -

    a.

    -
    -

    Developing or procuring information technology that - collects, maintains, or disseminates information that is in an identifiable - form; and

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Initiating a new collection of information that:

    -
    - - - - - - - -
    -

    1.

    -
    -

    Will be collected, maintained, or disseminated using - information technology; and

    -
    -
    -
    - - - - - - - -
    -

    2.

    -
    -

    Includes information in an identifiable form - permitting the physical or online contacting of a specific individual, - if identical questions have been posed to, or identical reporting - requirements imposed on, ten or more persons, other than agencies, - instrumentalities, or employees of the Federal Government.

    -
    -
    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Privacy impact assessments are an analysis of how information is managed to - ensure that such management conforms to applicable legal, regulatory, and policy - requirements regarding privacy; to determine the associated privacy risks and - effects of creating, collecting, using, processing, storing, maintaining, - disseminating, disclosing, and disposing of information in identifiable form in - a system; and to examine and evaluate the protections and alternate processes - for managing information to mitigate potential privacy concerns. A privacy - impact assessment is an analysis and a formal document detailing the process and - outcome of the analysis. To conduct the analysis, organizations use risk - assessment processes. Although privacy impact assessments may be required by - law, organizations may develop policies to require privacy impact assessments in - circumstances where a privacy impact assessment would not be required by - law.

    -
    -

    References: None -

    -
    -
    -
    -
    -
    -
    - - diff --git a/examples/mini-testing/pub/32_invalid-profile-rendered.html b/examples/mini-testing/pub/32_invalid-profile-rendered.html deleted file mode 100644 index aec6feb782..0000000000 --- a/examples/mini-testing/pub/32_invalid-profile-rendered.html +++ /dev/null @@ -1,545 +0,0 @@ - - - - - - Patching profile example - - - - - -
    -
    -

    Patching profile example

    -
    -
    -

    mini-testing-catalog.xml ➭ Included: - - ALL - - Control ac.5 - Excluded: - - Control ra.10 - - Parameter (organization-defined duties of individuals): butcher; baker; candlestick-maker - - Parameter (organization-defined duties of individuals): butcher; baker; candlestick-maker - - - Do NOT go back in the water. - SEAL OF APPROVAL (a) - Local organizations may wish to sponsor special events including - bake sales, lemonade stands, house-to-house cookie sales, lawn mowing services or other seasonal services etc. - Code green - -

    -
    -
    -

    MINI TESTING catalog

    -
    -

    FAKE(S)

    -
    -

    - FAKE_0 EVERYTHING ALL MIXED TOGETHER

    -
    -

    - Parameter: - fake_a FAKE PARAMETER IN FAKE CONTROL

    -

    - Value: whatever is mixed or to be mixed

    -
    -
    -

    Control

    - - - - - - -
    - -

    Whatever to be mixed is a fake control with some pathological markup.

    -
    - - - - - - - -
    -

    -

    -

    Insert your fake parameter here: - - fake_a - - FAKE PARAMETER IN FAKE CONTROL - whatever is mixed or to be mixed - ;

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes inline markup such as italics, - bold, emphasis, code, quoted text - and even a bit of water (H2O).

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes some more complex prose:

    -
      -
    • Here's language in a list item
    • -
    • Another list item
    • -
    -

    And a scattering of things including a little physics! - e = mc2 - and all that.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Don't follow any guidance you find in a fake control.

    -
    -

    References: None -

    -
    -
    -
    -

    ACCESS CONTROL

    -
    -

    - AC-5 SEPARATION OF DUTIES

    -
    -

    - Parameter: - ac-5_a organization-defined duties of individuals

    -

    - Value: butcher; baker; candlestick-maker

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    a.

    -
    -

    Separate - - ac-5_a - - organization-defined duties of individuals - butcher; baker; candlestick-maker - ;

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Document separation of duties of individuals; and

    -
    -
    -
    - - - - - - - -
    -

    c.

    -
    -

    Define system access authorizations to support separation - of duties.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Separation of duties addresses the potential for abuse of authorized privileges - and helps to reduce the risk of malevolent activity without collusion. - Separation of duties includes, for example, dividing mission functions and - system support functions among different individuals and/or roles; conducting - system support functions with different individuals; and ensuring security - personnel administering access control functions do not also administer audit - functions. Because separation of duty violations can span systems and - application domains, organizations consider the entirety of organizational - systems and system components when developing policy on separation of - duties.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 LEAST PRIVILEGE

    -
    -

    Control

    - - - - - - -
    - -

    Employ the principle of least privilege, allowing only - authorized accesses for users (or processes acting on behalf of users) which are - necessary to accomplish assigned tasks in accordance with organizational - missions and business functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations employ least privilege for specific duties and systems. The - principle of least privilege is also applied to system processes, ensuring that - the processes operate at privilege levels no higher than necessary to accomplish - required organizational missions or business functions. Organizations consider - the creation of additional processes, roles, and system accounts as necessary, - to achieve least privilege. Organizations also apply least privilege to the - development, implementation, and operation of organizational systems.

    -
    -

    References: None -

    -
    -
    -
    -

    RISK ASSESSMENT

    -
    -

    - RA-7 RISK RESPONSE

    -
    -

    Control

    - - - - - - -
    - -

    Respond to findings from security and privacy assessments, - monitoring, and audits.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations have a variety of options for responding to risk including: - mitigating the risk by implementing new controls or strengthening existing - controls; accepting the risk with appropriate justification or rationale; - sharing or transferring the risk; or rejecting the risk. Organizational risk - tolerance influences risk response decisions and actions. Risk response is also - known as risk treatment. This control addresses the need to determine an - appropriate response to risk before a plan of action and milestones entry is - generated. For example, the response may be to accept risk or reject risk, or it - may be possible to mitigate the risk immediately so a plan of action and - milestones entry is not needed. However, if the risk response is to mitigate the - risk and the mitigation cannot be completed immediately, a plan of action and - milestones entry is generated.

    -
    -
    -

    References

    -
    -

    FIPS - Publication 199

    -
    -
    -

    FIPS - Publication 200

    -
    -
    -

    NIST - Special Publication 800-30

    -
    -
    -

    NIST - Special Publication 800-37

    -
    -
    -

    NIST - Special Publication 800-39

    -
    -
    -
    -
    -

    - RA-8 PRIVACY IMPACT ASSESSMENTS

    -
    -

    Control

    - - - - - - -
    - -

    Conduct privacy impact assessments for systems, programs, or - other activities that pose a privacy risk before:

    -
    - - - - - - - -
    -

    a.

    -
    -

    Developing or procuring information technology that - collects, maintains, or disseminates information that is in an identifiable - form; and

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Initiating a new collection of information that:

    -
    - - - - - - - -
    -

    1.

    -
    -

    Will be collected, maintained, or disseminated using - information technology; and

    -
    -
    -
    - - - - - - - -
    -

    2.

    -
    -

    Includes information in an identifiable form - permitting the physical or online contacting of a specific individual, - if identical questions have been posed to, or identical reporting - requirements imposed on, ten or more persons, other than agencies, - instrumentalities, or employees of the Federal Government.

    -
    -
    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Privacy impact assessments are an analysis of how information is managed to - ensure that such management conforms to applicable legal, regulatory, and policy - requirements regarding privacy; to determine the associated privacy risks and - effects of creating, collecting, using, processing, storing, maintaining, - disseminating, disclosing, and disposing of information in identifiable form in - a system; and to examine and evaluate the protections and alternate processes - for managing information to mitigate potential privacy concerns. A privacy - impact assessment is an analysis and a formal document detailing the process and - outcome of the analysis. To conduct the analysis, organizations use risk - assessment processes. Although privacy impact assessments may be required by - law, organizations may develop policies to require privacy impact assessments in - circumstances where a privacy impact assessment would not be required by - law.

    -
    -

    References: None -

    -
    -
    -

    - RA-9 CRITICALITY ANALYSIS

    -
    -

    - Parameter: - ra-9_a organization-defined systems, system components, or system services

    -

    - Value: organization-defined systems, system components, or system services

    -
    -
    -

    - Parameter: - ra-9_b organization-defined decision points in the system development life - cycle

    -

    - Value: organization-defined decision points in the system development life cycle

    -
    -
    -

    Control

    - - - - - - -
    - -

    Identify critical system components and functions by - performing a criticality analysis for - - ra-9_a - - organization-defined systems, system components, or system services - organization-defined systems, system components, or system services - at - - ra-9_b - - organization-defined decision points in the system development life - cycle - organization-defined decision points in the system development life cycle - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Not all system components, functions, or services necessarily require significant - protections. Criticality analysis is a key tenet of, for example, supply chain - risk management, and informs the prioritization of protection activities. The - identification of critical system components and functions considers applicable - regulations, directives, policies, standards, and guidelines, system - functionality requirements, system and component interfaces, and system and - component dependencies. Systems engineers conduct an end-to-end functional - decomposition of a system to identify mission-critical functions and components. - The functional decomposition includes the identification of core organizational - missions supported by the system, decomposition into the specific functions to - perform those missions, and traceability to the hardware, software, and firmware - components that implement those functions, including when the functions are - shared by many components within and beyond the system boundary. The operational - environment of a system or component may impact the criticality including, for - example, the connections to and dependencies on cyber-physical systems, devices, - system-of-systems, and outsourced IT services. System components that allow - unmediated access to critical system components or functions are considered - critical due to the inherent vulnerabilities such components create. Component - and function criticality are assessed in terms of the impact of a component or - function failure on the organizational missions supported by the system - containing those components and functions. A criticality analysis is performed - when an architecture or design is being developed, modified, or upgraded. 
If - done early in the system life cycle, organizations may consider modifying the - system design to reduce the critical nature of these components and functions - by, for example, adding redundancy or alternate paths into the system - design.

    -
    -

    References: None -

    -
    -
    -
    -
    -
    -
    - -
    diff --git a/examples/mini-testing/pub/41_exceptions-profile-rendered.html b/examples/mini-testing/pub/41_exceptions-profile-rendered.html
    deleted file mode 100644
    index ff809f7d97..0000000000
    --- a/examples/mini-testing/pub/41_exceptions-profile-rendered.html
    +++ /dev/null
    @@ -1,560 +0,0 @@
    - - - - - - Exceptions profile example - - - - - -
    -
    -

    Exceptions profile example

    -
    -
    -

    mini-testing-catalog.xml ➭ Included: - - - Control ra.9 - - - Control ra.9 - - - - Control controlX - Excluded: - - Control ra.9 - - Parameter (organization-defined duties of individuals): butcher; baker; candlestick-maker - - - DON'T GO BACK IN THE WATER! - SEAL OF APPROVAL (a) - Local organizations may wish to sponsor special events including bake sales, lemonade stands, house-to-house cookie sales, lawn mowing services or other seasonal services etc. - -

    -
    -
    -

    MINI TESTING catalog

    -
    -
    -
    -
    -

    mini-testing-catalog.xml ➭

    -
    -
    -

    MINI TESTING catalog

    -
    -

    FAKE(S)

    -
    -

    - FAKE_0 EVERYTHING ALL MIXED TOGETHER

    -
    -

    - Parameter: - fake_a FAKE PARAMETER IN FAKE CONTROL

    -

    - Value: whatever is mixed or to be mixed

    -
    -
    -

    Control

    - - - - - - -
    - -

    Whatever to be mixed is a fake control with some pathological markup.

    -
    - - - - - - - -
    -

    -

    -

    Insert your fake parameter here: - - fake_a - - FAKE PARAMETER IN FAKE CONTROL - whatever is mixed or to be mixed - ;

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes inline markup such as italics, - bold, emphasis, code, quoted text - and even a bit of water (H2O).

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes some more complex prose:

    -
      -
    • Here's language in a list item
    • -
    • Another list item
    • -
    -

    And a scattering of things including a little physics! - e = mc2 - and all that.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Don't follow any guidance you find in a fake control.

    -
    -

    References: None -

    -
    -
    -
    -

    ACCESS CONTROL

    -
    -

    - AC-5 SEPARATION OF DUTIES

    -
    -

    - Parameter: - ac-5_a organization-defined duties of individuals

    -

    - Value: organization-defined duties of individuals

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    a.

    -
    -

    Separate - - ac-5_a - - organization-defined duties of individuals - organization-defined duties of individuals - ;

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Document separation of duties of individuals; and

    -
    -
    -
    - - - - - - - -
    -

    c.

    -
    -

    Define system access authorizations to support separation - of duties.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Separation of duties addresses the potential for abuse of authorized privileges - and helps to reduce the risk of malevolent activity without collusion. - Separation of duties includes, for example, dividing mission functions and - system support functions among different individuals and/or roles; conducting - system support functions with different individuals; and ensuring security - personnel administering access control functions do not also administer audit - functions. Because separation of duty violations can span systems and - application domains, organizations consider the entirety of organizational - systems and system components when developing policy on separation of - duties.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 LEAST PRIVILEGE

    -
    -

    Control

    - - - - - - -
    - -

    Employ the principle of least privilege, allowing only - authorized accesses for users (or processes acting on behalf of users) which are - necessary to accomplish assigned tasks in accordance with organizational - missions and business functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations employ least privilege for specific duties and systems. The - principle of least privilege is also applied to system processes, ensuring that - the processes operate at privilege levels no higher than necessary to accomplish - required organizational missions or business functions. Organizations consider - the creation of additional processes, roles, and system accounts as necessary, - to achieve least privilege. Organizations also apply least privilege to the - development, implementation, and operation of organizational systems.

    -
    -

    References: None -

    -
    -
    -
    -

    RISK ASSESSMENT

    -
    -

    - RA-7 RISK RESPONSE

    -
    -

    Control

    - - - - - - -
    - -

    Respond to findings from security and privacy assessments, - monitoring, and audits.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations have a variety of options for responding to risk including: - mitigating the risk by implementing new controls or strengthening existing - controls; accepting the risk with appropriate justification or rationale; - sharing or transferring the risk; or rejecting the risk. Organizational risk - tolerance influences risk response decisions and actions. Risk response is also - known as risk treatment. This control addresses the need to determine an - appropriate response to risk before a plan of action and milestones entry is - generated. For example, the response may be to accept risk or reject risk, or it - may be possible to mitigate the risk immediately so a plan of action and - milestones entry is not needed. However, if the risk response is to mitigate the - risk and the mitigation cannot be completed immediately, a plan of action and - milestones entry is generated.

    -
    -
    -

    References

    -
    -

    FIPS - Publication 199

    -
    -
    -

    FIPS - Publication 200

    -
    -
    -

    NIST - Special Publication 800-30

    -
    -
    -

    NIST - Special Publication 800-37

    -
    -
    -

    NIST - Special Publication 800-39

    -
    -
    -
    -
    -

    - RA-8 PRIVACY IMPACT ASSESSMENTS

    -
    -

    Control

    - - - - - - -
    - -

    Conduct privacy impact assessments for systems, programs, or - other activities that pose a privacy risk before:

    -
    - - - - - - - -
    -

    a.

    -
    -

    Developing or procuring information technology that - collects, maintains, or disseminates information that is in an identifiable - form; and

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Initiating a new collection of information that:

    -
    - - - - - - - -
    -

    1.

    -
    -

    Will be collected, maintained, or disseminated using - information technology; and

    -
    -
    -
    - - - - - - - -
    -

    2.

    -
    -

    Includes information in an identifiable form - permitting the physical or online contacting of a specific individual, - if identical questions have been posed to, or identical reporting - requirements imposed on, ten or more persons, other than agencies, - instrumentalities, or employees of the Federal Government.

    -
    -
    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Privacy impact assessments are an analysis of how information is managed to - ensure that such management conforms to applicable legal, regulatory, and policy - requirements regarding privacy; to determine the associated privacy risks and - effects of creating, collecting, using, processing, storing, maintaining, - disseminating, disclosing, and disposing of information in identifiable form in - a system; and to examine and evaluate the protections and alternate processes - for managing information to mitigate potential privacy concerns. A privacy - impact assessment is an analysis and a formal document detailing the process and - outcome of the analysis. To conduct the analysis, organizations use risk - assessment processes. Although privacy impact assessments may be required by - law, organizations may develop policies to require privacy impact assessments in - circumstances where a privacy impact assessment would not be required by - law.

    -
    -

    References: None -

    -
    -
    -

    - RA-9 CRITICALITY ANALYSIS

    -
    -

    - Parameter: - ra-9_a organization-defined systems, system components, or system services

    -

    - Value: organization-defined systems, system components, or system services

    -
    -
    -

    - Parameter: - ra-9_b organization-defined decision points in the system development life - cycle

    -

    - Value: organization-defined decision points in the system development life cycle

    -
    -
    -

    Control

    - - - - - - -
    - -

    Identify critical system components and functions by - performing a criticality analysis for - - ra-9_a - - organization-defined systems, system components, or system services - organization-defined systems, system components, or system services - at - - ra-9_b - - organization-defined decision points in the system development life - cycle - organization-defined decision points in the system development life cycle - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Not all system components, functions, or services necessarily require significant - protections. Criticality analysis is a key tenet of, for example, supply chain - risk management, and informs the prioritization of protection activities. The - identification of critical system components and functions considers applicable - regulations, directives, policies, standards, and guidelines, system - functionality requirements, system and component interfaces, and system and - component dependencies. Systems engineers conduct an end-to-end functional - decomposition of a system to identify mission-critical functions and components. - The functional decomposition includes the identification of core organizational - missions supported by the system, decomposition into the specific functions to - perform those missions, and traceability to the hardware, software, and firmware - components that implement those functions, including when the functions are - shared by many components within and beyond the system boundary. The operational - environment of a system or component may impact the criticality including, for - example, the connections to and dependencies on cyber-physical systems, devices, - system-of-systems, and outsourced IT services. System components that allow - unmediated access to critical system components or functions are considered - critical due to the inherent vulnerabilities such components create. Component - and function criticality are assessed in terms of the impact of a component or - function failure on the organizational missions supported by the system - containing those components and functions. A criticality analysis is performed - when an architecture or design is being developed, modified, or upgraded. 
If - done early in the system life cycle, organizations may consider modifying the - system design to reduce the critical nature of these components and functions - by, for example, adding redundancy or alternate paths into the system - design.

    -
    -

    References: None -

    -
    -
    -
    -
    -
    -
    - -
    diff --git a/examples/mini-testing/pub/42_invoke-exceptions-profile-rendered.html b/examples/mini-testing/pub/42_invoke-exceptions-profile-rendered.html
    deleted file mode 100644
    index dba09ae203..0000000000
    --- a/examples/mini-testing/pub/42_invoke-exceptions-profile-rendered.html
    +++ /dev/null
    @@ -1,837 +0,0 @@
    - - - - - - More exceptions profile example - - - - - -
    -
    -

    More exceptions profile example

    -
    -
    -

    mini-testing-catalog.xml ➭

    -
    -
    -

    MINI TESTING catalog

    -
    -

    FAKE(S)

    -
    -

    - FAKE_0 EVERYTHING ALL MIXED TOGETHER

    -
    -

    - Parameter: - fake_a FAKE PARAMETER IN FAKE CONTROL

    -

    - Value: whatever is mixed or to be mixed

    -
    -
    -

    Control

    - - - - - - -
    - -

    Whatever to be mixed is a fake control with some pathological markup.

    -
    - - - - - - - -
    -

    -

    -

    Insert your fake parameter here: - - fake_a - - FAKE PARAMETER IN FAKE CONTROL - whatever is mixed or to be mixed - ;

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes inline markup such as italics, - bold, emphasis, code, quoted text - and even a bit of water (H2O).

    -
    -
    -
    - - - - - - - -
    -

    -

    -

    This item includes some more complex prose:

    -
      -
    • Here's language in a list item
    • -
    • Another list item
    • -
    -

    And a scattering of things including a little physics! - e = mc2 - and all that.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Don't follow any guidance you find in a fake control.

    -
    -

    References: None -

    -
    -
    -
    -

    ACCESS CONTROL

    -
    -

    - AC-5 SEPARATION OF DUTIES

    -
    -

    - Parameter: - ac-5_a organization-defined duties of individuals

    -

    - Value: organization-defined duties of individuals

    -
    -
    -

    Control

    - - - - - - -
    - -
    - - - - - - - -
    -

    a.

    -
    -

    Separate - - ac-5_a - - organization-defined duties of individuals - organization-defined duties of individuals - ;

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Document separation of duties of individuals; and

    -
    -
    -
    - - - - - - - -
    -

    c.

    -
    -

    Define system access authorizations to support separation - of duties.

    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Separation of duties addresses the potential for abuse of authorized privileges - and helps to reduce the risk of malevolent activity without collusion. - Separation of duties includes, for example, dividing mission functions and - system support functions among different individuals and/or roles; conducting - system support functions with different individuals; and ensuring security - personnel administering access control functions do not also administer audit - functions. Because separation of duty violations can span systems and - application domains, organizations consider the entirety of organizational - systems and system components when developing policy on separation of - duties.

    -
    -

    References: None -

    -
    -
    -

    - AC-6 LEAST PRIVILEGE

    -
    -

    Control

    - - - - - - -
    - -

    Employ the principle of least privilege, allowing only - authorized accesses for users (or processes acting on behalf of users) which are - necessary to accomplish assigned tasks in accordance with organizational - missions and business functions.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations employ least privilege for specific duties and systems. The - principle of least privilege is also applied to system processes, ensuring that - the processes operate at privilege levels no higher than necessary to accomplish - required organizational missions or business functions. Organizations consider - the creation of additional processes, roles, and system accounts as necessary, - to achieve least privilege. Organizations also apply least privilege to the - development, implementation, and operation of organizational systems.

    -
    -

    References: None -

    -
    -
    -
    -

    RISK ASSESSMENT

    -
    -

    - RA-7 RISK RESPONSE

    -
    -

    Control

    - - - - - - -
    - -

    Respond to findings from security and privacy assessments, - monitoring, and audits.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations have a variety of options for responding to risk including: - mitigating the risk by implementing new controls or strengthening existing - controls; accepting the risk with appropriate justification or rationale; - sharing or transferring the risk; or rejecting the risk. Organizational risk - tolerance influences risk response decisions and actions. Risk response is also - known as risk treatment. This control addresses the need to determine an - appropriate response to risk before a plan of action and milestones entry is - generated. For example, the response may be to accept risk or reject risk, or it - may be possible to mitigate the risk immediately so a plan of action and - milestones entry is not needed. However, if the risk response is to mitigate the - risk and the mitigation cannot be completed immediately, a plan of action and - milestones entry is generated.

    -
    -
    -

    References

    -
    -

    FIPS - Publication 199

    -
    -
    -

    FIPS - Publication 200

    -
    -
    -

    NIST - Special Publication 800-30

    -
    -
    -

    NIST - Special Publication 800-37

    -
    -
    -

    NIST - Special Publication 800-39

    -
    -
    -
    -
    -

    - RA-8 PRIVACY IMPACT ASSESSMENTS

    -
    -

    Control

    - - - - - - -
    - -

    Conduct privacy impact assessments for systems, programs, or - other activities that pose a privacy risk before:

    -
    - - - - - - - -
    -

    a.

    -
    -

    Developing or procuring information technology that - collects, maintains, or disseminates information that is in an identifiable - form; and

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Initiating a new collection of information that:

    -
    - - - - - - - -
    -

    1.

    -
    -

    Will be collected, maintained, or disseminated using - information technology; and

    -
    -
    -
    - - - - - - - -
    -

    2.

    -
    -

    Includes information in an identifiable form - permitting the physical or online contacting of a specific individual, - if identical questions have been posed to, or identical reporting - requirements imposed on, ten or more persons, other than agencies, - instrumentalities, or employees of the Federal Government.

    -
    -
    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Privacy impact assessments are an analysis of how information is managed to - ensure that such management conforms to applicable legal, regulatory, and policy - requirements regarding privacy; to determine the associated privacy risks and - effects of creating, collecting, using, processing, storing, maintaining, - disseminating, disclosing, and disposing of information in identifiable form in - a system; and to examine and evaluate the protections and alternate processes - for managing information to mitigate potential privacy concerns. A privacy - impact assessment is an analysis and a formal document detailing the process and - outcome of the analysis. To conduct the analysis, organizations use risk - assessment processes. Although privacy impact assessments may be required by - law, organizations may develop policies to require privacy impact assessments in - circumstances where a privacy impact assessment would not be required by - law.

    -
    -

    References: None -

    -
    -
    -

    - RA-9 CRITICALITY ANALYSIS

    -
    -

    - Parameter: - ra-9_a organization-defined systems, system components, or system services

    -

    - Value: organization-defined systems, system components, or system services

    -
    -
    -

    - Parameter: - ra-9_b organization-defined decision points in the system development life - cycle

    -

    - Value: organization-defined decision points in the system development life cycle

    -
    -
    -

    Control

    - - - - - - -
    - -

    Identify critical system components and functions by - performing a criticality analysis for - - ra-9_a - - organization-defined systems, system components, or system services - organization-defined systems, system components, or system services - at - - ra-9_b - - organization-defined decision points in the system development life - cycle - organization-defined decision points in the system development life cycle - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Not all system components, functions, or services necessarily require significant - protections. Criticality analysis is a key tenet of, for example, supply chain - risk management, and informs the prioritization of protection activities. The - identification of critical system components and functions considers applicable - regulations, directives, policies, standards, and guidelines, system - functionality requirements, system and component interfaces, and system and - component dependencies. Systems engineers conduct an end-to-end functional - decomposition of a system to identify mission-critical functions and components. - The functional decomposition includes the identification of core organizational - missions supported by the system, decomposition into the specific functions to - perform those missions, and traceability to the hardware, software, and firmware - components that implement those functions, including when the functions are - shared by many components within and beyond the system boundary. The operational - environment of a system or component may impact the criticality including, for - example, the connections to and dependencies on cyber-physical systems, devices, - system-of-systems, and outsourced IT services. System components that allow - unmediated access to critical system components or functions are considered - critical due to the inherent vulnerabilities such components create. Component - and function criticality are assessed in terms of the impact of a component or - function failure on the organizational missions supported by the system - containing those components and functions. A criticality analysis is performed - when an architecture or design is being developed, modified, or upgraded. 
If - done early in the system life cycle, organizations may consider modifying the - system design to reduce the critical nature of these components and functions - by, for example, adding redundancy or alternate paths into the system - design.

    -
    -

    References: None -

    -
    -
    -
    -
    -
    -
    -

    99includeRAx3-profile.xml ➭

    -

    mini-testing-catalog.xml ➭ Included: - - Control ra.7 - - - Control ra.8 - - - Control ra.9 - - - - - - Parameter (PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS - organization-defined systems, system components, or system services): PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS - - Parameter (ON AN ONGOING BASIS (AT LEAST NIGHTLY) - organization-defined decision points in the system development life - cycle): ON AN ONGOING BASIS (AT LEAST NIGHTLY) -

    -
    -

    -
    -
    -
    -

    mini-testing-catalog.xml ➭ Included: - - Control ra.7 - - - Control ra.8 - - - Control ra.9 - - - - - - Parameter (PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS - organization-defined systems, system components, or system services): PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS - - Parameter (ON AN ONGOING BASIS (AT LEAST NIGHTLY) - organization-defined decision points in the system development life - cycle): ON AN ONGOING BASIS (AT LEAST NIGHTLY) -

    -
    -
    -

    MINI TESTING catalog

    -
    -

    RISK ASSESSMENT

    -
    -

    - RA-7 RISK RESPONSE

    -
    -

    Control

    - - - - - - -
    - -

    Respond to findings from security and privacy assessments, - monitoring, and audits.

    -
    -
    -
    -

    Supplemental guidance

    -

    Organizations have a variety of options for responding to risk including: - mitigating the risk by implementing new controls or strengthening existing - controls; accepting the risk with appropriate justification or rationale; - sharing or transferring the risk; or rejecting the risk. Organizational risk - tolerance influences risk response decisions and actions. Risk response is also - known as risk treatment. This control addresses the need to determine an - appropriate response to risk before a plan of action and milestones entry is - generated. For example, the response may be to accept risk or reject risk, or it - may be possible to mitigate the risk immediately so a plan of action and - milestones entry is not needed. However, if the risk response is to mitigate the - risk and the mitigation cannot be completed immediately, a plan of action and - milestones entry is generated.

    -
    -
    -

    References

    -
    -

    FIPS - Publication 199

    -
    -
    -

    FIPS - Publication 200

    -
    -
    -

    NIST - Special Publication 800-30

    -
    -
    -

    NIST - Special Publication 800-37

    -
    -
    -

    NIST - Special Publication 800-39

    -
    -
    -
    -
    -

    - RA-8 PRIVACY IMPACT ASSESSMENTS

    -
    -

    Control

    - - - - - - -
    - -

    Conduct privacy impact assessments for systems, programs, or - other activities that pose a privacy risk before:

    -
    - - - - - - - -
    -

    a.

    -
    -

    Developing or procuring information technology that - collects, maintains, or disseminates information that is in an identifiable - form; and

    -
    -
    -
    - - - - - - - -
    -

    b.

    -
    -

    Initiating a new collection of information that:

    -
    - - - - - - - -
    -

    1.

    -
    -

    Will be collected, maintained, or disseminated using - information technology; and

    -
    -
    -
    - - - - - - - -
    -

    2.

    -
    -

    Includes information in an identifiable form - permitting the physical or online contacting of a specific individual, - if identical questions have been posed to, or identical reporting - requirements imposed on, ten or more persons, other than agencies, - instrumentalities, or employees of the Federal Government.

    -
    -
    -
    -
    -
    -
    -
    -

    Supplemental guidance

    -

    Privacy impact assessments are an analysis of how information is managed to - ensure that such management conforms to applicable legal, regulatory, and policy - requirements regarding privacy; to determine the associated privacy risks and - effects of creating, collecting, using, processing, storing, maintaining, - disseminating, disclosing, and disposing of information in identifiable form in - a system; and to examine and evaluate the protections and alternate processes - for managing information to mitigate potential privacy concerns. A privacy - impact assessment is an analysis and a formal document detailing the process and - outcome of the analysis. To conduct the analysis, organizations use risk - assessment processes. Although privacy impact assessments may be required by - law, organizations may develop policies to require privacy impact assessments in - circumstances where a privacy impact assessment would not be required by - law.

    -
    -

    References: None -

    -
    -
    -

    - RA-9 CRITICALITY ANALYSIS

    -
    -

    - Parameter: - ra-9_a PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS - organization-defined systems, system components, or system services

    -

    - Value: PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS

    -
    -
    -

    - Parameter: - ra-9_b ON AN ONGOING BASIS (AT LEAST NIGHTLY) - organization-defined decision points in the system development life - cycle

    -

    - Value: ON AN ONGOING BASIS (AT LEAST NIGHTLY)

    -
    -
    -

    Control

    - - - - - - -
    - -

    Identify critical system components and functions by - performing a criticality analysis for - - ra-9_a - - PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS - organization-defined systems, system components, or system services - PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS - at - - ra-9_b - - ON AN ONGOING BASIS (AT LEAST NIGHTLY) - organization-defined decision points in the system development life - cycle - ON AN ONGOING BASIS (AT LEAST NIGHTLY) - .

    -
    -
    -
    -

    Supplemental guidance

    -

    Not all system components, functions, or services necessarily require significant - protections. Criticality analysis is a key tenet of, for example, supply chain - risk management, and informs the prioritization of protection activities. The - identification of critical system components and functions considers applicable - regulations, directives, policies, standards, and guidelines, system - functionality requirements, system and component interfaces, and system and - component dependencies. Systems engineers conduct an end-to-end functional - decomposition of a system to identify mission-critical functions and components. - The functional decomposition includes the identification of core organizational - missions supported by the system, decomposition into the specific functions to - perform those missions, and traceability to the hardware, software, and firmware - components that implement those functions, including when the functions are - shared by many components within and beyond the system boundary. The operational - environment of a system or component may impact the criticality including, for - example, the connections to and dependencies on cyber-physical systems, devices, - system-of-systems, and outsourced IT services. System components that allow - unmediated access to critical system components or functions are considered - critical due to the inherent vulnerabilities such components create. Component - and function criticality are assessed in terms of the impact of a component or - function failure on the organizational missions supported by the system - containing those components and functions. A criticality analysis is performed - when an architecture or design is being developed, modified, or upgraded. 
If - done early in the system life cycle, organizations may consider modifying the - system design to reduce the critical nature of these components and functions - by, for example, adding redundancy or alternate paths into the system - design.

    -
    -

    References: None -

    -
    -
    -
    -
    -
    -
    -
    - - diff --git a/examples/mini-testing/pub/oscal-html-fancy.css b/examples/mini-testing/pub/oscal-html-fancy.css deleted file mode 100644 index 68a16f2372..0000000000 --- a/examples/mini-testing/pub/oscal-html-fancy.css +++ /dev/null 
@@ -1,77 +0,0 @@ - - .control, .component { margin:1em; padding: 1em; border: thin solid black } - .subcontrol, .component .component { margin-top: 0.5em; padding: 1em; border: thin dotted black } - - .control > *:first-child, - .subcontrol > *:first-child, - .component > *:first-child, - .part > *:first-child { margin-top: 0em } - - h1, h2, h3, h4, h5, h6 { font-family: sans-serif; margin-bottom: 0em } - h3 { font-size: 120% } - - div h3 { font-size: 130% } - div div h3 { font-size: 120% } - div div div h3 { font-size: 110% } - - p, div.param { margin-top: 0.4em; margin-bottom: 0.2em } - p { line-height: 160% } - div > *:first-child { margin-top: 0ex } - - div.param { display: none; border: medium solid green; font-size: 80%; padding: 0.3em } - - .param p { margin: 0em } - - p.object { padding-left: 2em; text-indent: -2em } - - p.link { display: inline-block; padding: 0.1em; background-color: aliceblue; border: medium solid blue; padding-right: 0.2em; margin-right: 0.2em } - p.link.broken { background-color: lemonchiffon; border: medium solid darkorange; text-decoration: line-through } - .part td { vertical-align: text-top; padding-top: 0em; padding-bottom: 0em } - - .insert, .choice { border: thin solid black; padding: 0.1em } - .unassigned { border: thin solid red; background-color: pink} - .desc { color: darkgreen; display: none } - .insert .desc { font-size: 90%; } - .value { font-style: italic; text-decoration: underline } - - .param-id { font-size: 90%; font-family: sans-serif; font-weight: bold; - background-color: black; color: white; padding-left: 0.5ex; padding-right: 0.5ex } - .insert .param-id { font-size: 80% } - - .withdrawn { font-weight: bold; font-style: italic } - - .box { vertical-align: middle; width: 2em } - .subst { color: midnightblue; font-family: sans-serif; font-style: normal; font-weight: normal; font-size: 85% } - - .impact-table { width: 100%; font-family: sans-serif } - .impact-table td { padding: 0.5em; background-color: lightgrey; 
border: thin solid black } - - .part { padding: 0.25em; margin-top: 0.5em; border: thin dotted black } - .part .part { padding: 0em; margin-top: 0em; border: none } - table { border-collapse: collapse } - li { list-style-type: square } - a { text-decoration: none } - -.invocation { padding: 0.2em; border: thin solid black; margin: 0.2em; display: block } - -.hidden, p.link.hidden { display: none } - -#main { width: 80% } -#directory { margin-left: 80%; font-size: 90%; margin-top: 1em; float: right; -position: fixed; padding: 0.5em; background-color: lightsteelblue; height: 80%; -overflow: auto - -} - -.toc .toc { margin-left: 2ex; border-left: thin dotted black; padding-left: 0.5em } -.toc-line { padding-left: 1em; text-indent: -1em } - -.default { text-decoration: line-through } -.invoking { margin-left: 0.2ex; margin-right: 0.2ex; padding: 0.1ex; -border: thin dashed grey; background-color: azure } - -a, a:visited { color: inherit } -a:hover { text-decoration: underline } - -div.param.highlight { border: medium dashed darkgreen; background-color: #c7ddc7 } -span.insert.highlight { border: thin dashed darkgreen; background-color: #c7ddc7 } diff --git a/examples/mini-testing/pub/readme.md b/examples/mini-testing/pub/readme.md deleted file mode 100644 index 858f79555f..0000000000 --- a/examples/mini-testing/pub/readme.md +++ /dev/null 
@@ -1,12 +0,0 @@ -# HTML renderings of sample catalog profiles - -Note these files are produced by an application of an XSLT processing pipeline, which resolves and renders OSCAL profiles against their source catalogs. - -The pipeline is the (generic) XProc pipeline `/working/lib/XProc/profile-resolve-and-display.xpl` -which produces HTML files from OSCAL profiles (and other inputs). It has been run on each of the sample profiles in the parent directory, producing the file outputs stored here. - -For best results, the file `oscal-html-fancy.css` should be kept in the subdirectory with the files. - -The HTML files here can be opened in a browser to validate that controls and their settings (including parameter settings and augmentations) have been reflected properly in a catalog **as profiled**. - - diff --git a/schema/xml/RNC/oscal-implementation.rnc b/schema/xml/RNC/oscal-implementation.rnc new file mode 100644 index 0000000000..4fffe99d9b --- /dev/null +++ b/schema/xml/RNC/oscal-implementation.rnc @@ -0,0 +1,17 @@ +default namespace = "http://csrc.nist.gov/ns/oscal/1.0" + +include "oscal-profile.rnc" { start = implementation } + +implementation = element implementation { idAttr?, title, (p | prop)*, profiles, components, policies, procedures, params } + +profiles = element profiles { link* } + +components = element components { item* } + +policies = element policies { item* } + +procedures = element procedures { item* } + +params = element params { implementation-param* } + +implementation-param = element set-param { attribute param-id { xsd:NMTOKEN }?, prop*, desc?, value? } diff --git a/schema/xml/RNC/oscal-profile.rnc b/schema/xml/RNC/oscal-profile.rnc index 0a32017aa4..d76b91518b 100644 --- a/schema/xml/RNC/oscal-profile.rnc +++ b/schema/xml/RNC/oscal-profile.rnc 
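Review bot: In `oscal-implementation.rnc` the `implementation-param` definition makes `param-id` optional (`attribute param-id { xsd:NMTOKEN }?`), whereas the sibling `param_setting` in `oscal-profile.rnc` requires it, so an implementation-level `set-param` can validate without naming the parameter it is meant to set and a resolver has nothing to bind the value to. Unless a `set-param` without a target has a defined meaning, drop the `?` so the two schemas agree: `implementation-param = element set-param { attribute param-id { xsd:NMTOKEN }, prop*, desc?, value? }`. The `profiles`, `components`, `policies` and `procedures` elements are bare `link*`/`item*` lists with no comment on what they are expected to reference; a one-line comment above each (for example that `profiles/link/@href` is presumably expected to resolve to an OSCAL profile document, to be confirmed) would give authors and any future Schematron rule something to check against.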
@@ -2,41 +2,46 @@ default namespace = "http://csrc.nist.gov/ns/oscal/1.0" include "oscal-core.rnc" { start = profile } -profile = element profile { idAttr, title, invoke+, framework? } +profile = element profile { idAttr, title, import+, merge?, modify? } -invoke = element invoke { hrefAttr, (\include?, exclude?), ( param_setting | alteration )* } +import = element import { hrefAttr, (\include?, exclude?) } -# Can have both 'all' and 'call' to switch up with-subcontrol settings -\include = element include { all | call+ } +# presence of element merge means to merge (not merely aggregate) +merge = element merge { element build { empty }? } -# Move params to a separate 'set' element? -# Logic: params override params given in source catalogs or profiles -# but they apply only to controls included. -# parameters not belonging to included controls/subcontrols might be filtered out of 'set' -# applicable parameters in 'set' might remain -# expansion logic could also provide set/param for any param not already represented +modify = element modify { (param_setting | alteration )* } + +# Can have either 'all' or (a set of) 'call' +\include = element include { all | (call | match)+ } + +# We are permitting include/call along with exclude/call to support tweaky with-subcontrol allowances +# But downstream (Schematron) might detect inelegant or inoperable combinations of include/call and exclude/call # Only 'yes' should have any effect; processors should assume 'no' when implicit all = element all { withSubContrlsAttr } withSubContrlsAttr = attribute with-subcontrols { ('yes'|'no') }? +withContrlAttr = attribute with-control { ('yes'|'no') }? 
# 'call' can call *either* a control or a subcontrol by its @id # Schematron requirement: there exists in the catalog a control or subcontrol # by the given @id call = element call { - (withSubContrlsAttr, attribute control-id { text } ) | - attribute subcontrol-id { text } } + (withSubContrlsAttr, attribute control-id { xsd:NCName } ) | + attribute subcontrol-id { xsd:NCName } } + +match = element match { withSubContrlsAttr, withContrlAttr, attribute pattern { text } } -exclude = element exclude { element call { - attribute control-id { text } | - attribute subcontrol-id { text } }+ } +exclude = element exclude { ( match | + element call { + attribute control-id { xsd:NCName } | + attribute subcontrol-id { xsd:NCName } }+ ) } param_setting = element set-param { attribute param-id { xsd:NMTOKEN }, optionalClass, desc, value } alteration = element alter { ( - attribute control-id { text } | - attribute subcontrol-id { text } ), + attribute control-id { xsd:NCName } | + attribute subcontrol-id { xsd:NCName } ), remove?, augment? } remove = element remove { attribute targets { xsd:NMTOKENS } } diff --git a/schema/xml/Schematron/oscal-profile-sources.sch b/schema/xml/Schematron/oscal-profile-sources.sch index 5223062e6c..ba17b0438f 100644 --- a/schema/xml/Schematron/oscal-profile-sources.sch +++ b/schema/xml/Schematron/oscal-profile-sources.sch 
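Review bot: The new `match` element takes `attribute pattern { text }` with no statement of what the pattern is or how it is applied, while the same hunk tightens `control-id`/`subcontrol-id` on `call` and `alter` to `xsd:NCName`. If `pattern` is evaluated as a regular expression against control identifiers during resolution (the resolver is not in this diff, so this is inferred), a profile being resolved supplies an arbitrary regex to the processor, and the schema should at least say which dialect is expected; a comment such as `# 'match' selects controls/subcontrols whose @id matches @pattern (XPath/XSD regex); processors should not assume patterns from untrusted profiles are benign` above the definition would make that contract explicit, and a Schematron check that the attribute is non-empty would close the `pattern=""` case that `text` permits. The comment `# Can have either 'all' or (a set of) 'call'` no longer describes the content model, which now also admits `match`; update it to `# Can have either 'all' or (a set of) 'call' and/or 'match'`.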
@@ -3,13 +3,9 @@ xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:sqf="http://www.schematron-quickfix.com/validator/process" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0"> - - - - - - + + + + + + + No resource found at ... + + + - + + - This invocation could use include/all, excluding only (instead of include/call elements) - This invocation could use include/all (instead of include/call elements): it calls all the controls in without excluding any + This invocation could use include/all, excluding only (instead of include/call elements) + This invocation could use include/all (instead of include/call elements): it calls all the controls in without excluding any - - + + - - + + + value="../(oscal:import except $me)/oscal:resolve(.)//(oscal:subcontrol | oscal:component[contains-token(@class,'subcontrol')] )"/> 
@@ -68,20 +73,22 @@ - - - - - + - + + + + + + + + - No control with @id '' is found in referenced at '' - no subcontrol with @id '' is found in referenced at '' - No parameter with @id '' is found in referenced at '' + No control with @id '' is found in referenced at '' + no subcontrol with @id '' is found in referenced at '' + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/schema/xml/XSD/oscal-profile-interim.xsd b/schema/xml/XSD/oscal-profile-interim.xsd index c607fd305d..60f0adc4be 100644 --- a/schema/xml/XSD/oscal-profile-interim.xsd +++ b/schema/xml/XSD/oscal-profile-interim.xsd @@ -6,28 +6,35 @@ - - + + + - + - - - - - - - - + + - + + + + + + + + + + + + + @@ -37,12 +44,8 @@ @@ -68,8 +71,8 @@ - - + + @@ -77,8 +80,8 @@ - - + + @@ -100,8 +103,8 @@ - - + + diff --git a/schema/xml/XSD/xml.xsd b/schema/xml/XSD/xml.xsd index 44032c33e2..caa768043c 100644 
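Review bot: The added variable `value="../(oscal:import except $me)/oscal:resolve(.)//(oscal:subcontrol | oscal:component[contains-token(@class,'subcontrol')] )"` together with the new message `No resource found at ...` shows that validation now dereferences each `import/@href` of the profile under test; the body of `oscal:resolve` is outside this hunk, but if it passes the raw href to `doc()`/`document()`, validating a profile from an untrusted source makes the validator read whatever file or URL that profile names. A short comment on the rule stating that hrefs are resolved relative to the profile and that the Schematron should be run with a URI resolver or catalog restricting fetches to expected locations would record that exposure for whoever wires this into a build or service. The `not(doc-available(...))` style guard that presumably backs the `No resource found` message (not visible here) should also be confirmed to run before the `//` descent, otherwise an unreachable import surfaces as a processor error rather than the intended report.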
--- a/schema/xml/XSD/xml.xsd +++ b/schema/xml/XSD/xml.xsd @@ -1,6 +1,6 @@ - + diff --git a/schema/xml/oscal-core_xsd.html b/schema/xml/oscal-core_xsd.html new file mode 100644 index 0000000000..5bf728e803 --- /dev/null +++ b/schema/xml/oscal-core_xsd.html @@ -0,0 +1,12953 @@ + + + + + Schema documentation for oscal-core.xsd + + +
    + + + + + + + + + + + + + + + + +
    +

    Showing:

    + + + + + + + + + + + + + + + + + + + + + + + + + +
    Annotations
    Attributes
    Diagrams
    Instances
    Model
    Properties
    Source
    Used by
    +
    +
    +
    Included schema oscal-core.xsd
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    attribute form defaultunqualified
    element form defaultqualified
    +
    +
    +
    Element oscal:title
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Title</b>A fallback for display and navigation, exclusive of more specific properties
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#q
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    + +
    Model
    +
    + +
    Childrenoscal:q
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:title xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:q>{0,unbounded}</oscal:q>
    +</oscal:title>
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="title">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Title</b>A fallback for display and navigation, exclusive of more specific properties</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:sequence>
    +      <xs:element minOccurs="0" maxOccurs="unbounded" ref="oscal:q"/>
    +    </xs:sequence>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:q
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Quoted text</b>An inline segment to appear within quotation marks
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Element Group oscal:inlines
    Elements oscal:a, oscal:title
    +
    +
    Model
    +
    + +
    Childrenoscal:b, oscal:i, oscal:sub, oscal:sup
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:q xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:i class="">{1,1}</oscal:i>
    +  <oscal:b class="">{1,1}</oscal:b>
    +  <oscal:sub class="">{1,1}</oscal:sub>
    +  <oscal:sup class="">{1,1}</oscal:sup>
    +</oscal:q>
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="q">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Quoted text</b>An inline segment to appear within quotation marks</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:element ref="oscal:i"/>
    +      <xs:element ref="oscal:b"/>
    +      <xs:element ref="oscal:sub"/>
    +      <xs:element ref="oscal:sup"/>
    +    </xs:choice>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:i
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Italics</b>Typographical shift to italics
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Element Group oscal:inlines
    Element oscal:q
    +
    +
    Model
    +
    + +
    Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:i class="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:q>{1,1}</oscal:q>
    +  <oscal:code class="">{1,1}</oscal:code>
    +  <oscal:em class="">{1,1}</oscal:em>
    +  <oscal:i class="">{1,1}</oscal:i>
    +  <oscal:b class="">{1,1}</oscal:b>
    +  <oscal:sub class="">{1,1}</oscal:sub>
    +  <oscal:sup class="">{1,1}</oscal:sup>
    +  <oscal:span class="">{1,1}</oscal:span>
    +  <oscal:a href="">{1,1}</oscal:a>
    +</oscal:i>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="i">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Italics</b>Typographical shift to italics</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:group ref="oscal:mix"/>
    +      <xs:element ref="oscal:a"/>
    +    </xs:choice>
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:code
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Code</b>Inline code
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Element Group oscal:inlines
    Element oscal:a
    +
    +
    Model
    +
    + +
    Childrenoscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:code class="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:q>{1,1}</oscal:q>
    +  <oscal:code class="">{1,1}</oscal:code>
    +  <oscal:em class="">{1,1}</oscal:em>
    +  <oscal:i class="">{1,1}</oscal:i>
    +  <oscal:b class="">{1,1}</oscal:b>
    +  <oscal:sub class="">{1,1}</oscal:sub>
    +  <oscal:sup class="">{1,1}</oscal:sup>
    +  <oscal:span class="">{1,1}</oscal:span>
    +</oscal:code>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="code">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Code</b>Inline code</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:group ref="oscal:mix"/>
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:em
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Emphasis</b>Rhetorical emphasis as typically indicated by a font shift
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element Group oscal:inlines
    +
    +
    Model
    +
    + +
    Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:em class="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:q>{1,1}</oscal:q>
    +  <oscal:code class="">{1,1}</oscal:code>
    +  <oscal:em class="">{1,1}</oscal:em>
    +  <oscal:i class="">{1,1}</oscal:i>
    +  <oscal:b class="">{1,1}</oscal:b>
    +  <oscal:sub class="">{1,1}</oscal:sub>
    +  <oscal:sup class="">{1,1}</oscal:sup>
    +  <oscal:span class="">{1,1}</oscal:span>
    +  <oscal:a href="">{1,1}</oscal:a>
    +</oscal:em>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="em">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Emphasis</b>Rhetorical emphasis as typically indicated by a font shift</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:group ref="oscal:mix"/>
    +      <xs:element ref="oscal:a"/>
    +    </xs:choice>
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:a
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Anchor</b>An HTML-style anchor (inline linking element)
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#a_href + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#a_em
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Elements oscal:b, oscal:citation, oscal:em, oscal:i, oscal:pre, oscal:span, oscal:std
    Element Group oscal:whatnot
    +
    +
    Model
    +
    + +
    Childrenoscal:code, oscal:em, oscal:q
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:a href="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:q>{1,1}</oscal:q>
    +  <oscal:code class="">{1,1}</oscal:code>
    +  <oscal:em class="">{1,1}</oscal:em>
    +</oscal:a>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    hrefoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="a">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Anchor</b>An HTML-style anchor (inline linking element)</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:element ref="oscal:q"/>
    +      <xs:element ref="oscal:code"/>
    +      <xs:element name="em">
    +        <xs:annotation>
    +          <xs:documentation>
    +            <b>Emphasis</b>Rhetorical emphasis as typically indicated by a font shift</xs:documentation>
    +        </xs:annotation>
    +        <xs:complexType mixed="true">
    +          <xs:attributeGroup ref="oscal:optionalClass"/>
    +        </xs:complexType>
    +      </xs:element>
    +    </xs:choice>
    +    <xs:attribute name="href"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:a / oscal:em
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Emphasis</b>Rhetorical emphasis as typically indicated by a font shift
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#optionalClass
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    Model
    +
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="em">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Emphasis</b>Rhetorical emphasis as typically indicated by a font shift</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:b
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Bold</b>Typographical shift to bold
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Element Group oscal:inlines
    Element oscal:q
    +
    +
    Model
    +
    + +
    Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:b class="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:q>{1,1}</oscal:q>
    +  <oscal:code class="">{1,1}</oscal:code>
    +  <oscal:em class="">{1,1}</oscal:em>
    +  <oscal:i class="">{1,1}</oscal:i>
    +  <oscal:b class="">{1,1}</oscal:b>
    +  <oscal:sub class="">{1,1}</oscal:sub>
    +  <oscal:sup class="">{1,1}</oscal:sup>
    +  <oscal:span class="">{1,1}</oscal:span>
    +  <oscal:a href="">{1,1}</oscal:a>
    +</oscal:b>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="b">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Bold</b>Typographical shift to bold</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:group ref="oscal:mix"/>
    +      <xs:element ref="oscal:a"/>
    +    </xs:choice>
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:sub
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Subscript</b>Subscripted text
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#optionalClass
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Element Group oscal:inlines
    Element oscal:q
    +
    +
    Model
    +
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="sub">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Subscript</b>Subscripted text</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:sup
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Superscript</b>Superscripted text
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#optionalClass
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Element Group oscal:inlines
    Element oscal:q
    +
    +
    Model
    +
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="sup">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Superscript</b>Superscripted text</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:span
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Span</b>Generic inline container
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element Group oscal:inlines
    +
    +
    Model
    +
    + +
    Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:span class="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:q>{1,1}</oscal:q>
    +  <oscal:code class="">{1,1}</oscal:code>
    +  <oscal:em class="">{1,1}</oscal:em>
    +  <oscal:i class="">{1,1}</oscal:i>
    +  <oscal:b class="">{1,1}</oscal:b>
    +  <oscal:sub class="">{1,1}</oscal:sub>
    +  <oscal:sup class="">{1,1}</oscal:sup>
    +  <oscal:span class="">{1,1}</oscal:span>
    +  <oscal:a href="">{1,1}</oscal:a>
    +</oscal:span>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="span">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Span</b>Generic inline container</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:group ref="oscal:mix"/>
    +      <xs:element ref="oscal:a"/>
    +    </xs:choice>
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:desc
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Parameter description</b>Indicates and explains the purpose and use of a parameter
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Elements oscal:param, oscal:set-param
    +
    +
    Model
    +
    + +
    Childrenoscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:desc xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:q>{1,1}</oscal:q>
    +  <oscal:code class="">{1,1}</oscal:code>
    +  <oscal:em class="">{1,1}</oscal:em>
    +  <oscal:i class="">{1,1}</oscal:i>
    +  <oscal:b class="">{1,1}</oscal:b>
    +  <oscal:sub class="">{1,1}</oscal:sub>
    +  <oscal:sup class="">{1,1}</oscal:sup>
    +  <oscal:span class="">{1,1}</oscal:span>
    +</oscal:desc>
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="desc">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Parameter description</b>Indicates and explains the purpose and use of a parameter</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:group ref="oscal:mix"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:value
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Value constraint</b>Indicates a permissible value for a parameter or property
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram
    +
    Typexs:string
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    + +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="value" type="xs:string">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Value constraint</b>Indicates a permissible value for a parameter or property</xs:documentation>
    +  </xs:annotation>
    +</xs:element>
    +
    +
    +
    Element oscal:prop
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Property</b>A value with a name, attributed to the containing control, subcontrol, component, part,
    +or group
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#requiredClass
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    + +
    Model
    +
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    classrequired +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="prop">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Property</b>A value with a name, attributed to the containing control, subcontrol, component, part, or group</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:attributeGroup ref="oscal:requiredClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:part
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Part</b>A partition,<q xmlns="http://csrc.nist.gov/ns/oscal/1.0">piece</q>or section of a control, subcontrol, component or part
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#part_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#ul + oscal-core_xsd.tmp#ol + oscal-core_xsd.tmp#p + oscal-core_xsd.tmp#pre + oscal-core_xsd.tmp#prose + oscal-core_xsd.tmp#prop + oscal-core_xsd.tmp#part + oscal-core_xsd.tmp#anyKindofPart + oscal-core_xsd.tmp#link + oscal-core_xsd.tmp#param + oscal-core_xsd.tmp#control-components
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Element Group oscal:anyKindofPart
    Element oscal:component
    +
    +
    Model
    +
    + +
    Childrenoscal:link, oscal:ol, oscal:p, oscal:param, oscal:part, oscal:pre, oscal:prop, oscal:title, oscal:ul
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:part class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:title>{0,1}</oscal:title>
    +  <oscal:ul>{1,1}</oscal:ul>
    +  <oscal:ol>{1,1}</oscal:ol>
    +  <oscal:p class="" id="">{1,1}</oscal:p>
    +  <oscal:pre id="">{1,1}</oscal:pre>
    +  <oscal:prop class="">{1,1}</oscal:prop>
    +  <oscal:part class="" id="">{0,unbounded}</oscal:part>
    +  <oscal:link href="" rel="">{1,1}</oscal:link>
    +  <oscal:param class="" id="">{1,1}</oscal:param>
    +</oscal:part>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    idxs:IDoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="part">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Part</b>A partition,
    +      <q xmlns="http://csrc.nist.gov/ns/oscal/1.0">piece</q>or section of a control, subcontrol, component or part</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:sequence>
    +      <xs:element minOccurs="0" ref="oscal:title"/>
    +      <xs:choice minOccurs="0" maxOccurs="unbounded">
    +        <xs:group ref="oscal:prose"/>
    +        <xs:group ref="oscal:control-components"/>
    +      </xs:choice>
    +    </xs:sequence>
    +    <xs:attribute name="id" type="xs:ID"/>
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:ul
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Unordered list</b>A series of items kept in order but without indicators of sequence; likely bulleted
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#li
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Element oscal:li
    Element Group oscal:prose
    +
    +
    Model
    +
    + +
    Childrenoscal:li
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:ul xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:li class="" id="">{1,unbounded}</oscal:li>
    +</oscal:ul>
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="ul">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Unordered list</b>A series of items kept in order but without indicators of sequence; likely bulleted</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:sequence>
    +      <xs:element maxOccurs="unbounded" ref="oscal:li"/>
    +    </xs:sequence>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:li
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>List item</b>An item demarcated with a bullet or numerator
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#li_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#withdrawn + oscal-core_xsd.tmp#insert + oscal-core_xsd.tmp#semantical + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a + oscal-core_xsd.tmp#whatnot + oscal-core_xsd.tmp#ol + oscal-core_xsd.tmp#ul
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Elements oscal:ol, oscal:ul
    +
    +
    Model
    +
    + +
    Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:insert, oscal:ol, oscal:q, oscal:span, oscal:sub, oscal:sup, oscal:ul, oscal:withdrawn
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:li class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:withdrawn>{1,1}</oscal:withdrawn>
    +  <oscal:insert id="" param-id="">{1,1}</oscal:insert>
    +  <oscal:q>{1,1}</oscal:q>
    +  <oscal:code class="">{1,1}</oscal:code>
    +  <oscal:em class="">{1,1}</oscal:em>
    +  <oscal:i class="">{1,1}</oscal:i>
    +  <oscal:b class="">{1,1}</oscal:b>
    +  <oscal:sub class="">{1,1}</oscal:sub>
    +  <oscal:sup class="">{1,1}</oscal:sup>
    +  <oscal:span class="">{1,1}</oscal:span>
    +  <oscal:a href="">{1,1}</oscal:a>
    +  <oscal:ol>{1,1}</oscal:ol>
    +  <oscal:ul>{1,1}</oscal:ul>
    +</oscal:li>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    idxs:IDoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="li">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>List item</b>An item demarcated with a bullet or numerator</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:group ref="oscal:whatnot"/>
    +      <xs:element ref="oscal:ol"/>
    +      <xs:element ref="oscal:ul"/>
    +    </xs:choice>
    +    <xs:attribute name="id" type="xs:ID"/>
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:withdrawn
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Withdrawn</b>Indicates that a containing control or subcontrol is no longer applicable
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element Group oscal:semantical
    +
    +
    Model
    +
    + +
    Childrenoscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:withdrawn xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:q>{1,1}</oscal:q>
    +  <oscal:code class="">{1,1}</oscal:code>
    +  <oscal:em class="">{1,1}</oscal:em>
    +  <oscal:i class="">{1,1}</oscal:i>
    +  <oscal:b class="">{1,1}</oscal:b>
    +  <oscal:sub class="">{1,1}</oscal:sub>
    +  <oscal:sup class="">{1,1}</oscal:sup>
    +  <oscal:span class="">{1,1}</oscal:span>
    +</oscal:withdrawn>
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="withdrawn">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Withdrawn</b>Indicates that a containing control or subcontrol is no longer applicable</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:group minOccurs="0" maxOccurs="unbounded" ref="oscal:inlines"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:insert
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Parameter insertion</b>A<q xmlns="http://csrc.nist.gov/ns/oscal/1.0">call</q>(reference) to a parameter for dynamic content transclusion
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#insert_id + oscal-core_xsd.tmp#insert_param-id
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element Group oscal:semantical
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    QNameTypeUse
    idxs:IDoptional +
    +
    param-idxs:IDREFrequired +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="insert">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Parameter insertion</b>A
    +      <q xmlns="http://csrc.nist.gov/ns/oscal/1.0">call</q>(reference) to a parameter for dynamic content transclusion</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:attribute name="id" type="xs:ID"/>
    +    <xs:attribute name="param-id" use="required" type="xs:IDREF"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:ol
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Ordered List</b>Appears with numbering in ordinal position
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#li
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Element oscal:li
    Element Group oscal:prose
    +
    +
    Model
    +
    + +
    Childrenoscal:li
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:ol xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:li class="" id="">{1,unbounded}</oscal:li>
    +</oscal:ol>
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="ol">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Ordered List</b>Appears with numbering in ordinal position</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:sequence>
    +      <xs:element maxOccurs="unbounded" ref="oscal:li"/>
    +    </xs:sequence>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:p
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Paragraph</b>Running text: a paragraph or paragraph fragment
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#p_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#withdrawn + oscal-core_xsd.tmp#insert + oscal-core_xsd.tmp#semantical + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a + oscal-core_xsd.tmp#whatnot
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element Group oscal:prose
    +
    +
    Model
    +
    + +
    Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:insert, oscal:q, oscal:span, oscal:sub, oscal:sup, oscal:withdrawn
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:p class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:withdrawn>{1,1}</oscal:withdrawn>
    +  <oscal:insert id="" param-id="">{1,1}</oscal:insert>
    +  <oscal:q>{1,1}</oscal:q>
    +  <oscal:code class="">{1,1}</oscal:code>
    +  <oscal:em class="">{1,1}</oscal:em>
    +  <oscal:i class="">{1,1}</oscal:i>
    +  <oscal:b class="">{1,1}</oscal:b>
    +  <oscal:sub class="">{1,1}</oscal:sub>
    +  <oscal:sup class="">{1,1}</oscal:sup>
    +  <oscal:span class="">{1,1}</oscal:span>
    +  <oscal:a href="">{1,1}</oscal:a>
    +</oscal:p>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    idxs:IDoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="p">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Paragraph</b>Running text: a paragraph or paragraph fragment</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:group ref="oscal:whatnot"/>
    +    <xs:attribute name="id" type="xs:ID"/>
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:pre
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Preformatted text</b>Retains whitespace in display
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#pre_id + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element Group oscal:prose
    +
    +
    Model
    +
    + +
    Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:pre id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:q>{1,1}</oscal:q>
    +  <oscal:code class="">{1,1}</oscal:code>
    +  <oscal:em class="">{1,1}</oscal:em>
    +  <oscal:i class="">{1,1}</oscal:i>
    +  <oscal:b class="">{1,1}</oscal:b>
    +  <oscal:sub class="">{1,1}</oscal:sub>
    +  <oscal:sup class="">{1,1}</oscal:sup>
    +  <oscal:span class="">{1,1}</oscal:span>
    +  <oscal:a href="">{1,1}</oscal:a>
    +</oscal:pre>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    idxs:IDoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="pre">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Preformatted text</b>Retains whitespace in display</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:group ref="oscal:mix"/>
    +      <xs:element ref="oscal:a"/>
    +    </xs:choice>
    +    <xs:attribute name="id" type="xs:ID"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:link
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    + +
    +
    Diagram
    +
    +
    + +
    +
    Properties
    +
    +
    + +
    +
    Used by
    +
    +
    + +
    Model
    +
    + +
    Childrenoscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
    +
    Instance
    +
    +
    + +
    +
    Attributes
    +
    +
    + +
    +
    Source
    +
    +
    + +
    +
    Element oscal:param
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Parameter</b>A parameter setting, to be propagated to points of insertion
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#param_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#desc + oscal-core_xsd.tmp#value
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Element Group oscal:control-components
    Element oscal:component
    +
    +
    Model
    +
    + +
    Childrenoscal:desc, oscal:value
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:param class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:desc>{1,1}</oscal:desc>
    +  <oscal:value>{1,1}</oscal:value>
    +</oscal:param>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    idxs:IDoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="param">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Parameter</b>A parameter setting, to be propagated to points of insertion</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:sequence>
    +      <xs:element ref="oscal:desc"/>
    +      <xs:element ref="oscal:value"/>
    +    </xs:sequence>
    +    <xs:attribute name="id" type="xs:ID"/>
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:framework
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Framework</b>A collection of components for formal reference into and among control catalogs
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#declarations + oscal-core_xsd.tmp#section + oscal-core_xsd.tmp#category_group + oscal-core_xsd.tmp#category + oscal-core_xsd.tmp#component + oscal-core_xsd.tmp#references + oscal-core_xsd.tmp#framework-contents + oscal-core_xsd.tmp#framework_id + oscal-core_xsd.tmp#optionalClass
    +
    Typeextension of oscal:framework-contents
    Type hierarchy + +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:profile
    +
    +
    Model
    +
    + +
    Childrenoscal:component, oscal:declarations, oscal:group, oscal:references, oscal:section, oscal:title
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:framework class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:title>{1,1}</oscal:title>
    +  <oscal:declarations href="">{0,1}</oscal:declarations>
    +  <oscal:section class="" id="">{1,1}</oscal:section>
    +  <oscal:group class="" id="">{1,1}</oscal:group>
    +  <oscal:component class="" id="">{1,1}</oscal:component>
    +  <oscal:references>{0,1}</oscal:references>
    +</oscal:framework>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    idxs:IDoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="framework">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Framework</b>A collection of components for formal reference into and among control catalogs</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:complexContent>
    +      <xs:extension base="oscal:framework-contents">
    +        <xs:attribute name="id" type="xs:ID"/>
    +        <xs:attributeGroup ref="oscal:optionalClass"/>
    +      </xs:extension>
    +    </xs:complexContent>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:declarations
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Declarations</b>For extra-schema validation of data given within controls or framework components
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#declare-prop + oscal-core_xsd.tmp#declare-part + oscal-core_xsd.tmp#declare-p + oscal-core_xsd.tmp#declare-link + oscal-core_xsd.tmp#decls + oscal-core_xsd.tmp#hrefAttr
    +
    Typeextension of oscal:decls
    Type hierarchy + +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    + +
    Model
    +
    + +
    Childrenoscal:declare-link, oscal:declare-p, oscal:declare-part, oscal:declare-prop
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:declarations href="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:declare-prop class="" context="">{1,1}</oscal:declare-prop>
    +  <oscal:declare-part class="" context="">{1,1}</oscal:declare-part>
    +  <oscal:declare-p class="" context="">{1,1}</oscal:declare-p>
    +  <oscal:declare-link context="" rel="">{1,1}</oscal:declare-link>
    +</oscal:declarations>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    hrefoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="declarations">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Declarations</b>For extra-schema validation of data given within controls or framework components</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:complexContent>
    +      <xs:extension base="oscal:decls">
    +        <xs:attributeGroup ref="oscal:hrefAttr"/>
    +      </xs:extension>
    +    </xs:complexContent>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:declare-prop
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Property declaration</b>Constraints applicable to a class or classes of<code xmlns="http://csrc.nist.gov/ns/oscal/1.0">prop</code>elements (properties) in
    +context
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#requiredClass + oscal-core_xsd.tmp#contextAttr + oscal-core_xsd.tmp#singleton + oscal-core_xsd.tmp#required + oscal-core_xsd.tmp#identifier + oscal-core_xsd.tmp#regex + oscal-core_xsd.tmp#calc + oscal-core_xsd.tmp#value
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Complex Type oscal:decls
    Element oscal:declarations
    +
    +
    Model
    +
    + +
    Childrenoscal:calc, oscal:identifier, oscal:regex, oscal:required, oscal:singleton, oscal:value
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:declare-prop class="" context="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:singleton>{0,1}</oscal:singleton>
    +  <oscal:required>{0,1}</oscal:required>
    +  <oscal:identifier>{0,1}</oscal:identifier>
    +  <oscal:regex>{1,1}</oscal:regex>
    +  <oscal:calc xml:space="">{0,unbounded}</oscal:calc>
    +  <oscal:value>{0,unbounded}</oscal:value>
    +</oscal:declare-prop>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    QNameTypeUse
    classrequired +
    +
    contextrequired +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="declare-prop">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Property declaration</b>Constraints applicable to a class or classes of
    +      <code xmlns="http://csrc.nist.gov/ns/oscal/1.0">prop</code>elements (properties) in context</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:sequence>
    +      <xs:element minOccurs="0" ref="oscal:singleton"/>
    +      <xs:element minOccurs="0" ref="oscal:required"/>
    +      <xs:element minOccurs="0" ref="oscal:identifier"/>
    +      <xs:choice>
    +        <xs:element ref="oscal:regex"/>
    +        <xs:element minOccurs="0" maxOccurs="unbounded" ref="oscal:calc"/>
    +        <xs:element minOccurs="0" maxOccurs="unbounded" ref="oscal:value"/>
    +      </xs:choice>
    +    </xs:sequence>
    +    <xs:attributeGroup ref="oscal:requiredClass"/>
    +    <xs:attributeGroup ref="oscal:contextAttr"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:singleton
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Singleton constraint</b>The declared component may occur only once in its context
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    + +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="singleton">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Singleton constraint</b>The declared component may occur only once in its context</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType/>
    +</xs:element>
    +
    +
    +
    Element oscal:required
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Requirement constraint</b>The declared component is required in its context
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    + +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="required">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Requirement constraint</b>The declared component is required in its context</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType/>
    +</xs:element>
    +
    +
    +
    Element oscal:identifier
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Identifier constraint</b>The declared component has a value unique within the document, among properties
    +(<code xmlns="http://csrc.nist.gov/ns/oscal/1.0">prop</code>) with the same class
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:declare-prop
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="identifier">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Identifier constraint</b>The declared component has a value unique within the document, among properties (
    +      <code xmlns="http://csrc.nist.gov/ns/oscal/1.0">prop</code>) with the same class</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType/>
    +</xs:element>
    +
    +
    +
    Element oscal:regex
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Regular expression constraint</b>Indicates that the value of a property (<code xmlns="http://csrc.nist.gov/ns/oscal/1.0">prop</code>) or parameter
    +(<code xmlns="http://csrc.nist.gov/ns/oscal/1.0">param</code>) must match the given regular expression
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram
    +
    Typexs:string
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:declare-prop
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="regex" type="xs:string">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Regular expression constraint</b>Indicates that the value of a property (
    +      <code xmlns="http://csrc.nist.gov/ns/oscal/1.0">prop</code>) or parameter (
    +      <code xmlns="http://csrc.nist.gov/ns/oscal/1.0">param</code>) must match the given regular expression</xs:documentation>
    +  </xs:annotation>
    +</xs:element>
    +
    +
    +
    Element oscal:calc
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Calculated value constraint</b>Indicates a permissible value for a parameter or property, calculated dynamically
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + xml_xsd.tmp#space + oscal-core_xsd.tmp#inherit + oscal-core_xsd.tmp#autonum
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:declare-prop
    +
    +
    Model
    +
    + +
    Childrenoscal:autonum, oscal:inherit
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:calc xml:space="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:inherit from="">{1,1}</oscal:inherit>
    +  <oscal:autonum>{1,1}</oscal:autonum>
    +</oscal:calc>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    xml:spacerestriction of xs:tokenoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="calc">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Calculated value constraint</b>Indicates a permissible value for a parameter or property, calculated dynamically</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:element ref="oscal:inherit"/>
    +      <xs:element ref="oscal:autonum"/>
    +    </xs:choice>
    +    <xs:attribute ref="xml:space"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:inherit
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Inherited value</b>Indicates that a value or text within a value should be inherited from a property on a
    +containing control object
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#inherit_from
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:calc
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    fromoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="inherit">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Inherited value</b>Indicates that a value or text within a value should be inherited from a property on a containing control object</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:attribute name="from"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:autonum
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Autonumbered (generated) value</b>Generates a formatted numeric value based on the position of a control object among its
    +siblings, the text contents providing a template for the numbering format (arabic,
    +alphabetic, roman, etc.)
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram
    +
    Typexs:string
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:calc
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="autonum" type="xs:string">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Autonumbered (generated) value</b>Generates a formatted numeric value based on the position of a control object among its siblings, the text contents providing a template for the numbering format (arabic, alphabetic, roman, etc.)</xs:documentation>
    +  </xs:annotation>
    +</xs:element>
    +
    +
    +
    Element oscal:declare-part
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Part declaration</b>Indicates constraints to be imposed on parts in context
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#requiredClass + oscal-core_xsd.tmp#contextAttr + oscal-core_xsd.tmp#singleton + oscal-core_xsd.tmp#required
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Complex Type oscal:decls
    Element oscal:declarations
    +
    +
    Model
    +
    + +
    Childrenoscal:required, oscal:singleton
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:declare-part class="" context="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:singleton>{0,1}</oscal:singleton>
    +  <oscal:required>{0,1}</oscal:required>
    +</oscal:declare-part>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    QNameTypeUse
    classrequired +
    +
    contextrequired +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="declare-part">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Part declaration</b>Indicates constraints to be imposed on parts in context</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:sequence>
    +      <xs:element minOccurs="0" ref="oscal:singleton"/>
    +      <xs:element minOccurs="0" ref="oscal:required"/>
    +    </xs:sequence>
    +    <xs:attributeGroup ref="oscal:requiredClass"/>
    +    <xs:attributeGroup ref="oscal:contextAttr"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:declare-p
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Paragraph declaration</b>Indicates constraints to be enforced on paragraphs in context
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#requiredClass + oscal-core_xsd.tmp#contextAttr + oscal-core_xsd.tmp#singleton + oscal-core_xsd.tmp#required
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Complex Type oscal:decls
    Element oscal:declarations
    +
    +
    Model
    +
    + +
    Childrenoscal:required, oscal:singleton
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:declare-p class="" context="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:singleton>{0,1}</oscal:singleton>
    +  <oscal:required>{0,1}</oscal:required>
    +</oscal:declare-p>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    QNameTypeUse
    classrequired +
    +
    contextrequired +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="declare-p">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Paragraph declaration</b>Indicates constraints to be enforced on paragraphs in context</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:sequence>
    +      <xs:element minOccurs="0" ref="oscal:singleton"/>
    +      <xs:element minOccurs="0" ref="oscal:required"/>
    +    </xs:sequence>
    +    <xs:attributeGroup ref="oscal:requiredClass"/>
    +    <xs:attributeGroup ref="oscal:contextAttr"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:declare-link
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    + +
    +
    Diagram
    +
    +
    + +
    +
    Properties
    +
    +
    + +
    +
    Used by
    +
    +
    + +
    Model
    +
    + +
    Childrenoscal:required, oscal:singleton
    +
    Instance
    +
    +
    + +
    +
    Attributes
    +
    +
    + +
    +
    Source
    +
    +
    + +
    +
    Element oscal:section
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Section</b>For partitioning a catalog, collection, or section therein
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#section_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#ul + oscal-core_xsd.tmp#ol + oscal-core_xsd.tmp#p + oscal-core_xsd.tmp#pre + oscal-core_xsd.tmp#prose + oscal-core_xsd.tmp#section + oscal-core_xsd.tmp#group_group + oscal-core_xsd.tmp#group + oscal-core_xsd.tmp#references
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    + +
    Model
    +
    + +
    Childrenoscal:group, oscal:ol, oscal:p, oscal:pre, oscal:references, oscal:section, oscal:title, oscal:ul
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:section class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:title>{1,1}</oscal:title>
    +  <oscal:ul>{1,1}</oscal:ul>
    +  <oscal:ol>{1,1}</oscal:ol>
    +  <oscal:p class="" id="">{1,1}</oscal:p>
    +  <oscal:pre id="">{1,1}</oscal:pre>
    +  <oscal:section class="" id="">{1,1}</oscal:section>
    +  <oscal:group class="" id="">{1,1}</oscal:group>
    +  <oscal:references>{0,1}</oscal:references>
    +</oscal:section>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    idxs:IDoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="section">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Section</b>For partitioning a catalog, collection, or section therein</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:sequence>
    +      <xs:element ref="oscal:title"/>
    +      <xs:group ref="oscal:prose"/>
    +      <xs:choice minOccurs="0" maxOccurs="unbounded">
    +        <xs:element ref="oscal:section"/>
    +        <xs:group ref="oscal:group"/>
    +      </xs:choice>
    +      <xs:element minOccurs="0" ref="oscal:references"/>
    +    </xs:sequence>
    +    <xs:attribute name="id" type="xs:ID"/>
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:group / oscal:group
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Group</b>Related controls or groups (of controls or groups)
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#group_group_group_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#prop + oscal-core_xsd.tmp#part + oscal-core_xsd.tmp#anyKindofPart + oscal-core_xsd.tmp#link + oscal-core_xsd.tmp#param + oscal-core_xsd.tmp#control-components + oscal-core_xsd.tmp#group_group + oscal-core_xsd.tmp#group + oscal-core_xsd.tmp#control + oscal-core_xsd.tmp#references
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    Model
    +
    + +
    Childrenoscal:control, oscal:group, oscal:link, oscal:param, oscal:part, oscal:prop, oscal:references, oscal:title
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:group class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:title>{0,1}</oscal:title>
    +  <oscal:prop class="">{1,1}</oscal:prop>
    +  <oscal:part class="" id="">{0,unbounded}</oscal:part>
    +  <oscal:link href="" rel="">{1,1}</oscal:link>
    +  <oscal:param class="" id="">{1,1}</oscal:param>
    +  <oscal:group class="" id="">{1,1}</oscal:group>
    +  <oscal:control class="" id="">{1,1}</oscal:control>
    +  <oscal:references>{0,1}</oscal:references>
    +</oscal:group>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    idxs:IDoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="group">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Group</b>Related controls or groups (of controls or groups)</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:sequence>
    +      <xs:element minOccurs="0" ref="oscal:title"/>
    +      <xs:group ref="oscal:control-components"/>
    +      <xs:choice maxOccurs="unbounded">
    +        <xs:group ref="oscal:group"/>
    +        <xs:element ref="oscal:control"/>
    +      </xs:choice>
    +      <xs:element minOccurs="0" ref="oscal:references"/>
    +    </xs:sequence>
    +    <xs:attribute name="id" type="xs:ID"/>
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:control
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Control</b>A structured information object representing a security control
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#control_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#prop + oscal-core_xsd.tmp#part + oscal-core_xsd.tmp#anyKindofPart + oscal-core_xsd.tmp#link + oscal-core_xsd.tmp#param + oscal-core_xsd.tmp#control-components + oscal-core_xsd.tmp#subcontrol + oscal-core_xsd.tmp#references
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Element oscal:group/oscal:group
    Complex Type oscal:catalog-contents
    +
    +
    Model
    +
    + +
    Childrenoscal:link, oscal:param, oscal:part, oscal:prop, oscal:references, oscal:subcontrol, oscal:title
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:control class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:title>{0,1}</oscal:title>
    +  <oscal:prop class="">{1,1}</oscal:prop>
    +  <oscal:part class="" id="">{0,unbounded}</oscal:part>
    +  <oscal:link href="" rel="">{1,1}</oscal:link>
    +  <oscal:param class="" id="">{1,1}</oscal:param>
    +  <oscal:subcontrol class="" id="">{1,1}</oscal:subcontrol>
    +  <oscal:references>{0,1}</oscal:references>
    +</oscal:control>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    idxs:IDoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="control">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Control</b>A structured information object representing a security control</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:sequence>
    +      <xs:element minOccurs="0" ref="oscal:title"/>
    +      <xs:choice minOccurs="0" maxOccurs="unbounded">
    +        <xs:group ref="oscal:control-components"/>
    +        <xs:element ref="oscal:subcontrol"/>
    +      </xs:choice>
    +      <xs:element minOccurs="0" ref="oscal:references"/>
    +    </xs:sequence>
    +    <xs:attribute name="id" type="xs:ID"/>
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:subcontrol
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Control extension</b>An associated or dependent control object; an enhancement to a control
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#subcontrol_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#prop + oscal-core_xsd.tmp#part + oscal-core_xsd.tmp#anyKindofPart + oscal-core_xsd.tmp#link + oscal-core_xsd.tmp#param + oscal-core_xsd.tmp#control-components + oscal-core_xsd.tmp#references
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:control
    +
    +
    Model
    +
    + +
    Childrenoscal:link, oscal:param, oscal:part, oscal:prop, oscal:references, oscal:title
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:subcontrol class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:title>{0,1}</oscal:title>
    +  <oscal:prop class="">{1,1}</oscal:prop>
    +  <oscal:part class="" id="">{0,unbounded}</oscal:part>
    +  <oscal:link href="" rel="">{1,1}</oscal:link>
    +  <oscal:param class="" id="">{1,1}</oscal:param>
    +  <oscal:references>{0,1}</oscal:references>
    +</oscal:subcontrol>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    idxs:IDoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="subcontrol">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Control extension</b>An associated or dependent control object; an enhancement to a control</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:sequence>
    +      <xs:element minOccurs="0" ref="oscal:title"/>
    +      <xs:group ref="oscal:control-components"/>
    +      <xs:element minOccurs="0" ref="oscal:references"/>
    +    </xs:sequence>
    +    <xs:attribute name="id" type="xs:ID"/>
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:references
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>References</b>A group of reference descriptions
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#ref
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    + +
    Model
    +
    + +
    Childrenoscal:ref
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:references xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:ref id="">{1,unbounded}</oscal:ref>
    +</oscal:references>
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="references">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>References</b>A group of reference descriptions</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:sequence>
    +      <xs:element maxOccurs="unbounded" ref="oscal:ref"/>
    +    </xs:sequence>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:ref
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Reference</b>A reference, with one or more citations to standards, related documents, or other
    +resources
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#ref_id + oscal-core_xsd.tmp#std + oscal-core_xsd.tmp#citation + oscal-core_xsd.tmp#ul + oscal-core_xsd.tmp#ol + oscal-core_xsd.tmp#p + oscal-core_xsd.tmp#pre + oscal-core_xsd.tmp#prose
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:references
    +
    +
    Model
    +
    + +
    Childrenoscal:citation, oscal:ol, oscal:p, oscal:pre, oscal:std, oscal:ul
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:ref id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:std href="">{1,1}</oscal:std>
    +  <oscal:citation href="">{1,1}</oscal:citation>
    +  <oscal:ul>{1,1}</oscal:ul>
    +  <oscal:ol>{1,1}</oscal:ol>
    +  <oscal:p class="" id="">{1,1}</oscal:p>
    +  <oscal:pre id="">{1,1}</oscal:pre>
    +</oscal:ref>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    idxs:IDoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="ref">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Reference</b>A reference, with one or more citations to standards, related documents, or other resources</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:element ref="oscal:std"/>
    +      <xs:element ref="oscal:citation"/>
    +      <xs:group ref="oscal:prose"/>
    +    </xs:choice>
    +    <xs:attribute name="id" type="xs:ID"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:std
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Standard</b>Citation of a formal published standard
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#std_href + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:ref
    +
    +
    Model
    +
    + +
    Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:std href="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:q>{1,1}</oscal:q>
    +  <oscal:code class="">{1,1}</oscal:code>
    +  <oscal:em class="">{1,1}</oscal:em>
    +  <oscal:i class="">{1,1}</oscal:i>
    +  <oscal:b class="">{1,1}</oscal:b>
    +  <oscal:sub class="">{1,1}</oscal:sub>
    +  <oscal:sup class="">{1,1}</oscal:sup>
    +  <oscal:span class="">{1,1}</oscal:span>
    +  <oscal:a href="">{1,1}</oscal:a>
    +</oscal:std>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    hrefxs:anyURIoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="std">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Standard</b>Citation of a formal published standard</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:group ref="oscal:mix"/>
    +      <xs:element ref="oscal:a"/>
    +    </xs:choice>
    +    <xs:attribute name="href" type="xs:anyURI"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:citation
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Citation</b>Citation of a resource
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#citation_href + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a
    +
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    contentcomplex
    mixedtrue
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:ref
    +
    +
    Model
    +
    + +
    Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:citation href="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:q>{1,1}</oscal:q>
    +  <oscal:code class="">{1,1}</oscal:code>
    +  <oscal:em class="">{1,1}</oscal:em>
    +  <oscal:i class="">{1,1}</oscal:i>
    +  <oscal:b class="">{1,1}</oscal:b>
    +  <oscal:sub class="">{1,1}</oscal:sub>
    +  <oscal:sup class="">{1,1}</oscal:sup>
    +  <oscal:span class="">{1,1}</oscal:span>
    +  <oscal:a href="">{1,1}</oscal:a>
    +</oscal:citation>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    hrefxs:anyURIoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="citation">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Citation</b>Citation of a resource</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType mixed="true">
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:group ref="oscal:mix"/>
    +      <xs:element ref="oscal:a"/>
    +    </xs:choice>
    +    <xs:attribute name="href" type="xs:anyURI"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:category / oscal:group
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Group</b>Related controls or groups (of controls or groups)
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#category_category_group_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#prop + oscal-core_xsd.tmp#link + oscal-core_xsd.tmp#ul + oscal-core_xsd.tmp#ol + oscal-core_xsd.tmp#p + oscal-core_xsd.tmp#pre + oscal-core_xsd.tmp#prose + oscal-core_xsd.tmp#category_group + oscal-core_xsd.tmp#category + oscal-core_xsd.tmp#component
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    Model
    +
    + +
    Childrenoscal:component, oscal:group, oscal:link, oscal:ol, oscal:p, oscal:pre, oscal:prop, oscal:title, oscal:ul
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:group class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:title>{0,1}</oscal:title>
    +  <oscal:prop class="">{1,1}</oscal:prop>
    +  <oscal:link href="" rel="">{1,1}</oscal:link>
    +  <oscal:ul>{1,1}</oscal:ul>
    +  <oscal:ol>{1,1}</oscal:ol>
    +  <oscal:p class="" id="">{1,1}</oscal:p>
    +  <oscal:pre id="">{1,1}</oscal:pre>
    +  <oscal:group class="" id="">{1,1}</oscal:group>
    +  <oscal:component class="" id="">{1,unbounded}</oscal:component>
    +</oscal:group>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    idxs:IDoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="group">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Group</b>Related controls or groups (of controls or groups)</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:sequence>
    +      <xs:element minOccurs="0" ref="oscal:title"/>
    +      <xs:choice minOccurs="0" maxOccurs="unbounded">
    +        <xs:element ref="oscal:prop"/>
    +        <xs:element ref="oscal:link"/>
    +        <xs:group ref="oscal:prose"/>
    +      </xs:choice>
    +      <xs:choice>
    +        <xs:group maxOccurs="unbounded" ref="oscal:category"/>
    +        <xs:element maxOccurs="unbounded" ref="oscal:component"/>
    +      </xs:choice>
    +    </xs:sequence>
    +    <xs:attribute name="id" type="xs:ID"/>
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:component
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Framework component</b>Within a framework, a structured information object typically referencing one or more
    +security controls
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#component_id + oscal-core_xsd.tmp#optionalClass + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#param + oscal-core_xsd.tmp#prop + oscal-core_xsd.tmp#link + oscal-core_xsd.tmp#ul + oscal-core_xsd.tmp#ol + oscal-core_xsd.tmp#p + oscal-core_xsd.tmp#pre + oscal-core_xsd.tmp#prose + oscal-core_xsd.tmp#part + oscal-core_xsd.tmp#component
    +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    +
    Used by
    +
    +
    + +
    Model
    +
    + +
    Childrenoscal:component, oscal:link, oscal:ol, oscal:p, oscal:param, oscal:part, oscal:pre, oscal:prop, oscal:title, oscal:ul
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:component class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:title>{0,1}</oscal:title>
    +  <oscal:param class="" id="">{1,1}</oscal:param>
    +  <oscal:prop class="">{1,1}</oscal:prop>
    +  <oscal:link href="" rel="">{1,1}</oscal:link>
    +  <oscal:ul>{1,1}</oscal:ul>
    +  <oscal:ol>{1,1}</oscal:ol>
    +  <oscal:p class="" id="">{1,1}</oscal:p>
    +  <oscal:pre id="">{1,1}</oscal:pre>
    +  <oscal:part class="" id="">{1,1}</oscal:part>
    +  <oscal:component class="" id="">{0,unbounded}</oscal:component>
    +</oscal:component>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    idxs:IDoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="component">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Framework component</b>Within a framework, a structured information object typically referencing one or more security controls</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:sequence>
    +      <xs:element minOccurs="0" ref="oscal:title"/>
    +      <xs:choice minOccurs="0" maxOccurs="unbounded">
    +        <xs:element ref="oscal:param"/>
    +        <xs:element ref="oscal:prop"/>
    +        <xs:element ref="oscal:link"/>
    +        <xs:group ref="oscal:prose"/>
    +        <xs:element ref="oscal:part"/>
    +      </xs:choice>
    +      <xs:element minOccurs="0" maxOccurs="unbounded" ref="oscal:component"/>
    +    </xs:sequence>
    +    <xs:attribute name="id" type="xs:ID"/>
    +    <xs:attributeGroup ref="oscal:optionalClass"/>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Element oscal:catalog
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Catalog</b>A (canonical) control catalog: a structured set of security controls
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#declarations + oscal-core_xsd.tmp#section + oscal-core_xsd.tmp#group_group + oscal-core_xsd.tmp#group + oscal-core_xsd.tmp#control + oscal-core_xsd.tmp#references + oscal-core_xsd.tmp#catalog-contents
    +
    Typeoscal:catalog-contents
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    Model
    +
    + +
    Childrenoscal:control, oscal:declarations, oscal:group, oscal:references, oscal:section, oscal:title
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:catalog xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:title>{1,1}</oscal:title>
    +  <oscal:declarations href="">{0,1}</oscal:declarations>
    +  <oscal:section class="" id="">{1,1}</oscal:section>
    +  <oscal:group class="" id="">{1,1}</oscal:group>
    +  <oscal:control class="" id="">{1,1}</oscal:control>
    +  <oscal:references>{0,1}</oscal:references>
    +</oscal:catalog>
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="catalog" type="oscal:catalog-contents">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Catalog</b>A (canonical) control catalog: a structured set of security controls</xs:documentation>
    +  </xs:annotation>
    +</xs:element>
    +
    +
    +
    Element oscal:worksheet
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Annotations
    +
    +
    +
    +
    + + + + +
    <b>Worksheet</b>An arbitrary, working collection of components
    +
    +
    +
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#declarations + oscal-core_xsd.tmp#section + oscal-core_xsd.tmp#category_group + oscal-core_xsd.tmp#category + oscal-core_xsd.tmp#component + oscal-core_xsd.tmp#references + oscal-core_xsd.tmp#worksheet-contents + oscal-core_xsd.tmp#worksheet_id + oscal-core_xsd.tmp#optionalClass
    +
    Typeextension of oscal:worksheet-contents
    Type hierarchy + +
    +
    Properties
    +
    +
    +
    + + + + + +
    contentcomplex
    +
    +
    Model
    +
    + +
    Childrenoscal:component, oscal:declarations, oscal:group, oscal:references, oscal:section, oscal:title
    +
    Instance
    +
    +
    +
    + + + + +
    <oscal:worksheet class="" id="" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0">
    +  <oscal:title>{1,1}</oscal:title>
    +  <oscal:declarations href="">{0,1}</oscal:declarations>
    +  <oscal:section class="" id="">{1,1}</oscal:section>
    +  <oscal:group class="" id="">{1,1}</oscal:group>
    +  <oscal:component class="" id="">{1,1}</oscal:component>
    +  <oscal:references>{0,1}</oscal:references>
    +</oscal:worksheet>
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    idxs:IDoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:element name="worksheet">
    +  <xs:annotation>
    +    <xs:documentation>
    +      <b>Worksheet</b>An arbitrary, working collection of components</xs:documentation>
    +  </xs:annotation>
    +  <xs:complexType>
    +    <xs:complexContent>
    +      <xs:extension base="oscal:worksheet-contents">
    +        <xs:attribute name="id" type="xs:ID"/>
    +        <xs:attributeGroup ref="oscal:optionalClass"/>
    +      </xs:extension>
    +    </xs:complexContent>
    +  </xs:complexType>
    +</xs:element>
    +
    +
    +
    Complex Type oscal:framework-contents
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#declarations + oscal-core_xsd.tmp#section + oscal-core_xsd.tmp#category_group + oscal-core_xsd.tmp#category + oscal-core_xsd.tmp#component + oscal-core_xsd.tmp#references
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:framework
    +
    +
    Model
    +
    + +
    Childrenoscal:component, oscal:declarations, oscal:group, oscal:references, oscal:section, oscal:title
    +
    Source
    +
    +
    +
    + + + + +
    <xs:complexType name="framework-contents">
    +  <xs:sequence>
    +    <xs:element ref="oscal:title"/>
    +    <xs:element minOccurs="0" ref="oscal:declarations"/>
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:element ref="oscal:section"/>
    +      <xs:group ref="oscal:category"/>
    +      <xs:element ref="oscal:component"/>
    +    </xs:choice>
    +    <xs:element minOccurs="0" ref="oscal:references"/>
    +  </xs:sequence>
    +</xs:complexType>
    +
    +
    +
    Complex Type oscal:decls
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#declare-prop + oscal-core_xsd.tmp#declare-part + oscal-core_xsd.tmp#declare-p + oscal-core_xsd.tmp#declare-link
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:declarations
    +
    +
    Model
    +
    + +
    Childrenoscal:declare-link, oscal:declare-p, oscal:declare-part, oscal:declare-prop
    +
    Source
    +
    +
    +
    + + + + +
    <xs:complexType name="decls">
    +  <xs:choice minOccurs="0" maxOccurs="unbounded">
    +    <xs:element ref="oscal:declare-prop"/>
    +    <xs:element ref="oscal:declare-part"/>
    +    <xs:element ref="oscal:declare-p"/>
    +    <xs:element ref="oscal:declare-link"/>
    +  </xs:choice>
    +</xs:complexType>
    +
    +
    +
    Complex Type oscal:catalog-contents
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#declarations + oscal-core_xsd.tmp#section + oscal-core_xsd.tmp#group_group + oscal-core_xsd.tmp#group + oscal-core_xsd.tmp#control + oscal-core_xsd.tmp#references
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:catalog
    +
    +
    Model
    +
    + +
    Childrenoscal:control, oscal:declarations, oscal:group, oscal:references, oscal:section, oscal:title
    +
    Source
    +
    +
    +
    + + + + +
    <xs:complexType name="catalog-contents">
    +  <xs:sequence>
    +    <xs:element ref="oscal:title"/>
    +    <xs:element minOccurs="0" ref="oscal:declarations"/>
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:element ref="oscal:section"/>
    +      <xs:group ref="oscal:group"/>
    +      <xs:element ref="oscal:control"/>
    +    </xs:choice>
    +    <xs:element minOccurs="0" ref="oscal:references"/>
    +  </xs:sequence>
    +</xs:complexType>
    +
    +
    +
    Complex Type oscal:worksheet-contents
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#title + oscal-core_xsd.tmp#declarations + oscal-core_xsd.tmp#section + oscal-core_xsd.tmp#category_group + oscal-core_xsd.tmp#category + oscal-core_xsd.tmp#component + oscal-core_xsd.tmp#references
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:worksheet
    +
    +
    Model
    +
    + +
    Childrenoscal:component, oscal:declarations, oscal:group, oscal:references, oscal:section, oscal:title
    +
    Source
    +
    +
    +
    + + + + +
    <xs:complexType name="worksheet-contents">
    +  <xs:sequence>
    +    <xs:element ref="oscal:title"/>
    +    <xs:element minOccurs="0" ref="oscal:declarations"/>
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:element ref="oscal:section"/>
    +      <xs:group ref="oscal:category"/>
    +      <xs:element ref="oscal:component"/>
    +    </xs:choice>
    +    <xs:element minOccurs="0" ref="oscal:references"/>
    +  </xs:sequence>
    +</xs:complexType>
    +
    +
    +
    Attribute oscal:optionalClass / @class
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    +
    Used by
    +
    +
    +
    + + + + + +
    Attribute Group oscal:optionalClass
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="class"/>
    +
    +
    +
    Attribute oscal:a / @href
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:a
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="href"/>
    +
    +
    +
    Attribute oscal:requiredClass / @class
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    +
    Properties
    +
    +
    +
    + + + + + +
    userequired
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Attribute Group oscal:requiredClass
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="class" use="required"/>
    +
    +
    +
    Attribute oscal:insert / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:insert
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" type="xs:ID"/>
    +
    +
    +
    Attribute oscal:insert / @param-id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:IDREF
    +
    Properties
    +
    +
    +
    + + + + + +
    userequired
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:insert
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="param-id" use="required" type="xs:IDREF"/>
    +
    +
    +
    Attribute oscal:li / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:li
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" type="xs:ID"/>
    +
    +
    +
    Attribute oscal:whatnot / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:p
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" type="xs:ID"/>
    +
    +
    +
    Attribute oscal:p / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" type="xs:ID"/>
    +
    +
    +
    Attribute oscal:pre / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:pre
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" type="xs:ID"/>
    +
    +
    +
    Attribute oscal:relAttr / @rel
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    +
    Used by
    +
    +
    +
    + + + + + +
    Attribute Group oscal:relAttr
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="rel"/>
    +
    +
    +
    Attribute oscal:hrefAttr / @href
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    +
    Used by
    +
    +
    +
    + + + + + +
    Attribute Group oscal:hrefAttr
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="href"/>
    +
    +
    +
    Attribute oscal:param / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:param
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" type="xs:ID"/>
    +
    +
    +
    Attribute oscal:part / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:part
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" type="xs:ID"/>
    +
    +
    +
    Attribute oscal:inherit / @from
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:inherit
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="from"/>
    +
    +
    +
    Attribute oscal:contextAttr / @context
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    +
    Properties
    +
    +
    +
    + + + + + +
    userequired
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Attribute Group oscal:contextAttr
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="context" use="required"/>
    +
    +
    +
    Attribute oscal:std / @href
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:anyURI
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:std
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="href" type="xs:anyURI"/>
    +
    +
    +
    Attribute oscal:citation / @href
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:anyURI
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:citation
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="href" type="xs:anyURI"/>
    +
    +
    +
    Attribute oscal:ref / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:ref
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" type="xs:ID"/>
    +
    +
    +
    Attribute oscal:subcontrol / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:subcontrol
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" type="xs:ID"/>
    +
    +
    +
    Attribute oscal:control / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:control
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" type="xs:ID"/>
    +
    +
    +
    Attribute oscal:group / oscal:group / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:group/oscal:group
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" type="xs:ID"/>
    +
    +
    +
    Attribute oscal:section / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:section
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" type="xs:ID"/>
    +
    +
    +
    Attribute oscal:component / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:component
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" type="xs:ID"/>
    +
    +
    +
    Attribute oscal:category / oscal:group / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:category/oscal:group
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" type="xs:ID"/>
    +
    +
    +
    Attribute oscal:framework / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:framework
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" type="xs:ID"/>
    +
    +
    +
    Attribute oscal:idAttr / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    userequired
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Attribute Group oscal:idAttr
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" use="required" type="xs:ID"/>
    +
    +
    +
    Attribute oscal:worksheet / @id
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    NamespaceNo namespace
    Typexs:ID
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:worksheet
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="id" type="xs:ID"/>
    +
    +
    +
    Element Group oscal:mix
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines
    +
    +
    Used by
    +
    +
    + +
    Model
    +
    + +
    Childrenoscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
    +
    Source
    +
    +
    +
    + + + + +
    <xs:group name="mix">
    +  <xs:sequence>
    +    <xs:group minOccurs="0" maxOccurs="unbounded" ref="oscal:inlines"/>
    +  </xs:sequence>
    +</xs:group>
    +
    +
    +
    Element Group oscal:inlines
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Element Group oscal:mix
    Element oscal:withdrawn
    +
    +
    Model
    +
    + +
    Childrenoscal:b, oscal:code, oscal:em, oscal:i, oscal:q, oscal:span, oscal:sub, oscal:sup
    +
    Source
    +
    +
    +
    + + + + +
    <xs:group name="inlines">
    +  <xs:sequence>
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:element ref="oscal:q"/>
    +      <xs:element ref="oscal:code"/>
    +      <xs:element ref="oscal:em"/>
    +      <xs:element ref="oscal:i"/>
    +      <xs:element ref="oscal:b"/>
    +      <xs:element ref="oscal:sub"/>
    +      <xs:element ref="oscal:sup"/>
    +      <xs:element ref="oscal:span"/>
    +    </xs:choice>
    +  </xs:sequence>
    +</xs:group>
    +
    +
    +
    Element Group oscal:anyKindofPart
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#part
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Element Group oscal:control-components
    Element oscal:augment
    +
    +
    Model
    +
    + +
    Childrenoscal:part
    +
    Source
    +
    +
    +
    + + + + +
    <xs:group name="anyKindofPart">
    +  <xs:sequence>
    +    <xs:element minOccurs="0" maxOccurs="unbounded" ref="oscal:part"/>
    +  </xs:sequence>
    +</xs:group>
    +
    +
    +
    Element Group oscal:prose
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#ul + oscal-core_xsd.tmp#ol + oscal-core_xsd.tmp#p + oscal-core_xsd.tmp#pre
    +
    +
    Used by
    +
    +
    + +
    Model
    +
    + +
    Childrenoscal:ol, oscal:p, oscal:pre, oscal:ul
    +
    Source
    +
    +
    +
    + + + + +
    <xs:group name="prose">
    +  <xs:sequence>
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:element ref="oscal:ul"/>
    +      <xs:element ref="oscal:ol"/>
    +      <xs:element ref="oscal:p"/>
    +      <xs:element ref="oscal:pre"/>
    +    </xs:choice>
    +  </xs:sequence>
    +</xs:group>
    +
    +
    +
    Element Group oscal:whatnot
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#withdrawn + oscal-core_xsd.tmp#insert + oscal-core_xsd.tmp#semantical + oscal-core_xsd.tmp#q + oscal-core_xsd.tmp#code + oscal-core_xsd.tmp#em + oscal-core_xsd.tmp#i + oscal-core_xsd.tmp#b + oscal-core_xsd.tmp#sub + oscal-core_xsd.tmp#sup + oscal-core_xsd.tmp#span + oscal-core_xsd.tmp#inlines + oscal-core_xsd.tmp#mix + oscal-core_xsd.tmp#a
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Elements oscal:li, oscal:p
    +
    +
    Model
    +
    + +
    Childrenoscal:a, oscal:b, oscal:code, oscal:em, oscal:i, oscal:insert, oscal:q, oscal:span, oscal:sub, oscal:sup, oscal:withdrawn
    +
    Source
    +
    +
    +
    + + + + +
    <xs:group name="whatnot">
    +  <xs:sequence>
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:group ref="oscal:semantical"/>
    +      <xs:group ref="oscal:mix"/>
    +      <xs:element ref="oscal:a"/>
    +    </xs:choice>
    +  </xs:sequence>
    +</xs:group>
    +
    +
    +
    Element Group oscal:semantical
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#withdrawn + oscal-core_xsd.tmp#insert
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element Group oscal:whatnot
    +
    +
    Model
    +
    + +
    Childrenoscal:insert, oscal:withdrawn
    +
    Source
    +
    +
    +
    + + + + +
    <xs:group name="semantical">
    +  <xs:sequence>
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:element ref="oscal:withdrawn"/>
    +      <xs:element ref="oscal:insert"/>
    +    </xs:choice>
    +  </xs:sequence>
    +</xs:group>
    +
    +
    +
    Element Group oscal:control-components
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#prop + oscal-core_xsd.tmp#part + oscal-core_xsd.tmp#anyKindofPart + oscal-core_xsd.tmp#link + oscal-core_xsd.tmp#param
    +
    +
    Used by
    +
    +
    + +
    Model
    +
    + +
    Childrenoscal:link, oscal:param, oscal:part, oscal:prop
    +
    Source
    +
    +
    +
    + + + + +
    <xs:group name="control-components">
    +  <xs:sequence>
    +    <xs:choice minOccurs="0" maxOccurs="unbounded">
    +      <xs:element ref="oscal:prop"/>
    +      <xs:group ref="oscal:anyKindofPart"/>
    +      <xs:element ref="oscal:link"/>
    +      <xs:element ref="oscal:param"/>
    +    </xs:choice>
    +  </xs:sequence>
    +</xs:group>
    +
    +
    +
    Element Group oscal:group
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#group_group
    +
    +
    Used by
    +
    +
    +
    + + + + + + + + + +
    Elements oscal:group/oscal:group, oscal:section
    Complex Type oscal:catalog-contents
    +
    +
    Model
    +
    + +
    Childrenoscal:group
    +
    Source
    +
    +
    +
    + + + + +
    <xs:group name="group">
    +  <xs:sequence>
    +    <xs:element name="group">
    +      <xs:annotation>
    +        <xs:documentation>
    +          <b>Group</b>Related controls or groups (of controls or groups)</xs:documentation>
    +      </xs:annotation>
    +      <xs:complexType>
    +        <xs:sequence>
    +          <xs:element minOccurs="0" ref="oscal:title"/>
    +          <xs:group ref="oscal:control-components"/>
    +          <xs:choice maxOccurs="unbounded">
    +            <xs:group ref="oscal:group"/>
    +            <xs:element ref="oscal:control"/>
    +          </xs:choice>
    +          <xs:element minOccurs="0" ref="oscal:references"/>
    +        </xs:sequence>
    +        <xs:attribute name="id" type="xs:ID"/>
    +        <xs:attributeGroup ref="oscal:optionalClass"/>
    +      </xs:complexType>
    +    </xs:element>
    +  </xs:sequence>
    +</xs:group>
    +
    +
    +
    Element Group oscal:category
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#category_group
    +
    +
    Used by
    +
    +
    + +
    Model
    +
    + +
    Childrenoscal:group
    +
    Source
    +
    +
    +
    + + + + +
    <xs:group name="category">
    +  <xs:sequence>
    +    <xs:element name="group">
    +      <xs:annotation>
    +        <xs:documentation>
    +          <b>Group</b>Related controls or groups (of controls or groups)</xs:documentation>
    +      </xs:annotation>
    +      <xs:complexType>
    +        <xs:sequence>
    +          <xs:element minOccurs="0" ref="oscal:title"/>
    +          <xs:choice minOccurs="0" maxOccurs="unbounded">
    +            <xs:element ref="oscal:prop"/>
    +            <xs:element ref="oscal:link"/>
    +            <xs:group ref="oscal:prose"/>
    +          </xs:choice>
    +          <xs:choice>
    +            <xs:group maxOccurs="unbounded" ref="oscal:category"/>
    +            <xs:element maxOccurs="unbounded" ref="oscal:component"/>
    +          </xs:choice>
    +        </xs:sequence>
    +        <xs:attribute name="id" type="xs:ID"/>
    +        <xs:attributeGroup ref="oscal:optionalClass"/>
    +      </xs:complexType>
    +    </xs:element>
    +  </xs:sequence>
    +</xs:group>
    +
    +
    +
    Attribute Group oscal:optionalClass
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#optionalClass_class
    +
    +
    Used by
    +
    +
    + +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    classoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attributeGroup name="optionalClass">
    +  <xs:attribute name="class"/>
    +</xs:attributeGroup>
    +
    +
    +
    Attribute Group oscal:requiredClass
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#requiredClass_class
    +
    +
    Used by
    +
    +
    + +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    classrequired +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attributeGroup name="requiredClass">
    +  <xs:attribute name="class" use="required"/>
    +</xs:attributeGroup>
    +
    +
    +
    Attribute Group oscal:relAttr
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#relAttr_rel
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Elements oscal:declare-link, oscal:link
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    reloptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attributeGroup name="relAttr">
    +  <xs:attribute name="rel"/>
    +</xs:attributeGroup>
    +
    +
    +
    Attribute Group oscal:hrefAttr
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#hrefAttr_href
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Elements oscal:declarations, oscal:invoke, oscal:link
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    hrefoptional +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attributeGroup name="hrefAttr">
    +  <xs:attribute name="href"/>
    +</xs:attributeGroup>
    +
    +
    +
    Attribute Group oscal:contextAttr
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#contextAttr_context
    +
    +
    Used by
    +
    +
    + +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    contextrequired +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attributeGroup name="contextAttr">
    +  <xs:attribute name="context" use="required"/>
    +</xs:attributeGroup>
    +
    +
    +
    Attribute Group oscal:idAttr
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://csrc.nist.gov/ns/oscal/1.0
    +
    Diagram
    +
    +
    +
    Diagram + oscal-core_xsd.tmp#idAttr_id
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:profile
    +
    +
    +
    Attributes
    +
    +
    +
    + + + + + + + + + + + + + + + +
    QNameTypeUse
    idxs:IDrequired +
    +
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attributeGroup name="idAttr">
    +  <xs:attribute name="id" use="required" type="xs:ID"/>
    +</xs:attributeGroup>
    +
    +
    +
    + +
\ No newline at end of file
diff --git a/schema/xml/oscal-profile.xsd b/schema/xml/oscal-profile.xsd
index ba8a0a5c53..d552f12f27 100644
--- a/schema/xml/oscal-profile.xsd
+++ b/schema/xml/oscal-profile.xsd
@@ -8,42 +8,49 @@ - Profile In reference to a catalog (or other authority such as profile or framework), a selection + Profile In reference to a catalog (or other resource such as profile or framework), a selection and configuration of controls, maintained separately - - + + + + - + - Authority invocation For invocation of controls and subcontrols from a catalog or other authority + Import resource Designating a catalog, profile or other resource for controls - - - - - - - - + + + + + + + + + + + + + - Include controls The element's contents indicate which controls and subcontrols to include from the authority (source catalog) + Include controls Which controls and subcontrols to include from the resource (source catalog) being imported
@@ -55,7 +62,7 @@ - Include all Include all controls from the invoked authority (catalog) + Include all Include all controls from the imported resource (catalog)
@@ -78,15 +85,15 @@ - - + + - Exclude controls Which controls and subcontrols to exclude from the authority (source catalog) being invoked + Exclude controls Which controls and subcontrols to exclude from the resource (source catalog) being imported
@@ -96,8 +103,8 @@ Call (control or subcontrol) Call a control or subcontrol by its ID - - + +
@@ -128,8 +135,8 @@ - - + +
diff --git a/schema/xml/xml_xsd.html b/schema/xml/xml_xsd.html
new file mode 100644
index 0000000000..fd40496fda
--- /dev/null
+++ b/schema/xml/xml_xsd.html
@@ -0,0 +1,465 @@ + + + + + Schema documentation for xml.xsd + + +
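Review bot: The element documented as "Import resource" in the hunk at `@@ -8,42 +8,49 @@` points a profile at an external catalog or profile by location, but its documentation text says nothing about which references are acceptable or how a relative one is resolved; a sentence in its `xs:documentation` such as `The reference is resolved relative to the profile document; implementations should restrict resolution to trusted catalog locations.` would give implementers a concrete rule. The generated core documentation earlier on this page declares the shared `hrefAttr` as `<xs:attribute name="href"/>` with no type, so schema validation cannot reject a malformed reference before a resolver attempts to dereference it; `type="xs:anyURI"` would add that check, assuming the import element uses that attribute group (the XML markup of this hunk is not preserved in the rendering, so this is inferred from the Used-by list naming oscal:invoke). The same documentation gap applies to the hunks at `@@ -55,7 +62,7 @@` and `@@ -78,15 +85,15 @@`, which only rename authority to resource.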
    + + + + + + + + + + + + + + + + +
    +

    Showing:

    + + + + + + + + + + + + + +
    Facets
    Properties
    Source
    Used by
    +
    +
    +
    Imported schema xml.xsd
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + +
    Namespacehttp://www.w3.org/XML/1998/namespace
    +
    Properties
    +
    +
    +
    + + + + + + + + + +
    attribute form defaultunqualified
    element form defaultqualified
    +
    +
    +
    Attribute @xml:space
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Namespacehttp://www.w3.org/XML/1998/namespace
    Typerestriction of xs:token
    +
    Properties
    +
    +
    +
    + + + + + +
    contentsimple
    +
    +
    +
    Facets
    +
    +
    +
    + + + + + + +
    enumerationpreserve +
    +
    +
    +
    +
    Used by
    +
    +
    +
    + + + + + +
    Element oscal:calc
    +
    +
    +
    Source
    +
    +
    +
    + + + + +
    <xs:attribute name="space">
    +  <xs:simpleType>
    +    <xs:restriction base="xs:token">
    +      <xs:enumeration value="preserve"/>
    +    </xs:restriction>
    +  </xs:simpleType>
    +</xs:attribute>
    +
    +
    +
    + +
\ No newline at end of file
diff --git a/working/COBIT5/profile-cobit5.xml b/working/COBIT5/profile-cobit5.xml
index 1496536720..014a43afae 100644
--- a/working/COBIT5/profile-cobit5.xml
+++ b/working/COBIT5/profile-cobit5.xml
@@ -1,12 +1,12 @@ - + Business Process Owners Business Process Owners Business Process Owners Business Process Owners - +
\ No newline at end of file
diff --git a/working/FedRAMP/FedRAMP-HIGH-working.json b/working/FedRAMP/FedRAMP-HIGH-working.json
deleted file mode 100644
index a9b9ff627c..0000000000
--- a/working/FedRAMP/FedRAMP-HIGH-working.json
+++ /dev/null
@@ -1,10460 +0,0 @@ -{ - "id": "uuid-fe680beb-e833-4287-bf0f-985eeaea1e70", - "title": "FedRAMP HIGH Baseline PROFILE (extracted and aligned, no edits)", - "invocations": [ - { - "href": "../SP800-53/SP800-53-HIGH-baseline.json", - "include": { - "calls": [ - { - "controlId": "ac.1" - }, - { - "controlId": "ac.2" - }, - { - "subcontrolId": "ac.2.1." - }, - { - "subcontrolId": "ac.2.2." - }, - { - "subcontrolId": "ac.2.3." - }, - { - "subcontrolId": "ac.2.4." - }, - { - "subcontrolId": "ac.2.5." - }, - { - "subcontrolId": "ac.2.11." - }, - { - "subcontrolId": "ac.2.12." - }, - { - "subcontrolId": "ac.2.13." - }, - { - "controlId": "ac.3" - }, - { - "controlId": "ac.4" - }, - { - "controlId": "ac.5" - }, - { - "controlId": "ac.6" - }, - { - "subcontrolId": "ac.6.1." - }, - { - "subcontrolId": "ac.6.2." - }, - { - "subcontrolId": "ac.6.3." - }, - { - "subcontrolId": "ac.6.5." - }, - { - "subcontrolId": "ac.6.9." - }, - { - "subcontrolId": "ac.6.10." - }, - { - "controlId": "ac.7" - }, - { - "controlId": "ac.8" - }, - { - "controlId": "ac.10" - }, - { - "controlId": "ac.11" - }, - { - "subcontrolId": "ac.11.1." - }, - { - "controlId": "ac.12" - }, - { - "controlId": "ac.14" - }, - { - "controlId": "ac.17" - }, - { - "subcontrolId": "ac.17.1." - }, - { - "subcontrolId": "ac.17.2." - }, - { - "subcontrolId": "ac.17.3." - }, - { - "subcontrolId": "ac.17.4." - }, - { - "controlId": "ac.18" - }, - { - "subcontrolId": "ac.18.1." - }, - { - "subcontrolId": "ac.18.4." - }, - { - "subcontrolId": "ac.18.5." - }, - { - "controlId": "ac.19" - }, - { - "subcontrolId": "ac.19.5." - }, - { - "controlId": "ac.20" - }, - { - "subcontrolId": "ac.20.1." - }, - { - "subcontrolId": "ac.20.2." - }, - { - "controlId": "ac.21" - }, - { - "controlId": "ac.22" - }, - { - "controlId": "at.1" - }, - { - "controlId": "at.2" - }, - { - "subcontrolId": "at.2.2." 
- }, - { - "controlId": "at.3" - }, - { - "controlId": "at.4" - }, - { - "controlId": "au.1" - }, - { - "controlId": "au.2" - }, - { - "subcontrolId": "au.2.3." - }, - { - "controlId": "au.3" - }, - { - "subcontrolId": "au.3.1." - }, - { - "subcontrolId": "au.3.2." - }, - { - "controlId": "au.4" - }, - { - "controlId": "au.5" - }, - { - "subcontrolId": "au.5.1." - }, - { - "subcontrolId": "au.5.2." - }, - { - "controlId": "au.6" - }, - { - "subcontrolId": "au.6.1." - }, - { - "subcontrolId": "au.6.3." - }, - { - "subcontrolId": "au.6.5." - }, - { - "subcontrolId": "au.6.6." - }, - { - "controlId": "au.7" - }, - { - "subcontrolId": "au.7.1." - }, - { - "controlId": "au.8" - }, - { - "subcontrolId": "au.8.1." - }, - { - "controlId": "au.9" - }, - { - "subcontrolId": "au.9.2." - }, - { - "subcontrolId": "au.9.3." - }, - { - "subcontrolId": "au.9.4." - }, - { - "controlId": "au.10" - }, - { - "controlId": "au.11" - }, - { - "controlId": "au.12" - }, - { - "subcontrolId": "au.12.1." - }, - { - "subcontrolId": "au.12.3." - }, - { - "controlId": "ca.1" - }, - { - "controlId": "ca.2" - }, - { - "subcontrolId": "ca.2.1." - }, - { - "subcontrolId": "ca.2.2." - }, - { - "controlId": "ca.3" - }, - { - "subcontrolId": "ca.3.5." - }, - { - "controlId": "ca.5" - }, - { - "controlId": "ca.6" - }, - { - "controlId": "ca.7" - }, - { - "subcontrolId": "ca.7.1." - }, - { - "controlId": "ca.8" - }, - { - "controlId": "ca.9" - }, - { - "controlId": "cm.1" - }, - { - "controlId": "cm.2" - }, - { - "subcontrolId": "cm.2.1." - }, - { - "subcontrolId": "cm.2.2." - }, - { - "subcontrolId": "cm.2.3." - }, - { - "subcontrolId": "cm.2.7." - }, - { - "controlId": "cm.3" - }, - { - "subcontrolId": "cm.3.1." - }, - { - "subcontrolId": "cm.3.2." - }, - { - "controlId": "cm.4" - }, - { - "subcontrolId": "cm.4.1." - }, - { - "controlId": "cm.5" - }, - { - "subcontrolId": "cm.5.1." - }, - { - "subcontrolId": "cm.5.2." - }, - { - "subcontrolId": "cm.5.3." 
- }, - { - "controlId": "cm.6" - }, - { - "subcontrolId": "cm.6.1." - }, - { - "subcontrolId": "cm.6.2." - }, - { - "controlId": "cm.7" - }, - { - "subcontrolId": "cm.7.1." - }, - { - "subcontrolId": "cm.7.2." - }, - { - "subcontrolId": "cm.7.5." - }, - { - "controlId": "cm.8" - }, - { - "subcontrolId": "cm.8.1." - }, - { - "subcontrolId": "cm.8.2." - }, - { - "subcontrolId": "cm.8.3." - }, - { - "subcontrolId": "cm.8.4." - }, - { - "subcontrolId": "cm.8.5." - }, - { - "controlId": "cm.9" - }, - { - "controlId": "cm.10" - }, - { - "controlId": "cm.11" - }, - { - "controlId": "cp.1" - }, - { - "controlId": "cp.2" - }, - { - "subcontrolId": "cp.2.1." - }, - { - "subcontrolId": "cp.2.2." - }, - { - "subcontrolId": "cp.2.3." - }, - { - "subcontrolId": "cp.2.4." - }, - { - "subcontrolId": "cp.2.5." - }, - { - "subcontrolId": "cp.2.8." - }, - { - "controlId": "cp.3" - }, - { - "subcontrolId": "cp.3.1." - }, - { - "controlId": "cp.4" - }, - { - "subcontrolId": "cp.4.1." - }, - { - "subcontrolId": "cp.4.2." - }, - { - "controlId": "cp.6" - }, - { - "subcontrolId": "cp.6.1." - }, - { - "subcontrolId": "cp.6.2." - }, - { - "subcontrolId": "cp.6.3." - }, - { - "controlId": "cp.7" - }, - { - "subcontrolId": "cp.7.1." - }, - { - "subcontrolId": "cp.7.2." - }, - { - "subcontrolId": "cp.7.3." - }, - { - "subcontrolId": "cp.7.4." - }, - { - "controlId": "cp.8" - }, - { - "subcontrolId": "cp.8.1." - }, - { - "subcontrolId": "cp.8.2." - }, - { - "subcontrolId": "cp.8.3." - }, - { - "subcontrolId": "cp.8.4." - }, - { - "controlId": "cp.9" - }, - { - "subcontrolId": "cp.9.1." - }, - { - "subcontrolId": "cp.9.2." - }, - { - "subcontrolId": "cp.9.3." - }, - { - "subcontrolId": "cp.9.5." - }, - { - "controlId": "cp.10" - }, - { - "subcontrolId": "cp.10.2." - }, - { - "subcontrolId": "cp.10.4." - }, - { - "controlId": "ia.1" - }, - { - "controlId": "ia.2" - }, - { - "subcontrolId": "ia.2.1." - }, - { - "subcontrolId": "ia.2.2." - }, - { - "subcontrolId": "ia.2.3." 
- }, - { - "subcontrolId": "ia.2.4." - }, - { - "subcontrolId": "ia.2.8." - }, - { - "subcontrolId": "ia.2.9." - }, - { - "subcontrolId": "ia.2.11." - }, - { - "subcontrolId": "ia.2.12." - }, - { - "controlId": "ia.3" - }, - { - "controlId": "ia.4" - }, - { - "controlId": "ia.5" - }, - { - "subcontrolId": "ia.5.1." - }, - { - "subcontrolId": "ia.5.2." - }, - { - "subcontrolId": "ia.5.3." - }, - { - "subcontrolId": "ia.5.11." - }, - { - "controlId": "ia.6" - }, - { - "controlId": "ia.7" - }, - { - "controlId": "ia.8" - }, - { - "subcontrolId": "ia.8.1." - }, - { - "subcontrolId": "ia.8.2." - }, - { - "subcontrolId": "ia.8.3." - }, - { - "subcontrolId": "ia.8.4." - }, - { - "controlId": "ir.1" - }, - { - "controlId": "ir.2" - }, - { - "subcontrolId": "ir.2.1." - }, - { - "subcontrolId": "ir.2.2." - }, - { - "controlId": "ir.3" - }, - { - "subcontrolId": "ir.3.2." - }, - { - "controlId": "ir.4" - }, - { - "subcontrolId": "ir.4.1." - }, - { - "subcontrolId": "ir.4.4." - }, - { - "controlId": "ir.5" - }, - { - "subcontrolId": "ir.5.1." - }, - { - "controlId": "ir.6" - }, - { - "subcontrolId": "ir.6.1." - }, - { - "controlId": "ir.7" - }, - { - "subcontrolId": "ir.7.1." - }, - { - "controlId": "ir.8" - }, - { - "controlId": "ma.1" - }, - { - "controlId": "ma.2" - }, - { - "subcontrolId": "ma.2.2." - }, - { - "controlId": "ma.3" - }, - { - "subcontrolId": "ma.3.1." - }, - { - "subcontrolId": "ma.3.2." - }, - { - "subcontrolId": "ma.3.3." - }, - { - "controlId": "ma.4" - }, - { - "subcontrolId": "ma.4.2." - }, - { - "subcontrolId": "ma.4.3." - }, - { - "controlId": "ma.5" - }, - { - "subcontrolId": "ma.5.1." - }, - { - "controlId": "ma.6" - }, - { - "controlId": "mp.1" - }, - { - "controlId": "mp.2" - }, - { - "controlId": "mp.3" - }, - { - "controlId": "mp.4" - }, - { - "controlId": "mp.5" - }, - { - "subcontrolId": "mp.5.4." - }, - { - "controlId": "mp.6" - }, - { - "subcontrolId": "mp.6.1." - }, - { - "subcontrolId": "mp.6.2." - }, - { - "subcontrolId": "mp.6.3." 
- }, - { - "controlId": "mp.7" - }, - { - "subcontrolId": "mp.7.1." - }, - { - "controlId": "pe.1" - }, - { - "controlId": "pe.2" - }, - { - "controlId": "pe.3" - }, - { - "subcontrolId": "pe.3.1." - }, - { - "controlId": "pe.4" - }, - { - "controlId": "pe.5" - }, - { - "controlId": "pe.6" - }, - { - "subcontrolId": "pe.6.1." - }, - { - "subcontrolId": "pe.6.4." - }, - { - "controlId": "pe.8" - }, - { - "subcontrolId": "pe.8.1." - }, - { - "controlId": "pe.9" - }, - { - "controlId": "pe.10" - }, - { - "controlId": "pe.11" - }, - { - "subcontrolId": "pe.11.1." - }, - { - "controlId": "pe.12" - }, - { - "controlId": "pe.13" - }, - { - "subcontrolId": "pe.13.1." - }, - { - "subcontrolId": "pe.13.2." - }, - { - "subcontrolId": "pe.13.3." - }, - { - "controlId": "pe.14" - }, - { - "controlId": "pe.15" - }, - { - "subcontrolId": "pe.15.1." - }, - { - "controlId": "pe.16" - }, - { - "controlId": "pe.17" - }, - { - "controlId": "pe.18" - }, - { - "controlId": "pl.1" - }, - { - "controlId": "pl.2" - }, - { - "subcontrolId": "pl.2.3." - }, - { - "controlId": "pl.4" - }, - { - "subcontrolId": "pl.4.1." - }, - { - "controlId": "pl.8" - }, - { - "controlId": "ps.1" - }, - { - "controlId": "ps.2" - }, - { - "controlId": "ps.3" - }, - { - "controlId": "ps.4" - }, - { - "subcontrolId": "ps.4.2." - }, - { - "controlId": "ps.5" - }, - { - "controlId": "ps.6" - }, - { - "controlId": "ps.7" - }, - { - "controlId": "ps.8" - }, - { - "controlId": "ra.1" - }, - { - "controlId": "ra.2" - }, - { - "controlId": "ra.3" - }, - { - "controlId": "ra.5" - }, - { - "subcontrolId": "ra.5.1." - }, - { - "subcontrolId": "ra.5.2." - }, - { - "subcontrolId": "ra.5.4." - }, - { - "subcontrolId": "ra.5.5." - }, - { - "controlId": "sa.1" - }, - { - "controlId": "sa.2" - }, - { - "controlId": "sa.3" - }, - { - "controlId": "sa.4" - }, - { - "subcontrolId": "sa.4.1." - }, - { - "subcontrolId": "sa.4.2." - }, - { - "subcontrolId": "sa.4.9." - }, - { - "subcontrolId": "sa.4.10." 
- }, - { - "controlId": "sa.5" - }, - { - "controlId": "sa.8" - }, - { - "controlId": "sa.9" - }, - { - "subcontrolId": "sa.9.2." - }, - { - "controlId": "sa.10" - }, - { - "controlId": "sa.11" - }, - { - "controlId": "sa.12" - }, - { - "controlId": "sa.15" - }, - { - "controlId": "sa.16" - }, - { - "controlId": "sa.17" - }, - { - "controlId": "sc.1" - }, - { - "controlId": "sc.2" - }, - { - "controlId": "sc.3" - }, - { - "controlId": "sc.4" - }, - { - "controlId": "sc.5" - }, - { - "controlId": "sc.7" - }, - { - "subcontrolId": "sc.7.3." - }, - { - "subcontrolId": "sc.7.4." - }, - { - "subcontrolId": "sc.7.5." - }, - { - "subcontrolId": "sc.7.7." - }, - { - "subcontrolId": "sc.7.8." - }, - { - "subcontrolId": "sc.7.18." - }, - { - "subcontrolId": "sc.7.21." - }, - { - "controlId": "sc.8" - }, - { - "subcontrolId": "sc.8.1." - }, - { - "controlId": "sc.10" - }, - { - "controlId": "sc.12" - }, - { - "subcontrolId": "sc.12.1." - }, - { - "controlId": "sc.13" - }, - { - "controlId": "sc.15" - }, - { - "controlId": "sc.17" - }, - { - "controlId": "sc.18" - }, - { - "controlId": "sc.19" - }, - { - "controlId": "sc.20" - }, - { - "controlId": "sc.21" - }, - { - "controlId": "sc.22" - }, - { - "controlId": "sc.23" - }, - { - "controlId": "sc.24" - }, - { - "controlId": "sc.28" - }, - { - "controlId": "sc.39" - }, - { - "controlId": "si.1" - }, - { - "controlId": "si.2" - }, - { - "subcontrolId": "si.2.1." - }, - { - "subcontrolId": "si.2.2." - }, - { - "controlId": "si.3" - }, - { - "subcontrolId": "si.3.1." - }, - { - "subcontrolId": "si.3.2." - }, - { - "controlId": "si.4" - }, - { - "subcontrolId": "si.4.2." - }, - { - "subcontrolId": "si.4.4." - }, - { - "subcontrolId": "si.4.5." - }, - { - "controlId": "si.5" - }, - { - "subcontrolId": "si.5.1." - }, - { - "controlId": "si.6" - }, - { - "controlId": "si.7" - }, - { - "subcontrolId": "si.7.1." - }, - { - "subcontrolId": "si.7.2." - }, - { - "subcontrolId": "si.7.5." - }, - { - "subcontrolId": "si.7.7." 
- }, - { - "subcontrolId": "si.7.14." - }, - { - "controlId": "si.8" - }, - { - "subcontrolId": "si.8.1." - }, - { - "subcontrolId": "si.8.2." - }, - { - "controlId": "si.10" - }, - { - "controlId": "si.11" - }, - { - "controlId": "si.12" - }, - { - "controlId": "si.16" - } - ] - }, - "paramSettings": [ - { - "paramId": "ac-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ac-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ac-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ac-2_a", - "desc": "organization-defined information system account types", - "value": "organization-defined information system account types" - }, - { - "paramId": "ac-2_b", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ac-2_c", - "desc": "organization-defined procedures or conditions", - "value": "organization-defined procedures or conditions" - }, - { - "paramId": "ac-2_d", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ac-2_e", - "desc": "organization-defined time period for each type of account", - "value": "organization-defined time period for each type of account" - }, - { - "paramId": "ac-2_f", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ac-2_g", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ac-2_h", - "desc": "organization-defined time-period of expected inactivity or description of when to log out", - "value": "organization-defined time-period of expected inactivity or description of when to log out" - }, - { - "paramId": "ac-2_m", - "desc": "organization-defined 
circumstances and/or usage conditions", - "value": "organization-defined circumstances and/or usage conditions" - }, - { - "paramId": "ac-2_n", - "desc": "organization-defined information system accounts", - "value": "organization-defined information system accounts" - }, - { - "paramId": "ac-2_o", - "desc": "organization-defined atypical usage", - "value": "organization-defined atypical usage" - }, - { - "paramId": "ac-2_p", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ac-2_q", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ac-4_a", - "desc": "organization-defined information flow control policies", - "value": "organization-defined information flow control policies" - }, - { - "paramId": "ac-5_a", - "desc": "organization-defined duties of individuals", - "value": "organization-defined duties of individuals" - }, - { - "paramId": "ac-6_a", - "desc": "organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information", - "value": "organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information" - }, - { - "paramId": "ac-6_b", - "desc": "organization-defined security functions or security-relevant information", - "value": "organization-defined security functions or security-relevant information" - }, - { - "paramId": "ac-6_c", - "desc": "organization-defined privileged commands", - "value": "organization-defined privileged commands" - }, - { - "paramId": "ac-6_d", - "desc": "organization-defined compelling operational needs", - "value": "organization-defined compelling operational needs" - }, - { - "paramId": "ac-6_e", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ac-7_a", - "desc": "organization-defined number", - "value": 
"organization-defined number" - }, - { - "paramId": "ac-7_b", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ac-7_c", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ac-7_d", - "desc": "organization-defined delay algorithm", - "value": "organization-defined delay algorithm" - }, - { - "paramId": "ac-8_a", - "desc": "organization-defined system use notification message or banner", - "value": "organization-defined system use notification message or banner" - }, - { - "paramId": "ac-8_b", - "desc": "organization-defined conditions", - "value": "organization-defined conditions" - }, - { - "paramId": "ac-10_a", - "desc": "organization-defined account and/or account type", - "value": "organization-defined account and/or account type" - }, - { - "paramId": "ac-10_b", - "desc": "organization-defined number", - "value": "organization-defined number" - }, - { - "paramId": "ac-11_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ac-12_a", - "desc": "organization-defined conditions or trigger events requiring session disconnect", - "value": "organization-defined conditions or trigger events requiring session disconnect" - }, - { - "paramId": "ac-14_a", - "desc": "organization-defined user actions", - "value": "organization-defined user actions" - }, - { - "paramId": "ac-17_a", - "desc": "organization-defined number", - "value": "organization-defined number" - }, - { - "paramId": "ac-17_b", - "desc": "organization-defined needs", - "value": "organization-defined needs" - }, - { - "paramId": "ac-19_c", - "desc": "organization-defined mobile devices", - "value": "organization-defined mobile devices" - }, - { - "paramId": "ac-21_a", - "desc": "organization-defined information sharing circumstances where user discretion is required", - "value": "organization-defined information 
sharing circumstances where user discretion is required" - }, - { - "paramId": "ac-21_b", - "desc": "organization-defined automated mechanisms or manual processes", - "value": "organization-defined automated mechanisms or manual processes" - }, - { - "paramId": "ac-22_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "at-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "at-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "at-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "at-2_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "at-3_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "at-4_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "au-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "au-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "au-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "au-2_a", - "desc": "organization-defined auditable events", - "value": "organization-defined auditable events" - }, - { - "paramId": "au-2_b", - "desc": "organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event", - "value": "organization-defined audited events (the subset of the auditable events defined in AU-2 a.) 
along with the frequency of (or situation requiring) auditing for each identified event" - }, - { - "paramId": "au-2_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "au-3_a", - "desc": "organization-defined additional, more detailed information", - "value": "organization-defined additional, more detailed information" - }, - { - "paramId": "au-3_b", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "au-4_a", - "desc": "organization-defined audit record storage requirements", - "value": "organization-defined audit record storage requirements" - }, - { - "paramId": "au-5_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "au-5_b", - "desc": "organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)", - "value": "organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)" - }, - { - "paramId": "au-5_c", - "desc": "organization-defined personnel, roles, and/or locations", - "value": "organization-defined personnel, roles, and/or locations" - }, - { - "paramId": "au-5_d", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "au-5_e", - "desc": "organization-defined percentage", - "value": "organization-defined percentage" - }, - { - "paramId": "au-5_f", - "desc": "organization-defined real-time period", - "value": "organization-defined real-time period" - }, - { - "paramId": "au-5_g", - "desc": "organization-defined personnel, roles, and/or locations", - "value": "organization-defined personnel, roles, and/or locations" - }, - { - "paramId": "au-5_h", - "desc": "organization-defined audit failure events 
requiring real-time alerts", - "value": "organization-defined audit failure events requiring real-time alerts" - }, - { - "paramId": "au-6_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "au-6_b", - "desc": "organization-defined inappropriate or unusual activity", - "value": "organization-defined inappropriate or unusual activity" - }, - { - "paramId": "au-6_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "au-6_d", - "desc": "organization-defined data/information collected from other sources", - "value": "organization-defined data/information collected from other sources" - }, - { - "paramId": "au-7_a", - "desc": "organization-defined audit fields within audit records", - "value": "organization-defined audit fields within audit records" - }, - { - "paramId": "au-8_a", - "desc": "organization-defined granularity of time measurement", - "value": "organization-defined granularity of time measurement" - }, - { - "paramId": "au-8_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "au-8_c", - "desc": "organization-defined authoritative time source", - "value": "organization-defined authoritative time source" - }, - { - "paramId": "au-8_d", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "au-9_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "au-9_b", - "desc": "organization-defined subset of privileged users", - "value": "organization-defined subset of privileged users" - }, - { - "paramId": "au-10_a", - "desc": "organization-defined actions to be covered by non-repudiation", - "value": "organization-defined actions to be covered by non-repudiation" - }, - { - "paramId": "au-11_a", - "desc": "organization-defined time period 
consistent with records retention policy", - "value": "organization-defined time period consistent with records retention policy" - }, - { - "paramId": "au-12_a", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "au-12_b", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "au-12_c", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "au-12_d", - "desc": "organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail", - "value": "organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail" - }, - { - "paramId": "au-12_e", - "desc": "organization-defined individuals or roles", - "value": "organization-defined individuals or roles" - }, - { - "paramId": "au-12_f", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "au-12_g", - "desc": "organization-defined selectable event criteria", - "value": "organization-defined selectable event criteria" - }, - { - "paramId": "au-12_h", - "desc": "organization-defined time thresholds", - "value": "organization-defined time thresholds" - }, - { - "paramId": "ca-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ca-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-2_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - 
"paramId": "ca-2_b", - "desc": "organization-defined individuals or roles", - "value": "organization-defined individuals or roles" - }, - { - "paramId": "ca-2_c", - "desc": "organization-defined level of independence", - "value": "organization-defined level of independence" - }, - { - "paramId": "ca-2_d", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-2_e", - "desc": "organization-defined other forms of security assessment", - "value": "organization-defined other forms of security assessment" - }, - { - "paramId": "ca-3_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-3_h", - "desc": "organization-defined information systems", - "value": "organization-defined information systems" - }, - { - "paramId": "ca-5_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-6_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-7_a", - "desc": "organization-defined metrics", - "value": "organization-defined metrics" - }, - { - "paramId": "ca-7_b", - "desc": "organization-defined frequencies", - "value": "organization-defined frequencies" - }, - { - "paramId": "ca-7_c", - "desc": "organization-defined frequencies", - "value": "organization-defined frequencies" - }, - { - "paramId": "ca-7_d", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ca-7_e", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-7_f", - "desc": "organization-defined level of independence", - "value": "organization-defined level of independence" - }, - { - "paramId": "ca-8_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-8_b", - "desc": 
"organization-defined information systems or system components", - "value": "organization-defined information systems or system components" - }, - { - "paramId": "ca-9_a", - "desc": "organization-defined information system components or classes of components", - "value": "organization-defined information system components or classes of components" - }, - { - "paramId": "cm-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "cm-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-2_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-2_b", - "desc": "Assignment organization-defined circumstances", - "value": "Assignment organization-defined circumstances" - }, - { - "paramId": "cm-2_c", - "desc": "organization-defined previous versions of baseline configurations of the information system", - "value": "organization-defined previous versions of baseline configurations of the information system" - }, - { - "paramId": "cm-2_d", - "desc": "organization-defined information systems, system components, or devices", - "value": "organization-defined information systems, system components, or devices" - }, - { - "paramId": "cm-2_e", - "desc": "organization-defined configurations", - "value": "organization-defined configurations" - }, - { - "paramId": "cm-2_f", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "cm-3_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "cm-3_b", - "desc": "organization-defined configuration change control element (e.g., committee, board)", - "value": "organization-defined 
configuration change control element (e.g., committee, board)" - }, - { - "paramId": "cm-3_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-3_d", - "desc": "organization-defined configuration change conditions", - "value": "organization-defined configuration change conditions" - }, - { - "paramId": "cm-3_e", - "desc": "organized-defined approval authorities", - "value": "organized-defined approval authorities" - }, - { - "paramId": "cm-3_f", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "cm-3_g", - "desc": "organization-defined personnel", - "value": "organization-defined personnel" - }, - { - "paramId": "cm-5_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-5_b", - "desc": "organization-defined circumstances", - "value": "organization-defined circumstances" - }, - { - "paramId": "cm-5_c", - "desc": "organization-defined software and firmware components", - "value": "organization-defined software and firmware components" - }, - { - "paramId": "cm-6_a", - "desc": "organization-defined security configuration checklists", - "value": "organization-defined security configuration checklists" - }, - { - "paramId": "cm-6_b", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "cm-6_c", - "desc": "organization-defined operational requirements", - "value": "organization-defined operational requirements" - }, - { - "paramId": "cm-6_d", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "cm-6_e", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "cm-6_f", - "desc": "organization-defined configuration 
settings", - "value": "organization-defined configuration settings" - }, - { - "paramId": "cm-7_a", - "desc": "organization-defined prohibited or restricted functions, ports, protocols, and/or services", - "value": "organization-defined prohibited or restricted functions, ports, protocols, and/or services" - }, - { - "paramId": "cm-7_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-7_c", - "desc": "organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure", - "value": "organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure" - }, - { - "paramId": "cm-7_d", - "desc": "organization-defined policies regarding software program usage and restrictions", - "value": "organization-defined policies regarding software program usage and restrictions" - }, - { - "paramId": "cm-7_h", - "desc": "organization-defined software programs authorized to execute on the information system", - "value": "organization-defined software programs authorized to execute on the information system" - }, - { - "paramId": "cm-7_i", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-8_a", - "desc": "organization-defined information deemed necessary to achieve effective information system component accountability", - "value": "organization-defined information deemed necessary to achieve effective information system component accountability" - }, - { - "paramId": "cm-8_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-8_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-8_d", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - 
{ - "paramId": "cm-11_a", - "desc": "organization-defined policies", - "value": "organization-defined policies" - }, - { - "paramId": "cm-11_b", - "desc": "organization-defined methods", - "value": "organization-defined methods" - }, - { - "paramId": "cm-11_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "cp-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-2_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "cp-2_b", - "desc": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements", - "value": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" - }, - { - "paramId": "cp-2_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-2_d", - "desc": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements", - "value": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" - }, - { - "paramId": "cp-2_e", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "cp-2_f", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "cp-3_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "cp-3_b", - "desc": "organization-defined frequency", - 
"value": "organization-defined frequency" - }, - { - "paramId": "cp-4_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-4_b", - "desc": "organization-defined tests", - "value": "organization-defined tests" - }, - { - "paramId": "cp-7_a", - "desc": "organization-defined information system operations", - "value": "organization-defined information system operations" - }, - { - "paramId": "cp-7_b", - "desc": "organization-defined time period consistent with recovery time and recovery point objectives", - "value": "organization-defined time period consistent with recovery time and recovery point objectives" - }, - { - "paramId": "cp-8_a", - "desc": "organization-defined information system operations", - "value": "organization-defined information system operations" - }, - { - "paramId": "cp-8_b", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "cp-8_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-9_a", - "desc": "organization-defined frequency consistent with recovery time and recovery point objectives", - "value": "organization-defined frequency consistent with recovery time and recovery point objectives" - }, - { - "paramId": "cp-9_b", - "desc": "organization-defined frequency consistent with recovery time and recovery point objectives", - "value": "organization-defined frequency consistent with recovery time and recovery point objectives" - }, - { - "paramId": "cp-9_c", - "desc": "organization-defined frequency consistent with recovery time and recovery point objectives", - "value": "organization-defined frequency consistent with recovery time and recovery point objectives" - }, - { - "paramId": "cp-9_d", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-9_e", - "desc": "organization-defined critical 
information system software and other security-related information", - "value": "organization-defined critical information system software and other security-related information" - }, - { - "paramId": "cp-9_f", - "desc": "organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives", - "value": "organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives" - }, - { - "paramId": "cp-10_a", - "desc": "organization-defined restoration time-periods", - "value": "organization-defined restoration time-periods" - }, - { - "paramId": "ia-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ia-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ia-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ia-2_d", - "desc": "organization-defined strength of mechanism requirements", - "value": "organization-defined strength of mechanism requirements" - }, - { - "paramId": "ia-3_a", - "desc": "organization-defined specific and/or types of devices", - "value": "organization-defined specific and/or types of devices" - }, - { - "paramId": "ia-4_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ia-4_b", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ia-4_c", - "desc": "organization-defined time period of inactivity", - "value": "organization-defined time period of inactivity" - }, - { - "paramId": "ia-5_a", - "desc": "organization-defined time period by authenticator type", - "value": "organization-defined time period by authenticator type" - }, - { - "paramId": "ia-5_b", - "desc": "organization-defined requirements for case 
sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type", - "value": "organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type" - }, - { - "paramId": "ia-5_c", - "desc": "organization-defined number", - "value": "organization-defined number" - }, - { - "paramId": "ia-5_d", - "desc": "organization-defined numbers for lifetime minimum, lifetime maximum", - "value": "organization-defined numbers for lifetime minimum, lifetime maximum" - }, - { - "paramId": "ia-5_e", - "desc": "organization-defined number", - "value": "organization-defined number" - }, - { - "paramId": "ia-5_f", - "desc": "organization-defined types of and/or specific authenticators", - "value": "organization-defined types of and/or specific authenticators" - }, - { - "paramId": "ia-5_g", - "desc": "organization-defined registration authority", - "value": "organization-defined registration authority" - }, - { - "paramId": "ia-5_h", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ia-5_l", - "desc": "organization-defined token quality requirements", - "value": "organization-defined token quality requirements" - }, - { - "paramId": "ia-8_a", - "desc": "organization-defined information systems", - "value": "organization-defined information systems" - }, - { - "paramId": "ir-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ir-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ir-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ir-2_a", - "desc": "organization-defined 
time period", - "value": "organization-defined time period" - }, - { - "paramId": "ir-2_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ir-3_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ir-3_b", - "desc": "organization-defined tests", - "value": "organization-defined tests" - }, - { - "paramId": "ir-6_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ir-6_b", - "desc": "organization-defined authorities", - "value": "organization-defined authorities" - }, - { - "paramId": "ir-8_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ir-8_b", - "desc": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements", - "value": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements" - }, - { - "paramId": "ir-8_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ir-8_d", - "desc": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements", - "value": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements" - }, - { - "paramId": "ma-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ma-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ma-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ma-2_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or 
roles" - }, - { - "paramId": "ma-2_b", - "desc": "organization-defined maintenance-related information", - "value": "organization-defined maintenance-related information" - }, - { - "paramId": "ma-3_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ma-6_a", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "ma-6_b", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "mp-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "mp-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "mp-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "mp-2_a", - "desc": "organization-defined types of digital and/or non-digital media", - "value": "organization-defined types of digital and/or non-digital media" - }, - { - "paramId": "mp-2_b", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "mp-3_a", - "desc": "organization-defined types of information system media", - "value": "organization-defined types of information system media" - }, - { - "paramId": "mp-3_b", - "desc": "organization-defined controlled areas", - "value": "organization-defined controlled areas" - }, - { - "paramId": "mp-4_a", - "desc": "organization-defined types of digital and/or non-digital media", - "value": "organization-defined types of digital and/or non-digital media" - }, - { - "paramId": "mp-4_b", - "desc": "organization-defined controlled areas", - "value": "organization-defined controlled areas" - }, - { - "paramId": "mp-5_a", - "desc": "organization-defined types of information 
system media", - "value": "organization-defined types of information system media" - }, - { - "paramId": "mp-5_b", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "mp-6_a", - "desc": "organization-defined information system media", - "value": "organization-defined information system media" - }, - { - "paramId": "mp-6_b", - "desc": "organization-defined sanitization techniques and procedures", - "value": "organization-defined sanitization techniques and procedures" - }, - { - "paramId": "mp-6_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "mp-6_d", - "desc": "organization-defined circumstances requiring sanitization of portable storage devices", - "value": "organization-defined circumstances requiring sanitization of portable storage devices" - }, - { - "paramId": "mp-7_a", - "desc": "organization-defined types of information system media", - "value": "organization-defined types of information system media" - }, - { - "paramId": "mp-7_b", - "desc": "organization-defined information systems or system components", - "value": "organization-defined information systems or system components" - }, - { - "paramId": "mp-7_c", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "pe-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "pe-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-2_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-3_a", - "desc": "organization-defined entry/exit points to the facility where the 
information system resides", - "value": "organization-defined entry/exit points to the facility where the information system resides" - }, - { - "paramId": "pe-3_b", - "desc": "organization-defined physical access control systems/devices", - "value": "organization-defined physical access control systems/devices" - }, - { - "paramId": "pe-3_c", - "desc": "organization-defined entry/exit points", - "value": "organization-defined entry/exit points" - }, - { - "paramId": "pe-3_d", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "pe-3_e", - "desc": "organization-defined circumstances requiring visitor escorts and monitoring", - "value": "organization-defined circumstances requiring visitor escorts and monitoring" - }, - { - "paramId": "pe-3_f", - "desc": "organization-defined physical access devices", - "value": "organization-defined physical access devices" - }, - { - "paramId": "pe-3_g", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-3_h", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-3_i", - "desc": "organization-defined physical spaces containing one or more components of the information system", - "value": "organization-defined physical spaces containing one or more components of the information system" - }, - { - "paramId": "pe-4_a", - "desc": "organization-defined information system distribution and transmission lines", - "value": "organization-defined information system distribution and transmission lines" - }, - { - "paramId": "pe-4_b", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "pe-6_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-6_b", - "desc": "organization-defined events or potential 
indications of events", - "value": "organization-defined events or potential indications of events" - }, - { - "paramId": "pe-6_g", - "desc": "organization-defined physical spaces containing one or more components of the information system", - "value": "organization-defined physical spaces containing one or more components of the information system" - }, - { - "paramId": "pe-8_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "pe-8_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-10_a", - "desc": "organization-defined location by information system or system component", - "value": "organization-defined location by information system or system component" - }, - { - "paramId": "pe-13_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "pe-13_b", - "desc": "organization-defined emergency responders", - "value": "organization-defined emergency responders" - }, - { - "paramId": "pe-13_c", - "desc": "organization-defined emergency responders", - "value": "organization-defined emergency responders" - }, - { - "paramId": "pe-14_a", - "desc": "organization-defined acceptable levels", - "value": "organization-defined acceptable levels" - }, - { - "paramId": "pe-14_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-15_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "pe-16_a", - "desc": "organization-defined types of information system components", - "value": "organization-defined types of information system components" - }, - { - "paramId": "pe-17_a", - "desc": "organization-defined security controls", - "value": "organization-defined security controls" - }, - { - "paramId": "pe-18_a", - "desc": 
"organization-defined physical and environmental hazards", - "value": "organization-defined physical and environmental hazards" - }, - { - "paramId": "pl-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "pl-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pl-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pl-2_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "pl-2_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pl-2_c", - "desc": "organization-defined individuals or groups", - "value": "organization-defined individuals or groups" - }, - { - "paramId": "pl-4_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pl-8_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ps-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-2_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-3_a", - "desc": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening", - "value": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening" - }, - { - "paramId": "ps-4_a", - 
"desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ps-4_b", - "desc": "organization-defined information security topics", - "value": "organization-defined information security topics" - }, - { - "paramId": "ps-4_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ps-4_d", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ps-4_e", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ps-5_a", - "desc": "organization-defined transfer or reassignment actions", - "value": "organization-defined transfer or reassignment actions" - }, - { - "paramId": "ps-5_b", - "desc": "organization-defined time period following the formal transfer action", - "value": "organization-defined time period following the formal transfer action" - }, - { - "paramId": "ps-5_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ps-5_d", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ps-6_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-6_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-7_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ps-7_b", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ps-8_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ps-8_b", - "desc": "organization-defined time period", - 
"value": "organization-defined time period" - }, - { - "paramId": "ra-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ra-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ra-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ra-3_a", - "desc": "organization-defined document", - "value": "organization-defined document" - }, - { - "paramId": "ra-3_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ra-3_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ra-3_d", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ra-5_a", - "desc": "organization-defined frequency and/or randomly in accordance with organization-defined process", - "value": "organization-defined frequency and/or randomly in accordance with organization-defined process" - }, - { - "paramId": "ra-5_b", - "desc": "organization-defined response times", - "value": "organization-defined response times" - }, - { - "paramId": "ra-5_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ra-5_d", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ra-5_e", - "desc": "organization-defined corrective actions", - "value": "organization-defined corrective actions" - }, - { - "paramId": "ra-5_f", - "desc": "organization-identified information system components", - "value": "organization-identified information system components" - }, - { - "paramId": "ra-5_g", - "desc": "organization-defined vulnerability scanning activities", - "value": "organization-defined 
vulnerability scanning activities" - }, - { - "paramId": "sa-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "sa-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "sa-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "sa-3_a", - "desc": "organization-defined system development life cycle", - "value": "organization-defined system development life cycle" - }, - { - "paramId": "sa-4_a", - "desc": "organization-defined design/implementation information", - "value": "organization-defined design/implementation information" - }, - { - "paramId": "sa-4_b", - "desc": "organization-defined level of detail", - "value": "organization-defined level of detail" - }, - { - "paramId": "sa-5_a", - "desc": "organization-defined actions", - "value": "organization-defined actions" - }, - { - "paramId": "sa-5_b", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "sa-9_a", - "desc": "organization-defined security controls", - "value": "organization-defined security controls" - }, - { - "paramId": "sa-9_b", - "desc": "organization-defined processes, methods, and techniques", - "value": "organization-defined processes, methods, and techniques" - }, - { - "paramId": "sa-9_d", - "desc": "organization-defined external information system services", - "value": "organization-defined external information system services" - }, - { - "paramId": "sa-10_a", - "desc": "organization-defined configuration items under configuration management", - "value": "organization-defined configuration items under configuration management" - }, - { - "paramId": "sa-10_b", - "desc": "organization-defined personnel", - "value": "organization-defined personnel" - }, - { - "paramId": "sa-11_a", - "desc": "organization-defined 
depth and coverage", - "value": "organization-defined depth and coverage" - }, - { - "paramId": "sa-12_a", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "sa-15_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "sa-15_b", - "desc": "organization-defined security requirements", - "value": "organization-defined security requirements" - }, - { - "paramId": "sa-16_a", - "desc": "organization-defined training", - "value": "organization-defined training" - }, - { - "paramId": "sc-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "sc-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "sc-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "sc-5_a", - "desc": "organization-defined types of denial of service attacks or references to sources for such information", - "value": "organization-defined types of denial of service attacks or references to sources for such information" - }, - { - "paramId": "sc-5_b", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "sc-7_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "sc-7_b", - "desc": "organization-defined internal communications traffic", - "value": "organization-defined internal communications traffic" - }, - { - "paramId": "sc-7_c", - "desc": "organization-defined external networks", - "value": "organization-defined external networks" - }, - { - "paramId": "sc-7_l", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "sc-7_m", - 
"desc": "organization-defined missions and/or business functions", - "value": "organization-defined missions and/or business functions" - }, - { - "paramId": "sc-8_a", - "desc": "organization-defined alternative physical safeguards", - "value": "organization-defined alternative physical safeguards" - }, - { - "paramId": "sc-10_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "sc-12_a", - "desc": "organization-defined requirements for key generation, distribution, storage, access, and destruction", - "value": "organization-defined requirements for key generation, distribution, storage, access, and destruction" - }, - { - "paramId": "sc-13_a", - "desc": "organization-defined cryptographic uses and type of cryptography required for each use", - "value": "organization-defined cryptographic uses and type of cryptography required for each use" - }, - { - "paramId": "sc-15_a", - "desc": "organization-defined exceptions where remote activation is to be allowed", - "value": "organization-defined exceptions where remote activation is to be allowed" - }, - { - "paramId": "sc-17_a", - "desc": "organization-defined certificate policy", - "value": "organization-defined certificate policy" - }, - { - "paramId": "sc-24_a", - "desc": "organization-defined known-state", - "value": "organization-defined known-state" - }, - { - "paramId": "sc-24_b", - "desc": "organization-defined types of failures", - "value": "organization-defined types of failures" - }, - { - "paramId": "sc-24_c", - "desc": "organization-defined system state information", - "value": "organization-defined system state information" - }, - { - "paramId": "sc-28_a", - "desc": "organization-defined information at rest", - "value": "organization-defined information at rest" - }, - { - "paramId": "si-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "si-1_b", - "desc": 
"organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-2_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "si-2_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-3_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-3_b", - "desc": "organization-defined action", - "value": "organization-defined action" - }, - { - "paramId": "si-4_a", - "desc": "organization-defined monitoring objectives", - "value": "organization-defined monitoring objectives" - }, - { - "paramId": "si-4_b", - "desc": "organization-defined techniques and methods", - "value": "organization-defined techniques and methods" - }, - { - "paramId": "si-4_c", - "desc": "organization-defined information system monitoring information", - "value": "organization-defined information system monitoring information" - }, - { - "paramId": "si-4_d", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "si-4_e", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-4_f", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-4_g", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "si-4_h", - "desc": "organization-defined compromise indicators", - "value": "organization-defined compromise indicators" - }, - { - "paramId": "si-5_a", - "desc": "organization-defined external organizations", - "value": "organization-defined external organizations" - }, - { - "paramId": "si-5_b", - "desc": 
"organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "si-5_c", - "desc": "organization-defined elements within the organization", - "value": "organization-defined elements within the organization" - }, - { - "paramId": "si-5_d", - "desc": "organization-defined external organizations", - "value": "organization-defined external organizations" - }, - { - "paramId": "si-6_a", - "desc": "organization-defined security functions", - "value": "organization-defined security functions" - }, - { - "paramId": "si-6_b", - "desc": "organization-defined system transitional states", - "value": "organization-defined system transitional states" - }, - { - "paramId": "si-6_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-6_d", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "si-6_e", - "desc": "organization-defined alternative action(s)", - "value": "organization-defined alternative action(s)" - }, - { - "paramId": "si-7_a", - "desc": "organization-defined software, firmware, and information", - "value": "organization-defined software, firmware, and information" - }, - { - "paramId": "si-7_b", - "desc": "organization-defined software, firmware, and information", - "value": "organization-defined software, firmware, and information" - }, - { - "paramId": "si-7_c", - "desc": "organization-defined transitional states or security-relevant events", - "value": "organization-defined transitional states or security-relevant events" - }, - { - "paramId": "si-7_d", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-7_e", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "si-7_f", - "desc": "organization-defined security safeguards", - "value": 
"organization-defined security safeguards" - }, - { - "paramId": "si-7_g", - "desc": "organization-defined security-relevant changes to the information system", - "value": "organization-defined security-relevant changes to the information system" - }, - { - "paramId": "si-10_a", - "desc": "organization-defined information inputs", - "value": "organization-defined information inputs" - }, - { - "paramId": "si-11_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "si-16_a", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - } - ], - "alterations": [ - { - "controlId": "ac.1", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-1 (b) (1) [at least annually] AC-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-2 (j) [monthly for privileged accessed, every six (6) months for non-privileged access]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.2.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.2.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - 
"prose": [ - "\u003cp\u003eAC-2 (2) [Selection: disables] [Assignment: 24 hours from last use]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.2.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-2 (3) [35 days for user accounts]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAC-2 (3) Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.2.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-2 (4) [organization and/or service provider system owner]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.2.5.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-2 (5) [inactivity is anticipated to exceed Fifteen (15) minutes]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAC-2 (5) Guidance: Should use a shorter timeframe than AC-12.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.2.11.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNIST added this control to the NIST High Baseline during the 1/15/2015\u003c/p\u003e" - ] - } - ] - } - 
}, - { - "subcontrolId": "ac.2.12.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-2 (12) (b)[at a minimum, the ISSO and/or similar role within the organization]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAC-2 (12)(a) Guidance: Required for privileged accounts. AC-2 (12)(b) Guidance: Required for privileged accounts.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.2.13.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-2 (13) [one (1) hour]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.3", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.4", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.5", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAC-5 Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.6", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - 
{ - "subcontrolId": "ac.6.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-6 (1) [all functions not publicly accessible and all security-relevant information not publicly available]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.6.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-6 (2) [all security functions]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAC-6 (2) Guidance: Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.6.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-6 (3)-1 [all privileged commands]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.6.5.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.6.9.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": 
"ac.6.10.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.7", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-7(a)-1 [not more than three (3)]\u003c/p\u003e", - "\u003cp\u003eAC-7(a)-2 [fifteen (15) minutes] AC-7(b) [locks the account/node for a minimum of three (3) hours or until unlocked by an administrator]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.8", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-8 (a) [see additional Requirements and Guidance] AC-8 (c) (1) [see additional Requirements and Guidance]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAC-8 Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO. Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided. 
Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.10", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-10-2 [three (3) sessions for privileged access and two (2) sessions for non-privileged access]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.11", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-11(a) [fifteen (15) minutes]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.11.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.12", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.14", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.17", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate 
Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.17.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.17.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.17.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.17.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.18", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.18.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.18.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.18.5.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.19", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 
and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.19.5.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.20", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.20.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.20.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.21", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.22", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-22 (d) [at least quarterly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "at.1", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "SECURITY AWARENESS AND TRAINING POLICY ANDPROCEDURES" - } - ], - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAT-1 (b) (1) [at least annually or 
whenever a significant change occurs] AT-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "at.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAT-2 (c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "at.2.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "at.3", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAT-3 (c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "at.4", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAT-4 (b) [five (5) years or 5 years after completion of a specific training program]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.1", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-1 (b) (1) [at least annually] AU-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST 
High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-2 (a) [successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes] AU-2 (d) [organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event].\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAU-2 Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.2.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-2 (3) [annually or whenever there is a change in the threat environment]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAU-2 (3) Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.3", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.3.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-3 (1) [session, connection, transaction, 
or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAU-3 (1) Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.3.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-3 (2) [all network, data storage, and computing devices]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.4", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.5", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-5 (b). 
[organization-defined actions to be taken (overwrite oldest record)\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.5.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.5.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-5 (2)-1 [real-time] AU-5 (1)-2 [service provider personnel with authority to address failed audit events] AU-5 (1)-3 [audit failure events requiring real-time alerts, as defined by organization audit policy].\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.6", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-6 (a)-1 [at least weekly]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAU-6 Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. 
In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.6.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.6.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.6.5.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-6 (5) [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; penetration test data; [Organization -defined data/information collected from other sources]]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.6.6.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAU-6 (6) Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.7", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.7.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 
4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.8", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-8 (b) [one second granularity of time measurement]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.8.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-8 (1) [http://tf.nist.gov/tf-cgi/servers.cgi] [At least hourly]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAU-8 (1) Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server. AU-8 (1) Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server. 
AU-8 (1) Guidance: Synchronization of system clocks improves the accuracy of log analysis.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.9", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.9.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-9 (2) [at least weekly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.9.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.9.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.10", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-10 [minimum actions including the addition, modification, deletion, approval, sending, or receiving of data]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.11", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-11 [at least one (1) year]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAU-11 Requirement: The service provider retains audit records on-line for at least ninety days and 
further preserves audit records off-line for a period that is in accordance with NARA requirements.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.12", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-12 (a) [all information system and network components where audit capability is deployed/available]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.12.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNon-repudiation\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-12 (1) [all network, data storage, and computing devices]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.12.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNon-repudiation\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-12 (3) (1) [service provider-defined individuals or roles with audit configuration responsibilities] AU-12 (3) (2) [all network, data storage, and computing devices]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.1", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-1 (b) (1) [at least annually] CA-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-2 (b) [at least 
annually] CA-2 (d) [individuals or roles to include FedRAMP PMO]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ca.2.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-2 (1) Requirement: For JAB Authorization, must use an accredited 3PAO.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ca.2.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-2 (2) [at least annually]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-2 (2) Requirement: To include 'announced', 'vulnerability scanning'\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.3", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-3 (c) [At least annually and on input from FedRAMP]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ca.3.5.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-3 (5) [deny-all, permit by exception]\u003c/p\u003e", - "\u003cp\u003e[any systems]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-3 (5) Guidance: For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.5", - "augment": { - 
"parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-5 (b) [at least monthly]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-5 Guidance: Requirement: POA\u0026amp;Ms must be provided at least monthly.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.6", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-6 (c) [at least every three (3) years or when a significant change occurs]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-6 (c) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.7", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-7 (g) [to meet Federal and FedRAMP requirements]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-7 Requirement: Operating System Scans: at least monthly Database and Web Application Scans: at least monthly All scans performed by Independent Assessor: at least annually CA-7 Guidance: CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA\u0026amp;M updates. 
Operating System Scans: at least monthly Database and Web Application Scans: at least monthly All scans performed by Independent Assessor: at least annually\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ca.7.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.8", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-8-1 [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.9", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.1", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-1 (b) (1) [at least annually] CM-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.2.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-2 (1) (a) [at least annually or when a significant change occurs] CM-2 (1) (b) [to 
include when directed by the JAB]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCM-2 (1) (a) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.2.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.2.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-2 (3) [organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.2.7.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.3", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCM-3 Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO. 
CM-3 (e) Guidance: In accordance with record retention policies and procedures.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.3.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-3 (1) (c) [organization agreed upon time period] CM-3 (1) (f) [organization defined configuration management approval authorities]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.3.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.4", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.4.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.5", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.5.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.5.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-5 (2) [at least every thirty (30) days]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.5.3.", - "augment": { - "parts": [ - { - 
"class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCM-5 (3) Guidance: If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.6", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-6 (a) [United States Government Configuration Baseline (USGCB)]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCM-6 (a)-1 Requirement 1: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. CM-6 (a)-2 Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available). 
CM-6 (a) Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.6.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.6.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.7", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-7 (b) [United States Government Configuration Baseline (USGCB)]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCM-7 (b) Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. CM-7 Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc. 
(Partially derived from AC-17(8).\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.7.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-7 (1) (a) [at least monthly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.7.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCM-7 (2) Guidance: This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.7.5.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-7(5) (c) [at least quarterly or when there is a change]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.8", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-8 (b) [at least monthly]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCM-8 Requirement: must be provided at least monthly or when there is a change.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.8.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - 
"\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.8.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.8.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-8 (3) (a). [Continuously, using automated mechanisms with a maximum five-minute delay in detection.]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.8.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-8 (4) [position and role]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.8.5.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.9", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.10", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.11", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - 
"\u003cp\u003eCM-11 (c) [Continuously (via CM-7 (5))]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.1", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-1 (b) (1) [at least annually] CP-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-2 (d) [at least annually]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCP-2 Requirement: For JAB authorizations the contingency lists include designated FedRAMP personnel.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.2.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.2.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.2.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.2.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-2 (4) [time period defined in 
service provider and organization SLA]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.2.5.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.2.8.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.3", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-3 (a) [ten (10) days] CP-3 (c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.3.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.4", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-4 (a)-1 [at least annually] CP-4 (a)-2 [functional exercises]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCP-4 (a) Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.4.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.4.2.", - "augment": { - 
"parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.6", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.6.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.6.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.6.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.7", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCP-7 (a) Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.7.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCP-7 (1) Guidance: The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. 
For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.7.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.7.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.7.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.8", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCP-8 Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.8.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.8.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.8.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.8.4.", - "augment": { - "parts": [ - { - 
"class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-8 (4) (c) [annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.9", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-9 (a) [daily incremental; weekly full] CP-9 (b) [daily incremental; weekly full] CP-9 (c) [daily incremental; weekly full]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCP-9 Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check. CP-9 (a) Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative. CP-9 (b) Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative. CP-9 (c) Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.9.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-9 (1). 
[at least monthly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.9.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.9.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.9.5.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-9 (5) [time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA].\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.10", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.10.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.10.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-10 (4) [time period consistent with the restoration time-periods defined in the service provider and organization SLA]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ia.1", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, 
- { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-1 (b) (1) [at least annually] IA-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ia.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.2.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.2.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.2.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.2.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.2.8.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.2.9.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.2.11.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": 
"parameters", - "prose": [ - "\u003cp\u003eIA-2 (11) [FIPS 140-2, NIAP Certification, or NSA approval]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIA-2 (11) Guidance: PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.2.12.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIA-2 (12) Guidance: Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ia.3", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ia.4", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-4(a) [at a minimum, the ISSO (or similar role within the organization)] IA-4 (d) [at least two (2) years] IA-4 (e) [thirty-five (35) days] (See additional requirements and guidance.)\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIA-4 (e) Requirement: The service provider defines the time period of inactivity for device identifiers. 
Guidance: For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ia.5", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-5 (g) [to include sixty (60) days for passwords]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIA-5 Requirement: Authenticators must be compliant with NIST SP 800-63-2 Electronic Authentication Guideline assurance Level 4 (Link http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf)\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.5.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-5 (1) (a) [case sensitive, minimum of fourteen (14) characters, and at least one (1) each of upper-case letters, lower-case letters, numbers, and special characters] IA-5 (1) (b) [at least fifty percent (50%)] IA-5 (1) (d) [one (1) day minimum, sixty (60) day maximum] IA-5 (1) (e) [twenty four (24)]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.5.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.5.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-5 (3)-1 [All 
hardware/biometric (multifactor authenticators] IA-5 (3)-2 [in person]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.5.11.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ia.6", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ia.7", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ia.8", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "IDENTIFICATION AND AUTHENTICATION (NON- ORGANIZATIONAL USERS)" - } - ], - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.8.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.8.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.8.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.8.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High 
Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ir.1", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIR-1 (b) (1) [at least annually] IR-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ir.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIR-2 (a) [within ten (10) days] IR-2 (c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.2.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.2.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ir.3", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIR-3-1 [at least every six (6) months]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIR-3-2 Requirement: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. 
Test plans are approved and accepted by the JAB/AO prior to test commencing.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.3.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ir.4", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIR-4 Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.4.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.4.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ir.5", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.5.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ir.6", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": 
"parameters", - "prose": [ - "\u003cp\u003eIR-6 (a) [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIR-6 Requirement: Reports security incident information according to FedRAMP Incident Communications Procedure.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.6.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ir.7", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.7.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ir.8", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIR-8 (b) [see additional FedRAMP Requirements and Guidance] IR-8 (c) [at least annually] IR-8 (e) [see additional FedRAMP Requirements and Guidance]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIR-8 (b) Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel. IR-8 (e) Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. 
The incident response list includes designated FedRAMP personnel.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ma.1", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMA-1 (b) (1) [at least annually] MA-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ma.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ma.2.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ma.3", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ma.3.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ma.3.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ma.3.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMA-3 (3) (d). 
[the information owner explicitly authorizing removal of the equipment from the facility]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ma.4", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ma.4.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ma.4.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ma.5", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ma.5.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ma.6", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "mp.1", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMP-1 (b) (1) [at least annually] MP-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "mp.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - 
"\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMP-2-1 [any digital and non-digital media deemed sensitive]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "mp.3", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMP-3 (b)-1 [no removable media types] MP-3 (b)-2 [organization-defined security safeguards not applicable]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eMP-3 (b) Guidance: Second parameter not-applicable\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "mp.4", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMP-4 (a)-1 [all types of digital and non-digital media with sensitive information] MP-4 (a)-2 [see additional FedRAMP requirements and guidance]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eMP-4 (a) Requirement: The service provider defines controlled areas within facilities where the information and information system reside.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "mp.5", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMP-5 (a) [all media with sensitive information] [prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked 
container]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eMP-5 (a) Requirement: The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "mp.5.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "mp.6", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMP-6(a)-2 [techniques and procedures IAW NIST SP 800-88 and Section 5.9: Reuse and Disposal of Storage Media and Hardware]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "mp.6.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "mp.6.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMP-6 (2) [at least every six (6) months]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eMP-6 (2) Guidance: Equipment and procedures may be tested or validated for effectiveness\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "mp.6.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "mp.7", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - 
"\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "mp.7.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.1", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-1 (b) (1) [at least annually] PE-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-2 (c) [at least every ninety (90) days]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.3", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-3 (a) (2) [CSP defined physical access control systems/devices AND guards] PE-3 (d) [in all circumstances within restricted access area where the information system resides] PE-3 (f) [at least annually] PE-3 (g) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "pe.3.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.4", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST 
High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.5", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.6", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-6 (b) [at least monthly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "pe.6.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "pe.6.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.8", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-8 (a) [for a minimum of one (1) year] PE-8 (b) [at least monthly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "pe.8.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.9", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.10", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - 
"\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.11", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "pe.11.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.12", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.13", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "pe.13.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-13 (1) -1 [service provider building maintenance/physical security personnel] PE-13 (1) -2 [service provider emergency responders with incident response responsibilities]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "pe.13.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "pe.13.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.14", - "augment": { - "parts": [ - { - "class": 
"justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-14 (a) [consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments] PE-14 (b) [continuously]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003ePE-14 (a) Requirements: The service provider measures temperature at server inlets and humidity levels by dew point.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.15", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "pe.15.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-15 (1) [service provider building maintenance/physical security personnel]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.16", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-16 [all information system components]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.17", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.18", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - 
"class": "parameters", - "prose": [ - "\u003cp\u003ePE-18 [physical and environmental hazards identified during threat assessment]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pl.1", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePL-1 (b) (1) [at least annually] PL-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pl.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePL-2 (c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "pl.2.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pl.4", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePL-4 (c) [annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "pl.4.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pl.8", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePL-8 (b) 
[at least annually or when a significant change occurs]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003ePL-8 (b) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.1", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-1 (b) (1) [at least annually] PS-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-2 (c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.3", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-3 (b) [for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. 
There is no reinvestigation for other moderate risk positions or any low risk positions]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.4", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-4 (a) [eight (8) hours]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ps.4.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-4 (2) [access control personnel responsible for disabling access to the system]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.5", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-5 (b)-2 [twenty-four (24) hours] PS-5 (d)-2 [twenty-four (24) hours]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.6", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-6 (b) [at least annually] PS-6 (c) (2) [at least annually and any time there is a change to the user's level of access]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.7", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-7 (d)-2 [terminations: immediately; transfers: within twenty-four (24) 
hours]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.8", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-8(b)-1 [at a minimum, the ISSO and/or similar role within the organization]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ra.1", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eRA-1 (b) (1) [at least annually] RA-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ra.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ra.3", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eRA-3 (b) [security assessment report]\u003c/p\u003e", - "\u003cp\u003eRA-3 (c) [at least annually or whenever a significant change occurs]\u003c/p\u003e", - "\u003cp\u003eRA-3 (e) [annually]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eRA-3 Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. 
RA-3 (d) Requirement: Include all Authoring Officials and FedRAMP ISSOs.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ra.5", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eRA-5 (a) [monthly operating system/infrastructure; monthly web applications and databases] RA-5 (d) [high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eRA-5 (a) Requirement: an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually. RA-5 (e) Requirement: to include the Risk Executive; for JAB authorizations to include FedRAMP\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ra.5.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ra.5.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eRA-5 (2) [prior to a new scan]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ra.5.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eRA-5 (4) [notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions]\u003c/p\u003e" - ] - } 
- ] - } - }, - { - "subcontrolId": "ra.5.5.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eRA-5 (5)-1 [operating systems / web applications / databases] RA-5 (5)-2 [all scans]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.1", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-1 (b) (1) [at least annually] SA-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.3", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.4", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eSA-4 Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. 
See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.4.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.4.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-4 (2)-1 [at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram; [organization-defined design/implementation information]]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.4.9.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.4.10.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.5", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-5E [at a minimum, the ISSO (or similar role within the organization)]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.8", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.9", - 
"augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-9 (a) [FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system] SA-9 (c) [Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.9.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-9 (2) [all external systems where Federal information is processed or stored]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.10", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-10 (a) [development, implementation, AND operation]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eSA-10 (e) Requirement: for JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.11", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.12", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, 
- { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-12 [organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.15", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-15 (b)-1 [as needed and as dictated by the current threat posture] SA-15 (b)-2 [organization and service provider- defined security requirements]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.16", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.17", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.1", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-1 (b) (1) [at least annually] SC-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.3", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.4", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - 
"\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.5", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.7", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.7.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.7.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-7 (4) (e) [at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.7.5.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.7.7.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.7.8.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": 
"sc.7.18.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.7.21.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.8", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-8 [confidentiality AND integrity]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.8.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-8 (1)-1 [prevent unauthorized disclosure of information AND detect changes to information] SC-8 (1)-1 [a hardened or alarmed carrier Protective Distribution System (PDS)]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.10", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-10 [no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.12", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eSC-12 Guidance: Federally approved 
cryptography\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.12.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.13", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-13 [FIPS-validated or NSA-approved cryptography]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.15", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-15 (a) [no exceptions]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eSC-15 Requirement: The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.17", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.18", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.19", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.20", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "SECURE NAME 
/ADDRESS RESOLUTION SERVICE\n(AUTHORITATIVE SOURCE)" - } - ], - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.21", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "SECURE NAME /ADDRESS RESOLUTION SERVICE\n(RECURSIVE OR CACHING RESOLVER)" - } - ], - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.22", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "ARCHITECTURE AND PROVISIONING FOR\nNAME/ADDRESS RESOLUTION SERVICE" - } - ], - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.23", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.24", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.28", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-28 [confidentiality AND integrity]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eSC-28 Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.39", - "augment": { - 
"parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.1", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-1 (b) (1) [at least annually] SI-1 (b) (2) [at least annually or whenever a significant change occurs]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.2", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-2 (c) [thirty (30) days of release of updates]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.2.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.2.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-2 (2) [at least monthly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.3", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-3 (c) (1)-1 [at least weekly] SI-3 (c) (1)-2 [to include endpoints] SI-3 (c) (2) [to include blocking and quarantining malicious code and alerting administrator or defined security personnel near-realtime]\u003c/p\u003e" - ] - 
} - ] - } - }, - { - "subcontrolId": "si.3.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.3.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.4", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eSI-4 Guidance: See US-CERT Incident Response Reporting Guidelines.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.4.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.4.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-4 (4) [continuously]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.4.5.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eSI-4 (5) Guidance: In accordance with the incident response plan.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.5", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 
4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-5 (a) [to include US-CERT] SI-5 (c) [to include system security personnel and administrators with configuration/patch-management responsibilities]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.5.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.6", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-6 (b) [to include upon system startup and/or restart and at least monthly] SI-6 (c) [to include system administrators and security personnel] SI-6 (d) [to include notification of system administrators and security personnel]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.7", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.7.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-7(1)-1 [selection to include security relevant events] SI-7(1)-2 [at least monthly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.7.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.7.5.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 
4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.7.7.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.7.14.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.8", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.8.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.8.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.10", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.11", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.12", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.16", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in NIST High Baseline, Rev 4 
and FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - } - ] - }, - { - "href": "../SP800-53/SP800-53-rev4-catalog.json", - "include": { - "calls": [ - { - "subcontrolId": "ac.2.7." - }, - { - "subcontrolId": "ac.2.9." - }, - { - "subcontrolId": "ac.2.10." - }, - { - "subcontrolId": "ac.4.8." - }, - { - "subcontrolId": "ac.4.21." - }, - { - "subcontrolId": "ac.6.7." - }, - { - "subcontrolId": "ac.6.8." - }, - { - "subcontrolId": "ac.7.2." - }, - { - "subcontrolId": "ac.12.1." - }, - { - "subcontrolId": "ac.17.9." - }, - { - "subcontrolId": "ac.18.3." - }, - { - "subcontrolId": "at.3.3." - }, - { - "subcontrolId": "at.3.4." - }, - { - "subcontrolId": "au.6.4." - }, - { - "subcontrolId": "au.6.7." - }, - { - "subcontrolId": "au.6.10." - }, - { - "subcontrolId": "ca.2.3." - }, - { - "subcontrolId": "ca.3.3." - }, - { - "subcontrolId": "ca.7.3." - }, - { - "subcontrolId": "ca.8.1." - }, - { - "subcontrolId": "cm.3.4." - }, - { - "subcontrolId": "cm.3.6." - }, - { - "subcontrolId": "cm.5.5." - }, - { - "subcontrolId": "cm.10.1." - }, - { - "subcontrolId": "cm.11.1." - }, - { - "subcontrolId": "ia.2.5." - }, - { - "subcontrolId": "ia.4.4." - }, - { - "subcontrolId": "ia.5.4." - }, - { - "subcontrolId": "ia.5.6." - }, - { - "subcontrolId": "ia.5.7." - }, - { - "subcontrolId": "ia.5.8." - }, - { - "subcontrolId": "ia.5.13." - }, - { - "subcontrolId": "ir.4.2." - }, - { - "subcontrolId": "ir.4.3." - }, - { - "subcontrolId": "ir.4.6." - }, - { - "subcontrolId": "ir.4.8." - }, - { - "subcontrolId": "ir.7.2." - }, - { - "controlId": "ir.9" - }, - { - "subcontrolId": "ir.9.1." - }, - { - "subcontrolId": "ir.9.2." - }, - { - "subcontrolId": "ir.9.3." - }, - { - "subcontrolId": "ir.9.4." - }, - { - "subcontrolId": "ma.4.6." - }, - { - "subcontrolId": "pe.14.2." - }, - { - "subcontrolId": "ps.3.3." - }, - { - "subcontrolId": "ra.5.3." - }, - { - "subcontrolId": "ra.5.6." - }, - { - "subcontrolId": "ra.5.8." - }, - { - "subcontrolId": "ra.5.10." 
- }, - { - "subcontrolId": "sa.4.8." - }, - { - "subcontrolId": "sa.9.1." - }, - { - "subcontrolId": "sa.9.4." - }, - { - "subcontrolId": "sa.9.5." - }, - { - "subcontrolId": "sa.10.1." - }, - { - "subcontrolId": "sa.11.1." - }, - { - "subcontrolId": "sa.11.2." - }, - { - "subcontrolId": "sa.11.8." - }, - { - "controlId": "sc.6" - }, - { - "subcontrolId": "sc.7.10." - }, - { - "subcontrolId": "sc.7.12." - }, - { - "subcontrolId": "sc.7.13." - }, - { - "subcontrolId": "sc.7.20." - }, - { - "subcontrolId": "sc.12.2." - }, - { - "subcontrolId": "sc.12.3." - }, - { - "subcontrolId": "sc.23.1." - }, - { - "subcontrolId": "sc.28.1." - }, - { - "subcontrolId": "si.2.3." - }, - { - "subcontrolId": "si.3.7." - }, - { - "subcontrolId": "si.4.1." - }, - { - "subcontrolId": "si.4.11." - }, - { - "subcontrolId": "si.4.14." - }, - { - "subcontrolId": "si.4.16." - }, - { - "subcontrolId": "si.4.18." - }, - { - "subcontrolId": "si.4.19." - }, - { - "subcontrolId": "si.4.20." - }, - { - "subcontrolId": "si.4.22." - }, - { - "subcontrolId": "si.4.23." - }, - { - "subcontrolId": "si.4.24." 
- } - ] - }, - "paramSettings": [ - { - "paramId": "ac-2_j", - "desc": "organization-defined actions", - "value": "organization-defined actions" - }, - { - "paramId": "ac-2_l", - "desc": "organization-defined conditions for establishing shared/group accounts", - "value": "organization-defined conditions for establishing shared/group accounts" - }, - { - "paramId": "ac-4_k", - "desc": "organization-defined security policy filters", - "value": "organization-defined security policy filters" - }, - { - "paramId": "ac-4_l", - "desc": "organization-defined information flows", - "value": "organization-defined information flows" - }, - { - "paramId": "ac-4_z", - "desc": "organization-defined mechanisms and/or techniques", - "value": "organization-defined mechanisms and/or techniques" - }, - { - "paramId": "ac-4_aa", - "desc": "organization-defined required separations by types of information", - "value": "organization-defined required separations by types of information" - }, - { - "paramId": "ac-6_f", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ac-6_g", - "desc": "organization-defined roles or classes of users", - "value": "organization-defined roles or classes of users" - }, - { - "paramId": "ac-6_h", - "desc": "organization-defined software", - "value": "organization-defined software" - }, - { - "paramId": "ac-7_e", - "desc": "organization-defined mobile devices", - "value": "organization-defined mobile devices" - }, - { - "paramId": "ac-7_f", - "desc": "organization-defined purging/wiping requirements/techniques", - "value": "organization-defined purging/wiping requirements/techniques" - }, - { - "paramId": "ac-7_g", - "desc": "organization-defined number", - "value": "organization-defined number" - }, - { - "paramId": "ac-12_b", - "desc": "organization-defined information resources", - "value": "organization-defined information resources" - }, - { - "paramId": "ac-17_c", - "desc": "organization-defined 
time period", - "value": "organization-defined time period" - }, - { - "paramId": "at-3_f", - "desc": "organization-defined indicators of malicious code", - "value": "organization-defined indicators of malicious code" - }, - { - "paramId": "ca-2_f", - "desc": "organization-defined information system", - "value": "organization-defined information system" - }, - { - "paramId": "ca-2_g", - "desc": "organization-defined external organization", - "value": "organization-defined external organization" - }, - { - "paramId": "ca-2_h", - "desc": "organization-defined requirements", - "value": "organization-defined requirements" - }, - { - "paramId": "ca-3_e", - "desc": "organization-defined unclassified, non-national security system", - "value": "organization-defined unclassified, non-national security system" - }, - { - "paramId": "ca-3_f", - "desc": "Assignment; organization-defined boundary protection device", - "value": "Assignment; organization-defined boundary protection device" - }, - { - "paramId": "cm-3_h", - "desc": "organization-defined configuration change control element", - "value": "organization-defined configuration change control element" - }, - { - "paramId": "cm-3_j", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "cm-5_e", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-10_a", - "desc": "organization-defined restrictions", - "value": "organization-defined restrictions" - }, - { - "paramId": "cm-11_d", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ia-4_d", - "desc": "organization-defined characteristic identifying individual status", - "value": "organization-defined characteristic identifying individual status" - }, - { - "paramId": "ia-5_i", - "desc": "organization-defined requirements", - "value": "organization-defined 
requirements" - }, - { - "paramId": "ia-5_j", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "ia-5_n", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ir-4_a", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "ir-4_b", - "desc": "organization-defined classes of incidents", - "value": "organization-defined classes of incidents" - }, - { - "paramId": "ir-4_c", - "desc": "organization-defined actions to take in response to classes of incidents", - "value": "organization-defined actions to take in response to classes of incidents" - }, - { - "paramId": "ir-4_f", - "desc": "organization-defined external organizations", - "value": "organization-defined external organizations" - }, - { - "paramId": "ir-4_g", - "desc": "organization-defined incident information", - "value": "organization-defined incident information" - }, - { - "paramId": "ir-9_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ir-9_b", - "desc": "organization-defined actions", - "value": "organization-defined actions" - }, - { - "paramId": "ir-9_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ir-9_d", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ir-9_e", - "desc": "organization-defined procedures", - "value": "organization-defined procedures" - }, - { - "paramId": "ir-9_f", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "ps-3_b", - "desc": "organization-defined additional personnel screening criteria", - "value": "organization-defined additional 
personnel screening criteria" - }, - { - "paramId": "sa-4_e", - "desc": "organization-defined level of detail", - "value": "organization-defined level of detail" - }, - { - "paramId": "sa-9_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "sa-9_f", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "sa-9_g", - "desc": "organization-defined external service providers", - "value": "organization-defined external service providers" - }, - { - "paramId": "sa-9_h", - "desc": "organization-defined locations", - "value": "organization-defined locations" - }, - { - "paramId": "sa-9_i", - "desc": "organization-defined requirements or conditions", - "value": "organization-defined requirements or conditions" - }, - { - "paramId": "sc-6_a", - "desc": "organization-defined resources", - "value": "organization-defined resources" - }, - { - "paramId": "sc-6_b", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "sc-7_f", - "desc": "organization-defined host-based boundary protection mechanisms", - "value": "organization-defined host-based boundary protection mechanisms" - }, - { - "paramId": "sc-7_g", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "sc-7_h", - "desc": "organization-defined information security tools, mechanisms, and support components", - "value": "organization-defined information security tools, mechanisms, and support components" - }, - { - "paramId": "sc-7_k", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "sc-28_b", - "desc": "organization-defined information", - "value": "organization-defined information" - }, - { - 
"paramId": "sc-28_c", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "si-2_c", - "desc": "organization-defined benchmarks", - "value": "organization-defined benchmarks" - }, - { - "paramId": "si-4_n", - "desc": "organization-defined interior points within the system (e.g., subnetworks, subsystems)", - "value": "organization-defined interior points within the system (e.g., subnetworks, subsystems)" - }, - { - "paramId": "si-4_p", - "desc": "organization-defined interior points within the system (e.g., subsystems, subnetworks)", - "value": "organization-defined interior points within the system (e.g., subsystems, subnetworks)" - }, - { - "paramId": "si-4_q", - "desc": "organization-defined additional monitoring", - "value": "organization-defined additional monitoring" - }, - { - "paramId": "si-4_r", - "desc": "organization-defined sources", - "value": "organization-defined sources" - }, - { - "paramId": "si-4_s", - "desc": "organization-defined additional monitoring", - "value": "organization-defined additional monitoring" - }, - { - "paramId": "si-4_v", - "desc": "organization-defined authorization or approval processes", - "value": "organization-defined authorization or approval processes" - }, - { - "paramId": "si-4_w", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "si-4_x", - "desc": "organization-defined host-based monitoring mechanisms", - "value": "organization-defined host-based monitoring mechanisms" - }, - { - "paramId": "si-4_y", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - } - ], - "alterations": [ - { - "subcontrolId": "ac.2.7.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { 
- "class": "parameters", - "prose": [ - "\u003cp\u003eAC-2 (7) (c) [disables/revokes access within a organization-specified timeframe]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.2.9.", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "RESTRICTIONS ON USE OF SHARED GROUPS / ACCOUNTS" - } - ], - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-2 (9) [organization-defined need with justification statement that explains why such accounts are necessary]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAC-2 (9) Required if shared/group accounts are deployed\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.2.10.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAC-2 (10) Required if shared/group accounts are deployed\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.4.8.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. If there is a significant high-impact risk of inadvertent or intentional data leakage with a system deployed in a shared-service environment, this control is justified to mitigate that risk. Similar justification applies when an organization needs to ensure data isolation between different types of information enclaves within the organization. ANALYSIS. Although this control is usually employed to control flows between different classified enclaves, it can also apply to non-classified scenarios (e.g., the need to isolate legal, personnel, health-related, financial, or other information or files deemed sensitive. SAMPLE THREAT VECTORS. 
Sensitive free-text information passes from the personnel department to the rest of the organization. Law-enforcement sensitive information is inadvertently pulled from the organization's general counsel case management system and passed outside the department to users without authorization to view that information. HIPAA-protected health information flows freely from the HR department to all employees. Privacy-Act information flows from an HR system into a publicly released report. RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Adaptive, Manageable, Assessed, Auditable, Regulated, Controlled, Monitored, Providing Good Data Stewardship, Assured, Competent, Confidential, Data Controllable, Access-Controlled.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.4.21.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.6.7.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eCSP Insider Threat mitigation; Good housekeeping and a best business practice for the protection of the CSP and customer alike. In a cloud environment, the power (and potentially harm) of the privileged users is greatly magnified because of the scale. For that reason periodic review of privileges is important.\u003c/p\u003e", - "\u003cp\u003ePriority for adding to FedRAMP-M: HIGH\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-6 (7)(a)-1 at a minimum, annually AC-6 (7)(a)-2 all users with privileges\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.6.8.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eThis control is not part of the NIST high baseline and was added for FedRAMP at the recommendation of DoD and NIST. 
This is a CNSSI 1253 control.\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-6 (8) [any software except software explicitly documented]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.7.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. If an organization’s mobile devices carry information whose loss would have a high impact, this control is warranted in order to mitigate the risk of such loss. ANALYSIS. The technologies associated with this control are well established COTS hardware and software. SAMPLE THREAT VECTORS. Mobile device is lost, falls into the hands of people without authorization to view the information contained on the device. RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Usable, Adaptive, Manageable, Agile, Supported, Assessed, Auditable, Regulated, Controlled, Monitored, Providing Good Data Stewardship, Assured, Confidential, Data Controllable, Access-Controlled, Mission Assured.\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-7 (2)-1 [mobile devices as defined by organization policy] AC-7 (2)-3 [three (3)]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.12.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eRecommended by High Baseline Tiger Team. 
vulnerabilities associated with not having a logout button are well-documented.\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAC-12 (1) Guidance: https://www.owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-006%29\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.17.9.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-17 (9) [fifteen (15) minutes]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.18.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eRationale for Selection: Best business practice for the protection of the CSP and customer alike \" when not intended for use\". This is an unanticipated vector for attack if present and active. While probably not an issue with data center servers and networking devices, wireless is becoming embedded in many components and devices such as printers, fax devices, copiers, scanners, communications devices, etc. There is the additional potential that wireless capabilities may become available in air conditioners, power centers, power controllers, lighting, alarm systems, etc. There is a potential that these capabilities could exist without organizational awareness. Selection drivedsawareness. It's better to perform the check than to make assumptions about what devices are in the IS.\u003c/p\u003e", - "\u003cp\u003eECSB Supplemental Guidance as the C/CE relates to CSPs The application of this control enchancement should include all systems and devices in the CSP facility such as printers, fax devices, copiers, scanners, communications devices, air conditioners, power centers, power controllers, lighting, alarm systems, etc. 
Wireless networking capabilities should be disabled when they are near or networked with systems supporting customer's services.\u003c/p\u003e", - "\u003cp\u003ePriority for adding to FedRAMP-M: Moderate (Low L1/2)\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "at.3.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. High-impact systems warrant significantly elevated protection; one of these elevated protections is provided through simulated no-notice attacks that exercise users’ ability to detect and respond correctly to attempts to steal internal information in their possession. ANALYSIS. These controls are well understood and widely installed; COTS components keep implementation time and cost low. SAMPLE THREAT VECTORS. Cybersecurity staff do not know how to monitor, respond, and manage complex enforcement systems and subsystems. Cybersecurity staff is not properly trained to understand how the controls are to operate. Staff does not understand the event alarms/logs. Staff is not able to protect from unauthorized disclosure. Staff is careless with handling data, or unwilling to follow the established security protocols, or willing to cut corners to save time. RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Assessed, Auditable, Controlled, Monitored, Providing Good Data Stewardship, Assured, Competent, Confidential.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "at.3.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. High-impact systems warrant significantly elevated protection.\u003c/p\u003e", - "\u003cp\u003eANALYSIS. These controls are well understood and widely installed.\u003c/p\u003e", - "\u003cp\u003eTHREAT VECTORS ADDRESSED. Staff does not know how to monitor or manage complex systems in a way that supports effective management decision or control. 
Malicious actors manipulate the system to appear as if functioning normally when in reality, it is not. People fail to review event logs. People make unauthorized changes to event logger.\u003c/p\u003e", - "\u003cp\u003eRELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Assessed, Auditable, Controlled, Monitored, Providing Good Data Stewardship, Assured, Competent, Confidential.\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAT-3 (4) [malicious code indicators as defined by organization incident policy/capability]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.6.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. Due to the complexity of independent systems exchanging security-related monitoring data, and high-impact systems implemented in shared-service environments, the responsible organization needs a centralized capability that integrates these various data sources into a unified whole permitting central review and analysis of diverse log data relevant to security audits. ANALYSIS. This control permits analysts and auditors to focus on their primary duty of analyzing log data, and relieves them of the usual burden of discovery, collection, validation, aggregation, and indexing of large log datasets relevant to system security. Since these latter collection tasks have been automated under this control, less time and funding will be required to execute this core audit/analysis activity. SAMPLE THREAT VECTORS. Staff does not know how to monitor or manage complex systems in a way that supports effective management decision or control. Malicious actors manipulate the system to appear as if functioning normally, when it is not. People fail to review event logs. People make unauthorized changes to event logger.\" RELEVANT SECURITY CONTROL ATTRIBUTES. 
Monitored.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.6.7.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eThis control is not part of the NIST high baseline and was added for FedRAMP.\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-6 (7) [information system process; role; user]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.6.10.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eRationale for Selection L3-6: In support of cyber security threat / incident response activities. Supports flexibility in auditing levels based on threat level. Supports CSP integration with DoD security architecture. The sensitivity of the information at levels 3-6 warrents the adjustment of auditing levels based on threat level.\u003c/p\u003e", - "\u003cp\u003eECSB Supplemental Guidance as the C/CE relates to CSPs: This CE supports cyber security threat / incident response activities and flexibility in auditing levels based on threat level. This CE also supports CSP integration with DoD security architecture and the ability to respond to USCYBERCOM and DoD CNDSP alerts and directives. NOTE L1/2: The handling of alerts from US-CERT and other credible sources is sufficient to change auditing activities if this CE is tailored in via an SLA. 
NOTE: L3-6: The handling of alerts and directives from USCYBERCOM and DoD CNDSPs is required at these levels in addition to handling of alerts from US-CERTand other credible sources.\u003c/p\u003e", - "\u003cp\u003ePriority for adding to FedRAMP-M: High\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ca.2.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-2 (3)-1 [any FedRAMP Accredited 3PAO] CA-2 (3)-1-2 [any FedRAMP Accredited 3PAO] CA-2 (3)-1-3 [the conditions of the JAB/AO in the FedRAMP Repository]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ca.3.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-3 (3) [boundary protections which meet the Trusted Internet Connection (TIC) requirements]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-3 (3) Guidance: Refer to Appendix H – Cloud Considerations of the TIC 2.0 Reference Architecture document.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ca.7.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. Organization requires independent data to validate that current security monitoring continues to target the right data, and that no gaps have opened between what is currently measured and what needs to be measured given the constantly evolving threat environment. 
In particular, the organization determines that security management will need trend analytics tuned to the current security climate to ensure the organization’s security officials maintain general situational awareness of larger security trends that may pose a threat to the organization’s high-impact systems fielded in shared-service environments.\u003c/p\u003e", - "\u003cp\u003eANALYSIS. Implementation of this control should provide security management with a technical advantage by forcing them to maintain continual current awareness of the larger security threat-scape, rather than become lost in the lower-level details of specific security metrics.\u003c/p\u003e", - "\u003cp\u003eSAMPLE THREAT VECTORS ADDRESSED. Stakeholders do not have the information they need to make sound decisions due to technology capability. System fails to send alarms, logs, and other pertinent data to the event manager. Control processes involve too many layers of review, concurrence, and revision to support effective and timely conveyance of relevant information to decision-makers. Monitoring not effectively linked to control processes.\u003c/p\u003e", - "\u003cp\u003eRELEVANT SECURITY CONTROL ATTRIBUTES. Monitored, Controlled\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ca.8.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.3.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eRationale for De-Selection L1/2: The sensitivity of the information at these levels may not require a information security representative to be a member of the organization-defined configuration change control element. 
Rationale for Selection L3-6: This is a best business practice for the protection of the CSP and customer alike in that the security representative will be more aware of IA issues that configuration changes can introduce and he/she can more easily provide IA guidance for issues spotted.\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-3 (4) Configuration control board (CCB) or similar (as defined in CM-3)\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.3.6.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eRationale for SA L1: Cryptographic mechanisms are only required at this level for priviledged user (system administrator / SA) access control and the transport of privileged commands or configuration files. Not the publicly released information served at this level. Rationale for Selection L2-6: Best practice. Supplemental guidance for this CE refers primarily to the processes surrounding the management of the cryptographic mechanisms used. These processes need to be under change management that addresses security concerns to ensure they remain secure.\u003c/p\u003e", - "\u003cp\u003eCE supplemental guidance. Regardless of the cryptographic means employed (e.g., public key, private key, shared secrets), organizations ensure that there are processes and procedures in place to effectively manage those means. 
For example, if devices use certificates as a basis for identification and authentication, there needs to be a process in place to address the expiration of those certificates.\u003c/p\u003e", - "\u003cp\u003ePriority for adding to FedRAMP-M: High\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-3 (6) All security safeguards that rely on cryptography\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.5.5.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-5 (5) (b) [at least quarterly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.10.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.11.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. High-impact systems will require special measures to ensure users cannot place the overall system at risk by installing unauthorized software. This control supports that need. ANALYSIS. Implementation of these controls is well understood, and relies on capabilities provided in COTS operating systems. SAMPLE THREAT VECTORS. The system executes malicious and harmful software. Software updates could render the system unstable or cause it to function incorrectly. Software is not designed with adequate safeguards to protect PII and other sensitive information. Users could make mistakes in following policy. Users could intentionally install unapproved/unvetted software. RELEVANT SECURITY CONTROL ATTRIBUTES. 
Quality Assured, Substantiated Integrity, Maintainable, Testable, Configuration Managed, Change Managed, Supported, Assessed, Auditable, Authorized, Regulated, Enforcement, Controlled, Reliable, Providing Good Data Stewardship, Assured, Confidential, Access-Controlled\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.2.5.", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) |\nGROUP AUTHENTICATION" - } - ], - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.4.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-4 (4) [contractors; foreign nationals]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.5.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-5 (4) [complexity as identified in IA-5 (1) Control Enhancement Part (a)]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIA-5 (4) Guidance: If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.5.6.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.5.7.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 
4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.5.8.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. In those cases where an organization’s user accounts authenticate to more than one system, and at least one of those systems is a high-impact system implemented in a shared-service environment, then this control is warranted as a baseline capability to guard against loss of high-impact, sensitive information. ANALYSIS. Organizations can use COTS tools and techniques to implement this control in many ways. Agencies should be prepared to document their plan and approach to this control technique. THREAT VECTORS ADDRESSED. A user’s account password is cracked, permitting attackers to identify all systems to which the user has access, and to gain access to the information in those systems. RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored, Assessed\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-5 (8) [different authenticators on different systems]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.5.13.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eRationale for Selection: Best practice for authenticated web services and best business practice for the protection of the CSP and customer alike. ECSB sees this as a significant value add toward the protection of customer accounts on SaaS or customer service / managent interfaces/portals. L1 Rationale for SA: No authenticators are required for user access to public informationl. Info sensitivity does not warrant. However this CE would be required priviledged user access to manage the system server(s) containing public information.\u003c/p\u003e", - "\u003cp\u003eECSB Supplemental Guidance as the C/CE relates to CSPs: CSP must minimally implement this control enhancement on all SaaS offerings and customer service / managent interfaces. 
The time period can be negotiated in the SLA. NOTE: while the browser or other client cashes the authenticator, the server must enforce its expiration if the client does not.\u003c/p\u003e", - "\u003cp\u003ePriority for adding to FedRAMP-M: Low\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.4.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. Organization requires near real-time subsystem reconfiguration for high-impact systems, especially those deployed wholly or partially into shared-service environments. This dynamic reconfiguration is required for core infrastructure components such as routers, firewalls, messaging gateways, or access control/authentication servers, especially when these core components are under cyber-attack.\u003c/p\u003e", - "\u003cp\u003eANALYSIS. These critical cyber controls are well understood, and to some extent their automated capability has been established. Other aspects still require human decisions. Since this technology area is rapidly changing to meet new cyber-threat scenarios, it is expected that implementation of this control will be subject to significant change for the foreseeable future. Even so, its technology advantages are clear, especially for high-impact systems infrastructure.\u003c/p\u003e", - "\u003cp\u003eSAMPLE THREAT VECTORS. System does not have error-correcting or self-recovery capabilities. The system is not designed to allow for quick remediation of threats that will impact the system.\u003c/p\u003e", - "\u003cp\u003eRELEVANT SECURITY CONTROL ATTRIBUTES. Survivable, Absorptive, Adaptive, Restorable\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIR-4 (2) [all network, data storage, and computing devices]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.4.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. 
Due to the direct connection between system function and critical mission/business capability, the system requires Continuity-of-Operations (COOP) controls.\u003c/p\u003e", - "\u003cp\u003eANALYSIS. These critical cyber controls are well understood, and to some extent their automated capability has been established. Other aspects still require human decisions. Since this technology area is rapidly changing to meet new cyber-threat scenarios and also changes in subsystem technology, it is expected that implementation of this control will be subject to significant change for the foreseeable future. Even so, its technology advantages are fundamental, especially for high-impact systems infrastructure.\u003c/p\u003e", - "\u003cp\u003eSAMPLE THREAT VECTORS. The system does not have error-correcting or self-recovery capabilities. The system is not designed to allow for quick remediation of threats that will impact the system. Time does not allow for the design in error handling, self-recovery, or to capitalize on system diversity to restore a system. Also, the organization lacks the expertise to develop or implement a plan for restoring system. A malicious change may be implemented to counter the ability to restore the system.\u003c/p\u003e", - "\u003cp\u003eRELEVANT SECURITY CONTROL ATTRIBUTES. Survivable, Absorptive, Adaptable, Restorable\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.4.6.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. High-impact systems will require special measures to ensure security incidents are correctly and effectively handled in a timely manner. This high-level control supports that need, and is therefore warranted as a baseline for high-impact systems in shared-service environments. ANALYSIS. Implementation of this general control is well understood among Departments and Agencies. 
However, it may require special funding and time to implement in a shared service environment, where response roles and responsibilities demand vigilant analysis and definition. SAMPLE THREAT VECTORS. Insiders gain access to information for which they have no authorization. Insiders push sensitive information to outside networks not authorized to receive it. Insiders violate agency information-security policies. Insider actions are not monitored. RELEVANT SECURITY CONTROL ATTRIBUTES. Agile, Owned, Enforcement\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.4.8.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eThis control was recommended ecommended by the High Baseline Tiger Team.\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIR-4 (8) [external organizations including consumer incident responders and network defenders and the appropriate CIRT/CERT (such as US-CERT, DOD CERT, IC CERT)]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.7.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ir.9", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.9.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.9.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIR-9 (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.9.3.", - "augment": { - 
"parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.9.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ma.4.6.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eRationale for Selection: Best practice business practice for the protection of the CSP and customer alike. Protects against unauthorized access and compromise of the CSP infrastructure. See Supplemental Guidance\u003c/p\u003e", - "\u003cp\u003eECSB Supplemental Guidance as the C/CE relates to CSPs: While AC-17(2) is similar to this CE and implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions, System configuration, maintenance and diagnostic communications can be considered sensitive information and it is in DoD. Maintaining the confidrntiality and integrity of nonlocal maintenance and diagnostic communications helps maintain the health of the system, prevents unauthorized access from sniffing and MITM atacks, etc. While beneficial this selection may not be required for nonlocal maintenance and diagnostic communications over the CSP's private network and particularly if that network is out of band. 
Encryption is required if such communications are over a network external to the CSP (e.g., the Internet).\u003c/p\u003e", - "\u003cp\u003ePriority for adding to FedRAMP-M: High\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "pe.14.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ps.3.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-3 (3) (b) [personnel screening criteria – as required by specific information]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ra.5.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ra.5.6.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eRA-5 (6) Guidance: include in Continuous Monitoring ISSO digest/report to JAB/AO\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ra.5.8.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eRA-5 (8) Requirements: This enhancement is required for all high vulnerability scan findings. 
Guidance: While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ra.5.10.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. Organizations commonly run vulnerability scanning tools against diverse enterprise systems and subsystems. These tools are often attuned to the specific subsystems, and often provided by different manufacturers. Because there is no single-vendor consolidation of all scanning tools, organizations need to correlate the outputs of these tools in order to triangulate on potential threats that may be related, or identical at their source. When the security impact is high a shared-service environment may increase the number of independent scanning tools, implementation of this control is warranted.\u003c/p\u003e", - "\u003cp\u003eANALYSIS. Although this control is well understood by vendors, its implementation takes many forms, depending on the scanning tools adopted by a particular organization.\u003c/p\u003e", - "\u003cp\u003eSAMPLE THREAT VECTORS. Different scanning tools discover low-impact vulnerabilities in multiple subsystems of a system. Considered individually, none of them warrants immediate action,; yet when considered together, they constitute a significant attack pattern.\u003c/p\u003e", - "\u003cp\u003eRELEVANT SECURITY CONTROL ATTRIBUTES. 
Interoperable, Change Managed, Agile, Supported, Assessed, Monitored\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eRA-5 (10) Guidance: If multiple tools are not used, this control is not applicable.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.4.8.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-4 (8) [at least the minimum requirement as defined in control CA-7]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eSA-4 (8) Guidance: CSP must use the same security standards regardless of where the system component or information system service is acquired.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.9.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.9.4.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-9 (4)-2 [all external systems where Federal information is processed or stored]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.9.5.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-9 (5)-1 [information processing, information data, AND information services]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.10.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - 
"subcontrolId": "sa.11.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eSA-11 (1) Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.11.2.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.11.8.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eSA-11 (8) Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.6", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.7.10.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. High-impact systems warrant careful attention to scenarios associated with exfiltration of sensitive organizational information. Different systems and implementation will trigger different scenarios, but regardless of the specific system context, organizations are warranted in establishing this control for high-impact systems with subsystems deployed into shared-service environments.\u003c/p\u003e", - "\u003cp\u003eANALYSIS. Organizations should devote careful attention to design considerations relative to this control.\u003c/p\u003e", - "\u003cp\u003eSAMPLE THREAT VECTORS. 
Authorized processes push very large volumes of data to external networks. Internal devices send address/status/security information to external networks.\u003c/p\u003e", - "\u003cp\u003eRELEVANT SECURITY CONTROL ATTRIBUTES: Integrity-Assured, Absorptive, Survivable, Adaptive, Agile, Auditable, Monitored, Controlled, Data Controllable, Access-Controlled\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.7.12.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-7(12)-1 [Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.7.13.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eSC-7 (13) Requirement: The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets. Guidance: Examples include: information security tools, mechanisms, and support components such as, but not limited to PKI, patching infrastructure, cyber defense tools, special purpose gateway, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.7.20.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. 
High-impact systems warrant careful attention to situations where specific sources or methods become suspect. Such situations can involve specific user accounts, messages, message payloads, data, applications, or even entire subsystems. Under these circumstances, a capability for dynamic segregation is highly justified.\u003c/p\u003e", - "\u003cp\u003eANALYSIS. Isolation techniques are well understood in the cyber market, and constantly evolving. Example techniques include honey pots and honey nets. Both techniques can isolate a user, an autonomous application, or an entire subsystem.\u003c/p\u003e", - "\u003cp\u003eSAMPLE THREAT VECTORS. Anomalous user behavior is detected Messages arrive from suspect domains. Messages arrive with suspect attachments. Applications begin to behave anomalously. Subsystems begin moving data anomalously.\u003c/p\u003e", - "\u003cp\u003eRELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Absorptive, Survivable, Adaptive, Agile, Auditable, Monitored, Controlled, Data Controllable, Access-Controlled\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.12.2.", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT |\nSYMMETRIC KEYS" - } - ], - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-12 (2) [NIST FIPS-compliant]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.12.3.", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT |\nASYMMETRIC KEYS" - } - ], - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.23.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - 
"\u003cp\u003eRationale for Selection: Rationale for Selection for SA L1: At L1 this CE is only applicable to privileged user sessions.\u003c/p\u003e", - "\u003cp\u003eRationale for Selection L1-6: Best Practice; APT. This CE mitigates the threat/vulnerability inherant in authenticated sessions whereby If an adversary captures a session identifier that remains valid after the session is terminated, the adversary could use it to reinitiate the session thus gaining unauthorized access to CSP and CSP customer resources and information/data.\u003c/p\u003e", - "\u003cp\u003eECSB Supplemental Guidance as the C/CE relates to CSPs: If an adversary captures a session identifier that remains valid after the session is terminated, the adversary could use it to reinitiate the session thus gaining unauthorized access to CSP and/or CSP customer resources and information/data. While unnessary for user sessions at L1, this enhancement is selected for System Administrator sessions.\u003c/p\u003e", - "\u003cp\u003ePriority for adding to FedRAMP-M: High\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.28.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - }, - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-28 (1)-2 [all information system components storing customer data deemed sensitive]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.2.3.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.3.7.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.4.1.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in 
FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.4.11.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. When a high-impact system is implemented in a shared-service environment, organizations should ensure their sensitive data is properly protected against classic threats to the confidentiality of its sensitive information. This control partially meets that need.\u003c/p\u003e", - "\u003cp\u003eANALYSIS. The tools and techniques for implementing this monitoring control are now well understood and embedded in COTS operating systems and software.\u003c/p\u003e", - "\u003cp\u003eSAMPLE THREAT VECTORS. Large outbound file transfers execute without being detected. External malware network sites are accessed from within the organization without detection. Network sessions remain connected for long periods of time without detection. Esoteric protocols are active and undetected on ports not defined by the organization.\u003c/p\u003e", - "\u003cp\u003eRELEVANT SECURITY CONTROL ATTRIBUTES. Monitored\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.4.14.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.4.16.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.4.18.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. When a high-impact system is implemented in a shared-service environment, organizations should ensure their sensitive data is properly protected against classic threats to the confidentiality of sensitive information. This control partially meets that need.\u003c/p\u003e", - "\u003cp\u003eANALYSIS. 
The tools and techniques for implementing this monitoring control are now well understood, and embedded in COTS operating systems and software.\u003c/p\u003e", - "\u003cp\u003eSAMPLE THREAT VECTORS. Large outbound files are disguised to transfer without being detected. Communications with external malware network sites are embedded to avoid detection.\u003c/p\u003e", - "\u003cp\u003eRELEVANT SECURITY CONTROL ATTRIBUTES. Substantiated Integrity, Monitored, Assessed\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.4.19.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eRationale for De-Selection L1-3: The information sensitivity at these levels does not seem to warrant implementation of this CE. The costs for instituting fine-grained monitoring per individual far may outweigh the risks\u003c/p\u003e", - "\u003cp\u003eRationale for selection L4-6: SP Insider Threat mitigation; The information sensitivity at these levels warrants implementation of this CE.Best business practice for the protection of the CSP and customer alike. This enhancement works in conjunction with AC-2 (13) account disablement for such individuals and IR-4 (6).\u003c/p\u003e", - "\u003cp\u003eECSB Supplemental Guidance as the C/CE relates to CSPs: This enhancement works in conjunction with or opposite of AC-2 (13) which requires acount disablement within a specific time frame of discovering or identifying an individual posing a significant insider threat. In some instances the best action is not to terminate the individual's account, but rather to monitor their actions. This allows for the ability to collect evidence (for prosecution) and obtain insight into the TTPs that they may be using and others they may working with. 
Termination of the account is often best left as a final act.\u003c/p\u003e", - "\u003cp\u003ePriority for adding to FedRAMP-M: Moderate\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.4.20.", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "PRIVILEGED USER" - } - ], - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eRationale for Selection: Best business practice for the protection of the CSP and customer alike. Given the scale of a cloud, the possible harm by an malicious insider is greatly magnified over normal systems.\u003c/p\u003e", - "\u003cp\u003eECSB Supplemental Guidance as the C/CE relates to CSPs: his CE is on a par with SI-4 (9), IR-4 (6) and the various other insider threat Cs/CEs. Supports the mitigation of insider threat from those that can do the most damage. While CSPs typically claim they only have privileged users in their infrastructure (other than customers), this CEadds value for privilege users that have higher privilege than others. These higher privileged users should be subject to additional monitoring.\u003c/p\u003e", - "\u003cp\u003ePriority for adding to FedRAMP-M: High\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.4.22.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. When a high-impact system is implemented across networks in a shared-service environment, organizations should monitor network services to protect against unauthorized services capable of exfiltrating sensitive information. This control meets that monitoring need.\u003c/p\u003e", - "\u003cp\u003eANALYSIS. The tools and techniques for implementing this monitoring control are well understood, and embedded in COTS operating systems and software.\u003c/p\u003e", - "\u003cp\u003eSAMPLE THREAT VECTORS. 
Systems daemons and application services running in the background, exfiltrating sensitive information to external networks.\u003c/p\u003e", - "\u003cp\u003eRELEVANT SECURITY CONTROL ATTRIBUTES. Monitored, Assessed\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.4.23.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eIncluded in FedRAMP Moderate Baseline, Rev 4\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.4.24.", - "augment": { - "parts": [ - { - "class": "justification", - "prose": [ - "\u003cp\u003eNEED. When a high-impact system is implemented across networks in a shared-service environment, organizations should aggressively monitor for symptoms that system integrity has been compromised. This control addresses that monitoring need.\u003c/p\u003e", - "\u003cp\u003eANALYSIS. The tools and techniques for implementing this monitoring control are no longer unusual, but their implementation still requires careful initial analysis of tools, standards, and sources for indicators of compromise (IOC) data. This capability is not a simple matter of installing COTS software and watching for alerts. Rather, it requires staff to maintain a keen understanding of the threat-scape in order to properly understand the alerts coming from the IOC subsystem.\u003c/p\u003e", - "\u003cp\u003eSAMPLE THREAT VECTORS. Temporary files appear but are not associated with any known system processes; independent security services warn of new surveillance techniques appearing globally; evidence of those new techniques appears in an organization’s event logs. Reports on the payload of a new botnet indicate that the system has been touched by the botnet.\u003c/p\u003e", - "\u003cp\u003eRELEVANT SECURITY CONTROL ATTRIBUTES. Monitored, Assessed\u003c/p\u003e" - ] - } - ] - } - } - ] - } - ] -} \ No newline at end of file 
diff --git a/working/FedRAMP/FedRAMP-HIGH-working.xml b/working/FedRAMP/FedRAMP-HIGH-working.xml index c4c24dc272..36718ebf05 100644 --- a/working/FedRAMP/FedRAMP-HIGH-working.xml +++ b/working/FedRAMP/FedRAMP-HIGH-working.xml @@ -1,10 +1,11 @@ + + id="uuid-3793ff7f-f182-4e7e-b0b2-4b0dc6fe521d"> FedRAMP HIGH Baseline PROFILE (extracted and aligned, no edits) - + @@ -350,6 +351,90 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + organization-defined personnel or roles @@ -5174,88 +5259,7 @@ NAME/ADDRESS RESOLUTION SERVICE - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + organization-defined actions @@ -6315,5 +6319,5 @@ ASYMMETRIC KEYS - + diff --git a/working/FedRAMP/FedRAMP-LOW-working.json b/working/FedRAMP/FedRAMP-LOW-working.json deleted file mode 100644 index 6cf30fe93c..0000000000 --- a/working/FedRAMP/FedRAMP-LOW-working.json +++ /dev/null 
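Review bot: The block added at `@@ -350,6 +351,90 @@` (84 new lines) and the block removed at `@@ -5174,88 +5259,7 @@` (81 lines) differ in length, so this is not a pure relocation of the control block, yet the title on the new side still reads `FedRAMP HIGH Baseline PROFILE (extracted and aligned, no edits)`. The element content is not visible in this rendering (tags were dropped), so the actual edit cannot be reviewed here; the two blocks should be diffed and the move either made byte-identical or the change stated explicitly in the commit. The root element also gains `id="uuid-3793ff7f-f182-4e7e-b0b2-4b0dc6fe521d"` in the first hunk while the generated JSON profiles carrying their own uuid ids are deleted in the same commit; if this id is intended to be the stable profile identifier going forward, an XML comment next to it saying so would help the next maintainer.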
@@ -1,2751 +0,0 @@ -{ - "id": "uuid-84130014-44f3-49c0-85d2-088596a9f496", - "title": "FedRAMP LOW Baseline PROFILE (extracted and aligned, no edits)", - "invocations": [ - { - "href": "../SP800-53/SP800-53-LOW-baseline.json", - "include": { - "calls": [ - { - "controlId": "ac.1" - }, - { - "controlId": "ac.2" - }, - { - "controlId": "ac.3" - }, - { - "controlId": "ac.7" - }, - { - "controlId": "ac.8" - }, - { - "controlId": "ac.14" - }, - { - "controlId": "ac.17" - }, - { - "controlId": "ac.18" - }, - { - "controlId": "ac.19" - }, - { - "controlId": "ac.20" - }, - { - "controlId": "ac.22" - }, - { - "controlId": "at.1" - }, - { - "controlId": "at.2" - }, - { - "controlId": "at.3" - }, - { - "controlId": "at.4" - }, - { - "controlId": "au.1" - }, - { - "controlId": "au.2" - }, - { - "controlId": "au.3" - }, - { - "controlId": "au.4" - }, - { - "controlId": "au.5" - }, - { - "controlId": "au.6" - }, - { - "controlId": "au.8" - }, - { - "controlId": "au.9" - }, - { - "controlId": "au.11" - }, - { - "controlId": "au.12" - }, - { - "controlId": "ca.1" - }, - { - "controlId": "ca.2" - }, - { - "controlId": "ca.3" - }, - { - "controlId": "ca.5" - }, - { - "controlId": "ca.6" - }, - { - "controlId": "ca.7" - }, - { - "controlId": "ca.9" - }, - { - "controlId": "cm.1" - }, - { - "controlId": "cm.2" - }, - { - "controlId": "cm.4" - }, - { - "controlId": "cm.6" - }, - { - "controlId": "cm.7" - }, - { - "controlId": "cm.8" - }, - { - "controlId": "cm.10" - }, - { - "controlId": "cm.11" - }, - { - "controlId": "cp.1" - }, - { - "controlId": "cp.2" - }, - { - "controlId": "cp.3" - }, - { - "controlId": "cp.4" - }, - { - "controlId": "cp.9" - }, - { - "controlId": "cp.10" - }, - { - "controlId": "ia.1" - }, - { - "controlId": "ia.2" - }, - { - "subcontrolId": "ia.2.1." - }, - { - "subcontrolId": "ia.2.12." - }, - { - "controlId": "ia.4" - }, - { - "controlId": "ia.5" - }, - { - "subcontrolId": "ia.5.1." - }, - { - "subcontrolId": "ia.5.11." 
- }, - { - "controlId": "ia.6" - }, - { - "controlId": "ia.7" - }, - { - "controlId": "ia.8" - }, - { - "subcontrolId": "ia.8.1." - }, - { - "subcontrolId": "ia.8.2." - }, - { - "subcontrolId": "ia.8.3." - }, - { - "subcontrolId": "ia.8.4." - }, - { - "controlId": "ir.1" - }, - { - "controlId": "ir.2" - }, - { - "controlId": "ir.4" - }, - { - "controlId": "ir.5" - }, - { - "controlId": "ir.6" - }, - { - "controlId": "ir.7" - }, - { - "controlId": "ir.8" - }, - { - "controlId": "ma.1" - }, - { - "controlId": "ma.2" - }, - { - "controlId": "ma.4" - }, - { - "controlId": "ma.5" - }, - { - "controlId": "mp.1" - }, - { - "controlId": "mp.2" - }, - { - "controlId": "mp.6" - }, - { - "controlId": "mp.7" - }, - { - "controlId": "pe.1" - }, - { - "controlId": "pe.2" - }, - { - "controlId": "pe.3" - }, - { - "controlId": "pe.6" - }, - { - "controlId": "pe.8" - }, - { - "controlId": "pe.12" - }, - { - "controlId": "pe.13" - }, - { - "controlId": "pe.14" - }, - { - "controlId": "pe.15" - }, - { - "controlId": "pe.16" - }, - { - "controlId": "pl.1" - }, - { - "controlId": "pl.2" - }, - { - "controlId": "pl.4" - }, - { - "controlId": "ps.1" - }, - { - "controlId": "ps.2" - }, - { - "controlId": "ps.3" - }, - { - "controlId": "ps.4" - }, - { - "controlId": "ps.5" - }, - { - "controlId": "ps.6" - }, - { - "controlId": "ps.7" - }, - { - "controlId": "ps.8" - }, - { - "controlId": "ra.1" - }, - { - "controlId": "ra.2" - }, - { - "controlId": "ra.3" - }, - { - "controlId": "ra.5" - }, - { - "controlId": "sa.1" - }, - { - "controlId": "sa.2" - }, - { - "controlId": "sa.3" - }, - { - "controlId": "sa.4" - }, - { - "controlId": "sa.5" - }, - { - "controlId": "sa.9" - }, - { - "controlId": "sc.1" - }, - { - "controlId": "sc.5" - }, - { - "controlId": "sc.7" - }, - { - "controlId": "sc.12" - }, - { - "controlId": "sc.13" - }, - { - "controlId": "sc.15" - }, - { - "controlId": "sc.20" - }, - { - "controlId": "sc.21" - }, - { - "controlId": "sc.22" - }, - { - "controlId": "sc.39" - }, - { - 
"controlId": "si.1" - }, - { - "controlId": "si.2" - }, - { - "controlId": "si.3" - }, - { - "controlId": "si.4" - }, - { - "controlId": "si.5" - }, - { - "controlId": "si.12" - } - ] - }, - "paramSettings": [ - { - "paramId": "ac-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ac-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ac-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ac-2_a", - "desc": "organization-defined information system account types", - "value": "organization-defined information system account types" - }, - { - "paramId": "ac-2_b", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ac-2_c", - "desc": "organization-defined procedures or conditions", - "value": "organization-defined procedures or conditions" - }, - { - "paramId": "ac-2_d", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ac-7_a", - "desc": "organization-defined number", - "value": "organization-defined number" - }, - { - "paramId": "ac-7_b", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ac-7_c", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ac-7_d", - "desc": "organization-defined delay algorithm", - "value": "organization-defined delay algorithm" - }, - { - "paramId": "ac-8_a", - "desc": "organization-defined system use notification message or banner", - "value": "organization-defined system use notification message or banner" - }, - { - "paramId": "ac-8_b", - "desc": "organization-defined conditions", - "value": "organization-defined conditions" - }, - { - "paramId": "ac-14_a", - "desc": 
"organization-defined user actions", - "value": "organization-defined user actions" - }, - { - "paramId": "ac-22_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "at-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "at-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "at-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "at-2_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "at-3_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "at-4_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "au-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "au-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "au-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "au-2_a", - "desc": "organization-defined auditable events", - "value": "organization-defined auditable events" - }, - { - "paramId": "au-2_b", - "desc": "organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event", - "value": "organization-defined audited events (the subset of the auditable events defined in AU-2 a.) 
along with the frequency of (or situation requiring) auditing for each identified event" - }, - { - "paramId": "au-4_a", - "desc": "organization-defined audit record storage requirements", - "value": "organization-defined audit record storage requirements" - }, - { - "paramId": "au-5_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "au-5_b", - "desc": "organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)", - "value": "organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)" - }, - { - "paramId": "au-6_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "au-6_b", - "desc": "organization-defined inappropriate or unusual activity", - "value": "organization-defined inappropriate or unusual activity" - }, - { - "paramId": "au-6_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "au-8_a", - "desc": "organization-defined granularity of time measurement", - "value": "organization-defined granularity of time measurement" - }, - { - "paramId": "au-11_a", - "desc": "organization-defined time period consistent with records retention policy", - "value": "organization-defined time period consistent with records retention policy" - }, - { - "paramId": "au-12_a", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "au-12_b", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ca-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": 
"ca-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-2_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-2_b", - "desc": "organization-defined individuals or roles", - "value": "organization-defined individuals or roles" - }, - { - "paramId": "ca-3_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-5_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-6_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-7_a", - "desc": "organization-defined metrics", - "value": "organization-defined metrics" - }, - { - "paramId": "ca-7_b", - "desc": "organization-defined frequencies", - "value": "organization-defined frequencies" - }, - { - "paramId": "ca-7_c", - "desc": "organization-defined frequencies", - "value": "organization-defined frequencies" - }, - { - "paramId": "ca-7_d", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ca-7_e", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-9_a", - "desc": "organization-defined information system components or classes of components", - "value": "organization-defined information system components or classes of components" - }, - { - "paramId": "cm-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "cm-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-1_c", - "desc": "organization-defined 
frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-6_a", - "desc": "organization-defined security configuration checklists", - "value": "organization-defined security configuration checklists" - }, - { - "paramId": "cm-6_b", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "cm-6_c", - "desc": "organization-defined operational requirements", - "value": "organization-defined operational requirements" - }, - { - "paramId": "cm-7_a", - "desc": "organization-defined prohibited or restricted functions, ports, protocols, and/or services", - "value": "organization-defined prohibited or restricted functions, ports, protocols, and/or services" - }, - { - "paramId": "cm-8_a", - "desc": "organization-defined information deemed necessary to achieve effective information system component accountability", - "value": "organization-defined information deemed necessary to achieve effective information system component accountability" - }, - { - "paramId": "cm-8_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-11_a", - "desc": "organization-defined policies", - "value": "organization-defined policies" - }, - { - "paramId": "cm-11_b", - "desc": "organization-defined methods", - "value": "organization-defined methods" - }, - { - "paramId": "cm-11_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "cp-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-2_a", - "desc": "organization-defined personnel or 
roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "cp-2_b", - "desc": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements", - "value": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" - }, - { - "paramId": "cp-2_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-2_d", - "desc": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements", - "value": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" - }, - { - "paramId": "cp-3_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "cp-3_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-4_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-4_b", - "desc": "organization-defined tests", - "value": "organization-defined tests" - }, - { - "paramId": "cp-9_a", - "desc": "organization-defined frequency consistent with recovery time and recovery point objectives", - "value": "organization-defined frequency consistent with recovery time and recovery point objectives" - }, - { - "paramId": "cp-9_b", - "desc": "organization-defined frequency consistent with recovery time and recovery point objectives", - "value": "organization-defined frequency consistent with recovery time and recovery point objectives" - }, - { - "paramId": "cp-9_c", - "desc": "organization-defined frequency consistent with recovery time and recovery point objectives", - "value": "organization-defined frequency consistent with recovery time and recovery point objectives" - }, - { - "paramId": "ia-1_a", - "desc": 
"organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ia-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ia-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ia-4_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ia-4_b", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ia-4_c", - "desc": "organization-defined time period of inactivity", - "value": "organization-defined time period of inactivity" - }, - { - "paramId": "ia-5_a", - "desc": "organization-defined time period by authenticator type", - "value": "organization-defined time period by authenticator type" - }, - { - "paramId": "ia-5_b", - "desc": "organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type", - "value": "organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type" - }, - { - "paramId": "ia-5_c", - "desc": "organization-defined number", - "value": "organization-defined number" - }, - { - "paramId": "ia-5_d", - "desc": "organization-defined numbers for lifetime minimum, lifetime maximum", - "value": "organization-defined numbers for lifetime minimum, lifetime maximum" - }, - { - "paramId": "ia-5_e", - "desc": "organization-defined number", - "value": "organization-defined number" - }, - { - "paramId": "ia-5_l", - "desc": "organization-defined token quality requirements", - "value": "organization-defined token quality requirements" - }, - { - "paramId": "ia-8_a", - "desc": 
"organization-defined information systems", - "value": "organization-defined information systems" - }, - { - "paramId": "ir-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ir-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ir-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ir-2_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ir-2_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ir-6_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ir-6_b", - "desc": "organization-defined authorities", - "value": "organization-defined authorities" - }, - { - "paramId": "ir-8_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ir-8_b", - "desc": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements", - "value": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements" - }, - { - "paramId": "ir-8_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ir-8_d", - "desc": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements", - "value": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements" - }, - { - "paramId": "ma-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ma-1_b", - "desc": "organization-defined 
frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ma-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ma-2_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ma-2_b", - "desc": "organization-defined maintenance-related information", - "value": "organization-defined maintenance-related information" - }, - { - "paramId": "mp-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "mp-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "mp-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "mp-2_a", - "desc": "organization-defined types of digital and/or non-digital media", - "value": "organization-defined types of digital and/or non-digital media" - }, - { - "paramId": "mp-2_b", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "mp-6_a", - "desc": "organization-defined information system media", - "value": "organization-defined information system media" - }, - { - "paramId": "mp-6_b", - "desc": "organization-defined sanitization techniques and procedures", - "value": "organization-defined sanitization techniques and procedures" - }, - { - "paramId": "mp-7_a", - "desc": "organization-defined types of information system media", - "value": "organization-defined types of information system media" - }, - { - "paramId": "mp-7_b", - "desc": "organization-defined information systems or system components", - "value": "organization-defined information systems or system components" - }, - { - "paramId": "mp-7_c", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - 
}, - { - "paramId": "pe-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "pe-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-2_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-3_a", - "desc": "organization-defined entry/exit points to the facility where the information system resides", - "value": "organization-defined entry/exit points to the facility where the information system resides" - }, - { - "paramId": "pe-3_b", - "desc": "organization-defined physical access control systems/devices", - "value": "organization-defined physical access control systems/devices" - }, - { - "paramId": "pe-3_c", - "desc": "organization-defined entry/exit points", - "value": "organization-defined entry/exit points" - }, - { - "paramId": "pe-3_d", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "pe-3_e", - "desc": "organization-defined circumstances requiring visitor escorts and monitoring", - "value": "organization-defined circumstances requiring visitor escorts and monitoring" - }, - { - "paramId": "pe-3_f", - "desc": "organization-defined physical access devices", - "value": "organization-defined physical access devices" - }, - { - "paramId": "pe-3_g", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-3_h", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-6_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-6_b", - "desc": "organization-defined events or potential 
indications of events", - "value": "organization-defined events or potential indications of events" - }, - { - "paramId": "pe-8_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "pe-8_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-14_a", - "desc": "organization-defined acceptable levels", - "value": "organization-defined acceptable levels" - }, - { - "paramId": "pe-14_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-16_a", - "desc": "organization-defined types of information system components", - "value": "organization-defined types of information system components" - }, - { - "paramId": "pl-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "pl-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pl-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pl-2_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "pl-2_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pl-4_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ps-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-2_a", - "desc": "organization-defined frequency", - 
"value": "organization-defined frequency" - }, - { - "paramId": "ps-3_a", - "desc": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening", - "value": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening" - }, - { - "paramId": "ps-4_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ps-4_b", - "desc": "organization-defined information security topics", - "value": "organization-defined information security topics" - }, - { - "paramId": "ps-4_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ps-4_d", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ps-5_a", - "desc": "organization-defined transfer or reassignment actions", - "value": "organization-defined transfer or reassignment actions" - }, - { - "paramId": "ps-5_b", - "desc": "organization-defined time period following the formal transfer action", - "value": "organization-defined time period following the formal transfer action" - }, - { - "paramId": "ps-5_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ps-5_d", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ps-6_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-6_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-7_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ps-7_b", - "desc": "organization-defined time period", - "value": 
"organization-defined time period" - }, - { - "paramId": "ps-8_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ps-8_b", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ra-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ra-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ra-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ra-3_a", - "desc": "organization-defined document", - "value": "organization-defined document" - }, - { - "paramId": "ra-3_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ra-3_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ra-3_d", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ra-5_a", - "desc": "organization-defined frequency and/or randomly in accordance with organization-defined process", - "value": "organization-defined frequency and/or randomly in accordance with organization-defined process" - }, - { - "paramId": "ra-5_b", - "desc": "organization-defined response times", - "value": "organization-defined response times" - }, - { - "paramId": "ra-5_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "sa-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "sa-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "sa-1_c", - "desc": 
"organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "sa-3_a", - "desc": "organization-defined system development life cycle", - "value": "organization-defined system development life cycle" - }, - { - "paramId": "sa-5_a", - "desc": "organization-defined actions", - "value": "organization-defined actions" - }, - { - "paramId": "sa-5_b", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "sa-9_a", - "desc": "organization-defined security controls", - "value": "organization-defined security controls" - }, - { - "paramId": "sa-9_b", - "desc": "organization-defined processes, methods, and techniques", - "value": "organization-defined processes, methods, and techniques" - }, - { - "paramId": "sc-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "sc-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "sc-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "sc-5_a", - "desc": "organization-defined types of denial of service attacks or references to sources for such information", - "value": "organization-defined types of denial of service attacks or references to sources for such information" - }, - { - "paramId": "sc-5_b", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "sc-12_a", - "desc": "organization-defined requirements for key generation, distribution, storage, access, and destruction", - "value": "organization-defined requirements for key generation, distribution, storage, access, and destruction" - }, - { - "paramId": "sc-13_a", - "desc": "organization-defined cryptographic uses and type of cryptography required for each use", - "value": 
"organization-defined cryptographic uses and type of cryptography required for each use" - }, - { - "paramId": "sc-15_a", - "desc": "organization-defined exceptions where remote activation is to be allowed", - "value": "organization-defined exceptions where remote activation is to be allowed" - }, - { - "paramId": "si-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "si-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-2_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "si-3_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-3_b", - "desc": "organization-defined action", - "value": "organization-defined action" - }, - { - "paramId": "si-4_a", - "desc": "organization-defined monitoring objectives", - "value": "organization-defined monitoring objectives" - }, - { - "paramId": "si-4_b", - "desc": "organization-defined techniques and methods", - "value": "organization-defined techniques and methods" - }, - { - "paramId": "si-4_c", - "desc": "organization-defined information system monitoring information", - "value": "organization-defined information system monitoring information" - }, - { - "paramId": "si-4_d", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "si-4_e", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-5_a", - "desc": "organization-defined external organizations", - "value": "organization-defined external organizations" - }, - { - "paramId": "si-5_b", - "desc": "organization-defined personnel or roles", - 
"value": "organization-defined personnel or roles" - }, - { - "paramId": "si-5_c", - "desc": "organization-defined elements within the organization", - "value": "organization-defined elements within the organization" - }, - { - "paramId": "si-5_d", - "desc": "organization-defined external organizations", - "value": "organization-defined external organizations" - } - ], - "alterations": [ - { - "controlId": "ac.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-1 (b) (1) [at least every 3 years] AC-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-2 (j) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.3", - "augment": true - }, - { - "controlId": "ac.7", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-7(a) [not more than three] [fifteen minutes] AC-7(b) [locks the account/node for thirty minutes]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.8", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-8 (a) [see additional Requirements and Guidance] AC-8 (c) [see additional Requirements and Guidance]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAC-8 Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB. AC-08 Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB. 
AC-8 Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided. AC-8 Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.14", - "augment": true - }, - { - "controlId": "ac.17", - "augment": true - }, - { - "controlId": "ac.18", - "augment": true - }, - { - "controlId": "ac.19", - "augment": true - }, - { - "controlId": "ac.20", - "augment": true - }, - { - "controlId": "ac.22", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-22 (d) [at least quarterly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "at.1", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "SECURITY AWARENESS AND TRAINING POLICY ANDPROCEDURES" - } - ], - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAT-1 (b) (1) [at least every 3 years] AT-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "at.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAT-2(c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "at.3", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAT-3 (c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "at.4", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAT-4 (b) [At least one year]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-1 (b) (1) [at least 
every 3 years] AU-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-2 (a) [Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes] AU-2 (d) [organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAU-2 Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.3", - "augment": true - }, - { - "controlId": "au.4", - "augment": true - }, - { - "controlId": "au.5", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-5 (b) [organization-defined actions to be taken (overwrite oldest record)\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.6", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-6 (a)-1 [at least weekly]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAU-6 Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. 
In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.8", - "augment": true - }, - { - "controlId": "au.9", - "augment": true - }, - { - "controlId": "au.11", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-11 [at least ninety days]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAU-11. Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.12", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-12 (a) [all information system and network components where audit capability is deployed/available]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-1 (b) (1) [at least every 3 years] CA-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-2 (b) [at least annually] CA-2 (d) [individuals or roles to include FedRAMP PMO]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.3", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-3 (c) [at least annually and on input from FedRAMP]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.5", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-5 (b) [at least monthly]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-5 Guidance: Requirement: POA\u0026amp;Ms must be provided at least monthly.\u003c/p\u003e" - ] - } - ] 
- } - }, - { - "controlId": "ca.6", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-6 (c) [at least every three years or when a significant change occurs]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-6c. Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.7", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-7 (g) [To meet Federal and FedRAMP requirements]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-7 Requirement: Operating System Scans: at least monthly Database and Web Application Scans: at least monthly All scans performed by Independent Assessor: at least annually CA-7 Guidance: CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA\u0026amp;M updates. 
Operating System Scans: at least monthly Database and Web Application Scans: at least monthly All scans performed by Independent Assessor: at least annually\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.9", - "augment": true - }, - { - "controlId": "cm.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-1 (b) (1) [at least every 3 years] CM-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.2", - "augment": true - }, - { - "controlId": "cm.4", - "augment": true - }, - { - "controlId": "cm.6", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-6 (a) [United States Government Configuration Baseline (USGCB)]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCM-6 (a) Requirement 1: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. CM-6 (a) Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available). 
CM-6 (a) Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.7", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-7 (b) [United States Government Configuration Baseline (USGCB)]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCM-7 (b) Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. CM-7. Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc. (Partially derived from AC-17(8).)\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.8", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-8 (b) [at least monthly]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCM-8 Requirement: must be provided at least monthly or when there is a change.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.10", - "augment": true - }, - { - "controlId": "cm.11", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-11 (c) [Continuously (via CM-7 (5))]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-1 (b)(1) [at least every 3 years] CP-1 (b)(2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-2 (d) [at least annually]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCP-2 Requirement: For JAB 
authorizations the contingency lists include designated FedRAMP personnel.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.3", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-3 (a) [10 days] CP-3 (c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.4", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-4 (a)-1 [at least annually for moderate impact systems; at least every three years for low impact systems] CP-4 (a)-2 [functional exercises for moderate impact systems; classroom exercises/table top written tests for low impact systems]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCP-4 (a). Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.9", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-9 (a) [daily incremental; weekly full] CP-9 (b) [daily incremental; weekly full] CP-9 (c) [daily incremental; weekly full]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCP-9 Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check. CP-9 (a) Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative. CP-9 (b) Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative. 
CP-9 (c) Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.10", - "augment": true - }, - { - "controlId": "ia.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-1 (b) (1) [at least every 3 years] IA-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ia.2", - "augment": true - }, - { - "subcontrolId": "ia.2.1.", - "augment": true - }, - { - "subcontrolId": "ia.2.12.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eIA-2 (12) Guidance: Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ia.4", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-4 (d) [at least two years] IA-4 (e) [ninety days for user identifiers] (See additional requirements and guidance)\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIA-4 (e) Requirement: The service provider defines time period of inactivity for device identifiers. 
Guidance: For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ia.5", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-5 (g) [to include sixty days for passwords]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.5.1.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-5 (1) (a) [case sensitive, minimum of twelve characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters] IA-5 (1) (b) [at least one] IA-5 (1) (d) [one day minimum, sixty day maximum] IA-5 (1) (e) [twenty four]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.5.11.", - "augment": true - }, - { - "controlId": "ia.6", - "augment": true - }, - { - "controlId": "ia.7", - "augment": true - }, - { - "controlId": "ia.8", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "IDENTIFICATION AND AUTHENTICATION (NON- ORGANIZATIONAL USERS)" - } - ] - } - }, - { - "subcontrolId": "ia.8.1.", - "augment": true - }, - { - "subcontrolId": "ia.8.2.", - "augment": true - }, - { - "subcontrolId": "ia.8.3.", - "augment": true - }, - { - "subcontrolId": "ia.8.4.", - "augment": true - }, - { - "controlId": "ir.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIR-1 (b) (1) [at least every 3 years] IR-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ir.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIR-2 (c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ir.4", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eIR-4 Requirement: The service provider ensures that individuals conducting incident handling meet personnel 
security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ir.5", - "augment": true - }, - { - "controlId": "ir.6", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIR-6 (a) [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIR-6 Requirement: Reports security incident information according to FedRAMP Incident Communications Procedure.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ir.7", - "augment": true - }, - { - "controlId": "ir.8", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIR-8 (b) [see additional FedRAMP Requirements and Guidance] IR-8 (c) [at least annually] IR-8 (e) [see additional FedRAMP Requirements and Guidance]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIR-8 (b) Additional FedRAMP Requirements and Guidance: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel. IR-8 (e) Additional FedRAMP Requirements and Guidance: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. 
The incident response list includes designated FedRAMP personnel.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ma.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMA-1 (b) (1) [at least every 3 years] MA-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ma.2", - "augment": true - }, - { - "controlId": "ma.4", - "augment": true - }, - { - "controlId": "ma.5", - "augment": true - }, - { - "controlId": "mp.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMP-1 (b) (1) [at least every 3 years] MP-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "mp.2", - "augment": true - }, - { - "controlId": "mp.6", - "augment": true - }, - { - "controlId": "mp.7", - "augment": true - }, - { - "controlId": "pe.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-1 (b) (1) [at least every 3 years] PE-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-2 (c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.3", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-3 (a) (2) [CSP defined physical access control systems/devices AND guards] PE-3 (d) [in all circumstances within restricted access area where the information system resides] PE-3 (f) [at least annually] PE-3 (g) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.6", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-6 (b) [at least monthly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.8", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-8 (a) [for a minimum of one year] PE-8 (b) [at least monthly]\u003c/p\u003e" - ] - 
} - ] - } - }, - { - "controlId": "pe.12", - "augment": true - }, - { - "controlId": "pe.13", - "augment": true - }, - { - "controlId": "pe.14", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-14 (a) [consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments] PE-14 (b) [continuously]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003ePE-14 (a). Requirements: The service provider measures temperature at server inlets and humidity levels by dew point.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.15", - "augment": true - }, - { - "controlId": "pe.16", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-16 [all information system components]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pl.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePL-1 (b) (1) [at least every 3 years] PL-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pl.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePL-2 (c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pl.4", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePL-4 (c) [At least every 3 years]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-1 (b) (1) [at least every 3 years] PS-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-2 (c) [at least every three years]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.3", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": 
[ - "\u003cp\u003ePS-3 (b) [for national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year There is no reinvestigation for other moderate risk positions or any low risk positions]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.4", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-4 (a) [same day]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.5", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-5 (d)-2 [five days of the time period following the formal transfer action (DoD 24 hours)]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.6", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-6 (b) [at least annually] PS-6 (c) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.7", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-7 (d)-2 [organization-defined time period – same day]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.8", - "augment": true - }, - { - "controlId": "ra.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eRA-1 (b) (1) [at least every 3 years] RA-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ra.2", - "augment": true - }, - { - "controlId": "ra.3", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eRA-3 (b) [security assessment report] RA-3 (c) [at least every three (3) years or when a significant change occurs] RA-3 (d) [to include all Authoring Officials and FedRAMP ISSOs] RA-3 (e) [at least every three (3) years or when a significant change 
occurs]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eRA-3 Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ra.5", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eRA-5 (a) [monthly operating system/infrastructure; monthly web applications and databases] RA-5 (d) [high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eRA-5 (a) Requirement: an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually. RA-5 (e) Requirement: to include the Risk Executive; for JAB authorizations to include FedRAMP\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-1 (b) (1) [at least every 3 years] SA-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.2", - "augment": true - }, - { - "controlId": "sa.3", - "augment": true - }, - { - "controlId": "sa.4", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eSA-4 Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. 
See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.5", - "augment": true - }, - { - "controlId": "sa.9", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-9 (a) [FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system] SA-9 (c) [Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-1 (b) (1) [at least every 3 years] SC-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.5", - "augment": true - }, - { - "controlId": "sc.7", - "augment": true - }, - { - "controlId": "sc.12", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eSC-12 Guidance: Federally approved cryptography\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.13", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-13 [FIPS-validated or NSA-approved cryptography]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.15", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-15 (a) [no exceptions]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eSC-15 Additional FedRAMP Requirements and Guidance: Requirement: The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.20", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "SECURE NAME /ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)" - } - ] - } - }, - { - "controlId": "sc.21", - 
"augment": { - "props": [ - { - "class": "profile-title", - "value": "SECURE NAME /ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING\n RESOLVER)" - } - ] - } - }, - { - "controlId": "sc.22", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION\n SERVICE" - } - ] - } - }, - { - "controlId": "sc.39", - "augment": true - }, - { - "controlId": "si.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-1 (b) (1) [at least every 3 years] SI-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-2 (c) [within 30 days of release of updates]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.3", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-3 (c) (1)-1 [at least weekly] SI-3 (c) (1)-2 [to include endpoints] SI-3 (c) (2) [to include alerting administrator or defined security personnel]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.4", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eSI-4 Guidance: See US-CERT Incident Response Reporting Guidelines.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.5", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-5 (a) [to include US-CERT] SI-5 (c) [to include system security personnel and administrators with configuration/patch-management responsibilities]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.12", - "augment": true - } - ] - }, - { - "href": "../SP800-53/SP800-53-MODERATE-baseline.json", - "include": { - "calls": [ - { - "subcontrolId": "ca.2.1." 
- }, - { - "controlId": "si.16" - } - ] - }, - "paramSettings": [ - { - "paramId": "ca-2_c", - "desc": "organization-defined level of independence", - "value": "organization-defined level of independence" - }, - { - "paramId": "si-16_a", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - } - ], - "alterations": [ - { - "subcontrolId": "ca.2.1.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-2(1) Requirement: Must use an accredited 3PAO for JAB authorization\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.16", - "augment": true - } - ] - } - ] -} \ No newline at end of file diff --git a/working/FedRAMP/FedRAMP-LOW-working.xml b/working/FedRAMP/FedRAMP-LOW-working.xml index bbcd7ee115..9c55aade4d 100644 --- a/working/FedRAMP/FedRAMP-LOW-working.xml +++ b/working/FedRAMP/FedRAMP-LOW-working.xml @@ -1,10 +1,11 @@ + + id="uuid-b4ee7b6a-ccd5-4c44-946a-dc224a0c889e"> FedRAMP LOW Baseline PROFILE (extracted and aligned, no edits) - + @@ -130,6 +131,14 @@ + + + + + + + + organization-defined personnel or roles @@ -1794,12 +1803,7 @@ - - - - - - + organization-defined level of independence @@ -1821,5 +1825,5 @@ - + diff --git a/working/FedRAMP/FedRAMP-MODERATE-working.json b/working/FedRAMP/FedRAMP-MODERATE-working.json deleted file mode 100644 index fb9de6c7c5..0000000000 --- a/working/FedRAMP/FedRAMP-MODERATE-working.json +++ /dev/null 
@@ -1,5677 +0,0 @@ -{ - "id": "uuid-4a36cdf2-d112-49c3-bde0-7bdec2864842", - "title": "FedRAMP MODERATE Baseline PROFILE (extracted and aligned, no edits)", - "invocations": [ - { - "href": "../SP800-53/SP800-53-MODERATE-baseline.json", - "include": { - "calls": [ - { - "controlId": "ac.1" - }, - { - "controlId": "ac.2" - }, - { - "subcontrolId": "ac.2.1." - }, - { - "subcontrolId": "ac.2.2." - }, - { - "subcontrolId": "ac.2.3." - }, - { - "subcontrolId": "ac.2.4." - }, - { - "controlId": "ac.3" - }, - { - "controlId": "ac.4" - }, - { - "controlId": "ac.5" - }, - { - "controlId": "ac.6" - }, - { - "subcontrolId": "ac.6.1." - }, - { - "subcontrolId": "ac.6.2." - }, - { - "subcontrolId": "ac.6.5." - }, - { - "subcontrolId": "ac.6.9." - }, - { - "subcontrolId": "ac.6.10." - }, - { - "controlId": "ac.7" - }, - { - "controlId": "ac.8" - }, - { - "controlId": "ac.11" - }, - { - "subcontrolId": "ac.11.1." - }, - { - "controlId": "ac.12" - }, - { - "controlId": "ac.14" - }, - { - "controlId": "ac.17" - }, - { - "subcontrolId": "ac.17.1." - }, - { - "subcontrolId": "ac.17.2." - }, - { - "subcontrolId": "ac.17.3." - }, - { - "subcontrolId": "ac.17.4." - }, - { - "controlId": "ac.18" - }, - { - "subcontrolId": "ac.18.1." - }, - { - "controlId": "ac.19" - }, - { - "subcontrolId": "ac.19.5." - }, - { - "controlId": "ac.20" - }, - { - "subcontrolId": "ac.20.1." - }, - { - "subcontrolId": "ac.20.2." - }, - { - "controlId": "ac.21" - }, - { - "controlId": "ac.22" - }, - { - "controlId": "at.1" - }, - { - "controlId": "at.2" - }, - { - "subcontrolId": "at.2.2." - }, - { - "controlId": "at.3" - }, - { - "controlId": "at.4" - }, - { - "controlId": "au.1" - }, - { - "controlId": "au.2" - }, - { - "subcontrolId": "au.2.3." - }, - { - "controlId": "au.3" - }, - { - "subcontrolId": "au.3.1." - }, - { - "controlId": "au.4" - }, - { - "controlId": "au.5" - }, - { - "controlId": "au.6" - }, - { - "subcontrolId": "au.6.1." - }, - { - "subcontrolId": "au.6.3." 
- }, - { - "controlId": "au.7" - }, - { - "subcontrolId": "au.7.1." - }, - { - "controlId": "au.8" - }, - { - "subcontrolId": "au.8.1." - }, - { - "controlId": "au.9" - }, - { - "subcontrolId": "au.9.4." - }, - { - "controlId": "au.11" - }, - { - "controlId": "au.12" - }, - { - "controlId": "ca.1" - }, - { - "controlId": "ca.2" - }, - { - "subcontrolId": "ca.2.1." - }, - { - "controlId": "ca.3" - }, - { - "subcontrolId": "ca.3.5." - }, - { - "controlId": "ca.5" - }, - { - "controlId": "ca.6" - }, - { - "controlId": "ca.7" - }, - { - "subcontrolId": "ca.7.1." - }, - { - "controlId": "ca.9" - }, - { - "controlId": "cm.1" - }, - { - "controlId": "cm.2" - }, - { - "subcontrolId": "cm.2.1." - }, - { - "subcontrolId": "cm.2.3." - }, - { - "subcontrolId": "cm.2.7." - }, - { - "controlId": "cm.3" - }, - { - "controlId": "cm.4" - }, - { - "controlId": "cm.5" - }, - { - "controlId": "cm.6" - }, - { - "controlId": "cm.7" - }, - { - "subcontrolId": "cm.7.1." - }, - { - "subcontrolId": "cm.7.2." - }, - { - "controlId": "cm.8" - }, - { - "subcontrolId": "cm.8.1." - }, - { - "subcontrolId": "cm.8.3." - }, - { - "subcontrolId": "cm.8.5." - }, - { - "controlId": "cm.9" - }, - { - "controlId": "cm.10" - }, - { - "controlId": "cm.11" - }, - { - "controlId": "cp.1" - }, - { - "controlId": "cp.2" - }, - { - "subcontrolId": "cp.2.1." - }, - { - "subcontrolId": "cp.2.3." - }, - { - "subcontrolId": "cp.2.8." - }, - { - "controlId": "cp.3" - }, - { - "controlId": "cp.4" - }, - { - "subcontrolId": "cp.4.1." - }, - { - "controlId": "cp.6" - }, - { - "subcontrolId": "cp.6.1." - }, - { - "subcontrolId": "cp.6.3." - }, - { - "controlId": "cp.7" - }, - { - "subcontrolId": "cp.7.1." - }, - { - "subcontrolId": "cp.7.2." - }, - { - "subcontrolId": "cp.7.3." - }, - { - "controlId": "cp.8" - }, - { - "subcontrolId": "cp.8.1." - }, - { - "subcontrolId": "cp.8.2." - }, - { - "controlId": "cp.9" - }, - { - "subcontrolId": "cp.9.1." - }, - { - "controlId": "cp.10" - }, - { - "subcontrolId": "cp.10.2." 
- }, - { - "controlId": "ia.1" - }, - { - "controlId": "ia.2" - }, - { - "subcontrolId": "ia.2.1." - }, - { - "subcontrolId": "ia.2.2." - }, - { - "subcontrolId": "ia.2.3." - }, - { - "subcontrolId": "ia.2.8." - }, - { - "subcontrolId": "ia.2.11." - }, - { - "subcontrolId": "ia.2.12." - }, - { - "controlId": "ia.3" - }, - { - "controlId": "ia.4" - }, - { - "controlId": "ia.5" - }, - { - "subcontrolId": "ia.5.1." - }, - { - "subcontrolId": "ia.5.2." - }, - { - "subcontrolId": "ia.5.3." - }, - { - "subcontrolId": "ia.5.11." - }, - { - "controlId": "ia.6" - }, - { - "controlId": "ia.7" - }, - { - "controlId": "ia.8" - }, - { - "subcontrolId": "ia.8.1." - }, - { - "subcontrolId": "ia.8.2." - }, - { - "subcontrolId": "ia.8.3." - }, - { - "subcontrolId": "ia.8.4." - }, - { - "controlId": "ir.1" - }, - { - "controlId": "ir.2" - }, - { - "controlId": "ir.3" - }, - { - "subcontrolId": "ir.3.2." - }, - { - "controlId": "ir.4" - }, - { - "subcontrolId": "ir.4.1." - }, - { - "controlId": "ir.5" - }, - { - "controlId": "ir.6" - }, - { - "subcontrolId": "ir.6.1." - }, - { - "controlId": "ir.7" - }, - { - "subcontrolId": "ir.7.1." - }, - { - "controlId": "ir.8" - }, - { - "controlId": "ma.1" - }, - { - "controlId": "ma.2" - }, - { - "controlId": "ma.3" - }, - { - "subcontrolId": "ma.3.1." - }, - { - "subcontrolId": "ma.3.2." - }, - { - "controlId": "ma.4" - }, - { - "subcontrolId": "ma.4.2." - }, - { - "controlId": "ma.5" - }, - { - "controlId": "ma.6" - }, - { - "controlId": "mp.1" - }, - { - "controlId": "mp.2" - }, - { - "controlId": "mp.3" - }, - { - "controlId": "mp.4" - }, - { - "controlId": "mp.5" - }, - { - "subcontrolId": "mp.5.4." - }, - { - "controlId": "mp.6" - }, - { - "controlId": "mp.7" - }, - { - "subcontrolId": "mp.7.1." - }, - { - "controlId": "pe.1" - }, - { - "controlId": "pe.2" - }, - { - "controlId": "pe.3" - }, - { - "controlId": "pe.4" - }, - { - "controlId": "pe.5" - }, - { - "controlId": "pe.6" - }, - { - "subcontrolId": "pe.6.1." 
- }, - { - "controlId": "pe.8" - }, - { - "controlId": "pe.9" - }, - { - "controlId": "pe.10" - }, - { - "controlId": "pe.11" - }, - { - "controlId": "pe.12" - }, - { - "controlId": "pe.13" - }, - { - "subcontrolId": "pe.13.3." - }, - { - "controlId": "pe.14" - }, - { - "controlId": "pe.15" - }, - { - "controlId": "pe.16" - }, - { - "controlId": "pe.17" - }, - { - "controlId": "pl.1" - }, - { - "controlId": "pl.2" - }, - { - "subcontrolId": "pl.2.3." - }, - { - "controlId": "pl.4" - }, - { - "subcontrolId": "pl.4.1." - }, - { - "controlId": "pl.8" - }, - { - "controlId": "ps.1" - }, - { - "controlId": "ps.2" - }, - { - "controlId": "ps.3" - }, - { - "controlId": "ps.4" - }, - { - "controlId": "ps.5" - }, - { - "controlId": "ps.6" - }, - { - "controlId": "ps.7" - }, - { - "controlId": "ps.8" - }, - { - "controlId": "ra.1" - }, - { - "controlId": "ra.2" - }, - { - "controlId": "ra.3" - }, - { - "controlId": "ra.5" - }, - { - "subcontrolId": "ra.5.1." - }, - { - "subcontrolId": "ra.5.2." - }, - { - "subcontrolId": "ra.5.5." - }, - { - "controlId": "sa.1" - }, - { - "controlId": "sa.2" - }, - { - "controlId": "sa.3" - }, - { - "controlId": "sa.4" - }, - { - "subcontrolId": "sa.4.1." - }, - { - "subcontrolId": "sa.4.2." - }, - { - "subcontrolId": "sa.4.9." - }, - { - "subcontrolId": "sa.4.10." - }, - { - "controlId": "sa.5" - }, - { - "controlId": "sa.8" - }, - { - "controlId": "sa.9" - }, - { - "subcontrolId": "sa.9.2." - }, - { - "controlId": "sa.10" - }, - { - "controlId": "sa.11" - }, - { - "controlId": "sc.1" - }, - { - "controlId": "sc.2" - }, - { - "controlId": "sc.4" - }, - { - "controlId": "sc.5" - }, - { - "controlId": "sc.7" - }, - { - "subcontrolId": "sc.7.3." - }, - { - "subcontrolId": "sc.7.4." - }, - { - "subcontrolId": "sc.7.5." - }, - { - "subcontrolId": "sc.7.7." - }, - { - "controlId": "sc.8" - }, - { - "subcontrolId": "sc.8.1." 
- }, - { - "controlId": "sc.10" - }, - { - "controlId": "sc.12" - }, - { - "controlId": "sc.13" - }, - { - "controlId": "sc.15" - }, - { - "controlId": "sc.17" - }, - { - "controlId": "sc.18" - }, - { - "controlId": "sc.19" - }, - { - "controlId": "sc.20" - }, - { - "controlId": "sc.21" - }, - { - "controlId": "sc.22" - }, - { - "controlId": "sc.23" - }, - { - "controlId": "sc.28" - }, - { - "controlId": "sc.39" - }, - { - "controlId": "si.1" - }, - { - "controlId": "si.2" - }, - { - "subcontrolId": "si.2.2." - }, - { - "controlId": "si.3" - }, - { - "subcontrolId": "si.3.1." - }, - { - "subcontrolId": "si.3.2." - }, - { - "controlId": "si.4" - }, - { - "subcontrolId": "si.4.2." - }, - { - "subcontrolId": "si.4.4." - }, - { - "subcontrolId": "si.4.5." - }, - { - "controlId": "si.5" - }, - { - "controlId": "si.7" - }, - { - "subcontrolId": "si.7.1." - }, - { - "subcontrolId": "si.7.7." - }, - { - "controlId": "si.8" - }, - { - "subcontrolId": "si.8.1." - }, - { - "subcontrolId": "si.8.2." 
- }, - { - "controlId": "si.10" - }, - { - "controlId": "si.11" - }, - { - "controlId": "si.12" - }, - { - "controlId": "si.16" - } - ] - }, - "paramSettings": [ - { - "paramId": "ac-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ac-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ac-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ac-2_a", - "desc": "organization-defined information system account types", - "value": "organization-defined information system account types" - }, - { - "paramId": "ac-2_b", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ac-2_c", - "desc": "organization-defined procedures or conditions", - "value": "organization-defined procedures or conditions" - }, - { - "paramId": "ac-2_d", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ac-2_e", - "desc": "organization-defined time period for each type of account", - "value": "organization-defined time period for each type of account" - }, - { - "paramId": "ac-2_f", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ac-2_g", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ac-4_a", - "desc": "organization-defined information flow control policies", - "value": "organization-defined information flow control policies" - }, - { - "paramId": "ac-5_a", - "desc": "organization-defined duties of individuals", - "value": "organization-defined duties of individuals" - }, - { - "paramId": "ac-6_a", - "desc": "organization-defined security functions (deployed in hardware, software, and firmware) and 
security-relevant information", - "value": "organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information" - }, - { - "paramId": "ac-6_b", - "desc": "organization-defined security functions or security-relevant information", - "value": "organization-defined security functions or security-relevant information" - }, - { - "paramId": "ac-6_e", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ac-7_a", - "desc": "organization-defined number", - "value": "organization-defined number" - }, - { - "paramId": "ac-7_b", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ac-7_c", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ac-7_d", - "desc": "organization-defined delay algorithm", - "value": "organization-defined delay algorithm" - }, - { - "paramId": "ac-8_a", - "desc": "organization-defined system use notification message or banner", - "value": "organization-defined system use notification message or banner" - }, - { - "paramId": "ac-8_b", - "desc": "organization-defined conditions", - "value": "organization-defined conditions" - }, - { - "paramId": "ac-11_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ac-12_a", - "desc": "organization-defined conditions or trigger events requiring session disconnect", - "value": "organization-defined conditions or trigger events requiring session disconnect" - }, - { - "paramId": "ac-14_a", - "desc": "organization-defined user actions", - "value": "organization-defined user actions" - }, - { - "paramId": "ac-17_a", - "desc": "organization-defined number", - "value": "organization-defined number" - }, - { - "paramId": "ac-17_b", - "desc": "organization-defined needs", - "value": "organization-defined 
needs" - }, - { - "paramId": "ac-19_c", - "desc": "organization-defined mobile devices", - "value": "organization-defined mobile devices" - }, - { - "paramId": "ac-21_a", - "desc": "organization-defined information sharing circumstances where user discretion is required", - "value": "organization-defined information sharing circumstances where user discretion is required" - }, - { - "paramId": "ac-21_b", - "desc": "organization-defined automated mechanisms or manual processes", - "value": "organization-defined automated mechanisms or manual processes" - }, - { - "paramId": "ac-22_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "at-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "at-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "at-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "at-2_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "at-3_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "at-4_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "au-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "au-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "au-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "au-2_a", - "desc": "organization-defined auditable events", - "value": "organization-defined auditable events" - }, - { - "paramId": "au-2_b", - "desc": "organization-defined 
audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event", - "value": "organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event" - }, - { - "paramId": "au-2_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "au-3_a", - "desc": "organization-defined additional, more detailed information", - "value": "organization-defined additional, more detailed information" - }, - { - "paramId": "au-4_a", - "desc": "organization-defined audit record storage requirements", - "value": "organization-defined audit record storage requirements" - }, - { - "paramId": "au-5_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "au-5_b", - "desc": "organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)", - "value": "organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)" - }, - { - "paramId": "au-6_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "au-6_b", - "desc": "organization-defined inappropriate or unusual activity", - "value": "organization-defined inappropriate or unusual activity" - }, - { - "paramId": "au-6_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "au-7_a", - "desc": "organization-defined audit fields within audit records", - "value": "organization-defined audit fields within audit records" - }, - { - "paramId": "au-8_a", - "desc": "organization-defined granularity of time measurement", - "value": 
"organization-defined granularity of time measurement" - }, - { - "paramId": "au-8_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "au-8_c", - "desc": "organization-defined authoritative time source", - "value": "organization-defined authoritative time source" - }, - { - "paramId": "au-8_d", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "au-9_b", - "desc": "organization-defined subset of privileged users", - "value": "organization-defined subset of privileged users" - }, - { - "paramId": "au-11_a", - "desc": "organization-defined time period consistent with records retention policy", - "value": "organization-defined time period consistent with records retention policy" - }, - { - "paramId": "au-12_a", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "au-12_b", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ca-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ca-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-2_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-2_b", - "desc": "organization-defined individuals or roles", - "value": "organization-defined individuals or roles" - }, - { - "paramId": "ca-2_c", - "desc": "organization-defined level of independence", - "value": "organization-defined level of independence" - }, - { - "paramId": "ca-3_a", - "desc": "organization-defined frequency", - "value": 
"organization-defined frequency" - }, - { - "paramId": "ca-3_h", - "desc": "organization-defined information systems", - "value": "organization-defined information systems" - }, - { - "paramId": "ca-5_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-6_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-7_a", - "desc": "organization-defined metrics", - "value": "organization-defined metrics" - }, - { - "paramId": "ca-7_b", - "desc": "organization-defined frequencies", - "value": "organization-defined frequencies" - }, - { - "paramId": "ca-7_c", - "desc": "organization-defined frequencies", - "value": "organization-defined frequencies" - }, - { - "paramId": "ca-7_d", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ca-7_e", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-7_f", - "desc": "organization-defined level of independence", - "value": "organization-defined level of independence" - }, - { - "paramId": "ca-9_a", - "desc": "organization-defined information system components or classes of components", - "value": "organization-defined information system components or classes of components" - }, - { - "paramId": "cm-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "cm-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-2_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-2_b", - "desc": "Assignment organization-defined circumstances", - "value": 
"Assignment organization-defined circumstances" - }, - { - "paramId": "cm-2_c", - "desc": "organization-defined previous versions of baseline configurations of the information system", - "value": "organization-defined previous versions of baseline configurations of the information system" - }, - { - "paramId": "cm-2_d", - "desc": "organization-defined information systems, system components, or devices", - "value": "organization-defined information systems, system components, or devices" - }, - { - "paramId": "cm-2_e", - "desc": "organization-defined configurations", - "value": "organization-defined configurations" - }, - { - "paramId": "cm-2_f", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "cm-3_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "cm-3_b", - "desc": "organization-defined configuration change control element (e.g., committee, board)", - "value": "organization-defined configuration change control element (e.g., committee, board)" - }, - { - "paramId": "cm-3_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-3_d", - "desc": "organization-defined configuration change conditions", - "value": "organization-defined configuration change conditions" - }, - { - "paramId": "cm-6_a", - "desc": "organization-defined security configuration checklists", - "value": "organization-defined security configuration checklists" - }, - { - "paramId": "cm-6_b", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "cm-6_c", - "desc": "organization-defined operational requirements", - "value": "organization-defined operational requirements" - }, - { - "paramId": "cm-7_a", - "desc": "organization-defined prohibited or restricted functions, ports, protocols, and/or 
services", - "value": "organization-defined prohibited or restricted functions, ports, protocols, and/or services" - }, - { - "paramId": "cm-7_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-7_c", - "desc": "organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure", - "value": "organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure" - }, - { - "paramId": "cm-7_d", - "desc": "organization-defined policies regarding software program usage and restrictions", - "value": "organization-defined policies regarding software program usage and restrictions" - }, - { - "paramId": "cm-8_a", - "desc": "organization-defined information deemed necessary to achieve effective information system component accountability", - "value": "organization-defined information deemed necessary to achieve effective information system component accountability" - }, - { - "paramId": "cm-8_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-8_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-8_d", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "cm-11_a", - "desc": "organization-defined policies", - "value": "organization-defined policies" - }, - { - "paramId": "cm-11_b", - "desc": "organization-defined methods", - "value": "organization-defined methods" - }, - { - "paramId": "cm-11_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "cp-1_b", - "desc": 
"organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-2_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "cp-2_b", - "desc": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements", - "value": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" - }, - { - "paramId": "cp-2_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-2_d", - "desc": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements", - "value": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" - }, - { - "paramId": "cp-2_e", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "cp-3_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "cp-3_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-4_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-4_b", - "desc": "organization-defined tests", - "value": "organization-defined tests" - }, - { - "paramId": "cp-7_a", - "desc": "organization-defined information system operations", - "value": "organization-defined information system operations" - }, - { - "paramId": "cp-7_b", - "desc": "organization-defined time period consistent with recovery time and recovery point objectives", - "value": "organization-defined time period consistent with recovery time and 
recovery point objectives" - }, - { - "paramId": "cp-8_a", - "desc": "organization-defined information system operations", - "value": "organization-defined information system operations" - }, - { - "paramId": "cp-8_b", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "cp-9_a", - "desc": "organization-defined frequency consistent with recovery time and recovery point objectives", - "value": "organization-defined frequency consistent with recovery time and recovery point objectives" - }, - { - "paramId": "cp-9_b", - "desc": "organization-defined frequency consistent with recovery time and recovery point objectives", - "value": "organization-defined frequency consistent with recovery time and recovery point objectives" - }, - { - "paramId": "cp-9_c", - "desc": "organization-defined frequency consistent with recovery time and recovery point objectives", - "value": "organization-defined frequency consistent with recovery time and recovery point objectives" - }, - { - "paramId": "cp-9_d", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ia-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ia-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ia-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ia-2_d", - "desc": "organization-defined strength of mechanism requirements", - "value": "organization-defined strength of mechanism requirements" - }, - { - "paramId": "ia-3_a", - "desc": "organization-defined specific and/or types of devices", - "value": "organization-defined specific and/or types of devices" - }, - { - "paramId": "ia-4_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or 
roles" - }, - { - "paramId": "ia-4_b", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ia-4_c", - "desc": "organization-defined time period of inactivity", - "value": "organization-defined time period of inactivity" - }, - { - "paramId": "ia-5_a", - "desc": "organization-defined time period by authenticator type", - "value": "organization-defined time period by authenticator type" - }, - { - "paramId": "ia-5_b", - "desc": "organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type", - "value": "organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type" - }, - { - "paramId": "ia-5_c", - "desc": "organization-defined number", - "value": "organization-defined number" - }, - { - "paramId": "ia-5_d", - "desc": "organization-defined numbers for lifetime minimum, lifetime maximum", - "value": "organization-defined numbers for lifetime minimum, lifetime maximum" - }, - { - "paramId": "ia-5_e", - "desc": "organization-defined number", - "value": "organization-defined number" - }, - { - "paramId": "ia-5_f", - "desc": "organization-defined types of and/or specific authenticators", - "value": "organization-defined types of and/or specific authenticators" - }, - { - "paramId": "ia-5_g", - "desc": "organization-defined registration authority", - "value": "organization-defined registration authority" - }, - { - "paramId": "ia-5_h", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ia-5_l", - "desc": "organization-defined token quality requirements", - "value": "organization-defined token quality requirements" - }, - { - "paramId": "ia-8_a", - "desc": 
"organization-defined information systems", - "value": "organization-defined information systems" - }, - { - "paramId": "ir-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ir-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ir-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ir-2_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ir-2_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ir-3_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ir-3_b", - "desc": "organization-defined tests", - "value": "organization-defined tests" - }, - { - "paramId": "ir-6_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ir-6_b", - "desc": "organization-defined authorities", - "value": "organization-defined authorities" - }, - { - "paramId": "ir-8_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ir-8_b", - "desc": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements", - "value": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements" - }, - { - "paramId": "ir-8_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ir-8_d", - "desc": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements", - "value": "organization-defined incident response personnel (identified by name and/or by role) 
and organizational elements" - }, - { - "paramId": "ma-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ma-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ma-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ma-2_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ma-2_b", - "desc": "organization-defined maintenance-related information", - "value": "organization-defined maintenance-related information" - }, - { - "paramId": "ma-6_a", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "ma-6_b", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "mp-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "mp-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "mp-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "mp-2_a", - "desc": "organization-defined types of digital and/or non-digital media", - "value": "organization-defined types of digital and/or non-digital media" - }, - { - "paramId": "mp-2_b", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "mp-3_a", - "desc": "organization-defined types of information system media", - "value": "organization-defined types of information system media" - }, - { - "paramId": "mp-3_b", - "desc": "organization-defined controlled areas", - "value": "organization-defined controlled areas" - }, 
- { - "paramId": "mp-4_a", - "desc": "organization-defined types of digital and/or non-digital media", - "value": "organization-defined types of digital and/or non-digital media" - }, - { - "paramId": "mp-4_b", - "desc": "organization-defined controlled areas", - "value": "organization-defined controlled areas" - }, - { - "paramId": "mp-5_a", - "desc": "organization-defined types of information system media", - "value": "organization-defined types of information system media" - }, - { - "paramId": "mp-5_b", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "mp-6_a", - "desc": "organization-defined information system media", - "value": "organization-defined information system media" - }, - { - "paramId": "mp-6_b", - "desc": "organization-defined sanitization techniques and procedures", - "value": "organization-defined sanitization techniques and procedures" - }, - { - "paramId": "mp-7_a", - "desc": "organization-defined types of information system media", - "value": "organization-defined types of information system media" - }, - { - "paramId": "mp-7_b", - "desc": "organization-defined information systems or system components", - "value": "organization-defined information systems or system components" - }, - { - "paramId": "mp-7_c", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "pe-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "pe-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-2_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-3_a", - "desc": 
"organization-defined entry/exit points to the facility where the information system resides", - "value": "organization-defined entry/exit points to the facility where the information system resides" - }, - { - "paramId": "pe-3_b", - "desc": "organization-defined physical access control systems/devices", - "value": "organization-defined physical access control systems/devices" - }, - { - "paramId": "pe-3_c", - "desc": "organization-defined entry/exit points", - "value": "organization-defined entry/exit points" - }, - { - "paramId": "pe-3_d", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "pe-3_e", - "desc": "organization-defined circumstances requiring visitor escorts and monitoring", - "value": "organization-defined circumstances requiring visitor escorts and monitoring" - }, - { - "paramId": "pe-3_f", - "desc": "organization-defined physical access devices", - "value": "organization-defined physical access devices" - }, - { - "paramId": "pe-3_g", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-3_h", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-4_a", - "desc": "organization-defined information system distribution and transmission lines", - "value": "organization-defined information system distribution and transmission lines" - }, - { - "paramId": "pe-4_b", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "pe-6_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-6_b", - "desc": "organization-defined events or potential indications of events", - "value": "organization-defined events or potential indications of events" - }, - { - "paramId": "pe-8_a", - "desc": "organization-defined time period", - "value": 
"organization-defined time period" - }, - { - "paramId": "pe-8_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-10_a", - "desc": "organization-defined location by information system or system component", - "value": "organization-defined location by information system or system component" - }, - { - "paramId": "pe-14_a", - "desc": "organization-defined acceptable levels", - "value": "organization-defined acceptable levels" - }, - { - "paramId": "pe-14_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-16_a", - "desc": "organization-defined types of information system components", - "value": "organization-defined types of information system components" - }, - { - "paramId": "pe-17_a", - "desc": "organization-defined security controls", - "value": "organization-defined security controls" - }, - { - "paramId": "pl-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "pl-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pl-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pl-2_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "pl-2_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pl-2_c", - "desc": "organization-defined individuals or groups", - "value": "organization-defined individuals or groups" - }, - { - "paramId": "pl-4_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pl-8_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-1_a", - "desc": 
"organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ps-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-2_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-3_a", - "desc": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening", - "value": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening" - }, - { - "paramId": "ps-4_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ps-4_b", - "desc": "organization-defined information security topics", - "value": "organization-defined information security topics" - }, - { - "paramId": "ps-4_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ps-4_d", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ps-5_a", - "desc": "organization-defined transfer or reassignment actions", - "value": "organization-defined transfer or reassignment actions" - }, - { - "paramId": "ps-5_b", - "desc": "organization-defined time period following the formal transfer action", - "value": "organization-defined time period following the formal transfer action" - }, - { - "paramId": "ps-5_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ps-5_d", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ps-6_a", - "desc": 
"organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-6_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ps-7_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ps-7_b", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ps-8_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ps-8_b", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ra-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ra-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ra-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ra-3_a", - "desc": "organization-defined document", - "value": "organization-defined document" - }, - { - "paramId": "ra-3_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ra-3_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ra-3_d", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ra-5_a", - "desc": "organization-defined frequency and/or randomly in accordance with organization-defined process", - "value": "organization-defined frequency and/or randomly in accordance with organization-defined process" - }, - { - "paramId": "ra-5_b", - "desc": "organization-defined response times", - "value": "organization-defined response times" - }, - { - "paramId": 
"ra-5_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ra-5_d", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ra-5_f", - "desc": "organization-identified information system components", - "value": "organization-identified information system components" - }, - { - "paramId": "ra-5_g", - "desc": "organization-defined vulnerability scanning activities", - "value": "organization-defined vulnerability scanning activities" - }, - { - "paramId": "sa-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "sa-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "sa-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "sa-3_a", - "desc": "organization-defined system development life cycle", - "value": "organization-defined system development life cycle" - }, - { - "paramId": "sa-4_a", - "desc": "organization-defined design/implementation information", - "value": "organization-defined design/implementation information" - }, - { - "paramId": "sa-4_b", - "desc": "organization-defined level of detail", - "value": "organization-defined level of detail" - }, - { - "paramId": "sa-5_a", - "desc": "organization-defined actions", - "value": "organization-defined actions" - }, - { - "paramId": "sa-5_b", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "sa-9_a", - "desc": "organization-defined security controls", - "value": "organization-defined security controls" - }, - { - "paramId": "sa-9_b", - "desc": "organization-defined processes, methods, and techniques", - "value": "organization-defined processes, methods, and techniques" - }, - { - "paramId": "sa-9_d", 
- "desc": "organization-defined external information system services", - "value": "organization-defined external information system services" - }, - { - "paramId": "sa-10_a", - "desc": "organization-defined configuration items under configuration management", - "value": "organization-defined configuration items under configuration management" - }, - { - "paramId": "sa-10_b", - "desc": "organization-defined personnel", - "value": "organization-defined personnel" - }, - { - "paramId": "sa-11_a", - "desc": "organization-defined depth and coverage", - "value": "organization-defined depth and coverage" - }, - { - "paramId": "sc-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "sc-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "sc-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "sc-5_a", - "desc": "organization-defined types of denial of service attacks or references to sources for such information", - "value": "organization-defined types of denial of service attacks or references to sources for such information" - }, - { - "paramId": "sc-5_b", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "sc-7_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "sc-8_a", - "desc": "organization-defined alternative physical safeguards", - "value": "organization-defined alternative physical safeguards" - }, - { - "paramId": "sc-10_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "sc-12_a", - "desc": "organization-defined requirements for key generation, distribution, storage, access, and destruction", - "value": "organization-defined requirements for key 
generation, distribution, storage, access, and destruction" - }, - { - "paramId": "sc-13_a", - "desc": "organization-defined cryptographic uses and type of cryptography required for each use", - "value": "organization-defined cryptographic uses and type of cryptography required for each use" - }, - { - "paramId": "sc-15_a", - "desc": "organization-defined exceptions where remote activation is to be allowed", - "value": "organization-defined exceptions where remote activation is to be allowed" - }, - { - "paramId": "sc-17_a", - "desc": "organization-defined certificate policy", - "value": "organization-defined certificate policy" - }, - { - "paramId": "sc-28_a", - "desc": "organization-defined information at rest", - "value": "organization-defined information at rest" - }, - { - "paramId": "si-1_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "si-1_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-1_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-2_a", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "si-2_b", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-3_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-3_b", - "desc": "organization-defined action", - "value": "organization-defined action" - }, - { - "paramId": "si-4_a", - "desc": "organization-defined monitoring objectives", - "value": "organization-defined monitoring objectives" - }, - { - "paramId": "si-4_b", - "desc": "organization-defined techniques and methods", - "value": "organization-defined techniques and methods" - }, - { - "paramId": "si-4_c", - "desc": "organization-defined information 
system monitoring information", - "value": "organization-defined information system monitoring information" - }, - { - "paramId": "si-4_d", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "si-4_e", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-4_f", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-4_g", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "si-4_h", - "desc": "organization-defined compromise indicators", - "value": "organization-defined compromise indicators" - }, - { - "paramId": "si-5_a", - "desc": "organization-defined external organizations", - "value": "organization-defined external organizations" - }, - { - "paramId": "si-5_b", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "si-5_c", - "desc": "organization-defined elements within the organization", - "value": "organization-defined elements within the organization" - }, - { - "paramId": "si-5_d", - "desc": "organization-defined external organizations", - "value": "organization-defined external organizations" - }, - { - "paramId": "si-7_a", - "desc": "organization-defined software, firmware, and information", - "value": "organization-defined software, firmware, and information" - }, - { - "paramId": "si-7_b", - "desc": "organization-defined software, firmware, and information", - "value": "organization-defined software, firmware, and information" - }, - { - "paramId": "si-7_c", - "desc": "organization-defined transitional states or security-relevant events", - "value": "organization-defined transitional states or security-relevant events" - }, - { - "paramId": "si-7_d", - "desc": "organization-defined frequency", - "value": 
"organization-defined frequency" - }, - { - "paramId": "si-7_g", - "desc": "organization-defined security-relevant changes to the information system", - "value": "organization-defined security-relevant changes to the information system" - }, - { - "paramId": "si-10_a", - "desc": "organization-defined information inputs", - "value": "organization-defined information inputs" - }, - { - "paramId": "si-11_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "si-16_a", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - } - ], - "alterations": [ - { - "controlId": "ac.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-1 (b) (1) [at least every 3 years] AC-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-2 (j) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.2.1.", - "augment": true - }, - { - "subcontrolId": "ac.2.2.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-2 (2) [no more than 30 days for temporary and emergency account types]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.2.3.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-2 (3) [90 days for user accounts]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.2.4.", - "augment": true - }, - { - "controlId": "ac.3", - "augment": true - }, - { - "controlId": "ac.4", - "augment": true - }, - { - "controlId": "ac.5", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eAC-5 Additional FedRAMP Requirements and Guidance: Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.\u003c/p\u003e" - ] 
- } - ] - } - }, - { - "controlId": "ac.6", - "augment": true - }, - { - "subcontrolId": "ac.6.1.", - "augment": true - }, - { - "subcontrolId": "ac.6.2.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-6 (2) [all security functions]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAC-6 (2) Guidance: Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.6.5.", - "augment": true - }, - { - "subcontrolId": "ac.6.9.", - "augment": true - }, - { - "subcontrolId": "ac.6.10.", - "augment": true - }, - { - "controlId": "ac.7", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-7(a) [not more than three] [fifteen minutes] AC-7(b) [locks the account/node for thirty minutes]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.8", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-8 (a) [see additional Requirements and Guidance] AC-8 (c) [see additional Requirements and Guidance]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAC-8 Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB. AC-08 Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB. 
AC-8 Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided. AC-8 Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.11", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-11(a) [fifteen minutes]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.11.1.", - "augment": true - }, - { - "controlId": "ac.12", - "augment": true - }, - { - "controlId": "ac.14", - "augment": true - }, - { - "controlId": "ac.17", - "augment": true - }, - { - "subcontrolId": "ac.17.1.", - "augment": true - }, - { - "subcontrolId": "ac.17.2.", - "augment": true - }, - { - "subcontrolId": "ac.17.3.", - "augment": true - }, - { - "subcontrolId": "ac.17.4.", - "augment": true - }, - { - "controlId": "ac.18", - "augment": true - }, - { - "subcontrolId": "ac.18.1.", - "augment": true - }, - { - "controlId": "ac.19", - "augment": true - }, - { - "subcontrolId": "ac.19.5.", - "augment": true - }, - { - "controlId": "ac.20", - "augment": true - }, - { - "subcontrolId": "ac.20.1.", - "augment": true - }, - { - "subcontrolId": "ac.20.2.", - "augment": true - }, - { - "controlId": "ac.21", - "augment": true - }, - { - "controlId": "ac.22", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-22 (d) [at least quarterly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "at.1", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "SECURITY AWARENESS AND TRAINING POLICY ANDPROCEDURES" - } - ], - "parts": [ - { - "class": "parameters", - "prose": [ - 
"\u003cp\u003eAT-1 (b) (1) [at least every 3 years] AT-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "at.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAT-2(c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "at.2.2.", - "augment": true - }, - { - "controlId": "at.3", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAT-3 (c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "at.4", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAT-4 (b) [At least one year]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-1 (b) (1) [at least every 3 years] AU-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-2 (a) [Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes] AU-2 (d) [organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAU-2 Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.2.3.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-2 (3) [annually or whenever there is a change in the threat environment]\u003c/p\u003e" - ] - }, - { - "class": "additional", - 
"prose": [ - "\u003cp\u003eAU-2 (3) Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.3", - "augment": true - }, - { - "subcontrolId": "au.3.1.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-3 (1) [Assignment: organization-defined additional, more detailed information] Parameter: [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAU-3 (1). Requirement: The service provider defines audit record types. The audit record types are approved and accepted by the JAB/AO. Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.4", - "augment": true - }, - { - "controlId": "au.5", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-5 (b) [organization-defined actions to be taken (overwrite oldest record)\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.6", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-6 (a)-1 [at least weekly]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAU-6 Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. 
In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.6.1.", - "augment": true - }, - { - "subcontrolId": "au.6.3.", - "augment": true - }, - { - "controlId": "au.7", - "augment": true - }, - { - "subcontrolId": "au.7.1.", - "augment": true - }, - { - "controlId": "au.8", - "augment": true - }, - { - "subcontrolId": "au.8.1.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-8 (1) [http://tfnistgov/tf-cgi/serverscgi] [At least hourly]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAU-8 (1) Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server. AU-8 (1) Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server. AU-8 (1) Guidance: Synchronization of system clocks improves the accuracy of log analysis.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.9", - "augment": true - }, - { - "subcontrolId": "au.9.4.", - "augment": true - }, - { - "controlId": "au.11", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-11 [at least ninety days]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eAU-11. 
Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "au.12", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-12 (a) [all information system and network components where audit capability is deployed/available]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-1 (b) (1) [at least every 3 years] CA-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-2 (b) [at least annually] CA-2 (d) [individuals or roles to include FedRAMP PMO]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ca.2.1.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-2(1) Requirement: Must use an accredited 3PAO for JAB authorization\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.3", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-3 (c) [at least annually and on input from FedRAMP]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ca.3.5.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-3 (5) For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.5", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-5 (b) [at least monthly]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-5 Guidance: Requirement: POA\u0026amp;Ms must be provided at least monthly.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.6", - 
"augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-6 (c) [at least every three years or when a significant change occurs]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-6c. Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.7", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-7 (g) [To meet Federal and FedRAMP requirements]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-7 Requirement: Operating System Scans: at least monthly Database and Web Application Scans: at least monthly All scans performed by Independent Assessor: at least annually CA-7 Guidance: CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA\u0026amp;M updates. 
Operating System Scans: at least monthly Database and Web Application Scans: at least monthly All scans performed by Independent Assessor: at least annually\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ca.7.1.", - "augment": true - }, - { - "controlId": "ca.9", - "augment": true - }, - { - "controlId": "cm.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-1 (b) (1) [at least every 3 years] CM-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.2", - "augment": true - }, - { - "subcontrolId": "cm.2.1.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-2 (1) (a) [at least annually or when a significant change occurs] CM-2 (1) (b) [to include when directed by the JAB]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.2.3.", - "augment": true - }, - { - "subcontrolId": "cm.2.7.", - "augment": true - }, - { - "controlId": "cm.3", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eCM-3 Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). 
The means of communication are approved and accepted by the JAB/AO.\u003c/p\u003e", - "\u003cp\u003eCM-3e Guidance: In accordance with record retention policies and procedures.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.4", - "augment": true - }, - { - "controlId": "cm.5", - "augment": true - }, - { - "controlId": "cm.6", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-6 (a) [United States Government Configuration Baseline (USGCB)]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCM-6 (a) Requirement 1: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. CM-6 (a) Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available). CM-6 (a) Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.7", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-7 (b) [United States Government Configuration Baseline (USGCB)]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCM-7 (b) Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. CM-7. Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc. 
(Partially derived from AC-17(8).)\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.7.1.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-7 (1) (a) [at least monthly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.7.2.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eCM-7(2) Guidance: This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cm.8", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-8 (b) [at least monthly]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCM-8 Requirement: must be provided at least monthly or when there is a change.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.8.1.", - "augment": true - }, - { - "subcontrolId": "cm.8.3.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-8 (3) (a) [Continuously, using automated mechanisms with a maximum five-minute delay in detection]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.8.5.", - "augment": true - }, - { - "controlId": "cm.9", - "augment": true - }, - { - "controlId": "cm.10", - "augment": true - }, - { - "controlId": "cm.11", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-11 (c) [Continuously (via CM-7 (5))]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-1 (b)(1) [at least every 3 years] CP-1 (b)(2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.2", - "augment": { - "parts": [ - { - "class": "parameters", - 
"prose": [ - "\u003cp\u003eCP-2 (d) [at least annually]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCP-2 Requirement: For JAB authorizations the contingency lists include designated FedRAMP personnel.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.2.1.", - "augment": true - }, - { - "subcontrolId": "cp.2.3.", - "augment": true - }, - { - "subcontrolId": "cp.2.8.", - "augment": true - }, - { - "controlId": "cp.3", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-3 (a) [10 days] CP-3 (c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.4", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-4 (a)-1 [at least annually for moderate impact systems; at least every three years for low impact systems] CP-4 (a)-2 [functional exercises for moderate impact systems; classroom exercises/table top written tests for low impact systems]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCP-4 (a). Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.4.1.", - "augment": true - }, - { - "controlId": "cp.6", - "augment": true - }, - { - "subcontrolId": "cp.6.1.", - "augment": true - }, - { - "subcontrolId": "cp.6.3.", - "augment": true - }, - { - "controlId": "cp.7", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eCP-7 (a). 
Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.7.1.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eCP-7 (1) Guidance: The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.7.2.", - "augment": true - }, - { - "subcontrolId": "cp.7.3.", - "augment": true - }, - { - "controlId": "cp.8", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eCP-8 Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.8.1.", - "augment": true - }, - { - "subcontrolId": "cp.8.2.", - "augment": true - }, - { - "controlId": "cp.9", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-9 (a) [daily incremental; weekly full] CP-9 (b) [daily incremental; weekly full] CP-9 (c) [daily incremental; weekly full]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCP-9 Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check. CP-9 (a) Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative. 
CP-9 (b) Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative. CP-9 (c) Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.9.1.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCP-9 (1) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "cp.10", - "augment": true - }, - { - "subcontrolId": "cp.10.2.", - "augment": true - }, - { - "controlId": "ia.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-1 (b) (1) [at least every 3 years] IA-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ia.2", - "augment": true - }, - { - "subcontrolId": "ia.2.1.", - "augment": true - }, - { - "subcontrolId": "ia.2.2.", - "augment": true - }, - { - "subcontrolId": "ia.2.3.", - "augment": true - }, - { - "subcontrolId": "ia.2.8.", - "augment": true - }, - { - "subcontrolId": "ia.2.11.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-2 (11) [FIPS 140-2, NIAP Certification, or NSA approval]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIA-2 (11) Guidance: PIV=separate device. 
Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.2.12.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eIA-2 (12) Guidance: Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ia.3", - "augment": true - }, - { - "controlId": "ia.4", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-4 (d) [at least two years] IA-4 (e) [ninety days for user identifiers] (See additional requirements and guidance)\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIA-4 (e) Requirement: The service provider defines time period of inactivity for device identifiers. Guidance: For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ia.5", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-5 (g) [to include sixty days for passwords]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.5.1.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-5 (1) (a) [case sensitive, minimum of twelve characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters] IA-5 (1) (b) [at least one] IA-5 (1) (d) [one day minimum, sixty day maximum] IA-5 (1) (e) [twenty four]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.5.2.", - "augment": true - }, - { - "subcontrolId": "ia.5.3.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-5 (3)-1 [All hardware/biometric (multifactor authenticators] IA-5 (3)-2 [in person]\u003c/p\u003e" - ] - } - ] - } - }, - { - 
"subcontrolId": "ia.5.11.", - "augment": true - }, - { - "controlId": "ia.6", - "augment": true - }, - { - "controlId": "ia.7", - "augment": true - }, - { - "controlId": "ia.8", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "IDENTIFICATION AND AUTHENTICATION (NON- ORGANIZATIONAL USERS)" - } - ] - } - }, - { - "subcontrolId": "ia.8.1.", - "augment": true - }, - { - "subcontrolId": "ia.8.2.", - "augment": true - }, - { - "subcontrolId": "ia.8.3.", - "augment": true - }, - { - "subcontrolId": "ia.8.4.", - "augment": true - }, - { - "controlId": "ir.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIR-1 (b) (1) [at least every 3 years] IR-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ir.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIR-2 (c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ir.3", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIR-3-1 [at least annually] IR-3-2 [see additional FedRAMP Requirements and Guidance]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIR-3-2 Requirement 1: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). IR-3-2 Requirement 2: For JAB Authorization, the service provider provides test plans to the JAB/AO annually. 
IR-3-2 Requirement 3: Test plans are approved and accepted by the Authorizing Official (AO) prior to test commencing.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.3.2.", - "augment": true - }, - { - "controlId": "ir.4", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eIR-4 Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.4.1.", - "augment": true - }, - { - "controlId": "ir.5", - "augment": true - }, - { - "controlId": "ir.6", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIR-6 (a) [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIR-6 Requirement: Reports security incident information according to FedRAMP Incident Communications Procedure.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ir.6.1.", - "augment": true - }, - { - "controlId": "ir.7", - "augment": true - }, - { - "subcontrolId": "ir.7.1.", - "augment": true - }, - { - "controlId": "ir.8", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIR-8 (b) [see additional FedRAMP Requirements and Guidance] IR-8 (c) [at least annually] IR-8 (e) [see additional FedRAMP Requirements and Guidance]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eIR-8 (b) Additional FedRAMP Requirements and Guidance: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel. 
IR-8 (e) Additional FedRAMP Requirements and Guidance: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ma.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMA-1 (b) (1) [at least every 3 years] MA-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ma.2", - "augment": true - }, - { - "controlId": "ma.3", - "augment": true - }, - { - "subcontrolId": "ma.3.1.", - "augment": true - }, - { - "subcontrolId": "ma.3.2.", - "augment": true - }, - { - "controlId": "ma.4", - "augment": true - }, - { - "subcontrolId": "ma.4.2.", - "augment": true - }, - { - "controlId": "ma.5", - "augment": true - }, - { - "controlId": "ma.6", - "augment": true - }, - { - "controlId": "mp.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMP-1 (b) (1) [at least every 3 years] MP-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "mp.2", - "augment": true - }, - { - "controlId": "mp.3", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMP-3 (b) [no removable media types]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eMP-3 (b) Guidance: Second parameter not-applicable\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "mp.4", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMP-4 (a)-1 [all types of digital and non-digital media with sensitive information] MP-4 (a)-2 [FedRAMP Assignment: see additional FedRAMP requirements and guidance]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eMP-4 (a) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines controlled areas within 
facilities where the information and information system reside.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "mp.5", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMP-5 (a) [all media with sensitive information] [prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eMP-5 (a) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "mp.5.4.", - "augment": true - }, - { - "controlId": "mp.6", - "augment": true - }, - { - "controlId": "mp.7", - "augment": true - }, - { - "subcontrolId": "mp.7.1.", - "augment": true - }, - { - "controlId": "pe.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-1 (b) (1) [at least every 3 years] PE-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-2 (c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.3", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-3 (a) (2) [CSP defined physical access control systems/devices AND guards] PE-3 (d) [in all circumstances within restricted access area where the information system resides] PE-3 (f) [at least annually] PE-3 (g) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.4", - "augment": true - }, - { - "controlId": "pe.5", - "augment": true - }, - { - "controlId": "pe.6", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-6 
(b) [at least monthly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "pe.6.1.", - "augment": true - }, - { - "controlId": "pe.8", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-8 (a) [for a minimum of one year] PE-8 (b) [at least monthly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.9", - "augment": true - }, - { - "controlId": "pe.10", - "augment": true - }, - { - "controlId": "pe.11", - "augment": true - }, - { - "controlId": "pe.12", - "augment": true - }, - { - "controlId": "pe.13", - "augment": true - }, - { - "subcontrolId": "pe.13.3.", - "augment": true - }, - { - "controlId": "pe.14", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-14 (a) [consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments] PE-14 (b) [continuously]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003ePE-14 (a). 
Requirements: The service provider measures temperature at server inlets and humidity levels by dew point.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.15", - "augment": true - }, - { - "controlId": "pe.16", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePE-16 [all information system components]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pe.17", - "augment": true - }, - { - "controlId": "pl.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePL-1 (b) (1) [at least every 3 years] PL-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "pl.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePL-2 (c) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "pl.2.3.", - "augment": true - }, - { - "controlId": "pl.4", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePL-4 (c) [At least every 3 years]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "pl.4.1.", - "augment": true - }, - { - "controlId": "pl.8", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePL-8 (b) [At least annually or when a significant change occurs]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003ePL-8 (b) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-1 (b) (1) [at least every 3 years] PS-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-2 (c) [at least every three years]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.3", - "augment": { - 
"parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-3 (b) [for national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year There is no reinvestigation for other moderate risk positions or any low risk positions]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.4", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-4 (a) [same day]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.5", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-5 (d)-2 [five days of the time period following the formal transfer action (DoD 24 hours)]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.6", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-6 (b) [at least annually] PS-6 (c) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.7", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-7 (d)-2 [organization-defined time period – same day]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ps.8", - "augment": true - }, - { - "controlId": "ra.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eRA-1 (b) (1) [at least every 3 years] RA-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ra.2", - "augment": true - }, - { - "controlId": "ra.3", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eRA-3 (b) [security assessment report] RA-3 (c) [at least every three (3) years or when a significant change occurs] RA-3 (e) [at least every three (3) years or when a significant change 
occurs]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eRA-3 Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. RA-3 (d) Requirement: Include all Authoring Officials and FedRAMP ISSOs.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ra.5", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eRA-5 (a) [monthly operating system/infrastructure; monthly web applications and databases] RA-5 (d) [high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eRA-5 (a) Requirement: an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually. RA-5 (e) Requirement: to include the Risk Executive; for JAB authorizations to include FedRAMP\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ra.5.1.", - "augment": true - }, - { - "subcontrolId": "ra.5.2.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eRA-5 (2) [prior to a new scan]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ra.5.5.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eRA-5 (5)-1 [operating systems / web applications / databases] RA-5 (5)-2 [all scans]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-1 (b) (1) [at least every 3 years] SA-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.2", - "augment": true - }, - { - "controlId": "sa.3", - "augment": true - }, - { - "controlId": "sa.4", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eSA-4 Guidance: The use of Common Criteria 
(ISO/IEC 15408) evaluated products is strongly preferred. See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.4.1.", - "augment": true - }, - { - "subcontrolId": "sa.4.2.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-4 (2)-1 [to include security-relevant external system interfaces and high-level design]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.4.9.", - "augment": true - }, - { - "subcontrolId": "sa.4.10.", - "augment": true - }, - { - "controlId": "sa.5", - "augment": true - }, - { - "controlId": "sa.8", - "augment": true - }, - { - "controlId": "sa.9", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-9 (a) [FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system] SA-9 (c) [Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.9.2.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-9 (2) [All external systems where Federal information is processed or stored]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.10", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-10 (a) [development, implementation, AND operation]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eSA-10 (e) Requirement: for JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sa.11", - "augment": true - }, - { - "controlId": "sc.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - 
"\u003cp\u003eSC-1 (b) (1) [at least every 3 years] SC-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.2", - "augment": true - }, - { - "controlId": "sc.4", - "augment": true - }, - { - "controlId": "sc.5", - "augment": true - }, - { - "controlId": "sc.7", - "augment": true - }, - { - "subcontrolId": "sc.7.3.", - "augment": true - }, - { - "subcontrolId": "sc.7.4.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-7 (4) (e) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.7.5.", - "augment": true - }, - { - "subcontrolId": "sc.7.7.", - "augment": true - }, - { - "controlId": "sc.8", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-8 [confidentiality AND integrity]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.8.1.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-8 (1)-1 [prevent unauthorized disclosure of information AND detect changes to information] SC-8 (1)-1 [a hardened or alarmed carrier Protective Distribution System (PDS)]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.10", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-10 [no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.12", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eSC-12 Guidance: Federally approved cryptography\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.13", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-13 [FIPS-validated or NSA-approved cryptography]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.15", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-15 (a) [no 
exceptions]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eSC-15 Additional FedRAMP Requirements and Guidance: Requirement: The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.17", - "augment": true - }, - { - "controlId": "sc.18", - "augment": true - }, - { - "controlId": "sc.19", - "augment": true - }, - { - "controlId": "sc.20", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "SECURE NAME /ADDRESS RESOLUTION SERVICE\n(AUTHORITATIVE SOURCE)" - } - ] - } - }, - { - "controlId": "sc.21", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "SECURE NAME /ADDRESS RESOLUTION SERVICE\n(RECURSIVE OR CACHING RESOLVER)" - } - ] - } - }, - { - "controlId": "sc.22", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "ARCHITECTURE AND PROVISIONING FOR\nNAME/ADDRESS RESOLUTION SERVICE" - } - ] - } - }, - { - "controlId": "sc.23", - "augment": true - }, - { - "controlId": "sc.28", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-28 [confidentiality AND integrity]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eSC-28 Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.39", - "augment": true - }, - { - "controlId": "si.1", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-1 (b) (1) [at least every 3 years] SI-1 (b) (2) [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.2", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-2 (c) [within 30 days of release of updates]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.2.2.", 
- "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-2 (2) [at least monthly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.3", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-3 (c) (1)-1 [at least weekly] SI-3 (c) (1)-2 [to include endpoints] SI-3 (c) (2) [to include alerting administrator or defined security personnel]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.3.1.", - "augment": true - }, - { - "subcontrolId": "si.3.2.", - "augment": true - }, - { - "controlId": "si.4", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eSI-4 Guidance: See US-CERT Incident Response Reporting Guidelines.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.4.2.", - "augment": true - }, - { - "subcontrolId": "si.4.4.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-4 (4) [continuously]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.4.5.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eSI-4 (5) Guidance: In accordance with the incident response plan.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.5", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-5 (a) [to include US-CERT] SI-5 (c) [to include system security personnel and administrators with configuration/patch-management responsibilities]\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "si.7", - "augment": true - }, - { - "subcontrolId": "si.7.1.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-7 (1) [Selection to include security relevant events and at least monthly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "si.7.7.", - "augment": true - }, - { - "controlId": "si.8", - "augment": true - }, - { - "subcontrolId": "si.8.1.", - "augment": true - }, - { - "subcontrolId": 
"si.8.2.", - "augment": true - }, - { - "controlId": "si.10", - "augment": true - }, - { - "controlId": "si.11", - "augment": true - }, - { - "controlId": "si.12", - "augment": true - }, - { - "controlId": "si.16", - "augment": true - } - ] - }, - { - "href": "../SP800-53/SP800-53-HIGH-baseline.json", - "include": { - "calls": [ - { - "subcontrolId": "ac.2.5." - }, - { - "subcontrolId": "ac.2.12." - }, - { - "controlId": "ac.10" - }, - { - "subcontrolId": "au.9.2." - }, - { - "subcontrolId": "ca.2.2." - }, - { - "controlId": "ca.8" - }, - { - "subcontrolId": "cm.2.2." - }, - { - "subcontrolId": "cm.5.1." - }, - { - "subcontrolId": "cm.5.3." - }, - { - "subcontrolId": "cm.6.1." - }, - { - "subcontrolId": "cm.7.5." - }, - { - "subcontrolId": "cp.2.2." - }, - { - "subcontrolId": "cp.9.3." - }, - { - "subcontrolId": "ma.3.3." - }, - { - "subcontrolId": "ma.5.1." - }, - { - "subcontrolId": "mp.6.2." - }, - { - "subcontrolId": "pe.13.2." - }, - { - "subcontrolId": "sc.7.8." - }, - { - "subcontrolId": "sc.7.18." 
- }, - { - "controlId": "si.6" - } - ] - }, - "paramSettings": [ - { - "paramId": "ac-2_h", - "desc": "organization-defined time-period of expected inactivity or description of when to log out", - "value": "organization-defined time-period of expected inactivity or description of when to log out" - }, - { - "paramId": "ac-2_o", - "desc": "organization-defined atypical usage", - "value": "organization-defined atypical usage" - }, - { - "paramId": "ac-2_p", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ac-10_a", - "desc": "organization-defined account and/or account type", - "value": "organization-defined account and/or account type" - }, - { - "paramId": "ac-10_b", - "desc": "organization-defined number", - "value": "organization-defined number" - }, - { - "paramId": "au-9_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-2_d", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-2_e", - "desc": "organization-defined other forms of security assessment", - "value": "organization-defined other forms of security assessment" - }, - { - "paramId": "ca-8_a", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ca-8_b", - "desc": "organization-defined information systems or system components", - "value": "organization-defined information systems or system components" - }, - { - "paramId": "cm-5_c", - "desc": "organization-defined software and firmware components", - "value": "organization-defined software and firmware components" - }, - { - "paramId": "cm-6_d", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "cm-7_h", - "desc": "organization-defined software programs authorized to execute on the information 
system", - "value": "organization-defined software programs authorized to execute on the information system" - }, - { - "paramId": "cm-7_i", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cp-9_e", - "desc": "organization-defined critical information system software and other security-related information", - "value": "organization-defined critical information system software and other security-related information" - }, - { - "paramId": "ma-3_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "mp-6_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "pe-13_c", - "desc": "organization-defined emergency responders", - "value": "organization-defined emergency responders" - }, - { - "paramId": "sc-7_b", - "desc": "organization-defined internal communications traffic", - "value": "organization-defined internal communications traffic" - }, - { - "paramId": "sc-7_c", - "desc": "organization-defined external networks", - "value": "organization-defined external networks" - }, - { - "paramId": "si-6_a", - "desc": "organization-defined security functions", - "value": "organization-defined security functions" - }, - { - "paramId": "si-6_b", - "desc": "organization-defined system transitional states", - "value": "organization-defined system transitional states" - }, - { - "paramId": "si-6_c", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "si-6_d", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "si-6_e", - "desc": "organization-defined alternative action(s)", - "value": "organization-defined alternative action(s)" - } - ], - "alterations": [ - { - "subcontrolId": "ac.2.5.", - "augment": { - "parts": [ - { - "class": "additional", - 
"prose": [ - "\u003cp\u003eAC-2(5) should use a shorter timeframe than AC-12.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.2.12.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eAC-2 (12)(a) and AC-2 (12)(b) Additional FedRAMP Requirements and Guidance: Required for privileged accounts.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ac.10", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-10 [three (3) sessions for privileged access and two (2) sessions for non-privileged access]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "au.9.2.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAU-9 (2) [at least weekly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ca.2.2.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-2 (2) [at least annually]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-2 (2) Requirement: To include 'announced', 'vulnerability scanning'\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "ca.8", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-8-1 [at least annually]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.2.2.", - "augment": true - }, - { - "subcontrolId": "cm.5.1.", - "augment": true - }, - { - "subcontrolId": "cm.5.3.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eCM-5 (3) Guidance: If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) 
can be utilized.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.6.1.", - "augment": true - }, - { - "subcontrolId": "cm.7.5.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-7(5) (c) [ at least Annually or when there is a change]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cp.2.2.", - "augment": true - }, - { - "subcontrolId": "cp.9.3.", - "augment": true - }, - { - "subcontrolId": "ma.3.3.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMA-3 (3) (d) [the information owner explicitly authorizing removal of the equipment from the facility]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ma.5.1.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eMA-5 (1) Requirement: Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "mp.6.2.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eMP-6 (2) [At least annually]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eMP-6 (2) Guidance: Equipment and procedures may be tested or validated for effectiveness\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "pe.13.2.", - "augment": true - }, - { - "subcontrolId": "sc.7.8.", - "augment": true - }, - { - "subcontrolId": "sc.7.18.", - "augment": true - }, - { - "controlId": "si.6", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSI-6 (b) [to include upon system startup and/or restart and at least monthly] SI-6 (c) [to include system administrators and security personnel] SI-6 (d) [to include notification of system administrators and security personnel]\u003c/p\u003e" - ] - } - ] - } - } - ] - }, - { - "href": "../SP800-53/SP800-53-rev4-catalog.json", - "include": { - "calls": [ - { - "subcontrolId": "ac.2.7." - }, - { - "subcontrolId": "ac.2.9." 
- }, - { - "subcontrolId": "ac.2.10." - }, - { - "subcontrolId": "ac.4.21." - }, - { - "subcontrolId": "ac.17.9." - }, - { - "subcontrolId": "ca.2.3." - }, - { - "subcontrolId": "ca.3.3." - }, - { - "subcontrolId": "ca.8.1." - }, - { - "subcontrolId": "cm.5.5." - }, - { - "subcontrolId": "cm.10.1." - }, - { - "subcontrolId": "ia.2.5." - }, - { - "subcontrolId": "ia.4.4." - }, - { - "subcontrolId": "ia.5.4." - }, - { - "subcontrolId": "ia.5.6." - }, - { - "subcontrolId": "ia.5.7." - }, - { - "subcontrolId": "ir.7.2." - }, - { - "controlId": "ir.9" - }, - { - "subcontrolId": "ir.9.1." - }, - { - "subcontrolId": "ir.9.2." - }, - { - "subcontrolId": "ir.9.3." - }, - { - "subcontrolId": "ir.9.4." - }, - { - "subcontrolId": "pe.14.2." - }, - { - "subcontrolId": "ps.3.3." - }, - { - "subcontrolId": "ra.5.3." - }, - { - "subcontrolId": "ra.5.6." - }, - { - "subcontrolId": "ra.5.8." - }, - { - "subcontrolId": "sa.4.8." - }, - { - "subcontrolId": "sa.9.1." - }, - { - "subcontrolId": "sa.9.4." - }, - { - "subcontrolId": "sa.9.5." - }, - { - "subcontrolId": "sa.10.1." - }, - { - "subcontrolId": "sa.11.1." - }, - { - "subcontrolId": "sa.11.2." - }, - { - "subcontrolId": "sa.11.8." - }, - { - "controlId": "sc.6" - }, - { - "subcontrolId": "sc.7.12." - }, - { - "subcontrolId": "sc.7.13." - }, - { - "subcontrolId": "sc.12.2." - }, - { - "subcontrolId": "sc.12.3." - }, - { - "subcontrolId": "sc.28.1." - }, - { - "subcontrolId": "si.2.3." - }, - { - "subcontrolId": "si.3.7." - }, - { - "subcontrolId": "si.4.1." - }, - { - "subcontrolId": "si.4.14." - }, - { - "subcontrolId": "si.4.16." - }, - { - "subcontrolId": "si.4.23." 
- } - ] - }, - "paramSettings": [ - { - "paramId": "ac-2_j", - "desc": "organization-defined actions", - "value": "organization-defined actions" - }, - { - "paramId": "ac-2_l", - "desc": "organization-defined conditions for establishing shared/group accounts", - "value": "organization-defined conditions for establishing shared/group accounts" - }, - { - "paramId": "ac-4_z", - "desc": "organization-defined mechanisms and/or techniques", - "value": "organization-defined mechanisms and/or techniques" - }, - { - "paramId": "ac-4_aa", - "desc": "organization-defined required separations by types of information", - "value": "organization-defined required separations by types of information" - }, - { - "paramId": "ac-17_c", - "desc": "organization-defined time period", - "value": "organization-defined time period" - }, - { - "paramId": "ca-2_f", - "desc": "organization-defined information system", - "value": "organization-defined information system" - }, - { - "paramId": "ca-2_g", - "desc": "organization-defined external organization", - "value": "organization-defined external organization" - }, - { - "paramId": "ca-2_h", - "desc": "organization-defined requirements", - "value": "organization-defined requirements" - }, - { - "paramId": "ca-3_e", - "desc": "organization-defined unclassified, non-national security system", - "value": "organization-defined unclassified, non-national security system" - }, - { - "paramId": "ca-3_f", - "desc": "Assignment; organization-defined boundary protection device", - "value": "Assignment; organization-defined boundary protection device" - }, - { - "paramId": "cm-5_e", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "cm-10_a", - "desc": "organization-defined restrictions", - "value": "organization-defined restrictions" - }, - { - "paramId": "ia-4_d", - "desc": "organization-defined characteristic identifying individual status", - "value": "organization-defined characteristic 
identifying individual status" - }, - { - "paramId": "ia-5_i", - "desc": "organization-defined requirements", - "value": "organization-defined requirements" - }, - { - "paramId": "ir-9_a", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ir-9_b", - "desc": "organization-defined actions", - "value": "organization-defined actions" - }, - { - "paramId": "ir-9_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "ir-9_d", - "desc": "organization-defined frequency", - "value": "organization-defined frequency" - }, - { - "paramId": "ir-9_e", - "desc": "organization-defined procedures", - "value": "organization-defined procedures" - }, - { - "paramId": "ir-9_f", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "ps-3_b", - "desc": "organization-defined additional personnel screening criteria", - "value": "organization-defined additional personnel screening criteria" - }, - { - "paramId": "sa-4_e", - "desc": "organization-defined level of detail", - "value": "organization-defined level of detail" - }, - { - "paramId": "sa-9_c", - "desc": "organization-defined personnel or roles", - "value": "organization-defined personnel or roles" - }, - { - "paramId": "sa-9_f", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "sa-9_g", - "desc": "organization-defined external service providers", - "value": "organization-defined external service providers" - }, - { - "paramId": "sa-9_h", - "desc": "organization-defined locations", - "value": "organization-defined locations" - }, - { - "paramId": "sa-9_i", - "desc": "organization-defined requirements or conditions", - "value": "organization-defined requirements or conditions" - }, - { - "paramId": "sc-6_a", - "desc": 
"organization-defined resources", - "value": "organization-defined resources" - }, - { - "paramId": "sc-6_b", - "desc": "organization-defined security safeguards", - "value": "organization-defined security safeguards" - }, - { - "paramId": "sc-7_f", - "desc": "organization-defined host-based boundary protection mechanisms", - "value": "organization-defined host-based boundary protection mechanisms" - }, - { - "paramId": "sc-7_g", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "sc-7_h", - "desc": "organization-defined information security tools, mechanisms, and support components", - "value": "organization-defined information security tools, mechanisms, and support components" - }, - { - "paramId": "sc-28_b", - "desc": "organization-defined information", - "value": "organization-defined information" - }, - { - "paramId": "sc-28_c", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - }, - { - "paramId": "si-2_c", - "desc": "organization-defined benchmarks", - "value": "organization-defined benchmarks" - }, - { - "paramId": "si-4_x", - "desc": "organization-defined host-based monitoring mechanisms", - "value": "organization-defined host-based monitoring mechanisms" - }, - { - "paramId": "si-4_y", - "desc": "organization-defined information system components", - "value": "organization-defined information system components" - } - ], - "alterations": [ - { - "subcontrolId": "ac.2.7.", - "augment": true - }, - { - "subcontrolId": "ac.2.9.", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "RESTRICTIONS ON USE OF SHARED GROUPS / ACCOUNTS" - } - ], - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eAC-2 (9) Required if shared/group accounts are deployed\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.2.10.", - "augment": { - "parts": [ - { - 
"class": "additional", - "prose": [ - "\u003cp\u003eAC-2 (10) Required if shared/group accounts are deployed\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ac.4.21.", - "augment": true - }, - { - "subcontrolId": "ac.17.9.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eAC-17 (9) [no greater than 15 minutes]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ca.2.3.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-2 (3)-1 [any FedRAMP Accredited 3PAO] CA-2 (3)-1-2 [any FedRAMP Accredited 3PAO] CA-2 (3)-1-3 [the conditions of a Authorizing Official in the FedRAMP Repository]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ca.3.3.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCA-3 (3)-2 [Boundary Protections which meet the Trusted Internet Connection (TIC) requirements]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eCA-3(3) Guidance: Refer to Appendix H – Cloud Considerations of the TIC 2.0 Reference Architecture document.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ca.8.1.", - "augment": true - }, - { - "subcontrolId": "cm.5.5.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eCM-5 (5) (b) [at least quarterly]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "cm.10.1.", - "augment": true - }, - { - "subcontrolId": "ia.2.5.", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) |\nGROUP AUTHENTICATION" - } - ] - } - }, - { - "subcontrolId": "ia.4.4.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eIA-4 (4) [contractors; foreign nationals]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.5.4.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eIA-5 (4) 
Additional FedRAMP Requirements and Guidance: Guidance: If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ia.5.6.", - "augment": true - }, - { - "subcontrolId": "ia.5.7.", - "augment": true - }, - { - "subcontrolId": "ir.7.2.", - "augment": true - }, - { - "controlId": "ir.9", - "augment": true - }, - { - "subcontrolId": "ir.9.1.", - "augment": true - }, - { - "subcontrolId": "ir.9.2.", - "augment": true - }, - { - "subcontrolId": "ir.9.3.", - "augment": true - }, - { - "subcontrolId": "ir.9.4.", - "augment": true - }, - { - "subcontrolId": "pe.14.2.", - "augment": true - }, - { - "subcontrolId": "ps.3.3.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003ePS-3 (3) (b) [personnel screening criteria – as required by specific information]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ra.5.3.", - "augment": true - }, - { - "subcontrolId": "ra.5.6.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eRA-5 (6) Guidance: include in Continuous Monitoring ISSO digest/report to JAB/AO\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "ra.5.8.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eRA-5 (8) Requirements: This enhancement is required for all high vulnerability scan findings. 
Guidance: While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.4.8.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-4 (8) [at least the minimum requirement as defined in control CA-7]\u003c/p\u003e" - ] - }, - { - "class": "additional", - "prose": [ - "\u003cp\u003eSA-4 (8) Guidance: CSP must use the same security standards regardless of where the system component or information system service is acquired.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.9.1.", - "augment": { - "props": [ - { - "class": "has_params" - } - ] - } - }, - { - "subcontrolId": "sa.9.4.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-9 (4)-2 [All external systems where Federal information is processed or stored]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.9.5.", - "augment": { - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSA-9 (5)-1 [information processing, information data, AND information services]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.10.1.", - "augment": true - }, - { - "subcontrolId": "sa.11.1.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eSA-11 (1) Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sa.11.2.", - "augment": true - }, - { - "subcontrolId": "sa.11.8.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eSA-11 (8) Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.\u003c/p\u003e" - ] - } - ] - } - }, - { - "controlId": "sc.6", - "augment": true 
- }, - { - "subcontrolId": "sc.7.12.", - "augment": true - }, - { - "subcontrolId": "sc.7.13.", - "augment": { - "parts": [ - { - "class": "additional", - "prose": [ - "\u003cp\u003eSC-7 (13) Requirement: The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.12.2.", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT |\nSYMMETRIC KEYS" - } - ], - "parts": [ - { - "class": "parameters", - "prose": [ - "\u003cp\u003eSC-12 (2) [NIST FIPS-compliant]\u003c/p\u003e" - ] - } - ] - } - }, - { - "subcontrolId": "sc.12.3.", - "augment": { - "props": [ - { - "class": "profile-title", - "value": "CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT |\nASYMMETRIC KEYS" - } - ] - } - }, - { - "subcontrolId": "sc.28.1.", - "augment": true - }, - { - "subcontrolId": "si.2.3.", - "augment": true - }, - { - "subcontrolId": "si.3.7.", - "augment": true - }, - { - "subcontrolId": "si.4.1.", - "augment": true - }, - { - "subcontrolId": "si.4.14.", - "augment": true - }, - { - "subcontrolId": "si.4.16.", - "augment": true - }, - { - "subcontrolId": "si.4.23.", - "augment": true - } - ] - } - ] -} \ No newline at end of file diff --git a/working/FedRAMP/FedRAMP-MODERATE-working.xml b/working/FedRAMP/FedRAMP-MODERATE-working.xml index 652ef9e387..dc852290bd 100644 --- a/working/FedRAMP/FedRAMP-MODERATE-working.xml +++ b/working/FedRAMP/FedRAMP-MODERATE-working.xml @@ -1,10 +1,10 @@ + - + FedRAMP MODERATE Baseline PROFILE (extracted and aligned, no edits) - + 
@@ -266,6 +266,82 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + organization-defined personnel or roles @@ -366,7 +442,8 @@ -

    AC-5 Additional FedRAMP Requirements and Guidance: Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

    +

    AC-5 Additional FedRAMP Requirements and Guidance: Guidance: CSPs have the option + to provide a separation of duties matrix as an attachment to the SSP.

    @@ -376,7 +453,8 @@ - organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information + organization-defined security functions (deployed in hardware, software, and + firmware) and security-relevant information organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information @@ -393,7 +471,11 @@

    AC-6 (2) [all security functions]

    -

    AC-6 (2) Guidance: Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

    +

    AC-6 (2) Guidance: Examples of security functions include but are not limited to: + establishing system accounts, configuring access authorizations (i.e., + permissions, privileges), setting events to be audited, and setting intrusion + detection parameters, system programming, system and security administration, + other privileged functions.

    @@ -433,7 +515,8 @@ -

    AC-7(a) [not more than three] [fifteen minutes] AC-7(b) [locks the account/node for thirty minutes]

    +

    AC-7(a) [not more than three] [fifteen minutes] AC-7(b) [locks the account/node + for thirty minutes]

    @@ -449,10 +532,23 @@ -

    AC-8 (a) [see additional Requirements and Guidance] AC-8 (c) [see additional Requirements and Guidance]

    +

    AC-8 (a) [see additional Requirements and Guidance] AC-8 (c) [see additional + Requirements and Guidance]

    -

    AC-8 Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB. AC-08 Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB. AC-8 Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided. AC-8 Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB.

    +

    AC-8 Requirement: The service provider shall determine elements of the cloud + environment that require the System Use Notification control. The elements of the + cloud environment that require System Use Notification are approved and accepted + by the JAB. AC-08 Requirement: The service provider shall determine how System Use + Notification is going to be verified and provide appropriate periodicity of the + check. The System Use Notification verification and periodicity are approved and + accepted by the JAB. AC-8 Guidance: If performed as part of a Configuration + Baseline check, then the % of items requiring setting that are checked and that + pass (or fail) check can be provided. AC-8 Requirement: If not performed as part + of a Configuration Baseline check, then there must be documented agreement on how + to provide results of verification and the necessary periodicity of the + verification by the service provider. The documented agreement on how to provide + verification of the results are approved and accepted by the JAB.

    @@ -550,7 +646,8 @@ - organization-defined information sharing circumstances where user discretion is required + organization-defined information sharing circumstances where user discretion is + required organization-defined information sharing circumstances where user discretion is required @@ -659,16 +756,24 @@ organization-defined auditable events - organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event + organization-defined audited events (the subset of the auditable events defined in + AU-2 a.) along with the frequency of (or situation requiring) auditing for each + identified event organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event -

    AU-2 (a) [Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes] AU-2 (d) [organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event]

    +

    AU-2 (a) [Successful and unsuccessful account logon events, account management + events, object access, policy change, privilege functions, process tracking, and + system events For Web applications: all administrator activity, authentication + checks, authorization checks, data deletions, data access, data changes, and + permission changes] AU-2 (d) [organization-defined subset of the auditable events + defined in AU-2 a to be audited continually for each identified event]

    -

    AU-2 Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

    +

    AU-2 Requirement: Coordination between service provider and consumer shall be + documented and accepted by the JAB/AO.

    @@ -683,7 +788,8 @@

    AU-2 (3) [annually or whenever there is a change in the threat environment]

    -

    AU-2 (3) Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB.

    +

    AU-2 (3) Guidance: Annually or whenever changes in the threat environment are + communicated to the service provider by the JAB.

    @@ -699,10 +805,18 @@ -

    AU-3 (1) [Assignment: organization-defined additional, more detailed information] Parameter: [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon]

    +

    AU-3 (1) [Assignment: organization-defined additional, more detailed information] + Parameter: [session, connection, transaction, or activity duration; for + client-server transactions, the number of bytes received and bytes sent; + additional informational messages to diagnose or identify the event; + characteristics that describe or identify the object or resource being acted + upon]

    -

    AU-3 (1). Requirement: The service provider defines audit record types. The audit record types are approved and accepted by the JAB/AO. Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

    +

    AU-3 (1). Requirement: The service provider defines audit record types. The audit + record types are approved and accepted by the JAB/AO. Guidance: For client-server + transactions, the number of bytes sent and received gives bidirectional transfer + information that can be helpful during an investigation or inquiry.

    @@ -720,7 +834,8 @@ organization-defined personnel or roles
    - organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) + organization-defined actions to be taken (e.g., shut down information system, + overwrite oldest audit records, stop generating audit records) organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) @@ -749,7 +864,10 @@

    AU-6 (a)-1 [at least weekly]

    -

    AU-6 Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

    +

    AU-6 Requirement: Coordination between service provider and consumer shall be + documented and accepted by the JAB/AO. In multi-tennant environments, capability + and means for providing review, analysis, and reporting to consumer for data + pertaining to consumer shall be documented.

    @@ -800,7 +918,13 @@

    AU-8 (1) [http://tfnistgov/tf-cgi/serverscgi] [At least hourly]

    -

    AU-8 (1) Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server. AU-8 (1) Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server. AU-8 (1) Guidance: Synchronization of system clocks improves the accuracy of log analysis.

    +

    AU-8 (1) Requirement: The service provider selects primary and secondary time + servers used by the NIST Internet time service. The secondary server is selected + from a different geographic region than the primary server. AU-8 (1) Requirement: + The service provider synchronizes the system clocks of network computers that run + operating systems other than Windows to the Windows Server Domain Controller + emulator or to the same time source for that server. AU-8 (1) Guidance: + Synchronization of system clocks improves the accuracy of log analysis.
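Review bot: The unchanged parameter line this hunk reflows around still carries `[http://tfnistgov/tf-cgi/serverscgi]` as the AU-8 (1) time source, which appears to have lost its dots (presumably `tf.nist.gov/tf-cgi/servers.cgi`, the NIST Internet Time Service server list); whether they were dropped in the original FedRAMP extraction or only in this page's rendering is not visible here. Because the new lines restate the requirement to select primary and secondary servers from that service, an implementer copying the parameter verbatim would be pointed at an unresolvable hostname, so the stored value is worth checking while this paragraph is being touched. The enclosing element's start and end tags are not visible in the rendered hunk.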

    @@ -827,7 +951,9 @@

    AU-11 [at least ninety days]

    -

    AU-11. Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

    +

    AU-11. Requirement: The service provider retains audit records on-line for at + least ninety days and further preserves audit records off-line for a period that + is in accordance with NARA requirements.

    @@ -843,7 +969,8 @@ -

    AU-12 (a) [all information system and network components where audit capability is deployed/available]

    +

    AU-12 (a) [all information system and network components where audit capability is + deployed/available]

    @@ -879,7 +1006,8 @@ -

    CA-2 (b) [at least annually] CA-2 (d) [individuals or roles to include FedRAMP PMO]

    +

    CA-2 (b) [at least annually] CA-2 (d) [individuals or roles to include FedRAMP + PMO]

    @@ -915,7 +1043,8 @@ -

    CA-3 (5) For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing

    +

    CA-3 (5) For JAB Authorization, CSPs shall include details of this control in + their Architecture Briefing

    @@ -945,7 +1074,10 @@

    CA-6 (c) [at least every three years or when a significant change occurs]

    -

    CA-6c. Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

    +

    CA-6c. Guidance: Significant change is defined in NIST Special Publication 800-37 + Revision 1, Appendix F. The service provider describes the types of changes to the + information system or the environment of operations that would impact the risk + posture. The types of changes are approved and accepted by the JAB/AO.

    @@ -976,7 +1108,13 @@

    CA-7 (g) [To meet Federal and FedRAMP requirements]

    -

    CA-7 Requirement: Operating System Scans: at least monthly Database and Web Application Scans: at least monthly All scans performed by Independent Assessor: at least annually CA-7 Guidance: CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates. Operating System Scans: at least monthly Database and Web Application Scans: at least monthly All scans performed by Independent Assessor: at least annually

    +

    CA-7 Requirement: Operating System Scans: at least monthly Database and Web + Application Scans: at least monthly All scans performed by Independent Assessor: + at least annually CA-7 Guidance: CSPs must provide evidence of closure and + remediation of high vulnerabilities within the timeframe for standard POA&M + updates. Operating System Scans: at least monthly Database and Web Application + Scans: at least monthly All scans performed by Independent Assessor: at least + annually

    @@ -1032,13 +1170,15 @@ -

    CM-2 (1) (a) [at least annually or when a significant change occurs] CM-2 (1) (b) [to include when directed by the JAB]

    +

    CM-2 (1) (a) [at least annually or when a significant change occurs] CM-2 (1) (b) + [to include when directed by the JAB]

    - organization-defined previous versions of baseline configurations of the information system + organization-defined previous versions of baseline configurations of the information + system organization-defined previous versions of baseline configurations of the information system @@ -1066,7 +1206,8 @@ organization-defined time period - organization-defined configuration change control element (e.g., committee, board) + organization-defined configuration change control element (e.g., committee, + board) organization-defined configuration change control element (e.g., committee, board) @@ -1080,7 +1221,11 @@ -

    CM-3 Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

    +

    CM-3 Requirement: The service provider establishes a central means of + communicating major changes to or developments in the information system or + environment of operations that may affect its services to the federal government + and associated service consumers (e.g., electronic bulletin board, web status + page). The means of communication are approved and accepted by the JAB/AO.

    CM-3e Guidance: In accordance with record retention policies and procedures.

    @@ -1112,13 +1257,21 @@

    CM-6 (a) [United States Government Configuration Baseline (USGCB)]

    -

    CM-6 (a) Requirement 1: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. CM-6 (a) Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available). CM-6 (a) Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc

    +

    CM-6 (a) Requirement 1: The service provider shall use the Center for Internet + Security guidelines (Level 1) to establish configuration settings or establishes + its own configuration settings if USGCB is not available. CM-6 (a) Requirement 2: + The service provider shall ensure that checklists for configuration settings are + Security Content Automation Protocol (SCAP) validated or SCAP compatible (if + validated checklists are not available). CM-6 (a) Guidance: Information on the + USGCB checklists can be found at: + http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc

    - organization-defined prohibited or restricted functions, ports, protocols, and/or services + organization-defined prohibited or restricted functions, ports, protocols, and/or + services organization-defined prohibited or restricted functions, ports, protocols, and/or services @@ -1127,7 +1280,13 @@

    CM-7 (b) [United States Government Configuration Baseline (USGCB)]

    -

    CM-7 (b) Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. CM-7. Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc. (Partially derived from AC-17(8).)

    +

    CM-7 (b) Requirement: The service provider shall use the Center for Internet + Security guidelines (Level 1) to establish list of prohibited or restricted + functions, ports, protocols, and/or services or establishes its own list of + prohibited or restricted functions, ports, protocols, and/or services if USGCB is + not available. CM-7. Guidance: Information on the USGCB checklists can be found + at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc. (Partially derived + from AC-17(8).)

    @@ -1137,7 +1296,8 @@ organization-defined frequency
    - organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure + organization-defined functions, ports, protocols, and services within the information + system deemed to be unnecessary and/or nonsecure organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure @@ -1149,19 +1309,24 @@ - organization-defined policies regarding software program usage and restrictions + organization-defined policies regarding software program usage and + restrictions organization-defined policies regarding software program usage and restrictions -

    CM-7(2) Guidance: This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.

    +

    CM-7(2) Guidance: This control shall be implemented in a technical manner on the + information system to only allow programs to run that adhere to the policy (i.e. + white listing). This control is not to be based off of strictly written policy on + what is allowed or not allowed to run.

    - organization-defined information deemed necessary to achieve effective information system component accountability + organization-defined information deemed necessary to achieve effective information + system component accountability organization-defined information deemed necessary to achieve effective information system component accountability @@ -1194,7 +1359,8 @@ -

    CM-8 (3) (a) [Continuously, using automated mechanisms with a maximum five-minute delay in detection]

    +

    CM-8 (3) (a) [Continuously, using automated mechanisms with a maximum five-minute + delay in detection]

    @@ -1256,7 +1422,8 @@ organization-defined personnel or roles
    - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) + and organizational elements organization-defined key contingency personnel (identified by name and/or by role) and organizational elements @@ -1264,7 +1431,8 @@ organization-defined frequency - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) + and organizational elements organization-defined key contingency personnel (identified by name and/or by role) and organizational elements @@ -1273,7 +1441,8 @@

    CP-2 (d) [at least annually]

    -

    CP-2 Requirement: For JAB authorizations the contingency lists include designated FedRAMP personnel.

    +

    CP-2 Requirement: For JAB authorizations the contingency lists include designated + FedRAMP personnel.

    @@ -1321,10 +1490,14 @@ -

    CP-4 (a)-1 [at least annually for moderate impact systems; at least every three years for low impact systems] CP-4 (a)-2 [functional exercises for moderate impact systems; classroom exercises/table top written tests for low impact systems]

    +

    CP-4 (a)-1 [at least annually for moderate impact systems; at least every three + years for low impact systems] CP-4 (a)-2 [functional exercises for moderate impact + systems; classroom exercises/table top written tests for low impact systems]

    -

    CP-4 (a). Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

    +

    CP-4 (a). Requirement: The service provider develops test plans in accordance with + NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO + prior to initiating testing.

    @@ -1350,13 +1523,15 @@ organization-defined information system operations - organization-defined time period consistent with recovery time and recovery point objectives + organization-defined time period consistent with recovery time and recovery point + objectives organization-defined time period consistent with recovery time and recovery point objectives -

    CP-7 (a). Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

    +

    CP-7 (a). Requirement: The service provider defines a time period consistent with + the recovery time objectives and business impact analysis.

    @@ -1364,7 +1539,11 @@ -

    CP-7 (1) Guidance: The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

    +

    CP-7 (1) Guidance: The service provider may determine what is considered a + sufficient degree of separation between the primary and alternate processing + sites, based on the types of threats that are of concern. For one particular type + of threat (i.e., hostile cyber attack), the degree of separation between sites + will be less relevant.

    @@ -1388,7 +1567,8 @@ -

    CP-8 Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

    +

    CP-8 Requirement: The service provider defines a time period consistent with the + recovery time objectives and business impact analysis.

    @@ -1402,24 +1582,39 @@
    - organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point + objectives organization-defined frequency consistent with recovery time and recovery point objectives - organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point + objectives organization-defined frequency consistent with recovery time and recovery point objectives - organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point + objectives organization-defined frequency consistent with recovery time and recovery point objectives -

    CP-9 (a) [daily incremental; weekly full] CP-9 (b) [daily incremental; weekly full] CP-9 (c) [daily incremental; weekly full]

    +

    CP-9 (a) [daily incremental; weekly full] CP-9 (b) [daily incremental; weekly + full] CP-9 (c) [daily incremental; weekly full]

    -

    CP-9 Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check. CP-9 (a) Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative. CP-9 (b) Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative. CP-9 (c) Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

    +

    CP-9 Requirement: The service provider shall determine what elements of the cloud + environment require the Information System Backup control. The service provider + shall determine how Information System Backup is going to be verified and + appropriate periodicity of the check. CP-9 (a) Requirement: The service provider + maintains at least three backup copies of user-level information (at least one of + which is available online) or provides an equivalent alternative. CP-9 (b) + Requirement: The service provider maintains at least three backup copies of + system-level information (at least one of which is available online) or provides + an equivalent alternative. CP-9 (c) Requirement: The service provider maintains at + least three backup copies of information system documentation including security + information (at least one of which is available online) or provides an equivalent + alternative.

    @@ -1494,7 +1689,8 @@

    IA-2 (11) [FIPS 140-2, NIAP Certification, or NSA approval]

    -

    IA-2 (11) Guidance: PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.

    +

    IA-2 (11) Guidance: PIV=separate device. Please refer to NIST SP 800-157 + Guidelines for Derived Personal Identity Verification (PIV) Credentials.

    @@ -1502,7 +1698,8 @@ -

    IA-2 (12) Guidance: Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

    +

    IA-2 (12) Guidance: Include Common Access Card (CAC), i.e., the DoD technical + implementation of PIV/FIPS 201/HSPD-12.

    @@ -1530,10 +1727,14 @@ -

    IA-4 (d) [at least two years] IA-4 (e) [ninety days for user identifiers] (See additional requirements and guidance)

    +

    IA-4 (d) [at least two years] IA-4 (e) [ninety days for user identifiers] (See + additional requirements and guidance)

    -

    IA-4 (e) Requirement: The service provider defines time period of inactivity for device identifiers. Guidance: For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.

    +

    IA-4 (e) Requirement: The service provider defines time period of inactivity for + device identifiers. Guidance: For DoD clouds, see DoD cloud website for specific + DoD requirements that go above and beyond FedRAMP + http://iase.disa.mil/cloud_security/Pages/index.aspx.

    @@ -1551,7 +1752,9 @@ - organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type + organization-defined requirements for case sensitivity, number of characters, mix of + upper-case letters, lower-case letters, numbers, and special characters, including + minimum requirements for each type organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type @@ -1569,7 +1772,10 @@ -

    IA-5 (1) (a) [case sensitive, minimum of twelve characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters] IA-5 (1) (b) [at least one] IA-5 (1) (d) [one day minimum, sixty day maximum] IA-5 (1) (e) [twenty four]

    +

    IA-5 (1) (a) [case sensitive, minimum of twelve characters, and at least one each + of upper-case letters, lower-case letters, numbers, and special characters] IA-5 + (1) (b) [at least one] IA-5 (1) (d) [one day minimum, sixty day maximum] IA-5 (1) + (e) [twenty four]
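Review bot: The reflow inserts line breaks inside the text content of this parameter element rather than between elements, so the value `[case sensitive, minimum of twelve characters, and at least one each` now continues on a following `+` line, and the label `IA-5` is separated from `(1) (b)` by a newline plus indentation. Unless every consumer (the XSL templates and the JSON conversion) applies `normalize-space()` to these text nodes, which is not visible here, the extracted parameter text will carry embedded newlines and runs of spaces, which matters for anything that compares or renders baseline values verbatim. If a pretty-printer produced this, it should be configured to leave mixed-content elements alone (for example `xml:space="preserve"` on the prose elements, or wrapping only at element boundaries); otherwise the file header's "no edits" claim no longer holds for text nodes. The enclosing element's start and end tags are outside the rendered hunk.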

    @@ -1593,7 +1799,8 @@ -

    IA-5 (3)-1 [All hardware/biometric (multifactor authenticators] IA-5 (3)-2 [in person]

    +

    IA-5 (3)-1 [All hardware/biometric (multifactor authenticators] IA-5 (3)-2 [in + person]

    @@ -1616,7 +1823,8 @@ - IDENTIFICATION AND AUTHENTICATION (NON- ORGANIZATIONAL USERS) + IDENTIFICATION AND AUTHENTICATION (NON- ORGANIZATIONAL + USERS) @@ -1687,10 +1895,15 @@ -

    IR-3-1 [at least annually] IR-3-2 [see additional FedRAMP Requirements and Guidance]

    +

    IR-3-1 [at least annually] IR-3-2 [see additional FedRAMP Requirements and + Guidance]

    -

    IR-3-2 Requirement 1: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). IR-3-2 Requirement 2: For JAB Authorization, the service provider provides test plans to the JAB/AO annually. IR-3-2 Requirement 3: Test plans are approved and accepted by the Authorizing Official (AO) prior to test commencing.

    +

    IR-3-2 Requirement 1: The service provider defines tests and/or exercises in + accordance with NIST Special Publication 800-61 (as amended). IR-3-2 Requirement + 2: For JAB Authorization, the service provider provides test plans to the JAB/AO + annually. IR-3-2 Requirement 3: Test plans are approved and accepted by the + Authorizing Official (AO) prior to test commencing.

    @@ -1702,7 +1915,10 @@ -

    IR-4 Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

    +

    IR-4 Requirement: The service provider ensures that individuals conducting + incident handling meet personnel security requirements commensurate with the + criticality/sensitivity of the information being processed, stored, and + transmitted by the information system.

    @@ -1726,10 +1942,12 @@ -

    IR-6 (a) [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]

    +

    IR-6 (a) [US-CERT incident reporting timelines as specified in NIST Special + Publication 800-61 (as amended)]

    -

    IR-6 Requirement: Reports security incident information according to FedRAMP Incident Communications Procedure.

    +

    IR-6 Requirement: Reports security incident information according to FedRAMP + Incident Communications Procedure.

    @@ -1751,7 +1969,8 @@ organization-defined personnel or roles
    - organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) + and organizational elements organization-defined incident response personnel (identified by name and/or by role) and organizational elements @@ -1759,16 +1978,24 @@ organization-defined frequency - organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) + and organizational elements organization-defined incident response personnel (identified by name and/or by role) and organizational elements -

    IR-8 (b) [see additional FedRAMP Requirements and Guidance] IR-8 (c) [at least annually] IR-8 (e) [see additional FedRAMP Requirements and Guidance]

    +

    IR-8 (b) [see additional FedRAMP Requirements and Guidance] IR-8 (c) [at least + annually] IR-8 (e) [see additional FedRAMP Requirements and Guidance]

    -

    IR-8 (b) Additional FedRAMP Requirements and Guidance: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel. IR-8 (e) Additional FedRAMP Requirements and Guidance: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

    +

    IR-8 (b) Additional FedRAMP Requirements and Guidance: The service provider + defines a list of incident response personnel (identified by name and/or by role) + and organizational elements. The incident response list includes designated + FedRAMP personnel. IR-8 (e) Additional FedRAMP Requirements and Guidance: The + service provider defines a list of incident response personnel (identified by name + and/or by role) and organizational elements. The incident response list includes + designated FedRAMP personnel.

    @@ -1903,10 +2130,14 @@ -

    MP-4 (a)-1 [all types of digital and non-digital media with sensitive information] MP-4 (a)-2 [FedRAMP Assignment: see additional FedRAMP requirements and guidance]

    +

    MP-4 (a)-1 [all types of digital and non-digital media with sensitive information] + MP-4 (a)-2 [FedRAMP Assignment: see additional FedRAMP requirements and + guidance]

    -

    MP-4 (a) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines controlled areas within facilities where the information and information system reside.

    +

    MP-4 (a) Additional FedRAMP Requirements and Guidance: Requirement: The service + provider defines controlled areas within facilities where the information and + information system reside.

    @@ -1922,10 +2153,15 @@ -

    MP-5 (a) [all media with sensitive information] [prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container]

    +

    MP-5 (a) [all media with sensitive information] [prior to leaving + secure/controlled environment: for digital media, encryption using a FIPS 140-2 + validated encryption module; for non-digital media, secured in locked + container]

    -

    MP-5 (a) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB.

    +

    MP-5 (a) Additional FedRAMP Requirements and Guidance: Requirement: The service + provider defines security measures to protect digital and non-digital media in + transport. The security measures are approved and accepted by the JAB.

    @@ -1999,7 +2235,8 @@ - organization-defined entry/exit points to the facility where the information system resides + organization-defined entry/exit points to the facility where the information system + resides organization-defined entry/exit points to the facility where the information system resides @@ -2033,7 +2270,9 @@ -

    PE-3 (a) (2) [CSP defined physical access control systems/devices AND guards] PE-3 (d) [in all circumstances within restricted access area where the information system resides] PE-3 (f) [at least annually] PE-3 (g) [at least annually]

    +

    PE-3 (a) (2) [CSP defined physical access control systems/devices AND guards] PE-3 + (d) [in all circumstances within restricted access area where the information + system resides] PE-3 (f) [at least annually] PE-3 (g) [at least annually]

    @@ -2129,10 +2368,13 @@ -

    PE-14 (a) [consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments] PE-14 (b) [continuously]

    +

    PE-14 (a) [consistent with American Society of Heating, Refrigerating and + Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data + Processing Environments] PE-14 (b) [continuously]

    -

    PE-14 (a). Requirements: The service provider measures temperature at server inlets and humidity levels by dew point.

    +

    PE-14 (a). Requirements: The service provider measures temperature at server + inlets and humidity levels by dew point.

    @@ -2231,7 +2473,8 @@

    PL-8 (b) [At least annually or when a significant change occurs]

    -

    PL-8 (b) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.

    +

    PL-8 (b) Guidance: Significant change is defined in NIST Special Publication + 800-37 Revision 1, Appendix F, page F-7.

    @@ -2269,13 +2512,19 @@ - organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + organization-defined conditions requiring rescreening and, where rescreening is so + indicated, the frequency of such rescreening organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening -

    PS-3 (b) [for national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year There is no reinvestigation for other moderate risk positions or any low risk positions]

    +

    PS-3 (b) [for national security clearances; a reinvestigation is required during + the 5th year for top secret security clearance, the 10th year for secret security + clearance, and 15th year for confidential security clearance For moderate risk law + enforcement and high impact public trust level, a reinvestigation is required + during the 5th year There is no reinvestigation for other moderate risk positions + or any low risk positions]

    @@ -2323,7 +2572,8 @@ -

    PS-5 (d)-2 [five days of the time period following the formal transfer action (DoD 24 hours)]

    +

    PS-5 (d)-2 [five days of the time period following the formal transfer action (DoD + 24 hours)]

    @@ -2415,16 +2665,21 @@ -

    RA-3 (b) [security assessment report] RA-3 (c) [at least every three (3) years or when a significant change occurs] RA-3 (e) [at least every three (3) years or when a significant change occurs]

    +

    RA-3 (b) [security assessment report] RA-3 (c) [at least every three (3) years or + when a significant change occurs] RA-3 (e) [at least every three (3) years or when + a significant change occurs]

    -

    RA-3 Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. RA-3 (d) Requirement: Include all Authoring Officials and FedRAMP ISSOs.

    +

    RA-3 Guidance: Significant change is defined in NIST Special Publication 800-37 + Revision 1, Appendix F. RA-3 (d) Requirement: Include all Authoring Officials and + FedRAMP ISSOs.

    - organization-defined frequency and/or randomly in accordance with organization-defined process + organization-defined frequency and/or randomly in accordance with + organization-defined process organization-defined frequency and/or randomly in accordance with organization-defined process @@ -2438,10 +2693,16 @@ -

    RA-5 (a) [monthly operating system/infrastructure; monthly web applications and databases] RA-5 (d) [high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery]

    +

    RA-5 (a) [monthly operating system/infrastructure; monthly web applications and + databases] RA-5 (d) [high-risk vulnerabilities mitigated within thirty days from + date of discovery; moderate-risk vulnerabilities mitigated within ninety days from + date of discovery]

    -

    RA-5 (a) Requirement: an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually. RA-5 (e) Requirement: to include the Risk Executive; for JAB authorizations to include FedRAMP

    +

    RA-5 (a) Requirement: an accredited independent assessor scans operating + systems/infrastructure, web applications, and databases once annually. RA-5 (e) + Requirement: to include the Risk Executive; for JAB authorizations to include + FedRAMP

    @@ -2473,7 +2734,8 @@ -

    RA-5 (5)-1 [operating systems / web applications / databases] RA-5 (5)-2 [all scans]

    +

    RA-5 (5)-1 [operating systems / web applications / databases] RA-5 (5)-2 [all + scans]

    @@ -2513,7 +2775,9 @@ -

    SA-4 Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.

    +

    SA-4 Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is + strongly preferred. See http://www.niap-ccevs.org/vpl or + http://www.commoncriteriaportal.org/products.html.

    @@ -2533,7 +2797,8 @@ -

    SA-4 (2)-1 [to include security-relevant external system interfaces and high-level design]

    +

    SA-4 (2)-1 [to include security-relevant external system interfaces and high-level + design]

    @@ -2573,7 +2838,10 @@ -

    SA-9 (a) [FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system] SA-9 (c) [Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored]

    +

    SA-9 (a) [FedRAMP Security Controls Baseline(s) if Federal information is + processed or stored within the external system] SA-9 (c) [Federal/FedRAMP + Continuous Monitoring requirements must be met for external systems where Federal + information is processed or stored]

    @@ -2585,7 +2853,8 @@ -

    SA-9 (2) [All external systems where Federal information is processed or stored]

    +

    SA-9 (2) [All external systems where Federal information is processed or + stored]

    @@ -2604,7 +2873,9 @@

    SA-10 (a) [development, implementation, AND operation]

    -

    SA-10 (e) Requirement: for JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

    +

    SA-10 (e) Requirement: for JAB authorizations, track security flaws and flaw + resolution within the system, component, or service and report findings to + organization-defined personnel, to include FedRAMP.

    @@ -2646,7 +2917,8 @@ - organization-defined types of denial of service attacks or references to sources for such information + organization-defined types of denial of service attacks or references to sources for + such information organization-defined types of denial of service attacks or references to sources for such information @@ -2700,7 +2972,9 @@ -

    SC-8 (1)-1 [prevent unauthorized disclosure of information AND detect changes to information] SC-8 (1)-1 [a hardened or alarmed carrier Protective Distribution System (PDS)]

    +

    SC-8 (1)-1 [prevent unauthorized disclosure of information AND detect changes to + information] SC-8 (1)-1 [a hardened or alarmed carrier Protective Distribution + System (PDS)]

    @@ -2712,13 +2986,15 @@ -

    SC-10 [no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions]

    +

    SC-10 [no longer than 30 minutes for RAS-based sessions or no longer than 60 + minutes for non-interactive user sessions]

    - organization-defined requirements for key generation, distribution, storage, access, and destruction + organization-defined requirements for key generation, distribution, storage, access, + and destruction organization-defined requirements for key generation, distribution, storage, access, and destruction @@ -2730,7 +3006,8 @@ - organization-defined cryptographic uses and type of cryptography required for each use + organization-defined cryptographic uses and type of cryptography required for each + use organization-defined cryptographic uses and type of cryptography required for each use @@ -2751,7 +3028,9 @@

    SC-15 (a) [no exceptions]

    -

    SC-15 Additional FedRAMP Requirements and Guidance: Requirement: The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

    +

    SC-15 Additional FedRAMP Requirements and Guidance: Requirement: The information + system provides disablement (instead of physical disconnect) of collaborative + computing devices in a manner that supports ease of use.

    @@ -2774,22 +3053,22 @@ - SECURE NAME /ADDRESS RESOLUTION SERVICE -(AUTHORITATIVE SOURCE) + SECURE NAME /ADDRESS RESOLUTION SERVICE (AUTHORITATIVE + SOURCE) - SECURE NAME /ADDRESS RESOLUTION SERVICE -(RECURSIVE OR CACHING RESOLVER) + SECURE NAME /ADDRESS RESOLUTION SERVICE (RECURSIVE OR + CACHING RESOLVER) - ARCHITECTURE AND PROVISIONING FOR -NAME/ADDRESS RESOLUTION SERVICE + ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION + SERVICE @@ -2807,7 +3086,8 @@ NAME/ADDRESS RESOLUTION SERVICE

    SC-28 [confidentiality AND integrity]

    -

    SC-28 Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest.

    +

    SC-28 Guidance: The organization supports the capability to use cryptographic + mechanisms to protect information at rest.

    @@ -2871,7 +3151,8 @@ NAME/ADDRESS RESOLUTION SERVICE -

    SI-3 (c) (1)-1 [at least weekly] SI-3 (c) (1)-2 [to include endpoints] SI-3 (c) (2) [to include alerting administrator or defined security personnel]

    +

    SI-3 (c) (1)-1 [at least weekly] SI-3 (c) (1)-2 [to include endpoints] SI-3 (c) + (2) [to include alerting administrator or defined security personnel]

    @@ -2963,7 +3244,8 @@ NAME/ADDRESS RESOLUTION SERVICE -

    SI-5 (a) [to include US-CERT] SI-5 (c) [to include system security personnel and administrators with configuration/patch-management responsibilities]

    +

    SI-5 (a) [to include US-CERT] SI-5 (c) [to include system security personnel and + administrators with configuration/patch-management responsibilities]

    @@ -3044,33 +3326,11 @@ NAME/ADDRESS RESOLUTION SERVICE -
    - - - - - - - - - - - - - - - - - - - - - - - + - organization-defined time-period of expected inactivity or description of when to log out + organization-defined time-period of expected inactivity or description of when to log + out organization-defined time-period of expected inactivity or description of when to log out @@ -3092,7 +3352,8 @@ NAME/ADDRESS RESOLUTION SERVICE -

    AC-2 (12)(a) and AC-2 (12)(b) Additional FedRAMP Requirements and Guidance: Required for privileged accounts.

    +

    AC-2 (12)(a) and AC-2 (12)(b) Additional FedRAMP Requirements and Guidance: + Required for privileged accounts.

    @@ -3108,7 +3369,8 @@ NAME/ADDRESS RESOLUTION SERVICE -

    AC-10 [three (3) sessions for privileged access and two (2) sessions for non-privileged access]

    +

    AC-10 [three (3) sessions for privileged access and two (2) sessions for + non-privileged access]

    @@ -3175,7 +3437,9 @@ NAME/ADDRESS RESOLUTION SERVICE -

    CM-5 (3) Guidance: If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.

    +

    CM-5 (3) Guidance: If digital signatures/certificates are unavailable, alternative + cryptographic integrity checks (hashes, self-signed certs, etc.) can be + utilized.

    @@ -3189,7 +3453,8 @@ NAME/ADDRESS RESOLUTION SERVICE
    - organization-defined software programs authorized to execute on the information system + organization-defined software programs authorized to execute on the information + system organization-defined software programs authorized to execute on the information system @@ -3209,7 +3474,8 @@ NAME/ADDRESS RESOLUTION SERVICE - organization-defined critical information system software and other security-related information + organization-defined critical information system software and other security-related + information organization-defined critical information system software and other security-related information @@ -3223,7 +3489,8 @@ NAME/ADDRESS RESOLUTION SERVICE -

    MA-3 (3) (d) [the information owner explicitly authorizing removal of the equipment from the facility]

    +

    MA-3 (3) (d) [the information owner explicitly authorizing removal of the + equipment from the facility]

    @@ -3231,7 +3498,8 @@ NAME/ADDRESS RESOLUTION SERVICE -

    MA-5 (1) Requirement: Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline

    +

    MA-5 (1) Requirement: Only MA-5 (1)(a)(1) is required by FedRAMP Moderate + Baseline

    @@ -3246,7 +3514,8 @@ NAME/ADDRESS RESOLUTION SERVICE

    MP-6 (2) [At least annually]

    -

    MP-6 (2) Guidance: Equipment and procedures may be tested or validated for effectiveness

    +

    MP-6 (2) Guidance: Equipment and procedures may be tested or validated for + effectiveness

    @@ -3298,61 +3567,14 @@ NAME/ADDRESS RESOLUTION SERVICE -

    SI-6 (b) [to include upon system startup and/or restart and at least monthly] SI-6 (c) [to include system administrators and security personnel] SI-6 (d) [to include notification of system administrators and security personnel]

    +

    SI-6 (b) [to include upon system startup and/or restart and at least monthly] SI-6 + (c) [to include system administrators and security personnel] SI-6 (d) [to include + notification of system administrators and security personnel]

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + organization-defined actions @@ -3422,7 +3644,9 @@ NAME/ADDRESS RESOLUTION SERVICE -

    CA-2 (3)-1 [any FedRAMP Accredited 3PAO] CA-2 (3)-1-2 [any FedRAMP Accredited 3PAO] CA-2 (3)-1-3 [the conditions of a Authorizing Official in the FedRAMP Repository]

    +

    CA-2 (3)-1 [any FedRAMP Accredited 3PAO] CA-2 (3)-1-2 [any FedRAMP Accredited + 3PAO] CA-2 (3)-1-3 [the conditions of a Authorizing Official in the FedRAMP + Repository]

    @@ -3438,10 +3662,12 @@ NAME/ADDRESS RESOLUTION SERVICE -

    CA-3 (3)-2 [Boundary Protections which meet the Trusted Internet Connection (TIC) requirements]

    +

    CA-3 (3)-2 [Boundary Protections which meet the Trusted Internet Connection (TIC) + requirements]

    -

    CA-3(3) Guidance: Refer to Appendix H – Cloud Considerations of the TIC 2.0 Reference Architecture document.

    +

    CA-3(3) Guidance: Refer to Appendix H – Cloud Considerations of the TIC 2.0 + Reference Architecture document.

    @@ -3473,7 +3699,7 @@ NAME/ADDRESS RESOLUTION SERVICE IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | -GROUP AUTHENTICATION + GROUP AUTHENTICATION @@ -3496,7 +3722,10 @@ GROUP AUTHENTICATION -

    IA-5 (4) Additional FedRAMP Requirements and Guidance: Guidance: If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.

    +

    IA-5 (4) Additional FedRAMP Requirements and Guidance: Guidance: If automated + mechanisms which enforce password authenticator strength at creation are not used, + automated mechanisms must be used to audit strength of created password + authenticators.

    @@ -3568,7 +3797,8 @@ GROUP AUTHENTICATION -

    PS-3 (3) (b) [personnel screening criteria – as required by specific information]

    +

    PS-3 (3) (b) [personnel screening criteria – as required by specific + information]

    @@ -3580,7 +3810,8 @@ GROUP AUTHENTICATION -

    RA-5 (6) Guidance: include in Continuous Monitoring ISSO digest/report to JAB/AO

    +

    RA-5 (6) Guidance: include in Continuous Monitoring ISSO digest/report to + JAB/AO

    @@ -3588,7 +3819,10 @@ GROUP AUTHENTICATION -

    RA-5 (8) Requirements: This enhancement is required for all high vulnerability scan findings. Guidance: While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.

    +

    RA-5 (8) Requirements: This enhancement is required for all high vulnerability + scan findings. Guidance: While scanning tools may label findings as high or + critical, the intent of the control is based around NIST's definition of high + vulnerability.

    @@ -3603,7 +3837,8 @@ GROUP AUTHENTICATION

    SA-4 (8) [at least the minimum requirement as defined in control CA-7]

    -

    SA-4 (8) Guidance: CSP must use the same security standards regardless of where the system component or information system service is acquired.

    +

    SA-4 (8) Guidance: CSP must use the same security standards regardless of where + the system component or information system service is acquired.

    @@ -3629,7 +3864,8 @@ GROUP AUTHENTICATION -

    SA-9 (4)-2 [All external systems where Federal information is processed or stored]

    +

    SA-9 (4)-2 [All external systems where Federal information is processed or + stored]

    @@ -3645,7 +3881,8 @@ GROUP AUTHENTICATION -

    SA-9 (5)-1 [information processing, information data, AND information services]

    +

    SA-9 (5)-1 [information processing, information data, AND information + services]

    @@ -3657,7 +3894,8 @@ GROUP AUTHENTICATION -

    SA-11 (1) Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.

    +

    SA-11 (1) Requirement: The service provider documents in the Continuous Monitoring + Plan, how newly developed code for the information system is reviewed.

    @@ -3669,7 +3907,8 @@ GROUP AUTHENTICATION -

    SA-11 (8) Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.

    +

    SA-11 (8) Requirement: The service provider documents in the Continuous Monitoring + Plan, how newly developed code for the information system is reviewed.

    @@ -3699,21 +3938,26 @@ GROUP AUTHENTICATION - organization-defined information security tools, mechanisms, and support components + organization-defined information security tools, mechanisms, and support + components organization-defined information security tools, mechanisms, and support components -

    SC-7 (13) Requirement: The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.

    +

    SC-7 (13) Requirement: The service provider defines key information security + tools, mechanisms, and support components associated with system and security + administration and isolates those tools, mechanisms, and support components from + other internal information system components via physically or logically separate + subnets.

    - CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | -SYMMETRIC KEYS + CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC + KEYS

    SC-12 (2) [NIST FIPS-compliant]

    @@ -3722,8 +3966,8 @@ SYMMETRIC KEYS - CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | -ASYMMETRIC KEYS + CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | ASYMMETRIC + KEYS @@ -3775,5 +4019,5 @@ ASYMMETRIC KEYS
    -
    +
    diff --git a/working/FedRAMP/sprint4/fedramp-oscal-worksheet.xml b/working/FedRAMP/sprint4/fedramp-oscal-worksheet.xml index 6f1bdf7833..e4d280cc26 100644 --- a/working/FedRAMP/sprint4/fedramp-oscal-worksheet.xml +++ b/working/FedRAMP/sprint4/fedramp-oscal-worksheet.xml @@ -1,5 +1,5 @@ - + FedRAMP in OSCAL PROTOTYPE diff --git a/working/ISO-27002/Convert-ISO-epub-to-OSCAL.xsl b/working/ISO-27002/Convert-ISO-epub-to-OSCAL.xsl index a09b5b0bb5..14606d9cb7 100644 --- a/working/ISO-27002/Convert-ISO-epub-to-OSCAL.xsl +++ b/working/ISO-27002/Convert-ISO-epub-to-OSCAL.xsl @@ -25,7 +25,7 @@ - .1 + .1 @@ -33,43 +33,13 @@ - - - .1 - - + .1 - @@ -242,7 +212,7 @@ - + diff --git a/working/ISO-27002/ISO-27002-OSCAL-obfuscated.xml b/working/ISO-27002/ISO-27002-OSCAL-obfuscated.xml new file mode 100644 index 0000000000..234fba31d4 --- /dev/null +++ b/working/ISO-27002/ISO-27002-OSCAL-obfuscated.xml @@ -0,0 +1,2971 @@ + + + + + ISO/IEC 27002 + + + + + ^\d\d?$ + + + + + + + .1 + + + + + + + + + + + .1 + + + + + + + + + + Information security policies + 5 + + Management direction for information security + 5.1 + +

    Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

    +
    + + Policies for information security + 5.1.1 + +

    A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.

    +
    + +

    At the highest level, organizations should define an “information security policy” which is approved by management and which sets out the organization’s approach to managing its information security objectives.

    +

    Information security policies should address requirements created by:

    +
      +
    1. business strategy;
    2. +
    3. regulations, legislation and contracts;
    4. +
    5. the current and projected information security threat environment.
    6. +
    +

    The information security policy should contain statements concerning:

    +
      +
    1. definition of information security, objectives and principles to guide all activities relating to information security;
    2. +
    3. assignment of general and specific responsibilities for information security management to defined roles;
    4. +
    5. processes for handling deviations and exceptions.
    6. +
    +

    At a lower level, the information security policy should be supported by topic-specific policies, which further mandate the implementation of information security controls and are typically structured to address the needs of certain target groups within an organization or to cover certain topics.

    +

    Examples of such policy topics include:

    +
      +
    1. access control (see Clause 9);
    2. +
    3. information classification (and handling) (see 8.2);
    4. +
    5. physical and environmental security (see Clause 11);
    6. +
    7. end user oriented topics such as:
        +
      1. acceptable use of assets (see 8.1.3);
      2. +
      3. clear desk and clear screen (see 11.2.9);
      4. +
      5. information transfer (see 13.2.1);
      6. +
      7. mobile devices and teleworking (see 6.2);
      8. +
      9. restrictions on software installations and use (see 12.6.2);
      10. +
      +
    8. +
    9. backup (see 12.3);
    10. +
    11. information transfer (see 13.2);
    12. +
    13. protection from malware (see 12.2);
    14. +
    15. management of technical vulnerabilities (see 12.6.1);
    16. +
    17. cryptographic controls (see Clause 10);
    18. +
    19. communications security (see Clause 13);
    20. +
    21. privacy and protection of personally identifiable information (see 18.1.4);
    22. +
    23. supplier relationships (see Clause 15).
    24. +
    +

    These policies should be communicated to employees and relevant external parties in a form that is relevant, accessible and understandable to the intended reader, e.g. in the context of an “information security awareness, education and training programme” (see 7.2.2).

    +
    + +

    The need for internal policies for information security varies across organizations. Internal policies are especially useful in larger and more complex organizations where those defining and approving the expected levels of control are segregated from those implementing the controls or in situations where a policy applies to many different people or functions in the organization. Policies for information security can be issued in a single “information security policy” document or as a set of individual but related documents.

    +

    If any of the information security policies are distributed outside the organization, care should be taken not to disclose confidential information.

    +

    Some organizations use other terms for these policy documents, such as “Standards”, “Directives” or “Rules”.

    +
    +
    + + Review of the policies for information security + 5.1.2 + +

    The policies for information security should be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

    +
    + +

    Each policy should have an owner who has approved management responsibility for the development, review and evaluation of the policies. The review should include assessing opportunities for improvement of the organization’s policies and approach to managing information security in response to changes to the organizational environment, business circumstances, legal conditions or technical environment.

    +

    The review of policies for information security should take the results of management reviews into account.

    +

    Management approval for a revised policy should be obtained.

    +
    +
    +
    +
    + + Organization of information security + 6 + + Internal organization + 6.1 + +

    Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

    +
    + + Information security roles and responsibilities + 6.1.1 + +

    All information security responsibilities should be defined and allocated.

    +
    + +

    Allocation of information security responsibilities should be done in accordance with the information security policies (see 5.1.1). Responsibilities for the protection of individual assets and for carrying out specific information security processes should be identified. Responsibilities for information security risk management activities and in particular for acceptance of residual risks should be defined. These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined.

    +

    Individuals with allocated information security responsibilities may delegate security tasks to others. Nevertheless they remain accountable and should determine that any delegated tasks have been correctly performed.

    +

    Areas for which individuals are responsible should be stated. In particular the following should take place:

    +
      +
    1. the assets and information security processes should be identified and defined;
    2. +
    3. the entity responsible for each asset or information security process should be assigned and the details of this responsibility should be documented (see 8.1.2);
    4. +
    5. authorization levels should be defined and documented;
    6. +
    7. to be able to fulfil responsibilities in the information security area the appointed individuals should be competent in the area and be given opportunities to keep up to date with developments;
    8. +
    9. coordination and oversight of information security aspects of supplier relationships should be identified and documented.
    10. +
    +
    + +

    Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls.

    +

    However, responsibility for resourcing and implementing the controls will often remain with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection.

    +
    +
    + + Segregation of duties + 6.1.2 + +

    Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

    +
    + +

    Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls.

    +

    Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision should be considered.

    +
    + +

    Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an organization’s assets.

    +
    +
    + + Contact with authorities + 6.1.3 + +

    Appropriate contacts with relevant authorities should be maintained.

    +
    + +

    Organizations should have procedures in place that specify when and by whom authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information security incidents should be reported in a timely manner (e.g. if it is suspected that laws may have been broken).

    +
    + +

    Organizations under attack from the Internet may need authorities to take action against the attack source.

    +

    Maintaining such contacts may be a requirement to support information security incident management (see Clause 16) or the business continuity and contingency planning process (see Clause 17). Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in laws or regulations, which have to be implemented by the organization. Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety, e.g. fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability) and water suppliers (in connection with cooling facilities for equipment).

    +
    +
    + + Contact with special interest groups + 6.1.4 + +

    Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.

    +
    + +

    Membership in special interest groups or forums should be considered as a means to:

    +
      +
    1. improve knowledge about best practices and stay up to date with relevant security information;
    2. +
    3. ensure the understanding of the information security environment is current and complete;
    4. +
    5. receive early warnings of alerts, advisories and patches pertaining to attacks and vulnerabilities;
    6. +
    7. gain access to specialist information security advice;
    8. +
    9. share and exchange information about new technologies, products, threats or vulnerabilities;
    10. +
    11. provide suitable liaison points when dealing with information security incidents (see Clause 16).
    12. +
    +
    + +

    Information sharing agreements can be established to improve cooperation and coordination of security issues. Such agreements should identify requirements for the protection of confidential information.

    +
    +
    + + Information security in project management + 6.1.5 + +

    Information security should be addressed in project management, regardless of the type of the project.

    +
    + +

    Information security should be integrated into the organization’s project management method(s) to ensure that information security risks are identified and addressed as part of a project. This applies generally to any project regardless of its character, e.g. a project for a core business process, IT, facility management and other supporting processes. The project management methods in use should require that:

    +
      +
    1. information security objectives are included in project objectives;
    2. +
    3. an information security risk assessment is conducted at an early stage of the project to identify necessary controls;
    4. +
    5. information security is part of all phases of the applied project methodology.
    6. +
    +

    Information security implications should be addressed and reviewed regularly in all projects. Responsibilities for information security should be defined and allocated to specified roles defined in the project management methods.

    +
    +
    +
    + + Mobile devices and teleworking + 6.2 + +

    Objective: To ensure the security of teleworking and use of mobile devices.

    +
    + + Mobile device policy + 6.2.1 + +

    A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices.

    +
    + +

    When using mobile devices, special care should be taken to ensure that business information is not compromised. The mobile device policy should take into account the risks of working with mobile devices in unprotected environments.

    +

    The mobile device policy should consider:

    +
      +
    1. registration of mobile devices;
    2. +
    3. requirements for physical protection;
    4. +
    5. restriction of software installation;
    6. +
    7. requirements for mobile device software versions and for applying patches;
    8. +
    9. restriction of connection to information services;
    10. +
    11. access controls;
    12. +
    13. cryptographic techniques;
    14. +
    15. malware protection;
    16. +
    17. remote disabling, erasure or lockout;
    18. +
    19. backups;
    20. +
    21. usage of web services and web apps.
    22. +
    +

    Care should be taken when using mobile devices in public places, meeting rooms and other unprotected areas. Protection should be in place to avoid the unauthorized access to or disclosure of the information stored and processed by these devices, e.g. using cryptographic techniques (see Clause 10) and enforcing use of secret authentication information (see 9.2.4).

    +

    Mobile devices should also be physically protected against theft especially when left, for example, in cars and other forms of transport, hotel rooms, conference centres and meeting places. A specific procedure taking into account legal, insurance and other security requirements of the organization should be established for cases of theft or loss of mobile devices. Devices carrying important, sensitive or critical business information should not be left unattended and, where possible, should be physically locked away, or special locks should be used to secure the devices.

    +

    Training should be arranged for personnel using mobile devices to raise their awareness of the additional risks resulting from this way of working and the controls that should be implemented.

    +

    Where the mobile device policy allows the use of privately owned mobile devices, the policy and related security measures should also consider:

    +
      +
    1. separation of private and business use of the devices, including using software to support such separation and protect business data on a private device;
    2. +
    3. providing access to business information only after users have signed an end user agreement acknowledging their duties (physical protection, software updating, etc.), waiving ownership of business data, allowing remote wiping of data by the organization in case of theft or loss of the device or when no longer authorized to use the service. This policy needs to take account of privacy legislation.
    4. +
    +
    + +

    Mobile device wireless connections are similar to other types of network connection, but have important differences that should be considered when identifying controls. Typical differences are:

    +
      +
    1. some wireless security protocols are immature and have known weaknesses;
    2. +
    3. information stored on mobile devices may not be backed-up because of limited network bandwidth or because mobile devices may not be connected at the times when backups are scheduled.
    4. +
    +

    Mobile devices generally share common functions, e.g. networking, internet access, e-mail and file handling, with fixed use devices. Information security controls for the mobile devices generally consist of those adopted in the fixed use devices and those to address threats raised by their usage outside the organization’s premises.

    +
    +
    + + Teleworking + 6.2.2 + +

    A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites.

    +
    + +

    Organizations allowing teleworking activities should issue a policy that defines the conditions and restrictions for using teleworking. Where deemed applicable and allowed by law, the following matters should be considered:

    +
      +
    1. the existing physical security of the teleworking site, taking into account the physical security of the building and the local environment;
    2. +
    3. the proposed physical teleworking environment;
    4. +
    5. the communications security requirements, taking into account the need for remote access to the organization’s internal systems, the sensitivity of the information that will be accessed and passed over the communication link and the sensitivity of the internal system;
    6. +
    7. the provision of virtual desktop access that prevents processing and storage of information on privately owned equipment;
    8. +
    9. the threat of unauthorized access to information or resources from other persons using the accommodation, e.g. family and friends;
    10. +
    11. the use of home networks and requirements or restrictions on the configuration of wireless network services;
    12. +
    13. policies and procedures to prevent disputes concerning rights to intellectual property developed on privately owned equipment;
    14. +
    15. access to privately owned equipment (to verify the security of the machine or during an investigation), which may be prevented by legislation;
    16. +
    17. software licensing agreements that are such that organizations may become liable for licensing for client software on workstations owned privately by employees or external party users;
    18. +
    19. malware protection and firewall requirements.
    20. +
    +

    The guidelines and arrangements to be considered should include:

    +
      +
    1. the provision of suitable equipment and storage furniture for the teleworking activities, where the use of privately owned equipment that is not under the control of the organization is not allowed;
    2. +
    3. a definition of the work permitted, the hours of work, the classification of information that may be held and the internal systems and services that the teleworker is authorized to access;
    4. +
    5. the provision of suitable communication equipment, including methods for securing remote access;
    6. +
    7. physical security;
    8. +
    9. rules and guidance on family and visitor access to equipment and information;
    10. +
    11. the provision of hardware and software support and maintenance;
    12. +
    13. the provision of insurance;
    14. +
    15. the procedures for backup and business continuity;
    16. +
    17. audit and security monitoring;
    18. +
    19. revocation of authority and access rights, and the return of equipment when the teleworking activities are terminated.
    20. +
    +
    + +

    Teleworking refers to all forms of work outside of the office, including non-traditional work environments, such as those referred to as “telecommuting”, “flexible workplace”, “remote work” and “virtual work” environments.

    +
    +
    +
    +
    + + Human resource security + 7 + + Prior to employment + 7.1 + +

    Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

    +
    + + Screening + 7.1.1 + +

    Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

    +
    + +

    Verification should take into account all relevant privacy, protection of personally identifiable information and employment based legislation, and should, where permitted, include the following:

    +
      +
    1. availability of satisfactory character references, e.g. one business and one personal;
    2. +
    3. a verification (for completeness and accuracy) of the applicant’s curriculum vitae;
    4. +
    5. confirmation of claimed academic and professional qualifications;
    6. +
    7. independent identity verification (passport or similar document);
    8. +
    9. more detailed verification, such as credit review or review of criminal records.
    10. +
    +

    When an individual is hired for a specific information security role, organizations should make sure the candidate:

    +
      +
    1. has the necessary competence to perform the security role;
    2. +
    3. can be trusted to take on the role, especially if the role is critical for the organization.
    4. +
    +

    Where a job, either on initial appointment or on promotion, involves the person having access to information processing facilities, and, in particular, if these are handling confidential information, e.g. financial information or highly confidential information, the organization should also consider further, more detailed verifications.

    +

    Procedures should define criteria and limitations for verification reviews, e.g. who is eligible to screen people and how, when and why verification reviews are carried out.

    +

    A screening process should also be ensured for contractors. In these cases, the agreement between the organization and the contractor should specify responsibilities for conducting the screening and the notification procedures that need to be followed if screening has not been completed or if the results give cause for doubt or concern.

    +

    Information on all candidates being considered for positions within the organization should be collected and handled in accordance with any appropriate legislation existing in the relevant jurisdiction. Depending on applicable legislation, the candidates should be informed beforehand about the screening activities.

    +
    +
    + + Terms and conditions of employment + 7.1.2 + +

    The contractual agreements with employees and contractors should state their and the organization’s responsibilities for information security.

    +
    + +

    The contractual obligations for employees or contractors should reflect the organization’s policies for information security in addition to clarifying and stating:

    +
      +
    1. that all employees and contractors who are given access to confidential information should sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities (see 13.2.4);
    2. +
    3. the employee’s or contractor’s legal responsibilities and rights, e.g. regarding copyright laws or data protection legislation (see 18.1.2 and 18.1.4);
    4. +
    5. responsibilities for the classification of information and management of organizational assets associated with information, information processing facilities and information services handled by the employee or contractor (see Clause 8);
    6. +
    7. responsibilities of the employee or contractor for the handling of information received from other companies or external parties;
    8. +
    9. actions to be taken if the employee or contractor disregards the organization’s security requirements (see 7.2.3).
    10. +
    +

    Information security roles and responsibilities should be communicated to job candidates during the pre-employment process.

    +

    The organization should ensure that employees and contractors agree to terms and conditions concerning information security appropriate to the nature and extent of access they will have to the organization’s assets associated with information systems and services.

    +

    Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment (see 7.3).

    +
    + +

    A code of conduct may be used to state the employee’s or contractor’s information security responsibilities regarding confidentiality, data protection, ethics, appropriate use of the organization’s equipment and facilities, as well as reputable practices expected by the organization. An external party, with which a contractor is associated, can be required to enter into contractual arrangements on behalf of the contracted individual.

    +
    +
    +
    + + During employment + 7.2 + +

    Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

    +
    + + Management responsibilities + 7.2.1 + +

    Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

    +
    + +

    Management responsibilities should include ensuring that employees and contractors:

    +
      +
    1. are properly briefed on their information security roles and responsibilities prior to being granted access to confidential information or information systems;
    2. +
    3. are provided with guidelines to state information security expectations of their role within the organization;
    4. +
    5. are motivated to fulfil the information security policies of the organization;
    6. +
    7. achieve a level of awareness on information security relevant to their roles and responsibilities within the organization (see 7.2.2);
    8. +
    9. conform to the terms and conditions of employment, which includes the organization’s information security policy and appropriate methods of working;
    10. +
    11. continue to have the appropriate skills and qualifications and are educated on a regular basis;
    12. +
    13. are provided with an anonymous reporting channel to report violations of information security policies or procedures (“whistle blowing”).
    14. +
    +

    Management should demonstrate support of information security policies, procedures and controls, and act as a role model.

    +
    + +

    If employees and contractors are not made aware of their information security responsibilities, they can cause considerable damage to an organization. Motivated personnel are likely to be more reliable and cause fewer information security incidents.

    +

    Poor management can cause personnel to feel undervalued resulting in a negative information security impact on the organization. For example, poor management can lead to information security being neglected or potential misuse of the organization’s assets.

    +
    +
    + + Information security awareness, education and training + 7.2.2 + +

    All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

    +
    + +

    An information security awareness programme should aim to make employees and, where relevant, contractors aware of their responsibilities for information security and the means by which those responsibilities are discharged.

    +

    An information security awareness programme should be established in line with the organization’s information security policies and relevant procedures, taking into consideration the organization’s information to be protected and the controls that have been implemented to protect the information. The awareness programme should include a number of awareness-raising activities such as campaigns (e.g. an “information security day”) and issuing booklets or newsletters.

    +

    The awareness programme should be planned taking into consideration the employees’ roles in the organization, and, where relevant, the organization’s expectation of the awareness of contractors. The activities in the awareness programme should be scheduled over time, preferably regularly, so that the activities are repeated and cover new employees and contractors. The awareness programme should also be updated regularly so it stays in line with organizational policies and procedures, and should be built on lessons learnt from information security incidents.

    +

    Awareness training should be performed as required by the organization’s information security awareness programme. Awareness training can use different delivery media including classroom-based, distance learning, web-based, self-paced and others.

    +

    Information security education and training should also cover general aspects such as:

    +
      +
    1. stating management’s commitment to information security throughout the organization;
    2. +
    3. the need to become familiar with and comply with applicable information security rules and obligations, as defined in policies, standards, laws, regulations, contracts and agreements;
    4. +
    5. personal accountability for one’s own actions and inactions, and general responsibilities towards securing or protecting information belonging to the organization and external parties;
    6. +
    7. basic information security procedures (such as information security incident reporting) and baseline controls (such as password security, malware controls and clear desks);
    8. +
    9. contact points and resources for additional information and advice on information security matters, including further information security education and training materials.
    10. +
    +

    Information security education and training should take place periodically. Initial education and training applies to those who transfer to new positions or roles with substantially different information security requirements, not just to new starters and should take place before the role becomes active.

    +

    The organization should develop the education and training programme in order to conduct the education and training effectively. The programme should be in line with the organization’s information security policies and relevant procedures, taking into consideration the organization’s information to be protected and the controls that have been implemented to protect the information. The programme should consider different forms of education and training, e.g. lectures or self-studies.

    +
    + +

    When composing an awareness programme, it is important not only to focus on the ‘what’ and ‘how’, but also the ‘why’. It is important that employees understand the aim of information security and the potential impact, positive and negative, on the organization of their own behaviour.

    +

    Awareness, education and training can be part of, or conducted in collaboration with, other training activities, for example general IT or general security training. Awareness, education and training activities should be suitable and relevant to the individual’s roles, responsibilities and skills.

    +

    An assessment of the employees’ understanding could be conducted at the end of an awareness, education and training course to test knowledge transfer.

    +
    +
    + + Disciplinary process + 7.2.3 + +

    There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

    +
    + +

    The disciplinary process should not be commenced without prior verification that an information security breach has occurred (see 16.1.7).

    +

    The formal disciplinary process should ensure correct and fair treatment for employees who are suspected of committing breaches of information security. The formal disciplinary process should provide for a graduated response that takes into consideration factors such as the nature and gravity of the breach and its impact on business, whether or not this is a first or repeat offence, whether or not the violator was properly trained, relevant legislation, business contracts and other factors as required.

    +

    The disciplinary process should also be used as a deterrent to prevent employees from violating the organization’s information security policies and procedures and any other information security breaches. Deliberate breaches may require immediate actions.

    +
    + +

    The disciplinary process can also become a motivation or an incentive if positive sanctions are defined for remarkable behaviour with regards to information security.

    +
    +
    +
    + + Termination and change of employment + 7.3 + +

    Objective: To protect the organization’s interests as part of the process of changing or terminating employment.

    +
    + + Termination or change of employment responsibilities + 7.3.1 + +

    Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced.

    +
    + +

    The communication of termination responsibilities should include on-going information security requirements and legal responsibilities and, where appropriate, responsibilities contained within any confidentiality agreement (see 13.2.4) and the terms and conditions of employment (see 7.1.2) continuing for a defined period after the end of the employee’s or contractor’s employment.

    +

    Responsibilities and duties still valid after termination of employment should be contained in the employee’s or contractor’s terms and conditions of employment (see 7.1.2).

    +

    Changes of responsibility or employment should be managed as the termination of the current responsibility or employment combined with the initiation of the new responsibility or employment.

    +
    + +

    The human resources function is generally responsible for the overall termination process and works together with the supervising manager of the person leaving to manage the information security aspects of the relevant procedures. In the case of a contractor provided through an external party, this termination process is undertaken by the external party in accordance with the contract between the organization and the external party.

    +

    It may be necessary to inform employees, customers or contractors of changes to personnel and operating arrangements.

    +
    +
    +
    +
    + + Asset management + 8 + + Responsibility for assets + 8.1 + +

    Objective: To identify organizational assets and define appropriate protection responsibilities.

    +
    + + Inventory of assets + 8.1.1 + +

    Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained.

    +
    + +

    An organization should identify assets relevant in the lifecycle of information and document their importance. The lifecycle of information should include creation, processing, storage, transmission, deletion and destruction. Documentation should be maintained in dedicated or existing inventories as appropriate.

    +

    The asset inventory should be accurate, up to date, consistent and aligned with other inventories.

    +

    For each of the identified assets, ownership of the asset should be assigned (see 8.1.2) and the classification should be identified (see 8.2).

    +
    + +

    Inventories of assets help to ensure that effective protection takes place, and may also be required for other purposes, such as health and safety, insurance or financial (asset management) reasons.

    +

    ISO/IEC 27005[11] provides examples of assets that might need to be considered by the organization when identifying assets. The process of compiling an inventory of assets is an important prerequisite of risk management (see also ISO/IEC 27000 and ISO/IEC 27005[11]).

    +
    +
    + + Ownership of assets + 8.1.2 + +

    Assets maintained in the inventory should be owned.

    +
    + +

    Individuals as well as other entities having approved management responsibility for the asset lifecycle qualify to be assigned as asset owners.

    +

    A process to ensure timely assignment of asset ownership is usually implemented. Ownership should be assigned when assets are created or when assets are transferred to the organization. The asset owner should be responsible for the proper management of an asset over the whole asset lifecycle.

    +

    The asset owner should:

    +
      +
    1. ensure that assets are inventoried;
    2. +
    3. ensure that assets are appropriately classified and protected;
    4. +
    5. define and periodically review access restrictions and classifications to important assets, taking into account applicable access control policies;
    6. +
    7. ensure proper handling when the asset is deleted or destroyed.
    8. +
    +
    + +

    The identified owner can be either an individual or an entity who has approved management responsibility for controlling the whole lifecycle of an asset. The identified owner does not necessarily have any property rights to the asset.

    +

    Routine tasks may be delegated, e.g. to a custodian looking after the assets on a daily basis, but the responsibility remains with the owner.

    +

    In complex information systems, it may be useful to designate groups of assets which act together to provide a particular service. In this case the owner of this service is accountable for the delivery of the service, including the operation of its assets.

    +
    +
    + + Acceptable use of assets + 8.1.3 + +

    Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented.

    +
    + +

    Employees and external party users using or having access to the organization’s assets should be made aware of the information security requirements of the organization’s assets associated with information and information processing facilities and resources. They should be responsible for their use of any information processing resources and of any such use carried out under their responsibility.

    +
    +
    + + Return of assets + 8.1.4 + +

    All employees and external party users should return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

    +
    + +

    The termination process should be formalized to include the return of all previously issued physical and electronic assets owned by or entrusted to the organization.

    +

    In cases where an employee or external party user purchases the organization’s equipment or uses their own personal equipment, procedures should be followed to ensure that all relevant information is transferred to the organization and securely erased from the equipment (see 11.2.7).

    +

    In cases where an employee or external party user has knowledge that is important to ongoing operations, that information should be documented and transferred to the organization.

    +

    During the notice period of termination, the organization should control unauthorized copying of relevant information (e.g. intellectual property) by terminated employees and contractors.

    +
    +
    +
    + + Information classification + 8.2 + +

    Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

    +
    + + Classification of information + 8.2.1 + +

    Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

    +
    + +

    Classifications and associated protective controls for information should take account of business needs for sharing or restricting information, as well as legal requirements. Assets other than information can also be classified in conformance with classification of information which is stored in, processed by or otherwise handled or protected by the asset.

    +

    Owners of information assets should be accountable for their classification.

    +

    The classification scheme should include conventions for classification and criteria for review of the classification over time. The level of protection in the scheme should be assessed by analysing confidentiality, integrity and availability and any other requirements for the information considered. The scheme should be aligned to the access control policy (see 9.1.1).

    +

    Each level should be given a name that makes sense in the context of the classification scheme’s application.

    +

    The scheme should be consistent across the whole organization so that everyone will classify information and related assets in the same way, have a common understanding of protection requirements and apply the appropriate protection.

    +

    Classification should be included in the organization’s processes, and be consistent and coherent across the organization. Results of classification should indicate value of assets depending on their sensitivity and criticality to the organization, e.g. in terms of confidentiality, integrity and availability. Results of classification should be updated in accordance with changes of their value, sensitivity and criticality through their life-cycle.

    +
    + +

    Classification provides people who deal with information with a concise indication of how to handle and protect it. Creating groups of information with similar protection needs and specifying information security procedures that apply to all the information in each group facilitates this. This approach reduces the need for case-by-case risk assessment and custom design of controls.

    +

    Information can cease to be sensitive or critical after a certain period of time, for example, when the information has been made public. These aspects should be taken into account, as over-classification can lead to the implementation of unnecessary controls resulting in additional expense or on the contrary under-classification can endanger the achievement of business objectives.

    +

    An example of an information confidentiality classification scheme could be based on four levels as follows:

    +
      +
    1. disclosure causes no harm;
    2. +
    3. disclosure causes minor embarrassment or minor operational inconvenience;
    4. +
    5. disclosure has a significant short term impact on operations or tactical objectives;
    6. +
    7. disclosure has a serious impact on long term strategic objectives or puts the survival of the organization at risk.
    8. +
    +
    +
    + + Labelling of information + 8.2.2 + +

    An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization.

    +

    “Implementation guidance”

    +

    Procedures for information labelling need to cover information and its related assets in physical and electronic formats. The labelling should reflect the classification scheme established in 8.2.1. The labels should be easily recognizable. The procedures should give guidance on where and how labels are attached in consideration of how the information is accessed or the assets are handled depending on the types of media. The procedures can define cases where labelling is omitted, e.g. labelling of non-confidential information to reduce workloads. Employees and contractors should be made aware of labelling procedures.

    +

    Output from systems containing information that is classified as being sensitive or critical should carry an appropriate classification label.

    +
    + +

    Labelling of classified information is a key requirement for information sharing arrangements. Physical labels and metadata are a common form of labelling.

    +

    Labelling of information and its related assets can sometimes have negative effects. Classified assets are easier to identify and accordingly to steal by insiders or external attackers.

    +
    +
    + + Handling of assets + 8.2.3 + +

    Procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organization.

    +
    + +

    Procedures should be drawn up for handling, processing, storing and communicating information consistent with its classification (see 8.2.1).

    +

    The following items should be considered:

    +
      +
    1. access restrictions supporting the protection requirements for each level of classification;
    2. +
    3. maintenance of a formal record of the authorized recipients of assets;
    4. +
    5. protection of temporary or permanent copies of information to a level consistent with the protection of the original information;
    6. +
    7. storage of IT assets in accordance with manufacturers’ specifications;
    8. +
    9. clear marking of all copies of media for the attention of the authorized recipient.
    10. +
    +

    The classification scheme used within the organization may not be equivalent to the schemes used by other organizations, even if the names for levels are similar; in addition, information moving between organizations can vary in classification depending on its context in each organization, even if their classification schemes are identical.

    +

    Agreements with other organizations that include information sharing should include procedures to identify the classification of that information and to interpret the classification labels from other organizations.

    +
    +
    +
    + + Media handling + 8.3 + +

    Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

    +
    + + Management of removable media + 8.3.1 + +

    Procedures should be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

    +
    + +

    The following guidelines for the management of removable media should be considered:

    +
      +
    1. if no longer required, the contents of any re-usable media that are to be removed from the organization should be made unrecoverable;
    2. +
    3. where necessary and practical, authorization should be required for media removed from the organization and a record of such removals should be kept in order to maintain an audit trail;
    4. +
    5. all media should be stored in a safe, secure environment, in accordance with manufacturers’ specifications;
    6. +
    7. if data confidentiality or integrity are important considerations, cryptographic techniques should be used to protect data on removable media;
    8. +
    9. to mitigate the risk of media degrading while stored data are still needed, the data should be transferred to fresh media before becoming unreadable;
    10. +
    11. multiple copies of valuable data should be stored on separate media to further reduce the risk of coincidental data damage or loss;
    12. +
    13. registration of removable media should be considered to limit the opportunity for data loss;
    14. +
    15. removable media drives should only be enabled if there is a business reason for doing so;
    16. +
    17. where there is a need to use removable media the transfer of information to such media should be monitored.
    18. +
    +

    Procedures and authorization levels should be documented.

    +
    +
    + + Disposal of media + 8.3.2 + +

    Media should be disposed of securely when no longer required, using formal procedures.

    +
    + +

    Formal procedures for the secure disposal of media should be established to minimize the risk of confidential information leakage to unauthorized persons. The procedures for secure disposal of media containing confidential information should be proportional to the sensitivity of that information. The following items should be considered:

    +
      +
    1. media containing confidential information should be stored and disposed of securely, e.g. by incineration or shredding, or erasure of data for use by another application within the organization;
    2. +
    3. procedures should be in place to identify the items that might require secure disposal;
    4. +
    5. it may be easier to arrange for all media items to be collected and disposed of securely, rather than attempting to separate out the sensitive items;
    6. +
    7. many organizations offer collection and disposal services for media; care should be taken in selecting a suitable external party with adequate controls and experience;
    8. +
    9. disposal of sensitive items should be logged in order to maintain an audit trail.
    10. +
    +

    When accumulating media for disposal, consideration should be given to the aggregation effect, which can cause a large quantity of non-sensitive information to become sensitive.

    +
    + +

    Damaged devices containing sensitive data may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded (see 11.2.7).

    +
    +
    + + Physical media transfer + 8.3.3 + +

    Media containing information should be protected against unauthorized access, misuse or corruption during transportation.

    +
    + +

    The following guidelines should be considered to protect media containing information being transported:

    +
      +
    1. reliable transport or couriers should be used;
    2. +
    3. a list of authorized couriers should be agreed with management;
    4. +
    5. procedures to verify the identification of couriers should be developed;
    6. +
    7. packaging should be sufficient to protect the contents from any physical damage likely to arise during transit and in accordance with any manufacturers’ specifications, for example protecting against any environmental factors that may reduce the media’s restoration effectiveness such as exposure to heat, moisture or electromagnetic fields;
    8. +
    9. logs should be kept, identifying the content of the media, the protection applied as well as recording the times of transfer to the transit custodians and receipt at the destination.
    10. +
    +
    + +

    Information can be vulnerable to unauthorized access, misuse or corruption during physical transport, for instance when sending media via the postal service or via courier. In this control, media include paper documents.

    +

    When confidential information on media is not encrypted, additional physical protection of the media should be considered.

    +
    +
    +
    +
    + + Access control + 9 + + Business requirements of access control + 9.1 + +

    Objective: To limit access to information and information processing facilities.

    +
    + + Access control policy + 9.1.1 + +

    An access control policy should be established, documented and reviewed based on business and information security requirements.

    +
    + +

    Asset owners should determine appropriate access control rules, access rights and restrictions for specific user roles towards their assets, with the amount of detail and the strictness of the controls reflecting the associated information security risks.

    +

    Access controls are both logical and physical (see Clause 11) and these should be considered together. Users and service providers should be given a clear statement of the business requirements to be met by access controls.

    +

    The policy should take account of the following:

    +
      +
    1. security requirements of business applications;
    2. +
    3. policies for information dissemination and authorization, e.g. the need-to-know principle and information security levels and classification of information (see 8.2);
    4. +
    5. consistency between the access rights and information classification policies of systems and networks;
    6. +
    7. relevant legislation and any contractual obligations regarding limitation of access to data or services (see 18.1);
    8. +
    9. management of access rights in a distributed and networked environment which recognizes all types of connections available;
    10. +
    11. segregation of access control roles, e.g. access request, access authorization, access administration;
    12. +
    13. requirements for formal authorization of access requests (see 9.2.1 and 9.2.2);
    14. +
    15. requirements for periodic review of access rights (see 9.2.5);
    16. +
    17. removal of access rights (see 9.2.6);
    18. +
    19. archiving of records of all significant events concerning the use and management of user identities and secret authentication information;
    20. +
    21. roles with privileged access (see 9.2.3).
    22. +
    +
    + +

    Care should be taken when specifying access control rules to consider:

    +
      +
    1. establishing rules based on the premise “Everything is generally forbidden unless expressly permitted” rather than the weaker rule “Everything is generally permitted unless expressly forbidden”;
    2. +
    3. changes in information labels (see 8.2.2) that are initiated automatically by information processing facilities and those initiated at the discretion of a user;
    4. +
    5. changes in user permissions that are initiated automatically by the information system and those initiated by an administrator;
    6. +
    7. rules which require specific approval before enactment and those which do not.
    8. +
    +

    Access control rules should be supported by formal procedures (see 9.2, 9.3, 9.4) and defined responsibilities (see 6.1.1, 9.3).

    +

    Role based access control is an approach used successfully by many organisations to link access rights with business roles.

    +

    Two of the frequent principles directing the access control policy are:

    +
      +
    1. Need-to-know: you are only granted access to the information you need to perform your tasks (different tasks/roles mean different need-to-know and hence different access profile);
    2. +
    3. Need-to-use: you are only granted access to the information processing facilities (IT equipment, applications, procedures, rooms) you need to perform your task/job/role.
    4. +
    +
    +
    + + Access to networks and network services + 9.1.2 + +

    Users should only be provided with access to the network and network services that they have been specifically authorized to use.

    +
    + +

    A policy should be formulated concerning the use of networks and network services. This policy should cover:

    +
      +
    1. the networks and network services which are allowed to be accessed;
    2. +
    3. authorization procedures for determining who is allowed to access which networks and networked services;
    4. +
    5. management controls and procedures to protect access to network connections and network services;
    6. +
    7. the means used to access networks and network services (e.g. use of VPN or wireless network);
    8. +
    9. user authentication requirements for accessing various network services;
    10. +
    11. monitoring of the use of network services.
    12. +
    +

    The policy on the use of network services should be consistent with the organization’s access control policy (see 9.1.1).

    +
    + +

    Unauthorized and insecure connections to network services can affect the whole organization. This control is particularly important for network connections to sensitive or critical business applications or to users in high-risk locations, e.g. public or external areas that are outside the organization’s information security management and control.

    +
    +
    +
    + + User access management + 9.2 + +

    Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

    +
    + + User registration and de-registration + 9.2.1 + +

    A formal user registration and de-registration process should be implemented to enable assignment of access rights.

    +
    + +

    The process for managing user IDs should include:

    +
      +
    1. using unique user IDs to enable users to be linked to and held responsible for their actions; the use of shared IDs should only be permitted where they are necessary for business or operational reasons and should be approved and documented;
    2. +
    3. immediately disabling or removing user IDs of users who have left the organization (see 9.2.6);
    4. +
    5. periodically identifying and removing or disabling redundant user IDs;
    6. +
    7. ensuring that redundant user IDs are not issued to other users.
    8. +
    +
    + +

    Providing or revoking access to information or information processing facilities is usually a two-step procedure:

    +
      +
    1. assigning and enabling, or revoking, a user ID;
    2. +
    3. providing, or revoking, access rights to such user ID (see 9.2.2).
    4. +
    +
    +
    + + User access provisioning + 9.2.2 + +

    A formal user access provisioning process should be implemented to assign or revoke access rights for all user types to all systems and services.

    +
    + +

    The provisioning process for assigning or revoking access rights granted to user IDs should include:

    +
      +
    1. obtaining authorization from the owner of the information system or service for the use of the information system or service (see control 8.1.2); separate approval for access rights from management may also be appropriate;
    2. +
    3. verifying that the level of access granted is appropriate to the access policies (see 9.1) and is consistent with other requirements such as segregation of duties (see 6.1.2);
    4. +
    5. ensuring that access rights are not activated (e.g. by service providers) before authorization procedures are completed;
    6. +
    7. maintaining a central record of access rights granted to a user ID to access information systems and services;
    8. +
    9. adapting access rights of users who have changed roles or jobs and immediately removing or blocking access rights of users who have left the organization;
    10. +
    11. periodically reviewing access rights with owners of the information systems or services (see 9.2.5).
    12. +
    +
    + +

    Consideration should be given to establishing user access roles based on business requirements that summarize a number of access rights into typical user access profiles. Access requests and reviews (see 9.2.4) are easier managed at the level of such roles than at the level of particular rights.

    +

    Consideration should be given to including clauses in personnel contracts and service contracts that specify sanctions if unauthorized access is attempted by personnel or contractors (see 7.1.2, 7.2.3, 13.2.4, 15.1.2).

    +
    +
    + + Management of privileged access rights + 9.2.3 + +

    The allocation and use of privileged access rights should be restricted and controlled.

    +
    + +

    The allocation of privileged access rights should be controlled through a formal authorization process in accordance with the relevant access control policy (see control 9.1.1). The following steps should be considered:

    +
      +
    1. the privileged access rights associated with each system or process, e.g. operating system, database management system and each application and the users to whom they need to be allocated should be identified;
    2. +
    3. privileged access rights should be allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy (see 9.1.1), i.e. based on the minimum requirement for their functional roles;
    4. +
    5. an authorization process and a record of all privileges allocated should be maintained. Privileged access rights should not be granted until the authorization process is complete;
    6. +
    7. requirements for expiry of privileged access rights should be defined;
    8. +
    9. privileged access rights should be assigned to a user ID different from those used for regular business activities. Regular business activities should not be performed from privileged ID;
    10. +
    11. the competences of users with privileged access rights should be reviewed regularly in order to verify if they are in line with their duties;
    12. +
    13. specific procedures should be established and maintained in order to avoid the unauthorized use of generic administration user IDs, according to systems’ configuration capabilities;
    14. +
    15. for generic administration user IDs, the confidentiality of secret authentication information should be maintained when shared (e.g. changing passwords frequently and as soon as possible when a privileged user leaves or changes job, communicating them among privileged users with appropriate mechanisms).
    16. +
    +
    + +

    Inappropriate use of system administration privileges (any feature or facility of an information system that enables the user to override system or application controls) is a major contributory factor to failures or breaches of systems.

    +
    +
    + + Management of secret authentication information of users + 9.2.4 + +

    The allocation of secret authentication information should be controlled through a formal management process.

    +
    + +

    The process should include the following requirements:

    +
      +
    1. users should be required to sign a statement to keep personal secret authentication information confidential and to keep group (i.e. shared) secret authentication information solely within the members of the group; this signed statement may be included in the terms and conditions of employment (see 7.1.2);
    2. +
    3. when users are required to maintain their own secret authentication information they should be provided initially with secure temporary secret authentication information`, which they are forced to change on first use;
    4. +
    5. procedures should be established to verify the identity of a user prior to providing new, replacement or temporary secret authentication information;
    6. +
    7. temporary secret authentication information should be given to users in a secure manner; the use of external parties or unprotected (clear text) electronic mail messages should be avoided;
    8. +
    9. temporary secret authentication information should be unique to an individual and should not be guessable;
    10. +
    11. users should acknowledge receipt of secret authentication information;
    12. +
    13. default vendor secret authentication information should be altered following installation of systems or software.
    14. +
    +
    + +

    Passwords are a commonly used type of secret authentication information and are a common means of verifying a user’s identity. Other types of secret authentication information are cryptographic keys and other data stored on hardware tokens (e.g. smart cards) that produce authentication codes.

    +
    +
    + + Review of user access rights + 9.2.5 + +

    Asset owners should review users’ access rights at regular intervals.

    +
    + +

    The review of access rights should consider the following:

    +
      +
    1. users’ access rights should be reviewed at regular intervals and after any changes, such as promotion, demotion or termination of employment (see Clause 7);
    2. +
    3. user access rights should be reviewed and re-allocated when moving from one role to another within the same organization;
    4. +
    5. authorizations for privileged access rights should be reviewed at more frequent intervals;
    6. +
    7. privilege allocations should be checked at regular intervals to ensure that unauthorized privileges have not been obtained;
    8. +
    9. changes to privileged accounts should be logged for periodic review.
    10. +
    +
    + +

    This control compensates for possible weaknesses in the execution of controls 9.2.1, 9.2.2 and 9.2.6.

    +
    +
    + + Removal or adjustment of access rights + 9.2.6 + +

    The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.

    +
    + +

    Upon termination, the access rights of an individual to information and assets associated with information processing facilities and services should be removed or suspended. This will determine whether it is necessary to remove access rights. Changes of employment should be reflected in removal of all access rights that were not approved for the new employment. The access rights that should be removed or adjusted include those of physical and logical access. Removal or adjustment can be done by removal, revocation or replacement of keys, identification cards, information processing facilities or subscriptions. Any documentation that identifies access rights of employees and contractors should reflect the removal or adjustment of access rights. If a departing employee or external party user has known passwords for user IDs remaining active, these should be changed upon termination or change of employment, contract or agreement.

    +

    Access rights for information and assets associated with information processing facilities should be reduced or removed before the employment terminates or changes, depending on the evaluation of risk factors such as:

    +
      +
    1. whether the termination or change is initiated by the employee, the external party user or by management, and the reason for termination;
    2. +
    3. the current responsibilities of the employee, external party user or any other user;
    4. +
    5. the value of the assets currently accessible.
    6. +
    +
    + +

    In certain circumstances access rights may be allocated on the basis of being available to more people than the departing employee or external party user, e.g. group IDs. In such circumstances, departing individuals should be removed from any group access lists and arrangements should be made to advise all other employees and external party users involved to no longer share this information with the person departing.

    +

    In cases of management-initiated termination, disgruntled employees or external party users can deliberately corrupt information or sabotage information processing facilities. In cases of persons resigning or being dismissed, they may be tempted to collect information for future use.

    +
    +
    +
    + + User responsibilities + 9.3 + +

    Objective: To make users accountable for safeguarding their authentication information.

    +
    + + Use of secret authentication information + 9.3.1 + +

    Users should be required to follow the organization’s practices in the use of secret authentication information.

    +
    + +

    All users should be advised to:

    +
      +
    1. keep secret authentication information confidential, ensuring that it is not divulged to any other parties, including people of authority;
    2. +
    3. avoid keeping a record (e.g. on paper, software file or hand-held device) of secret authentication information, unless this can be stored securely and the method of storing has been approved (e.g. password vault);
    4. +
    5. change secret authentication information whenever there is any indication of its possible compromise;
    6. +
    7. when passwords are used as secret authentication information, select quality passwords with sufficient minimum length which are:
        +
      1. easy to remember;
      2. +
      3. not based on anything somebody else could easily guess or obtain using person related information, e.g. names, telephone numbers and dates of birth etc.;
      4. +
      5. not vulnerable to dictionary attacks (i.e. do not consist of words included in dictionaries);
      6. +
      7. free of consecutive identical, all-numeric or all-alphabetic characters;
      8. +
      9. if temporary, changed at the first log-on;
      10. +
      +
    8. +
    9. not share individual user’s secret authentication information;
    10. +
    11. ensure proper protection of passwords when passwords are used as secret authentication information in automated log-on procedures and are stored;
    12. +
    13. not use the same secret authentication information for business and non-business purposes.
    14. +
    +
    + +

    Provision of Single Sign On (SSO) or other secret authentication information management tools reduces the amount of secret authentication information that users are required to protect and thus can increase the effectiveness of this control. However, these tools can also increase the impact of disclosure of secret authentication information.

    +
    +
    +
    + + System and application access control + 9.4 + +

    Objective: To prevent unauthorized access to systems and applications.

    +
    + + Information access restriction + 9.4.1 + +

    Access to information and application system functions should be restricted in accordance with the access control policy.

    +
    + +

    Restrictions to access should be based on individual business application requirements and in accordance with the defined access control policy.

    +

    The following should be considered in order to support access restriction requirements:

    +
      +
    1. providing menus to control access to application system functions;
    2. +
    3. controlling which data can be accessed by a particular user;
    4. +
    5. controlling the access rights of users, e.g. read, write, delete and execute;
    6. +
    7. controlling the access rights of other applications;
    8. +
    9. limiting the information contained in outputs;
    10. +
    11. providing physical or logical access controls for the isolation of sensitive applications, application data, or systems.
    12. +
    +
    +
    + + Secure log-on procedures + 9.4.2 + +

    Where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure.

    +
    + +

    A suitable authentication technique should be chosen to substantiate the claimed identity of a user.

    +

    Where strong authentication and identity verification is required, authentication methods alternative to passwords, such as cryptographic means, smart cards, tokens or biometric means, should be used.

    +

    The procedure for logging into a system or application should be designed to minimize the opportunity for unauthorized access. The log-on procedure should therefore disclose the minimum of information about the system or application, in order to avoid providing an unauthorized user with any unnecessary assistance. A good log-on procedure should:

    +
      +
    1. not display system or application identifiers until the log-on process has been successfully completed;
    2. +
    3. display a general notice warning that the computer should only be accessed by authorized users;
    4. +
    5. not provide help messages during the log-on procedure that would aid an unauthorized user;
    6. +
    7. validate the log-on information only on completion of all input data. If an error condition arises, the system should not indicate which part of the data is correct or incorrect;
    8. +
    9. protect against brute force log-on attempts;
    10. +
    11. log unsuccessful and successful attempts;
    12. +
    13. raise a security event if a potential attempted or successful breach of log-on controls is detected;
    14. +
    15. display the following information on completion of a successful log-on:
        +
      1. date and time of the previous successful log-on;
      2. +
      3. details of any unsuccessful log-on attempts since the last successful log-on;
      4. +
      +
    16. +
    17. not display a password being entered;
    18. +
    19. not transmit passwords in clear text over a network;
    20. +
    21. terminate inactive sessions after a defined period of inactivity, especially in high risk locations such as public or external areas outside the organization’s security management or on mobile devices;
    22. +
    23. restrict connection times to provide additional security for high-risk applications and reduce the window of opportunity for unauthorized access.
    24. +
    +
    + +

    Passwords are a common way to provide identification and authentication based on a secret that only the user knows. The same can also be achieved with cryptographic means and authentication protocols. The strength of user authentication should be appropriate for the classification of the information to be accessed.

    +

    If passwords are transmitted in clear text during the log-on session over a network, they can be captured by a network ”sniffer” program.

    +
    +
    + + Password management system + 9.4.3 + +

    Password management systems should be interactive and should ensure quality passwords.

    +
    + +

    A password management system should:

    +
      +
    1. enforce the use of individual user IDs and passwords to maintain accountability;
    2. +
    3. allow users to select and change their own passwords and include a confirmation procedure to allow for input errors;
    4. +
    5. enforce a choice of quality passwords;
    6. +
    7. force users to change their passwords at the first log-on;
    8. +
    9. enforce regular password changes and as needed;
    10. +
    11. maintain a record of previously used passwords and prevent re-use;
    12. +
    13. not display passwords on the screen when being entered;
    14. +
    15. store password files separately from application system data;
    16. +
    17. store and transmit passwords in protected form.
    18. +
    +
    + +

    Some applications require user passwords to be assigned by an independent authority; in such cases, points b), d) and e) of the above guidance do not apply. In most cases the passwords are selected and maintained by users.

    +
    +
    + + Use of privileged utility programs + 9.4.4 + +

    The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled.

    +
    + +

    The following guidelines for the use of utility programs that might be capable of overriding system and application controls should be considered:

    +
      +
    1. use of identification, authentication and authorization procedures for utility programs;
    2. +
    3. segregation of utility programs from applications software;
    4. +
    5. limitation of the use of utility programs to the minimum practical number of trusted, authorized users (see 9.2.3);
    6. +
    7. authorization for ad hoc use of utility programs;
    8. +
    9. limitation of the availability of utility programs, e.g. for the duration of an authorized change;
    10. +
    11. logging of all use of utility programs;
    12. +
    13. defining and documenting of authorization levels for utility programs;
    14. +
    15. removal or disabling of all unnecessary utility programs;
    16. +
    17. not making utility programs available to users who have access to applications on systems where segregation of duties is required.
    18. +
    +
    + +

    Most computer installations have one or more utility programs that might be capable of overriding system and application controls.

    +
    +
    + + Access control to program source code + 9.4.5 + +

    Access to program source code should be restricted.

    +
    + +

    Access to program source code and associated items (such as designs, specifications, verification plans and validation plans) should be strictly controlled, in order to prevent the introduction of unauthorized functionality and to avoid unintentional changes as well as to maintain the confidentiality of valuable intellectual property. For program source code, this can be achieved by controlled central storage of such code, preferably in program source libraries. The following guidelines should then be considered to control access to such program source libraries in order to reduce the potential for corruption of computer programs:

    +
      +
    1. where possible, program source libraries should not be held in operational systems;
    2. +
    3. the program source code and the program source libraries should be managed according to established procedures;
    4. +
    5. support personnel should not have unrestricted access to program source libraries;
    6. +
    7. the updating of program source libraries and associated items and the issuing of program sources to programmers should only be performed after appropriate authorization has been received;
    8. +
    9. program listings should be held in a secure environment;
    10. +
    11. an audit log should be maintained of all accesses to program source libraries;
    12. +
    13. maintenance and copying of program source libraries should be subject to strict change control procedures (see 14.2.2).
    14. +
    +

    If the program source code is intended to be published, additional controls to help getting assurance on its integrity (e.g. digital signature) should be considered.

    +
    +
    +
    +
    + + Cryptography + 10 + + Cryptographic controls + 10.1 + +

    Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

    +
    + + Policy on the use of cryptographic controls + 10.1.1 + +

    A policy on the use of cryptographic controls for protection of information should be developed and implemented.

    +
    + +

    When developing a cryptographic policy the following should be considered:

    +
      +
    1. the management approach towards the use of cryptographic controls across the organization, including the general principles under which business information should be protected;
    2. +
    3. based on a risk assessment, the required level of protection should be identified taking into account the type, strength and quality of the encryption algorithm required;
    4. +
    5. the use of encryption for protection of information transported by mobile or removable media devices or across communication lines;
    6. +
    7. the approach to key management, including methods to deal with the protection of cryptographic keys and the recovery of encrypted information in the case of lost, compromised or damaged keys;
    8. +
    9. roles and responsibilities, e.g. who is responsible for:
        +
      1. the implementation of the policy;
      2. +
      3. the key management, including key generation (see 10.1.2);
      4. +
      +
    10. +
    11. the standards to be adopted for effective implementation throughout the organization (which solution is used for which business processes);
    12. +
    13. the impact of using encrypted information on controls that rely upon content inspection (e.g. malware detection).
    14. +
    +

    When implementing the organization’s cryptographic policy, consideration should be given to the regulations and national restrictions that might apply to the use of cryptographic techniques in different parts of the world and to the issues of trans-border flow of encrypted information (see 18.1.5).

    +

    Cryptographic controls can be used to achieve different information security objectives, e.g.:

    +
      +
    1. confidentiality: using encryption of information to protect sensitive or critical information, either stored or transmitted;
    2. +
    3. : using digital signatures or message authentication codes to verify the authenticity or integrity of stored or transmitted sensitive or critical information;
    4. +
    5. non-repudiation: using cryptographic techniques to provide evidence of the occurrence or non-occurrence of an event or action;
    6. +
    7. authentication: using cryptographic techniques to authenticate users and other system entities requesting access to or transacting with system users, entities and resources.
    8. +
    +
    + +

    Making a decision as to whether a cryptographic solution is appropriate should be seen as part of the wider process of risk assessment and selection of controls. This assessment can then be used to determine whether a cryptographic control is appropriate, what type of control should be applied and for what purpose and business processes.

    +

    A policy on the use of cryptographic controls is necessary to maximize the benefits and minimize the risks of using cryptographic techniques and to avoid inappropriate or incorrect use.

    +

    Specialist advice should be sought in selecting appropriate cryptographic controls to meet the information security policy objectives.

    +
    +
    + + Key management + 10.1.2 + +

    A policy on the use, protection and lifetime of cryptographic keys should be developed and implemented through their whole lifecycle.

    +
    + +

    The policy should include requirements for managing cryptographic keys though their whole lifecycle including generating, storing, archiving, retrieving, distributing, retiring and destroying keys.

    +

    Cryptographic algorithms, key lengths and usage practices should be selected according to best practice. Appropriate key management requires secure processes for generating, storing, archiving, retrieving, distributing, retiring and destroying cryptographic keys.

    +

    All cryptographic keys should be protected against modification and loss. In addition, secret and private keys need protection against unauthorized use as well as disclosure. Equipment used to generate, store and archive keys should be physically protected.

    +

    A key management system should be based on an agreed set of standards, procedures and secure methods for:

    +
      +
    1. generating keys for different cryptographic systems and different applications;
    2. +
    3. issuing and obtaining public key certificates;
    4. +
    5. distributing keys to intended entities, including how keys should be activated when received;
    6. +
    7. storing keys, including how authorized users obtain access to keys;
    8. +
    9. changing or updating keys including rules on when keys should be changed and how this will be done;
    10. +
    11. dealing with compromised keys;
    12. +
    13. revoking keys including how keys should be withdrawn or deactivated, e.g. when keys have been compromised or when a user leaves an organization (in which case keys should also be archived);
    14. +
    15. recovering keys that are lost or corrupted;
    16. +
    17. backing up or archiving keys;
    18. +
    19. destroying keys;
    20. +
    21. logging and auditing of key management related activities.
    22. +
    +

    In order to reduce the likelihood of improper use, activation and deactivation dates for keys should be defined so that the keys can only be used for the period of time defined in the associated key management policy.

    +

    In addition to securely managing secret and private keys, the authenticity of public keys should also be considered. This authentication process can be done using public key certificates, which are normally issued by a certification authority, which should be a recognized organization with suitable controls and procedures in place to provide the required degree of trust.

    +

    The contents of service level agreements or contracts with external suppliers of cryptographic services, e.g. with a certification authority, should cover issues of liability, reliability of services and response times for the provision of services (see 15.2).

    +
    + +

    The management of cryptographic keys is essential to the effective use of cryptographic techniques. ISO/IEC 11770[2][3][4] provides further information on key management.

    +

    Cryptographic techniques can also be used to protect cryptographic keys. Procedures may need to be considered for handling legal requests for access to cryptographic keys, e.g. encrypted information can be required to be made available in an unencrypted form as evidence in a court case.

    +
    +
    +
    +
    + + Physical and environmental security + 11 + + Secure areas + 11.1 + +

    Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.

    +
    + + Physical security perimeter + 11.1.1 + +

    Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

    +
    + +

    The following guidelines should be considered and implemented where appropriate for physical security perimeters:

    +
      +
    1. security perimeters should be defined, and the siting and strength of each of the perimeters should depend on the security requirements of the assets within the perimeter and the results of a risk assessment;
    2. +
    3. perimeters of a building or site containing information processing facilities should be physically sound (i.e. there should be no gaps in the perimeter or areas where a break-in could easily occur); the exterior roof, walls and flooring of the site should be of solid construction and all external doors should be suitably protected against unauthorized access with control mechanisms, (e.g. bars, alarms, locks); doors and windows should be locked when unattended and external protection should be considered for windows, particularly at ground level;
    4. +
    5. a manned reception area or other means to control physical access to the site or building should be in place; access to sites and buildings should be restricted to authorized personnel only;
    6. +
    7. physical barriers should, where applicable, be built to prevent unauthorized physical access and environmental contamination;
    8. +
    9. all fire doors on a security perimeter should be alarmed, monitored and tested in conjunction with the walls to establish the required level of resistance in accordance with suitable regional, national and international standards; they should operate in accordance with the local fire code in a failsafe manner;
    10. +
    11. suitable intruder detection systems should be installed to national, regional or international standards and regularly tested to cover all external doors and accessible windows; unoccupied areas should be alarmed at all times; cover should also be provided for other areas, e.g. computer room or communications rooms;
    12. +
    13. information processing facilities managed by the organization should be physically separated from those managed by external parties.
    14. +
    +
    + +

    Physical protection can be achieved by creating one or more physical barriers around the organization’s premises and information processing facilities. The use of multiple barriers gives additional protection, where the failure of a single barrier does not mean that security is immediately compromised.

    +

    A secure area may be a lockable office or several rooms surrounded by a continuous internal physical security barrier. Additional barriers and perimeters to control physical access may be needed between areas with different security requirements inside the security perimeter. Special attention to physical access security should be given in the case of buildings holding assets for multiple organizations.

    +

    The application of physical controls, especially for the secure areas, should be adapted to the technical and economic circumstances of the organization, as set forth in the risk assessment.

    +
    +
    + + Physical entry controls + 11.1.2 + +

    Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

    +
    + +

    The following guidelines should be considered:

    +
      +
    1. the date and time of entry and departure of visitors should be recorded, and all visitors should be supervised unless their access has been previously approved; they should only be granted access for specific, authorized purposes and should be issued with instructions on the security requirements of the area and on emergency procedures. The identity of visitors should be authenticated by an appropriate means;
    2. +
    3. access to areas where confidential information is processed or stored should be restricted to authorized individuals only by implementing appropriate access controls, e.g. by implementing a two-factor authentication mechanism such as an access card and secret PIN;
    4. +
    5. a physical log book or electronic audit trail of all access should be securely maintained and monitored;
    6. +
    7. all employees, contractors and external parties should be required to wear some form of visible identification and should immediately notify security personnel if they encounter unescorted visitors and anyone not wearing visible identification;
    8. +
    9. external party support service personnel should be granted restricted access to secure areas or confidential information processing facilities only when required; this access should be authorized and monitored;
    10. +
    11. access rights to secure areas should be regularly reviewed and updated, and revoked when necessary (see 9.2.5 and 9.2.6).
    12. +
    +
    +
    + + Securing offices, rooms and facilities + 11.1.3 + +

    Physical security for offices, rooms and facilities should be designed and applied.

    +
    + +

    The following guidelines should be considered to secure offices, rooms and facilities:

    +
      +
    1. key facilities should be sited to avoid access by the public;
    2. +
    3. where applicable, buildings should be unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities;
    4. +
    5. facilities should be configured to prevent confidential information or activities from being visible and audible from the outside. Electromagnetic shielding should also be considered as appropriate;
    6. +
    7. directories and internal telephone books identifying locations of confidential information processing facilities should not be readily accessible to anyone unauthorized.
    8. +
    +
    +
    + + Protecting against external and environmental threats + 11.1.4 + +

    Physical protection against natural disasters, malicious attack or accidents should be designed and applied.

    +
    + +

    Specialist advice should be obtained on how to avoid damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster.

    +
    +
    + + Working in secure areas + 11.1.5 + +

    Procedures for working in secure areas should be designed and applied.

    +
    + +

    The following guidelines should be considered:

    +
      +
    1. personnel should only be aware of the existence of, or activities within, a secure area on a need-to-know basis;
    2. +
    3. unsupervised working in secure areas should be avoided both for safety reasons and to prevent opportunities for malicious activities;
    4. +
    5. vacant secure areas should be physically locked and periodically reviewed;
    6. +
    7. photographic, video, audio or other recording equipment, such as cameras in mobile devices, should not be allowed, unless authorized.
    8. +
    +

    The arrangements for working in secure areas include controls for the employees and external party users working in the secure area and they cover all activities taking place in the secure area.

    +
    +
    + + Delivery and loading areas + 11.1.6 + +

    Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

    +
    + +

    The following guidelines should be considered:

    +
      +
    1. access to a delivery and loading area from outside of the building should be restricted to identified and authorized personnel;
    2. +
    3. the delivery and loading area should be designed so that supplies can be loaded and unloaded without delivery personnel gaining access to other parts of the building;
    4. +
    5. the external doors of a delivery and loading area should be secured when the internal doors are opened;
    6. +
    7. incoming material should be inspected and examined for explosives, chemicals or other hazardous materials, before it is moved from a delivery and loading area;
    8. +
    9. incoming material should be registered in accordance with asset management procedures (see Clause 8) on entry to the site;
    10. +
    11. incoming and outgoing shipments should be physically segregated, where possible;
    12. +
    13. incoming material should be inspected for evidence of tampering en route. If such tampering is discovered it should be immediately reported to security personnel.
    14. +
    +
    +
    +
    + + Equipment + 11.2 + +

    Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.

    +
    + + Equipment siting and protection + 11.2.1 + +

    Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

    +
    + +

    The following guidelines should be considered to protect equipment:

    +
      +
    1. equipment should be sited to minimize unnecessary access into work areas;
    2. +
    3. information processing facilities handling sensitive data should be positioned carefully to reduce the risk of information being viewed by unauthorized persons during their use;
    4. +
    5. storage facilities should be secured to avoid unauthorized access;
    6. +
    7. items requiring special protection should be safeguarded to reduce the general level of protection required;
    8. +
    9. controls should be adopted to minimize the risk of potential physical and environmental threats, e.g. theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation and vandalism;
    10. +
    11. guidelines for eating, drinking and smoking in proximity to information processing facilities should be established;
    12. +
    13. environmental conditions, such as temperature and humidity, should be monitored for conditions which could adversely affect the operation of information processing facilities;
    14. +
    15. lightning protection should be applied to all buildings and lightning protection filters should be fitted to all incoming power and communications lines;
    16. +
    17. the use of special protection methods, such as keyboard membranes, should be considered for equipment in industrial environments;
    18. +
    19. equipment processing confidential information should be protected to minimize the risk of information leakage due to electromagnetic emanation.
    20. +
    +
    +
    + + Supporting utilities + 11.2.2 + +

    Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.

    +
    + +

    Supporting utilities (e.g. electricity, telecommunications, water supply, gas, sewage, ventilation and air conditioning) should:

    +
      +
    1. conform to equipment manufacturer’s specifications and local legal requirements;
    2. +
    3. be appraised regularly for their capacity to meet business growth and interactions with other supporting utilities;
    4. +
    5. be inspected and tested regularly to ensure their proper functioning;
    6. +
    7. if necessary, be alarmed to detect malfunctions;
    8. +
    9. if necessary, have multiple feeds with diverse physical routing.
    10. +
    +

    Emergency lighting and communications should be provided. Emergency switches and valves to cut off power, water, gas or other utilities should be located near emergency exits or equipment rooms.

    +
    + +

    Additional redundancy for network connectivity can be obtained by means of multiple routes from more than one utility provider.

    +
    +
    + + Cabling security + 11.2.3 + +

    Power and telecommunications cabling carrying data or supporting information services should be protected from interception, interference or damage.

    +
    + +

    The following guidelines for cabling security should be considered:

    +
      +
    1. power and telecommunications lines into information processing facilities should be underground, where possible, or subject to adequate alternative protection;
    2. +
    3. power cables should be segregated from communications cables to prevent interference;
    4. +
    5. for sensitive or critical systems further controls to consider include:
        +
      1. installation of armoured conduit and locked rooms or boxes at inspection and termination points;
      2. +
      3. use of electromagnetic shielding to protect the cables;
      4. +
      5. initiation of technical sweeps and physical inspections for unauthorized devices being attached to the cables;
      6. +
      7. controlled access to patch panels and cable rooms.
      8. +
      +
    6. +
    +
    +
    + + Equipment maintenance + 11.2.4 + +

    Equipment should be correctly maintained to ensure its continued availability and integrity.

    +
    + +

    The following guidelines for equipment maintenance should be considered:

    +
      +
    1. equipment should be maintained in accordance with the supplier’s recommended service intervals and specifications;
    2. +
    3. only authorized maintenance personnel should carry out repairs and service equipment;
    4. +
    5. records should be kept of all suspected or actual faults, and of all preventive and corrective maintenance;
    6. +
    7. appropriate controls should be implemented when equipment is scheduled for maintenance, taking into account whether this maintenance is performed by personnel on site or external to the organization; where necessary, confidential information should be cleared from the equipment or the maintenance personnel should be sufficiently cleared;
    8. +
    9. all maintenance requirements imposed by insurance policies should be complied with;
    10. +
    11. before putting equipment back into operation after its maintenance, it should be inspected to ensure that the equipment has not been tampered with and does not malfunction.
    12. +
    +
    +
    + + Removal of assets + 11.2.5 + +

    Equipment, information or software should not be taken off-site without prior authorization.

    +
    + +

    The following guidelines should be considered:

    +
      +
    1. employees and external party users who have authority to permit off-site removal of assets should be identified;
    2. +
    3. time limits for asset removal should be set and returns verified for compliance;
    4. +
    5. where necessary and appropriate, assets should be recorded as being removed off-site and recorded when returned;
    6. +
    7. the identity, role and affiliation of anyone who handles or uses assets should be documented and this documentation returned with the equipment, information or software.
    8. +
    +
    + +

    Spot checks, undertaken to detect unauthorized removal of assets, can also be performed to detect unauthorized recording devices, weapons, etc., and to prevent their entry into and exit from, the site. Such spot checks should be carried out in accordance with relevant legislation and regulations. Individuals should be made aware that spot checks are carried out, and the verifications should only be performed with authorization appropriate for the legal and regulatory requirements.

    +
    +
    + + Security of equipment and assets off-premises + 11.2.6 + +

    Security should be applied to off-site assets taking into account the different risks of working outside the organization’s premises.

    +
    + +

    The use of any information storing and processing equipment outside the organization’s premises should be authorized by management. This applies to equipment owned by the organization and that equipment owned privately and used on behalf of the organization.

    +

    The following guidelines should be considered for the protection of off-site equipment:

    +
      +
    1. equipment and media taken off premises should not be left unattended in public places;
    2. +
    3. manufacturers’ instructions for protecting equipment should be observed at all times, e.g. protection against exposure to strong electromagnetic fields;
    4. +
    5. controls for off-premises locations, such as home-working, teleworking and temporary sites should be determined by a risk assessment and suitable controls applied as appropriate, e.g. lockable filing cabinets, clear desk policy, access controls for computers and secure communication with the office (see also ISO/IEC 27033[15][16][17][18][19]);
    6. +
    7. when off-premises equipment is transferred among different individuals or external parties, a log should be maintained that defines the chain of custody for the equipment including at least names and organizations of those who are responsible for the equipment.
    8. +
    +

    Risks, e.g. of damage, theft or eavesdropping, may vary considerably between locations and should be taken into account in determining the most appropriate controls.

    +
    + +

    Information storing and processing equipment includes all forms of personal computers, organizers, mobile phones, smart cards, paper or other form, which is held for home working or being transported away from the normal work location.

    +

    More information about other aspects of protecting mobile equipment can be found in 6.2.

    +

    It may be appropriate to avoid the risk by discouraging certain employees from working off-site or by restricting their use of portable IT equipment;

    +
    +
    + + Secure disposal or re-use of equipment + 11.2.7 + +

    All items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

    +
    + +

    Equipment should be verified to ensure whether or not storage media is contained prior to disposal or re-use.

    +

    Storage media containing confidential or copyrighted information should be physically destroyed or the information should be destroyed, deleted or overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format function.

    +
    + +

    Damaged equipment containing storage media may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded. Information can be compromised through careless disposal or re-use of equipment.

    +

    In addition to secure disk erasure, whole-disk encryption reduces the risk of disclosure of confidential information when equipment is disposed of or redeployed, provided that:

    +
      +
    1. the encryption process is sufficiently strong and covers the entire disk (including slack space, swap files, etc.);
    2. +
    3. the encryption keys are long enough to resist brute force attacks;
    4. +
    5. the encryption keys are themselves kept confidential (e.g. never stored on the same disk).
    6. +
    +

    For further advice on encryption, see Clause 10.

    +

    Techniques for securely overwriting storage media differ according to the storage media technology. Overwriting tools should be reviewed to make sure that they are applicable to the technology of the storage media.

    +
    +
    + + Unattended user equipment + 11.2.8 + +

    Users should ensure that unattended equipment has appropriate protection.

    +
    + +

    All users should be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection. Users should be advised to:

    +
      +
    1. terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism, e.g. a password protected screen saver;
    2. +
    3. log-off from applications or network services when no longer needed;
    4. +
    5. secure computers or mobile devices from unauthorized use by a key lock or an equivalent control, e.g. password access, when not in use.
    6. +
    +
    +
    + + Clear desk and clear screen policy + 11.2.9 + +

    A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted.

    +
    + +

    The clear desk and clear screen policy should take into account the information classifications (see 8.2), legal and contractual requirements (see 18.1) and the corresponding risks and cultural aspects of the organization. The following guidelines should be considered:

    +
      +
    1. sensitive or critical business information, e.g. on paper or on electronic storage media, should be locked away (ideally in a safe or cabinet or other forms of security furniture) when not required, especially when the office is vacated.
    2. +
    3. computers and terminals should be left logged off or protected with a screen and keyboard locking mechanism controlled by a password, token or similar user authentication mechanism when unattended and should be protected by key locks, passwords or other controls when not in use;
    4. +
    5. unauthorised use of photocopiers and other reproduction technology (e.g. scanners, digital cameras) should be prevented;
    6. +
    7. media containing sensitive or classified information should be removed from printers immediately.
    8. +
    +
    + +

    A clear desk/clear screen policy reduces the risks of unauthorized access, loss of and damage to information during and outside normal working hours. Safes or other forms of secure storage facilities might also protect information stored therein against disasters such as a fire, earthquake, flood or explosion.

    +

    Consider the use of printers with PIN code function, so the originators are the only ones who can get their print-outs and only when standing next to the printer.

    +
    +
    +
    +
    + + Operations security + 12 + + Operational procedures and responsibilities + 12.1 + +

    Objective: To ensure correct and secure operations of information processing facilities.

    +
    + + Documented operating procedures + 12.1.1 + +

    Operating procedures should be documented and made available to all users who need them.

    +
    + +

    Documented procedures should be prepared for operational activities associated with information processing and communication facilities, such as computer start-up and close-down procedures, backup, equipment maintenance, media handling, computer room and mail handling management and safety.

    +

    The operating procedures should specify the operational instructions, including:

    +
      +
    1. the installation and configuration of systems;
    2. +
    3. processing and handling of information both automated and manual;
    4. +
    5. backup (see 12.3);
    6. +
    7. scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times;
    8. +
    9. instructions for handling errors or other exceptional conditions, which might arise during job execution, including restrictions on the use of system utilities (see 9.4.4);
    10. +
    11. support and escalation contacts including external support contacts in the event of unexpected operational or technical difficulties;
    12. +
    13. special output and media handling instructions, such as the use of special stationery or the management of confidential output including procedures for secure disposal of output from failed jobs (see 8.3 and 11.2.7);
    14. +
    15. system restart and recovery procedures for use in the event of system failure;
    16. +
    17. the management of audit-trail and system log information (see 12.4);
    18. +
    19. monitoring procedures.
    20. +
    +

    Operating procedures and the documented procedures for system activities should be treated as formal documents and changes authorized by management. Where technically feasible, information systems should be managed consistently, using the same procedures, tools and utilities.

    +
    +
    + + Change management + 12.1.2 + +

    Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled.

    +
    + +

    In particular, the following items should be considered:

    +
      +
    1. identification and recording of significant changes;
    2. +
    3. planning and testing of changes;
    4. +
    5. assessment of the potential impacts, including information security impacts, of such changes;
    6. +
    7. formal approval procedure for proposed changes;
    8. +
    9. verification that information security requirements have been met;
    10. +
    11. communication of change details to all relevant persons;
    12. +
    13. fall-back procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events;
    14. +
    15. provision of an emergency change process to enable quick and controlled implementation of changes needed to resolve an incident (see 16.1).
    16. +
    +

    Formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes. When changes are made, an audit log containing all relevant information should be retained.

    +
    + +

    Inadequate control of changes to information processing facilities and systems is a common cause of system or security failures. Changes to the operational environment, especially when transferring a system from development to operational stage, can impact on the reliability of applications (see 14.2.2).

    +
    +
    + + Capacity management + 12.1.3 + +

    The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

    +
    + +

    Capacity requirements should be identified, taking into account the business criticality of the concerned system. System tuning and monitoring should be applied to ensure and, where necessary, improve the availability and efficiency of systems. Detective controls should be put in place to indicate problems in due time. Projections of future capacity requirements should take account of new business and system requirements and current and projected trends in the organization’s information processing capabilities.

    +

    Particular attention needs to be paid to any resources with long procurement lead times or high costs; therefore managers should monitor the utilization of key system resources. They should identify trends in usage, particularly in relation to business applications or information systems management tools.

    +

    Managers should use this information to identify and avoid potential bottlenecks and dependence on key personnel that might present a threat to system security or services, and plan appropriate action.

    +

    Providing sufficient capacity can be achieved by increasing capacity or by reducing demand. Examples of managing capacity demand include:

    +
      +
    1. deletion of obsolete data (disk space);
    2. +
    3. decommissioning of applications, systems, databases or environments;
    4. +
    5. optimising batch processes and schedules;
    6. +
    7. optimising application logic or database queries;
    8. +
    9. denying or restricting bandwidth for resource-hungry services if these are not business critical (e.g. video streaming).
    10. +
    +

    A documented capacity management plan should be considered for mission critical systems.

    +
    + +

    This control also addresses the capacity of the human resources, as well as offices and facilities.

    +
    +
    + + Separation of development, testing and operational environments + 12.1.4 + +

    Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment.

    +
    + +

    The level of separation between operational, testing, and development environments that is necessary to prevent operational problems should be identified and implemented.

    +

    The following items should be considered:

    +
      +
    1. rules for the transfer of software from development to operational status should be defined and documented;
    2. +
    3. development and operational software should run on different systems or computer processors and in different domains or directories;
    4. +
    5. changes to operational systems and applications should be tested in a testing or staging environment prior to being applied to operational systems;
    6. +
    7. other than in exceptional circumstances, testing should not be done on operational systems;
    8. +
    9. compilers, editors and other development tools or system utilities should not be accessible from operational systems when not required;
    10. +
    11. users should use different user profiles for operational and testing systems, and menus should display appropriate identification messages to reduce the risk of error;
    12. +
    13. sensitive data should not be copied into the testing system environment unless equivalent controls are provided for the testing system (see 14.3).
    14. +
    +
    + +

    Development and testing activities can cause serious problems, e.g. unwanted modification of files or system environment or system failure. There is a need to maintain a known and stable environment in which to perform meaningful testing and to prevent inappropriate developer access to the operational environment.

    +

    Where development and testing personnel have access to the operational system and its information, they may be able to introduce unauthorized and untested code or alter operational data. On some systems this capability could be misused to commit fraud or introduce untested or malicious code, which can cause serious operational problems.

    +

    Development and testing personnel also pose a threat to the confidentiality of operational information. Development and testing activities may cause unintended changes to software or information if they share the same computing environment. Separating development, testing and operational environments is therefore desirable to reduce the risk of accidental change or unauthorized access to operational software and business data (see 14.3 for the protection of test data).

    +
    +
    +
    + + Protection from malware + 12.2 + +

    Objective: To ensure that information and information processing facilities are protected against malware.

    +
    + + Controls against malware + 12.2.1 + +

    Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness.

    +
    + +

    Protection against malware should be based on malware detection and repair software, information security awareness and appropriate system access and change management controls. The following guidance should be considered:

    +
      +
    1. establishing a formal policy prohibiting the use of unauthorized software (see 12.6.2 and 14.2.);
    2. +
    3. implementing controls that prevent or detect the use of unauthorized software (e.g. application whitelisting);
    4. +
    5. implementing controls that prevent or detect the use of known or suspected malicious websites (e.g. blacklisting);
    6. +
    7. establishing a formal policy to protect against risks associated with obtaining files and software either from or via external networks or on any other medium, indicating what protective measures should be taken;
    8. +
    9. reducing vulnerabilities that could be exploited by malware, e.g. through technical vulnerability management (see 12.6);
    10. +
    11. conducting regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated;
    12. +
    13. installation and regular update of malware detection and repair software to scan computers and media as a precautionary control, or on a routine basis; the scan carried out should include:
        +
      1. scan any files received over networks or via any form of storage medium, for malware before use;
      2. +
      3. scan electronic mail attachments and downloads for malware before use; this scan should be carried out at different places, e.g. at electronic mail servers, desk top computers and when entering the network of the organization;
      4. +
      5. scan web pages for malware;
      6. +
      +
    14. +
    15. defining procedures and responsibilities to deal with malware protection on systems, training in their use, reporting and recovering from malware attacks;
    16. +
    17. preparing appropriate business continuity plans for recovering from malware attacks, including all necessary data and software backup and recovery arrangements (see 12.3);
    18. +
    19. implementing procedures to regularly collect information, such as subscribing to mailing lists or verifying websites giving information about new malware;
    20. +
    21. implementing procedures to verify information relating to malware, and ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable Internet sites or suppliers producing software protecting against malware, are used to differentiate between hoaxes and real malware; all users should be made aware of the problem of hoaxes and what to do on receipt of them;
    22. +
    23. isolating environments where catastrophic impacts may result.
    24. +
    +
    + +

    The use of two or more software products protecting against malware across the information processing environment from different vendors and technology can improve the effectiveness of malware protection.

    +

    Care should be taken to protect against the introduction of malware during maintenance and emergency procedures, which may bypass normal malware protection controls.

    +

    Under certain conditions, malware protection might cause disturbance within operations.

    +

    Use of malware detection and repair software alone as a malware control is not usually adequate and commonly needs to be accompanied by operating procedures that prevent introduction of malware.

    +
    +
    +
    + + Backup + 12.3 + +

    Objective: To protect against loss of data.

    +
    + + Information backup + 12.3.1 + +

    Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy.

    +
    + +

    A backup policy should be established to define the organization’s requirements for backup of information, software and systems.

    +

    The backup policy should define the retention and protection requirements.

    +

    Adequate backup facilities should be provided to ensure that all essential information and software can be recovered following a disaster or media failure.

    +

    When designing a backup plan, the following items should be taken into consideration:

    +
      +
    1. accurate and complete records of the backup copies and documented restoration procedures should be produced;
    2. +
    3. the extent (e.g. full or differential backup) and frequency of backups should reflect the business requirements of the organization, the security requirements of the information involved and the criticality of the information to the continued operation of the organization;
    4. +
    5. the backups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site;
    6. +
    7. backup information should be given an appropriate level of physical and environmental protection (see Clause 11) consistent with the standards applied at the main site;
    8. +
    9. backup media should be regularly tested to ensure that they can be relied upon for emergency use when necessary; this should be combined with a test of the restoration procedures and checked against the restoration time required. Testing the ability to restore backed-up data should be performed onto dedicated test media, not by overwriting the original media in case the backup or restoration process fails and causes irreparable data damage or loss;
    10. +
    11. in situations where confidentiality is of importance, backups should be protected by means of encryption.
    12. +
    +

    Operational procedures should monitor the execution of backups and address failures of scheduled backups to ensure completeness of backups according to the backup policy.

    +

    Backup arrangements for individual systems and services should be regularly tested to ensure that they meet the requirements of business continuity plans. In the case of critical systems and services, backup arrangements should cover all systems information, applications and data necessary to recover the complete system in the event of a disaster.

    +

    The retention period for essential business information should be determined, taking into account any requirement for archive copies to be permanently retained.

    +
    +
    +
    + + Logging and monitoring + 12.4 + +

    Objective: To record events and generate evidence.

    +
    + + Event logging + 12.4.1 + +

    Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed.

    +
    + +

    Event logs should include, when relevant:

    +
      +
    1. user IDs;
    2. +
    3. system activities;
    4. +
    5. dates, times and details of key events, e.g. log-on and log-off;
    6. +
    7. device identity or location if possible and system identifier;
    8. +
    9. records of successful and rejected system access attempts;
    10. +
    11. records of successful and rejected data and other resource access attempts;
    12. +
    13. changes to system configuration;
    14. +
    15. use of privileges;
    16. +
    17. use of system utilities and applications;
    18. +
    19. files accessed and the kind of access;
    20. +
    21. network addresses and protocols;
    22. +
    23. alarms raised by the access control system;
    24. +
    25. activation and de-activation of protection systems, such as anti-virus systems and intrusion detection systems;
    26. +
    27. records of transactions executed by users in applications.
    28. +
    +

    Event logging sets the foundation for automated monitoring systems which are capable of generating consolidated reports and alerts on system security.

    +
    + +

    Event logs can contain sensitive data and personally identifiable information. Appropriate privacy protection measures should be taken (see 18.1.4).

    +

    Where possible, system administrators should not have permission to erase or de-activate logs of their own activities (see 12.4.3).

    +
    +
    + + Protection of log information + 12.4.2 + +

    Logging facilities and log information should be protected against tampering and unauthorized access.

    +
    + +

    Controls should aim to protect against unauthorized changes to log information and operational problems with the logging facility including:

    +
      +
    1. alterations to the message types that are recorded;
    2. +
    3. log files being edited or deleted;
    4. +
    5. storage capacity of the log file media being exceeded, resulting in either the failure to record events or over-writing of past recorded events.
    6. +
    +

    Some audit logs may be required to be archived as part of the record retention policy or because of requirements to collect and retain evidence (see 16.1.7).

    +
    + +

    System logs often contain a large volume of information, much of which is extraneous to information security monitoring. To help identify significant events for information security monitoring purposes, the copying of appropriate message types automatically to a second log, or the use of suitable system utilities or audit tools to perform file interrogation and rationalization should be considered.

    +

    System logs need to be protected, because if the data can be modified or data in them deleted, their existence may create a false sense of security. Real-time copying of logs to a system outside the control of a system administrator or operator can be used to safeguard logs.

    +
    +
    + + Administrator and operator logs + 12.4.3 + +

    System administrator and system operator activities should be logged and the logs protected and regularly reviewed.

    +
    + +

    Privileged user account holders may be able to manipulate the logs on information processing facilities under their direct control, therefore it is necessary to protect and review the logs to maintain accountability for the privileged users.

    +
    + +

    An intrusion detection system managed outside of the control of system and network administrators can be used to monitor system and network administration activities for compliance.

    +
    +
    + + Clock synchronisation + 12.4.4 + +

    The clocks of all relevant information processing systems within an organization or security domain should be synchronised to a single reference time source.

    +
    + +

    External and internal requirements for time representation, synchronisation and accuracy should be documented. Such requirements can be legal, regulatory, contractual requirements, standards compliance or requirements for internal monitoring. A standard reference time for use within the organization should be defined.

    +

    The organization’s approach to obtaining a reference time from external source(s) and how to synchronise internal clocks reliably should be documented and implemented.

    +
    + +

    The correct setting of computer clocks is important to ensure the accuracy of audit logs, which may be required for investigations or as evidence in legal or disciplinary cases. Inaccurate audit logs may hinder such investigations and damage the credibility of such evidence. A clock linked to a radio time broadcast from a national atomic clock can be used as the master clock for logging systems. A network time protocol can be used to keep all of the servers in synchronisation with the master clock.

    +
    +
    +
    + + Control of operational software + 12.5 + +

    Objective: To ensure the integrity of operational systems.

    +
    + + Installation of software on operational systems + 12.5.1 + +

    Procedures should be implemented to control the installation of software on operational systems.

    +
    + +

    The following guidelines should be considered to control changes of software on operational systems:

    +
      +
    1. the updating of the operational software, applications and program libraries should only be performed by trained administrators upon appropriate management authorization (see 9.4.5);
    2. +
    3. operational systems should only hold approved executable code and not development code or compilers;
    4. +
    5. applications and operating system software should only be implemented after extensive and successful testing; the tests should cover usability, security, effects on other systems and user-friendliness and should be carried out on separate systems (see 12.1.4); it should be ensured that all corresponding program source libraries have been updated;
    6. +
    7. a configuration control system should be used to keep control of all implemented software as well as the system documentation;
    8. +
    9. a rollback strategy should be in place before changes are implemented;
    10. +
    11. an audit log should be maintained of all updates to operational program libraries;
    12. +
    13. previous versions of application software should be retained as a contingency measure;
    14. +
    15. old versions of software should be archived, together with all required information and parameters, procedures, configuration details and supporting software for as long as the data are retained in archive.
    16. +
    +

    Vendor supplied software used in operational systems should be maintained at a level supported by the supplier. Over time, software vendors will cease to support older versions of software. The organization should consider the risks of relying on unsupported software.

    +

    Any decision to upgrade to a new release should take into account the business requirements for the change and the security of the release, e.g. the introduction of new information security functionality or the number and severity of information security problems affecting this version. Software patches should be applied when they can help to remove or reduce information security weaknesses (see 12.6).

    +

    Physical or logical access should only be given to suppliers for support purposes when necessary and with management approval. The supplier’s activities should be monitored (see 15.2.1).

    +

    Computer software may rely on externally supplied software and modules, which should be monitored and controlled to avoid unauthorized changes, which could introduce security weaknesses.

    +
    +
    +
    + + Technical vulnerability management + 12.6 + +

    Objective: To prevent exploitation of technical vulnerabilities.

    +
    + + Management of technical vulnerabilities + 12.6.1 + +

    Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

    +
    + +

    A current and complete inventory of assets (see Clause 8) is a prerequisite for effective technical vulnerability management. Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within the organization responsible for the software.

    +

    Appropriate and timely action should be taken in response to the identification of potential technical vulnerabilities. The following guidance should be followed to establish an effective management process for technical vulnerabilities:

    +
      +
    1. the organization should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking and any coordination responsibilities required;
    2. +
    3. information resources that will be used to identify relevant technical vulnerabilities and to maintain awareness about them should be identified for software and other technology (based on the asset inventory list, see 8.1.1); these information resources should be updated based on changes in the inventory or when other new or useful resources are found;
    4. +
    5. a timeline should be defined to react to notifications of potentially relevant technical vulnerabilities;
    6. +
    7. once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken; such action could involve patching of vulnerable systems or applying other controls;
    8. +
    9. depending on how urgently a technical vulnerability needs to be addressed, the action taken should be carried out according to the controls related to change management (see 12.1.2) or by following information security incident response procedures (see 16.1.5);
    10. +
    11. if a patch is available from a legitimate source, the risks associated with installing the patch should be assessed (the risks posed by the vulnerability should be compared with the risk of installing the patch);
    12. +
    13. patches should be tested and evaluated before they are installed to ensure they are effective and do not result in side effects that cannot be tolerated; if no patch is available, other controls should be considered, such as:
        +
      1. turning off services or capabilities related to the vulnerability;
      2. +
      3. adapting or adding access controls, e.g. firewalls, at network borders (see 13.1);
      4. +
      5. increased monitoring to detect actual attacks;
      6. +
      7. raising awareness of the vulnerability;
      8. +
      +
    14. +
    15. an audit log should be kept for all procedures undertaken;
    16. +
    17. the technical vulnerability management process should be regularly monitored and evaluated in order to ensure its effectiveness and efficiency;
    18. +
    19. systems at high risk should be addressed first;
    20. +
    21. an effective technical vulnerability management process should be aligned with incident management activities, to communicate data on vulnerabilities to the incident response function and provide technical procedures to be carried out should an incident occur;
    22. +
    23. define a procedure to address the situation where a vulnerability has been identified but there is no suitable countermeasure. In this situation, the organization should evaluate risks relating to the known vulnerability and define appropriate detective and corrective actions.
    24. +
    +
    + +

    Technical vulnerability management can be viewed as a sub-function of change management and as such can take advantage of the change management processes and procedures (see 12.1.2 and 14.2.2).

    +

    Vendors are often under significant pressure to release patches as soon as possible. Therefore, there is a possibility that a patch does not address the problem adequately and has negative side effects. Also, in some cases, uninstalling a patch cannot be easily achieved once the patch has been applied.

    +

    If adequate testing of the patches is not possible, e.g. because of costs or lack of resources, a delay in patching can be considered to evaluate the associated risks, based on the experience reported by other users. The use of ISO/IEC 27031[14] can be beneficial.

    +
    +
    + + Restrictions on software installation + 12.6.2 + +

    Rules governing the installation of software by users should be established and implemented.

    +
    + +

    The organization should define and enforce strict policy on which types of software users may install.

    +

    The principle of least privilege should be applied. If granted certain privileges, users may have the ability to install software. The organization should identify what types of software installations are permitted (e.g. updates and security patches to existing software) and what types of installations are prohibited (e.g. software that is only for personal use and software whose pedigree with regard to being potentially malicious is unknown or suspect). These privileges should be granted having regard to the roles of the users concerned.

    +
    + +

    Uncontrolled installation of software on computing devices can lead to introducing vulnerabilities and then to information leakage, loss of integrity or other information security incidents, or to violation of intellectual property rights.

    +
    +
    +
    + + Information systems audit considerations + 12.7 + +

    Objective: To minimise the impact of audit activities on operational systems.

    +
    + + Information systems audit controls + 12.7.1 + +

    Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes.

    +
    + +

    The following guidelines should be observed:

    +
      +
    1. audit requirements for access to systems and data should be agreed with appropriate management;
    2. +
    3. the scope of technical audit tests should be agreed and controlled;
    4. +
    5. audit tests should be limited to read-only access to software and data;
    6. +
    7. access other than read-only should only be allowed for isolated copies of system files, which should be erased when the audit is completed, or given appropriate protection if there is an obligation to keep such files under audit documentation requirements;
    8. +
    9. requirements for special or additional processing should be identified and agreed;
    10. +
    11. audit tests that could affect system availability should be run outside business hours;
    12. +
    13. all access should be monitored and logged to produce a reference trail.
    14. +
    +
    +
    +
    +
    + + Communications security + 13 + + Network security management + 13.1 + +

    Objective: To ensure the protection of information in networks and its supporting information processing facilities.

    +
    + + Network controls + 13.1.1 + +

    Networks should be managed and controlled to protect information in systems and applications.

    +
    + +

    Controls should be implemented to ensure the security of information in networks and the protection of connected services from unauthorized access. In particular, the following items should be considered:

    +
      +
    1. responsibilities and procedures for the management of networking equipment should be established;
    2. +
    3. operational responsibility for networks should be separated from computer operations where appropriate (see 6.1.2);
    4. +
    5. special controls should be established to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks and to protect the connected systems and applications (see Clause 10 and 13.2); special controls may also be required to maintain the availability of the network services and computers connected;
    6. +
    7. appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, information security;
    8. +
    9. management activities should be closely coordinated both to optimize the service to the organization and to ensure that controls are consistently applied across the information processing infrastructure;
    10. +
    11. systems on the network should be authenticated;
    12. +
    13. systems connection to the network should be restricted.
    14. +
    +
    + +

    Additional information on network security can be found in ISO/IEC 27033.[15][16][17][18][19]

    +
    +
    + + Security of network services + 13.1.2 + +

    Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.

    +
    + +

    The ability of the network service provider to manage agreed services in a secure way should be determined and regularly monitored, and the right to audit should be agreed.

    +

    The security arrangements necessary for particular services, such as security features, service levels and management requirements, should be identified. The organization should ensure that network service providers implement these measures.

    +
    + +

    Network services include the provision of connections, private network services and value added networks and managed network security solutions such as firewalls and intrusion detection systems. These services can range from simple unmanaged bandwidth to complex value-added offerings.

    +

    Security features of network services could be:

    +
      +
    1. technology applied for security of network services, such as authentication, encryption and network connection controls;
    2. +
    3. technical parameters required for secured connection with the network services in accordance with the security and network connection rules;
    4. +
    5. procedures for the network service usage to restrict access to network services or applications, where necessary.
    6. +
    +
    +
    + + Segregation in networks + 13.1.3 + +

    Groups of information services, users and information systems should be segregated on networks.

    +
    + +

    One method of managing the security of large networks is to divide them into separate network domains. The domains can be chosen based on trust levels (e.g. public access domain, desktop domain, server domain), along organizational units (e.g. human resources, finance, marketing) or some combination (e.g. server domain connecting to multiple organizational units). The segregation can be done using either physically different networks or by using different logical networks (e.g.virtual private networking).

    +

    The perimeter of each domain should be well defined. Access between network domains is allowed, but should be controlled at the perimeter using a gateway (e.g. firewall, filtering router). The criteria for segregation of networks into domains, and the access allowed through the gateways, should be based on an assessment of the security requirements of each domain. The assessment should be in accordance with the access control policy (see 9.1.1), access requirements, value and classification of information processed and also take account of the relative cost and performance impact of incorporating suitable gateway technology.

    +

    Wireless networks require special treatment due to the poorly defined network perimeter. For sensitive environments, consideration should be made to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway in accordance with network controls policy (see 13.1.1) before granting access to internal systems.

    +

    The authentication, encryption and user level network access control technologies of modern, standards based wireless networks may be sufficient for direct connection to the organization’s internal network when properly implemented.

    +
    + +

    Networks often extend beyond organizational boundaries, as business partnerships are formed that require the interconnection or sharing of information processing and networking facilities. Such extensions can increase the risk of unauthorized access to the organization’s information systems that use the network, some of which require protection from other network users because of their sensitivity or criticality.

    +
    +
    +
    + + Information transfer + 13.2 + +

    Objective: To maintain the security of information transferred within an organization and with any external entity.

    +
    + + Information transfer policies and procedures + 13.2.1 + +

    Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities.

    +
    + +

    The procedures and controls to be followed when using communication facilities for information transfer should consider the following items:

    +
      +
    1. procedures designed to protect transferred information from interception, copying, modification, mis-routing and destruction;
    2. +
    3. procedures for the detection of and protection against malware that may be transmitted through the use of electronic communications (see 12.2.1);
    4. +
    5. procedures for protecting communicated sensitive electronic information that is in the form of an attachment;
    6. +
    7. policy or guidelines outlining acceptable use of communication facilities (see 8.1.3);
    8. +
    9. personnel, external party and any other user’s responsibilities not to compromise the organization, e.g. through defamation, harassment, impersonation, forwarding of chain letters, unauthorized purchasing, etc.;
    10. +
    11. use of cryptographic techniques e.g. to protect the confidentiality, integrity and authenticity of information (see Clause 10);
    12. +
    13. retention and disposal guidelines for all business correspondence, including messages, in accordance with relevant national and local legislation and regulations;
    14. +
    15. controls and restrictions associated with using communication facilities, e.g. automatic forwarding of electronic mail to external mail addresses;
    16. +
    17. advising personnel to take appropriate precautions not to reveal confidential information;
    18. +
    19. not leaving messages containing confidential information on answering machines since these may be replayed by unauthorized persons, stored on communal systems or stored incorrectly as a result of misdialling;
    20. +
    21. advising personnel about the problems of using facsimile machines or services, namely:
        +
      1. unauthorized access to built-in message stores to retrieve messages;
      2. +
      3. deliberate or accidental programming of machines to send messages to specific numbers;
      4. +
      5. sending documents and messages to the wrong number either by misdialling or using the wrong stored number.
      6. +
      +
    22. +
    +

    In addition, personnel should be reminded that they should not have confidential conversations in public places or over insecure communication channels, open offices and meeting places.

    +

    Information transfer services should comply with any relevant legal requirements (see 18.1).

    +
    + +

    Information transfer may occur through the use of a number of different types of communication facilities, including electronic mail, voice, facsimile and video.

    +

    Software transfer may occur through a number of different mediums, including downloading from the Internet and acquisition from vendors selling off-the-shelf products.

    +

    The business, legal and security implications associated with electronic data interchange, electronic commerce and electronic communications and the requirements for controls should be considered.

    +
    +
    + + Agreements on information transfer + 13.2.2 + +

    Agreements should address the secure transfer of business information between the organization and external parties.

    +
    + +

    Information transfer agreements should incorporate the following:

    +
      +
    1. management responsibilities for controlling and notifying transmission, dispatch and receipt;
    2. +
    3. procedures to ensure traceability and non-repudiation;
    4. +
    5. minimum technical standards for packaging and transmission;
    6. +
    7. escrow agreements;
    8. +
    9. courier identification standards;
    10. +
    11. responsibilities and liabilities in the event of information security incidents, such as loss of data;
    12. +
    13. use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected (see 8.2);
    14. +
    15. technical standards for recording and reading information and software;
    16. +
    17. any special controls that are required to protect sensitive items, such as cryptography (see Clause 10);
    18. +
    19. maintaining a chain of custody for information while in transit;
    20. +
    21. acceptable levels of access control.
    22. +
    +

    Policies, procedures and standards should be established and maintained to protect information and physical media in transit (see 8.3.3), and should be referenced in such transfer agreements.

    +

    The information security content of any agreement should reflect the sensitivity of the business information involved.

    +
    + +

    Agreements may be electronic or manual, and may take the form of formal contracts. For confidential information, the specific mechanisms used for the transfer of such information should be consistent for all organizations and types of agreements.

    +
    +
    + + Electronic messaging + 13.2.3 + +

    Information involved in electronic messaging should be appropriately protected.

    +
    + +

    Information security considerations for electronic messaging should include the following:

    +
      +
    1. protecting messages from unauthorized access, modification or denial of service commensurate with the classification scheme adopted by the organization;
    2. +
    3. ensuring correct addressing and transportation of the message;
    4. +
    5. reliability and availability of the service;
    6. +
    7. legal considerations, for example requirements for electronic signatures;
    8. +
    9. obtaining approval prior to using external public services such as instant messaging, social networking or file sharing;
    10. +
    11. stronger levels of authentication controlling access from publicly accessible networks.
    12. +
    +
    + +

    There are many types of electronic messaging such as email, electronic data interchange and social networking which play a role in business communications.

    +
    +
    + + Confidentiality or non-disclosure agreements + 13.2.4 + +

    Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, regularly reviewed and documented.

    +
    + +

    Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to external parties or employees of the organization. Elements should be selected or added in consideration of the type of the other party and its permissible access or handling of confidential information. To identify requirements for confidentiality or non-disclosure agreements, the following elements should be considered:

    +
      +
    1. a definition of the information to be protected (e.g. confidential information);
    2. +
    3. expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
    4. +
    5. required actions when an agreement is terminated;
    6. +
    7. responsibilities and actions of signatories to avoid unauthorized information disclosure;
    8. +
    9. ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
    10. +
    11. the permitted use of confidential information and rights of the signatory to use information;
    12. +
    13. the right to audit and monitor activities that involve confidential information;
    14. +
    15. process for notification and reporting of unauthorized disclosure or confidential information leakage;
    16. +
    17. terms for information to be returned or destroyed at agreement cessation;
    18. +
    19. expected actions to be taken in case of a breach of the agreement.
    20. +
    +

    Based on an organization’s information security requirements, other elements may be needed in a confidentiality or non-disclosure agreement.

    +

    Confidentiality and non-disclosure agreements should comply with all applicable laws and regulations for the jurisdiction to which they apply (see 18.1).

    +

    Requirements for confidentiality and non-disclosure agreements should be reviewed periodically and when changes occur that influence these requirements.

    +
    + +

    Confidentiality and non-disclosure agreements protect organizational information and inform signatories of their responsibility to protect, use and disclose information in a responsible and authorized manner.

    +

    There may be a need for an organization to use different forms of confidentiality or non-disclosure agreements in different circumstances.

    +
    +
    +
    +
    + + System acquisition, development and maintenance + 14 + + Security requirements of information systems + 14.1 + +

    Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

    +
    + + Information security requirements analysis and specification + 14.1.1 + +

    The information security related requirements should be included in the requirements for new information systems or enhancements to existing information systems.

    +
    + +

    Information security requirements should be identified using various methods such as deriving compliance requirements from policies and regulations, threat modelling, incident reviews, or use of vulnerability thresholds. Results of the identification should be documented and reviewed by all stakeholders.

    +

    Information security requirements and controls should reflect the business value of the information involved (see 8.2) and the potential negative business impact which might result from lack of adequate security.

    +

    Identification and management of information security requirements and associated processes should be integrated in early stages of information systems projects. Early consideration of information security requirements, e.g. at the design stage can lead to more effective and cost efficient solutions.

    +

    Information security requirements should also consider:

    +
      +
    1. the level of confidence required towards the claimed identity of users, in order to derive user authentication requirements;
    2. +
    3. access provisioning and authorization processes, for business users as well as for privileged or technical users;
    4. +
    5. informing users and operators of their duties and responsibilities;
    6. +
    7. the required protection needs of the assets involved, in particular regarding availability, confidentiality, integrity;
    8. +
    9. requirements derived from business processes, such as transaction logging and monitoring, non-repudiation requirements;
    10. +
    11. requirements mandated by other security controls, e.g. interfaces to logging and monitoring or data leakage detection systems.
    12. +
    +

    For applications that provide services over public networks or which implement transactions, the dedicated controls 14.1.2 and 14.1.3 should be considered.

    +

    If products are acquired, a formal testing and acquisition process should be followed. Contracts with the supplier should address the identified security requirements. Where the security functionality in a proposed product does not satisfy the specified requirement, the risk introduced and associated controls should be reconsidered prior to purchasing the product.

    +

    Available guidance for security configuration of the product aligned with the final software / service stack of that system should be evaluated and implemented.

    +

    Criteria for accepting products should be defined e.g. in terms of their functionality, which will give assurance that the identified security requirements are met. Products should be evaluated against these criteria before acquisition. Additional functionality should be reviewed to ensure it does not introduce unacceptable additional risks.

    +
    + +

    ISO/IEC 27005[11] and ISO 31000[27] provide guidance on the use of risk management processes to identify controls to meet information security requirements.

    +
    +
    + + Securing application services on public networks + 14.1.2 + +

    Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

    +
    + +

    Information security considerations for application services passing over public networks should include the following:

    +
      +
    1. the level of confidence each party requires in each other’s claimed identity, e.g. through authentication;
    2. +
    3. authorization processes associated with who may approve contents of, issue or sign key transactional documents;
    4. +
    5. ensuring that communicating partners are fully informed of their authorizations for provision or use of the service;
    6. +
    7. determining and meeting requirements for confidentiality, integrity, proof of dispatch and receipt of key documents and the non-repudiation of contracts, e.g. associated with tendering and contract processes;
    8. +
    9. the level of trust required in the integrity of key documents;
    10. +
    11. the protection requirements of any confidential information;
    12. +
    13. the confidentiality and integrity of any order transactions, payment information, delivery address details and confirmation of receipts;
    14. +
    15. the degree of verification appropriate to verify payment information supplied by a customer;
    16. +
    17. selecting the most appropriate settlement form of payment to guard against fraud;
    18. +
    19. the level of protection required to maintain the confidentiality and integrity of order information;
    20. +
    21. avoidance of loss or duplication of transaction information;
    22. +
    23. liability associated with any fraudulent transactions;
    24. +
    25. insurance requirements.
    26. +
    +

    Many of the above considerations can be addressed by the application of cryptographic controls (see Clause 10), taking into account compliance with legal requirements (see Clause 18, especially see 18.1.5 for cryptography legislation).

    +

    Application service arrangements between partners should be supported by a documented agreement which commits both parties to the agreed terms of services, including details of authorization (see b) above).

    +

    Resilience requirements against attacks should be considered, which can include requirements for protecting the involved application servers or ensuring the availability of network interconnections required to deliver the service.

    +
    + +

    Applications accessible via public networks are subject to a range of network related threats, such as fraudulent activities, contract disputes or disclosure of information to the public. Therefore, detailed risk assessments and proper selection of controls are indispensable. Controls required often include cryptographic methods for authentication and securing data transfer.

    +

    Application services can make use of secure authentication methods, e.g. using public key cryptography and digital signatures (see Clause 10) to reduce the risks. Also, trusted third parties can be used, where such services are needed.

    +
    +
    + + Protecting application services transactions + 14.1.3 + +

    Information involved in application service transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

    +
    + +

    Information security considerations for application service transactions should include the following:

    +
      +
    1. the use of electronic signatures by each of the parties involved in the transaction;
    2. +
    3. all aspects of the transaction, i.e. ensuring that:
        +
      1. user’s secret authentication information of all parties are valid and verified;
      2. +
      3. the transaction remains confidential;
      4. +
      5. privacy associated with all parties involved is retained;
      6. +
      +
    4. +
    5. communications path between all involved parties is encrypted;
    6. +
    7. protocols used to communicate between all involved parties are secured;
    8. +
    9. ensuring that the storage of the transaction details is located outside of any publicly accessible environment, e.g. on a storage platform existing on the organizational intranet, and not retained and exposed on a storage medium directly accessible from the Internet;
    10. +
    11. where a trusted authority is used (e.g. for the purposes of issuing and maintaining digital signatures or digital certificates) security is integrated and embedded throughout the entire end-to-end certificate/signature management process.
    12. +
    +
    + +

    The extent of the controls adopted needs to be commensurate with the level of the risk associated with each form of application service transaction.

    +

    Transactions may need to comply with legal and regulatory requirements in the jurisdiction which the transaction is generated from, processed via, completed at or stored in.

    +
    +
    +
    + + Security in development and support processes + 14.2 + +

    Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

    +
    + + Secure development policy + 14.2.1 + +

    Rules for the development of software and systems should be established and applied to developments within the organization.

    +
    + +

    Secure development is a requirement to build up a secure service, architecture, software and system. Within a secure development policy, the following aspects should be put under consideration:

    +
      +
    1. security of the development environment;
    2. +
    3. guidance on the security in the software development lifecycle:
        +
      1. security in the software development methodology;
      2. +
      3. secure coding guidelines for each programming language used;
      4. +
      +
    4. +
    5. security requirements in the design phase;
    6. +
    7. security checkpoints within the project milestones;
    8. +
    9. secure repositories;
    10. +
    11. security in the version control;
    12. +
    13. required application security knowledge;
    14. +
    15. developers’ capability of avoiding, finding and fixing vulnerabilities.
    16. +
    +

    Secure programming techniques should be used both for new developments and in code re-use scenarios where the standards applied to development may not be known or were not consistent with current best practices. Secure coding standards should be considered and where relevant mandated for use. Developers should be trained in their use and testing and code review should verify their use.

    +

    If development is outsourced, the organization should obtain assurance that the external party complies with these rules for secure development (see 14.2.7).

    +
    + +

    Development may also take place inside applications, such as office applications, scripting, browsers and databases.

    +
    +
    + + System change control procedures + 14.2.2 + +

    Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures.

    +
    + +

    Formal change control procedures should be documented and enforced to ensure the integrity of system, applications and products, from the early design stages through all subsequent maintenance efforts. Introduction of new systems and major changes to existing systems should follow a formal process of documentation, specification, testing, quality control and managed implementation.

    +

    This process should include a risk assessment, analysis of the impacts of changes and specification of security controls needed. This process should also ensure that existing security and control procedures are not compromised, that support programmers are given access only to those parts of the system necessary for their work and that formal agreement and approval for any change is obtained.

    +

    Wherever practicable, application and operational change control procedures should be integrated (see 12.1.2). The change control procedures should include but not be limited to:

    +
      +
    1. maintaining a record of agreed authorization levels;
    2. +
    3. ensuring changes are submitted by authorized users;
    4. +
    5. reviewing controls and integrity procedures to ensure that they will not be compromised by the changes;
    6. +
    7. identifying all software, information, database entities and hardware that require amendment;
    8. +
    9. identifying and checking security critical code to minimize the likelihood of known security weaknesses;
    10. +
    11. obtaining formal approval for detailed proposals before work commences;
    12. +
    13. ensuring authorized users accept changes prior to implementation;
    14. +
    15. ensuring that the system documentation set is updated on the completion of each change and that old documentation is archived or disposed of;
    16. +
    17. maintaining a version control for all software updates;
    18. +
    19. maintaining an audit trail of all change requests;
    20. +
    21. ensuring that operating documentation (see 12.1.1) and user procedures are changed as necessary to remain appropriate;
    22. +
    23. ensuring that the implementation of changes takes place at the right time and does not disturb the business processes involved.
    24. +
    +
    + +

    Changing software can impact the operational environment and vice versa.

    +

    Good practice includes the testing of new software in an environment segregated from both the production and development environments (see 12.1.4). This provides a means of having control over new software and allowing additional protection of operational information that is used for testing purposes. This should include patches, service packs and other updates.

    +

    Where automatic updates are considered, the risk to the integrity and availability of the system should be weighed against the benefit of speedy deployment of updates. Automated updates should not be used on critical systems as some updates can cause critical applications to fail.

    +
    +
    + + Technical review of applications after operating platform changes + 14.2.3 + +

    When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

    +
    + +

    This process should cover:

    +
      +
    1. review of application control and integrity procedures to ensure that they have not been compromised by the operating platform changes;
    2. +
    3. ensuring that notification of operating platform changes is provided in time to allow appropriate tests and reviews to take place before implementation;
    4. +
    5. ensuring that appropriate changes are made to the business continuity plans (see Clause 17).
    6. +
    +
    + +

    Operating platforms include operating systems, databases and middleware platforms. The control should also be applied for changes of applications.

    +
    +
    + + Restrictions on changes to software packages + 14.2.4 + +

    Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled.

    +
    + +

    As far as possible and practicable, vendor-supplied software packages should be used without modification. Where a software package needs to be modified the following points should be considered:

    +
      +
    1. the risk of built-in controls and integrity processes being compromised;
    2. +
    3. whether the consent of the vendor should be obtained;
    4. +
    5. the possibility of obtaining the required changes from the vendor as standard program updates;
    6. +
    7. the impact if the organization becomes responsible for the future maintenance of the software as a result of changes;
    8. +
    9. compatibility with other software in use.
    10. +
    +

    If changes are necessary the original software should be retained and the changes applied to a designated copy. A software update management process should be implemented to ensure the most up-to-date approved patches and application updates are installed for all authorized software (see 12.6.1). All changes should be fully tested and documented, so that they can be reapplied, if necessary, to future software upgrades. If required, the modifications should be tested and validated by an independent evaluation body.

    +
    +
    + + Secure system engineering principles + 14.2.5 + +

    Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts.

    +
    + +

    Secure information system engineering procedures based on security engineering principles should be established, documented and applied to in-house information system engineering activities. Security should be designed into all architecture layers (business, data, applications and technology) balancing the need for information security with the need for accessibility. New technology should be analysed for security risks and the design should be reviewed against known attack patterns.

    +

    These principles and the established engineering procedures should be regularly reviewed to ensure that they are effectively contributing to enhanced standards of security within the engineering process. They should also be regularly reviewed to ensure that they remain up-to-date in terms of combating any new potential threats and in remaining applicable to advances in the technologies and solutions being applied.

    +

    The established security engineering principles should be applied, where applicable, to outsourced information systems through the contracts and other binding agreements between the organization and the supplier to whom the organization outsources. The organization should confirm that the rigour of suppliers’ security engineering principles is comparable with its own.

    +
    + +

    Application development procedures should apply secure engineering techniques in the development of applications that have input and output interfaces. Secure engineering techniques provide guidance on user authentication techniques, secure session control and data validation, sanitisation and elimination of debugging codes.

    +
    +
    + + Secure development environment + 14.2.6 + +

    Organizations should establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

    +
    + +

    A secure development environment includes people, processes and technology associated with system development and integration.

    +

    Organizations should assess risks associated with individual system development efforts and establish secure development environments for specific system development efforts, considering:

    +
      +
    1. sensitivity of data to be processed, stored and transmitted by the system;
    2. +
    3. applicable external and internal requirements, e.g. from regulations or policies;
    4. +
    5. security controls already implemented by the organization that support system development;
    6. +
    7. trustworthiness of personnel working in the environment (see 7.1.1);
    8. +
    9. the degree of outsourcing associated with system development;
    10. +
    11. the need for segregation between different development environments;
    12. +
    13. control of access to the development environment;
    14. +
    15. monitoring of change to the environment and code stored therein;
    16. +
    17. backups are stored at secure offsite locations;
    18. +
    19. control over movement of data from and to the environment.
    20. +
    +

    Once the level of protection is determined for a specific development environment, organizations should document corresponding processes in secure development procedures and provide these to all individuals who need them.

    +
    +
    + + Outsourced development + 14.2.7 + +

    The organization should supervise and monitor the activity of outsourced system development.

    +

    Implementation guidance:

    +

    Where system development is outsourced, the following points should be considered across the organization’s entire external supply chain:

    +
      +
    1. licensing arrangements, code ownership and intellectual property rights related to the outsourced content (see 18.1.2);
    2. +
    3. contractual requirements for secure design, coding and testing practices (see 14.2.1);
    4. +
    5. provision of the approved threat model to the external developer;
    6. +
    7. acceptance testing for the quality and accuracy of the deliverables;
    8. +
    9. provision of evidence that security thresholds were used to establish minimum acceptable levels of security and privacy quality;
    10. +
    11. provision of evidence that sufficient testing has been applied to guard against the absence of both intentional and unintentional malicious content upon delivery;
    12. +
    13. provision of evidence that sufficient testing has been applied to guard against the presence of known vulnerabilities;
    14. +
    15. escrow arrangements, e.g. if source code is no longer available;
    16. +
    17. contractual right to audit development processes and controls;
    18. +
    19. effective documentation of the build environment used to create deliverables;
    20. +
    21. the organization remains responsible for compliance with applicable laws and control efficiency verification.
    22. +
    +
    + +

    Further information on supplier relationships can be found in ISO/IEC 27036.[21][22][23]

    +
    +
    + + System security testing + 14.2.8 + +

    Testing of security functionality should be carried out during development.

    +
    + +

    New and updated systems require thorough testing and verification during the development processes, including the preparation of a detailed schedule of activities and test inputs and expected outputs under a range of conditions. For in-house developments, such tests should initially be performed by the development team. Independent acceptance testing should then be undertaken (both for in-house and for outsourced developments) to ensure that the system works as expected and only as expected (see 14.1.1 and 14.1.9). The extent of testing should be in proportion to the importance and nature of the system.

    +
    +
    + + System acceptance testing + 14.2.9 + +

    Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions.

    +
    + +

    System acceptance testing should include testing of information security requirements (see 14.1.1 and 14.1.2) and adherence to secure system development practices (see 14.2.1). The testing should also be conducted on received components and integrated systems. Organizations can leverage automated tools, such as code analysis tools or vulnerability scanners, and should verify the remediation of security-related defects.

    +

    Testing should be performed in a realistic test environment to ensure that the system will not introduce vulnerabilities to the organization’s environment and that the tests are reliable.

    +
    +
    +
    + + Test data + 14.3 + +

    Objective: To ensure the protection of data used for testing.

    +
    + + Protection of test data + 14.3.1 + +

    Test data should be selected carefully, protected and controlled.

    +
    + +

    The use of operational data containing personally identifiable information or any other confidential information for testing purposes should be avoided. If personally identifiable information or otherwise confidential information is used for testing purposes, all sensitive details and content should be protected by removal or modification (see ISO/IEC 29101[26]).

    +

    The following guidelines should be applied to protect operational data, when used for testing purposes:

    +
      +
    1. the access control procedures, which apply to operational application systems, should also apply to test application systems;
    2. +
    3. there should be separate authorization each time operational information is copied to a test environment;
    4. +
    5. operational information should be erased from a test environment immediately after the testing is complete;
    6. +
    7. the copying and use of operational information should be logged to provide an audit trail.
    8. +
    +
    + +

    System and acceptance testing usually requires substantial volumes of test data that are as close as possible to operational data.

    +
    +
    +
    +
    + + Supplier relationships + 15 + + Information security in supplier relationships + 15.1 + +

    Objective: To ensure protection of the organization’s assets that is accessible by suppliers.

    +
    + + Information security policy for supplier relationships + 15.1.1 + +

    Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented.

    +
    + +

    The organization should identify and mandate information security controls to specifically address supplier access to the organization’s information in a policy. These controls should address processes and procedures to be implemented by the organization, as well as those processes and procedures that the organization should require the supplier to implement, including:

    +
      +
    1. identifying and documenting the types of suppliers, e.g. IT services, logistics utilities, financial services, IT infrastructure components, whom the organization will allow to access its information;
    2. +
    3. a standardised process and lifecycle for managing supplier relationships;
    4. +
    5. defining the types of information access that different types of suppliers will be allowed, and monitoring and controlling the access;
    6. +
    7. minimum information security requirements for each type of information and type of access to serve as the basis for individual supplier agreements based on the organization’s business needs and requirements and its risk profile;
    8. +
    9. processes and procedures for monitoring adherence to established information security requirements for each type of supplier and type of access, including third party review and product validation;
    10. +
    11. accuracy and completeness controls to ensure the integrity of the information or information processing provided by either party;
    12. +
    13. types of obligations applicable to suppliers to protect the organization’s information;
    14. +
    15. handling incidents and contingencies associated with supplier access including responsibilities of both the organization and suppliers;
    16. +
    17. resilience and, if necessary, recovery and contingency arrangements to ensure the availability of the information or information processing provided by either party;
    18. +
    19. awareness training for the organization’s personnel involved in acquisitions regarding applicable policies, processes and procedures;
    20. +
    21. awareness training for the organization’s personnel interacting with supplier personnel regarding appropriate rules of engagement and behaviour based on the type of supplier and the level of supplier access to the organization’s systems and information;
    22. +
    23. conditions under which information security requirements and controls will be documented in an agreement signed by both parties;
    24. +
    25. managing the necessary transitions of information, information processing facilities and anything else that needs to be moved, and ensuring that information security is maintained throughout the transition period.
    26. +
    +
    + +

    Information can be put at risk by suppliers with inadequate information security management. Controls should be identified and applied to administer supplier access to information processing facilities. For example, if there is a special need for confidentiality of the information, non-disclosure agreements can be used. Another example is data protection risks when the supplier agreement involves transfer of, or access to, information across borders. The organization needs to be aware that the legal or contractual responsibility for protecting information remains with the organization.

    +
    +
    + + Addressing security within supplier agreements + 15.1.2 + +

    All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information.

    +
    + +

    Supplier agreements should be established and documented to ensure that there is no misunderstanding between the organization and the supplier regarding both parties’ obligations to fulfil relevant information security requirements.

    +

    The following terms should be considered for inclusion in the agreements in order to satisfy the identified information security requirements:

    +
      +
    1. description of the information to be provided or accessed and methods of providing or accessing the information;
    2. +
    3. classification of information according to the organization’s classification scheme (see 8.2); if necessary also mapping between the organization’s own classification scheme and the classification scheme of the supplier;
    4. +
    5. legal and regulatory requirements, including data protection, intellectual property rights and copyright, and a description of how it will be ensured that they are met;
    6. +
    7. obligation of each contractual party to implement an agreed set of controls including access control, performance review, monitoring, reporting and auditing;
    8. +
    9. rules of acceptable use of information, including unacceptable use if necessary;
    10. +
    11. either explicit list of supplier personnel authorized to access or receive the organization’s information or procedures or conditions for authorization, and removal of the authorization, for access to or receipt of the organization’s information by supplier personnel;
    12. +
    13. information security policies relevant to the specific contract;
    14. +
    15. incident management requirements and procedures (especially notification and collaboration during incident remediation);
    16. +
    17. training and awareness requirements for specific procedures and information security requirements, e.g. for incident response, authorization procedures;
    18. +
    19. relevant regulations for sub-contracting, including the controls that need to be implemented;
    20. +
    21. relevant agreement partners, including a contact person for information security issues;
    22. +
    23. screening requirements, if any, for supplier’s personnel including responsibilities for conducting the screening and notification procedures if screening has not been completed or if the results give cause for doubt or concern;
    24. +
    25. right to audit the supplier processes and controls related to the agreement;
    26. +
    27. defect resolution and conflict resolution processes;
    28. +
    29. supplier’s obligation to periodically deliver an independent report on the effectiveness of controls and agreement on timely correction of relevant issues raised in the report;
    30. +
    31. supplier’s obligations to comply with the organization’s security requirements.
    32. +
    +
    + +

    The agreements can vary considerably for different organizations and among the different types of suppliers. Therefore, care should be taken to include all relevant information security risks and requirements. Supplier agreements may also involve other parties (e.g. sub-suppliers).

    +

    The procedures for continuing processing in the event that the supplier becomes unable to supply its products or services need to be considered in the agreement to avoid any delay in arranging replacement products or services.

    +
    +
    + + Information and communication technology supply chain + 15.1.3 + +

    Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain.

    +
    + +

    The following topics should be considered for inclusion in supplier agreements concerning supply chain security:

    +
      +
    1. defining information security requirements to apply to information and communication technology product or service acquisition in addition to the general information security requirements for supplier relationships;
    2. +
    3. for information and communication technology services, requiring that suppliers propagate the organization’s security requirements throughout the supply chain if suppliers subcontract for parts of information and communication technology service provided to the organization;
    4. +
    5. for information and communication technology products, requiring that suppliers propagate appropriate security practices throughout the supply chain if these products include components purchased from other suppliers;
    6. +
    7. implementing a monitoring process and acceptable methods for validating that delivered information and communication technology products and services are adhering to stated security requirements;
    8. +
    9. implementing a process for identifying product or service components that are critical for maintaining functionality and therefore require increased attention and scrutiny when built outside of the organization especially if the top tier supplier outsources aspects of product or service components to other suppliers;
    10. +
    11. obtaining assurance that critical components and their origin can be traced throughout the supply chain;
    12. +
    13. obtaining assurance that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features;
    14. +
    15. defining rules for sharing of information regarding the supply chain and any potential issues and compromises among the organization and suppliers;
    16. +
    17. implementing specific processes for managing information and communication technology component lifecycle and availability and associated security risks. This includes managing the risks of components no longer being available due to suppliers no longer being in business or suppliers no longer providing these components due to technology advancements.
    18. +
    +
    + +

    The specific information and communication technology supply chain risk management practices are built on top of general information security, quality, project management and system engineering practices but do not replace them.

    +

    Organizations are advised to work with suppliers to understand the information and communication technology supply chain and any matters that have an important impact on the products and services being provided. Organizations can influence information and communication technology supply chain information security practices by making clear in agreements with their suppliers the matters that should be addressed by other suppliers in the information and communication technology supply chain.

    +

    Information and communication technology supply chain as addressed here includes cloud computing services.

    +
    +
    +
    + + Supplier service delivery management + 15.2 + +

    Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

    +
    + + Monitoring and review of supplier services + 15.2.1 + +

    Organizations should regularly monitor, review and audit supplier service delivery.

    +
    + +

    Monitoring and review of supplier services should ensure that the information security terms and conditions of the agreements are being adhered to and that information security incidents and problems are managed properly.

    +

    This should involve a service management relationship process between the organization and the supplier to:

    +
      +
    1. monitor service performance levels to verify adherence to the agreements;
    2. +
    3. review service reports produced by the supplier and arrange regular progress meetings as required by the agreements;
    4. +
    5. conduct audits of suppliers, in conjunction with review of independent auditor’s reports, if available, and follow-up on issues identified;
    6. +
    7. provide information about information security incidents and review this information as required by the agreements and any supporting guidelines and procedures;
    8. +
    9. review supplier audit trails and records of information security events, operational problems, failures, tracing of faults and disruptions related to the service delivered;
    10. +
    11. resolve and manage any identified problems;
    12. +
    13. review information security aspects of the supplier’s relationships with its own suppliers;
    14. +
    15. ensure that the supplier maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster (see Clause 17).
    16. +
    +

    The responsibility for managing supplier relationships should be assigned to a designated individual or service management team. In addition, the organization should ensure that suppliers assign responsibilities for reviewing compliance and enforcing the requirements of the agreements. Sufficient technical skills and resources should be made available to monitor that the requirements of the agreement, in particular the information security requirements, are being met. Appropriate action should be taken when deficiencies in the service delivery are observed.

    +

    The organization should retain sufficient overall control and visibility into all security aspects for sensitive or critical information or information processing facilities accessed, processed or managed by a supplier. The organization should retain visibility into security activities such as change management, identification of vulnerabilities and information security incident reporting and response through a defined reporting process.

    +
    +
    + + Managing changes to supplier services + 15.2.2 + +

    Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

    +
    + +

    The following aspects should be taken into consideration:

    +
      +
    1. changes to supplier agreements;
    2. +
    3. changes made by the organization to implement:
        +
      1. enhancements to the current services offered;
      2. +
      3. development of any new applications and systems;
      4. +
      5. modifications or updates of the organization’s policies and procedures;
      6. +
      7. new or changed controls to resolve information security incidents and to improve security;.
      8. +
      +
    4. +
    5. changes in supplier services to implement:
        +
      1. changes and enhancement to networks;
      2. +
      3. use of new technologies;
      4. +
      5. adoption of new products or newer versions/releases;
      6. +
      7. new development tools and environments;
      8. +
      9. changes to physical location of service facilities;
      10. +
      11. change of suppliers;
      12. +
      13. sub-contracting to another supplier.
      14. +
      +
    6. +
    +
    +
    +
    +
    + + Information security incident management + 16 + + Management of information security incidents and improvements + 16.1 + +

    Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

    +
    + + Responsibilities and procedures + 16.1.1 + +

    Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents.

    +
    + +

    The following guidelines for management responsibilities and procedures with regard to information security incident management should be considered:

    +
      +
    1. management responsibilities should be established to ensure that the following procedures are developed and communicated adequately within the organization:
        +
      1. procedures for incident response planning and preparation;
      2. +
      3. procedures for monitoring, detecting, analysing and reporting of information security events and incidents;
      4. +
      5. procedures for logging incident management activities;
      6. +
      7. procedures for handling of forensic evidence;
      8. +
      9. procedures for assessment of and decision on information security events and assessment of information security weaknesses;
      10. +
      11. procedures for response including those for escalation, controlled recovery from an incident and communication to internal and external people or organizations;
      12. +
      +
    2. +
    3. procedures established should ensure that:
        +
      1. competent personnel handle the issues related to information security incidents within the organization;
      2. +
      3. a point of contact for security incidents’ detection and reporting is implemented;
      4. +
      5. appropriate contacts with authorities, external interest groups or forums that handle the issues related to information security incidents are maintained;
      6. +
      +
    4. +
    5. reporting procedures should include:
        +
      1. preparing information security event reporting forms to support the reporting action and to help the person reporting to remember all necessary actions in case of an information security event;
      2. +
      3. the procedure to be undertaken in case of an information security event, e.g. noting all details immediately, such as type of non-compliance or breach, occurring malfunction, messages on the screen and immediately reporting to the point of contact and taking only coordinated actions;
      4. +
      5. reference to an established formal disciplinary process for dealing with employees who commit security breaches;
      6. +
      7. suitable feedback processes to ensure that those persons reporting information security events are notified of results after the issue has been dealt with and closed.
      8. +
      +
    6. +
    +

    The objectives for information security incident management should be agreed with management, and it should be ensured that those responsible for information security incident management understand the organization’s priorities for handling information security incidents.

    +
    + +

    Information security incidents might transcend organizational and national boundaries. To respond to such incidents there is an increasing need to coordinate response and share information about these incidents with external organizations as appropriate.

    +

    Detailed guidance on information security incident management is provided in ISO/IEC 27035.[20]

    +
    +
    + + Reporting information security events + 16.1.2 + +

    Information security events should be reported through appropriate management channels as quickly as possible.

    +
    + +

    All employees and contractors should be made aware of their responsibility to report information security events as quickly as possible. They should also be aware of the procedure for reporting information security events and the point of contact to which the events should be reported.

    +

    Situations to be considered for information security event reporting include:

    +
      +
    1. ineffective security control;
    2. +
    3. breach of information integrity, confidentiality or availability expectations;
    4. +
    5. human errors;
    6. +
    7. non-compliances with policies or guidelines;
    8. +
    9. breaches of physical security arrangements;
    10. +
    11. uncontrolled system changes;
    12. +
    13. malfunctions of software or hardware;
    14. +
    15. access violations.
    16. +
    +
    + +

    Malfunctions or other anomalous system behaviour may be an indicator of a security attack or actual security breach and should therefore always be reported as an information security event.

    +
    +
    + + Reporting information security weaknesses + 16.1.3 + +

    Employees and contractors using the organization’s information systems and services should be required to note and report any observed or suspected information security weaknesses in systems or services.

    +
    + +

    All employees and contractors should report these matters to the point of contact as quickly as possible in order to prevent information security incidents. The reporting mechanism should be as easy, accessible and available as possible.

    +
    + +

    Employees and contractors should be advised not to attempt to prove suspected security weaknesses. Testing weaknesses might be interpreted as a potential misuse of the system and could also cause damage to the information system or service and result in legal liability for the individual performing the testing.

    +
    +
    + + Assessment of and decision on information security events + 16.1.4 + +

    Information security events should be assessed and it should be decided if they are to be classified as information security incidents.

    +
    + +

    The point of contact should assess each information security event using the agreed information security event and incident classification scale and decide whether the event should be classified as an information security incident. Classification and prioritization of incidents can help to identify the impact and extent of an incident.

    +

    In cases where the organization has an information security incident response team (ISIRT), the assessment and decision can be forwarded to the ISIRT for confirmation or reassessment.

    +

    Results of the assessment and decision should be recorded in detail for the purpose of future reference and verification.

    +
    +
    + + Response to information security incidents + 16.1.5 + +

    Information security incidents should be responded to in accordance with the documented procedures.

    +
    + +

    Information security incidents should be responded to by a nominated point of contact and other relevant persons of the organization or external parties (see 16.1.1).

    +

    The response should include the following:

    +
      +
    1. collecting evidence as soon as possible after the occurrence;
    2. +
    3. conducting information security forensics analysis, as required (see 16.1.7);
    4. +
    5. escalation, as required;
    6. +
    7. ensuring that all involved response activities are properly logged for later analysis;
    8. +
    9. communicating the existence of the information security incident or any relevant details thereof to other internal and external people or organizations with a need-to-know;
    10. +
    11. dealing with information security weakness(es) found to cause or contribute to the incident;
    12. +
    13. once the incident has been successfully dealt with, formally closing and recording it.
    14. +
    +

    Post-incident analysis should take place, as necessary, to identify the source of the incident.

    +
    + +

    The first goal of incident response is to resume ‘normal security level’ and then initiate the necessary recovery.

    +
    +
    + + Learning from information security incidents + 16.1.6 + +

    Knowledge gained from analysing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents.

    +
    + +

    There should be mechanisms in place to enable the types, volumes and costs of information security incidents to be quantified and monitored. The information gained from the evaluation of information security incidents should be used to identify recurring or high impact incidents.

    +
    + +

    The evaluation of information security incidents may indicate the need for enhanced or additional controls to limit the frequency, damage and cost of future occurrences, or to be taken into account in the security policy review process (see 5.1.2).

    +

    With due care of confidentiality aspects, anecdotes from actual information security incidents can be used in user awareness training (see 7.2.2) as examples of what could happen, how to respond to such incidents and how to avoid them in the future.

    +
    +
    + + Collection of evidence + 16.1.7 + +

    The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

    +
    + +

    Internal procedures should be developed and followed when dealing with evidence for the purposes of disciplinary and legal action.

    +

    In general, these procedures for evidence should provide processes of identification, collection, acquisition and preservation of evidence in accordance with different types of media, devices and status of devices, e.g. powered on or off. The procedures should take account of:

    +
      +
    1. chain of custody;
    2. +
    3. safety of evidence;
    4. +
    5. safety of personnel;
    6. +
    7. roles and responsibilities of personnel involved;
    8. +
    9. competency of personnel;
    10. +
    11. documentation;
    12. +
    13. briefing.
    14. +
    +

    Where available, certification or other relevant means of qualification of personnel and tools should be sought, so as to strengthen the value of the preserved evidence.

    +

    Forensic evidence may transcend organizational or jurisdictional boundaries. In such cases, it should be ensured that the organization is entitled to collect the required information as forensic evidence. The requirements of different jurisdictions should also be considered to maximize chances of admission across the relevant jurisdictions.

    +
    + +

    Identification is the process involving the search for, recognition and documentation of potential evidence. Collection is the process of gathering the physical items that can contain potential evidence. Acquisition is the process of creating a copy of data within a defined set. Preservation is the process to maintain and safeguard the integrity and original condition of the potential evidence.

    +

    When an information security event is first detected, it may not be obvious whether or not the event will result in court action. Therefore, the danger exists that necessary evidence is destroyed intentionally or accidentally before the seriousness of the incident is realized. It is advisable to involve a lawyer or the police early in any contemplated legal action and take advice on the evidence required.

    +

    ISO/IEC 27037[24] provides guidelines for identification, collection, acquisition and preservation of digital evidence.

    +
    +
    +
    +
    + + Information security aspects of business continuity management + 17 + + Information security continuity + 17.1 + +

    Objective: Information security continuity should be embedded in the organization’s business continuity management systems.

    +
    + + Planning information security continuity + 17.1.1 + +

    The organization should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

    +
    + +

    An organization should determine whether the continuity of information security is captured within the business continuity management process or within the disaster recovery management process. Information security requirements should be determined when planning for business continuity and disaster recovery.

    +

    In the absence of formal business continuity and disaster recovery planning, information security management should assume that information security requirements remain the same in adverse situations, compared to normal operational conditions. Alternatively, an organization could perform a business impact analysis for information security aspects to determine the information security requirements applicable to adverse situations.

    +
    + +

    In order to reduce the time and effort of an ‘additional’ business impact analysis for information security, it is recommended to capture information security aspects within the normal business continuity management or disaster recovery management business impact analysis. This implies that the information security continuity requirements are explicitly formulated in the business continuity management or disaster recovery management processes.

    +

    Information on business continuity management can be found in ISO/IEC 27031,[14] ISO 22313[9] and ISO 22301.[8]

    +
    +
    + + Implementing information security continuity + 17.1.2 + +

    The organization should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

    +
    + +

    An organization should ensure that:

    +
      +
    1. an adequate management structure is in place to prepare for, mitigate and respond to a disruptive event using personnel with the necessary authority, experience and competence;
    2. +
    3. incident response personnel with the necessary responsibility, authority and competence to manage an incident and maintain information security are nominated;
    4. +
    5. documented plans, response and recovery procedures are developed and approved, detailing how the organization will manage a disruptive event and will maintain its information security to a predetermined level, based on management-approved information security continuity objectives (see 17.1.1).
    6. +
    +

    According to the information security continuity requirements, the organization should establish, document, implement and maintain:

    +
      +
    1. information security controls within business continuity or disaster recovery processes, procedures and supporting systems and tools;
    2. +
    3. processes, procedures and implementation changes to maintain existing information security controls during an adverse situation;
    4. +
    5. compensating controls for information security controls that cannot be maintained during an adverse situation.
    6. +
    +
    + +

    Within the context of business continuity or disaster recovery, specific processes and procedures may have been defined. Information that is handled within these processes and procedures or within dedicated information systems to support them should be protected. Therefore an organization should involve information security specialists when establishing, implementing and maintaining business continuity or disaster recovery processes and procedures.

    +

    Information security controls that have been implemented should continue to operate during an adverse situation. If security controls are not able to continue to secure information, other controls should be established, implemented and maintained to maintain an acceptable level of information security.

    +
    +
    + + Verify, review and evaluate information security continuity + 17.1.3 + +

    The organization should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

    +

    “Implementation guidance”

    +

    Organizational, technical, procedural and process changes, whether in an operational or continuity context, can lead to changes in information security continuity requirements. In such cases, the continuity of processes, procedures and controls for information security should be reviewed against these changed requirements.

    +

    Organizations should verify their information security management continuity by:

    +
      +
    1. exercising and testing the functionality of information security continuity processes, procedures and controls to ensure that they are consistent with the information security continuity objectives;
    2. +
    3. exercising and testing the knowledge and routine to operate information security continuity processes, procedures and controls to ensure that their performance is consistent with the information security continuity objectives;
    4. +
    5. reviewing the validity and effectiveness of information security continuity measures when information systems, information security processes, procedures and controls or business continuity management/disaster recovery management processes and solutions change.
    6. +
    +
    + +

    The verification of information security continuity controls is different from general information security testing and verification and should be performed outside the testing of changes. If possible, it is preferable to integrate verification of information security continuity controls with the organization’s business continuity or disaster recovery tests.

    +
    +
    +
    + + Redundancies + 17.2 + +

    Objective: To ensure availability of information processing facilities.

    +
    + + Availability of information processing facilities + 17.2.1 + +

    Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.

    +
    + +

    Organizations should identify business requirements for the availability of information systems. Where the availability cannot be guaranteed using the existing systems architecture, redundant components or architectures should be considered.

    +

    Where applicable, redundant information systems should be tested to ensure the failover from one component to another component works as intended.

    +
    + +

    The implementation of redundancies can introduce risks to the integrity or confidentiality of information and information systems, which need to be considered when designing information systems.

    +
    +
    +
    +
    + + Compliance + 18 + + Compliance with legal and contractual requirements + 18.1 + +

    Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

    +
    + + Identification of applicable legislation and contractual requirements + 18.1.1 + +

    All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization.

    +
    + +

    The specific controls and individual responsibilities to meet these requirements should also be defined and documented.

    +

    Managers should identify all legislation applicable to their organization in order to meet the requirements for their type of business. If the organization conducts business in other countries, managers should consider compliance in all relevant countries.

    +
    +
    + + Intellectual property rights + 18.1.2 + +

    Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.

    +
    + +

    The following guidelines should be considered to protect any material that may be considered intellectual property:

    +
      +
    1. publishing an intellectual property rights compliance policy which defines the legal use of software and information products;
    2. +
    3. acquiring software only through known and reputable sources, to ensure that copyright is not violated;
    4. +
    5. maintaining awareness of policies to protect intellectual property rights and giving notice of the intent to take disciplinary action against personnel breaching them;
    6. +
    7. maintaining appropriate asset registers and identifying all assets with requirements to protect intellectual property rights;
    8. +
    9. maintaining proof and evidence of ownership of licences, master disks, manuals, etc.;
    10. +
    11. implementing controls to ensure that any maximum number of users permitted within the licence is not exceeded;
    12. +
    13. carrying out reviews that only authorized software and licensed products are installed;
    14. +
    15. providing a policy for maintaining appropriate licence conditions;
    16. +
    17. providing a policy for disposing of or transferring software to others;
    18. +
    19. complying with terms and conditions for software and information obtained from public networks;
    20. +
    21. not duplicating, converting to another format or extracting from commercial recordings (film, audio) other than permitted by copyright law;
    22. +
    23. not copying in full or in part, books, articles, reports or other documents, other than permitted by copyright law.
    24. +
    +
    + +

    Intellectual property rights include software or document copyright, design rights, trademarks, patents and source code licences.

    +

    Proprietary software products are usually supplied under a licence agreement that specifies licence terms and conditions, for example, limiting the use of the products to specified machines or limiting copying to the creation of backup copies only. The importance and awareness of intellectual property rights should be communicated to staff for software developed by the organization.

    +

    Legislative, regulatory and contractual requirements may place restrictions on the copying of proprietary material. In particular, they may require that only material that is developed by the organization or that is licensed or provided by the developer to the organization, can be used. Copyright infringement can lead to legal action, which may involve fines and criminal proceedings.

    +
    +
    + + Protection of records + 18.1.3 + +

    Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.

    +
    + +

    When deciding upon protection of specific organizational records, their corresponding classification based on the organization’s classification scheme, should be considered. Records should be categorised into record types, e.g. accounting records, database records, transaction logs, audit logs and operational procedures, each with details of retention periods and type of allowable storage media, e.g. paper, microfiche, magnetic, optical. Any related cryptographic keys and programs associated with encrypted archives or digital signatures (see Clause 10), should also be stored to enable decryption of the records for the length of time the records are retained.

    +

    Consideration should be given to the possibility of deterioration of media used for storage of records. Storage and handling procedures should be implemented in accordance with manufacturer’s recommendations.

    +

    Where electronic storage media are chosen, procedures to ensure the ability to access data (both media and format readability) throughout the retention period should be established to safeguard against loss due to future technology change.

    +

    Data storage systems should be chosen such that required data can be retrieved in an acceptable timeframe and format, depending on the requirements to be fulfilled.

    +

    The system of storage and handling should ensure identification of records and of their retention period as defined by national or regional legislation or regulations, if applicable. This system should permit appropriate destruction of records after that period if they are not needed by the organization.

    +

    To meet these record safeguarding objectives, the following steps should be taken within an organization:

    +
      +
    1. guidelines should be issued on the retention, storage, handling and disposal of records and information;
    2. +
    3. a retention schedule should be drawn up identifying records and the period of time for which they should be retained;
    4. +
    5. an inventory of sources of key information should be maintained.
    6. +
    +
    + +

    Some records may need to be securely retained to meet statutory, regulatory or contractual requirements, as well as to support essential business activities. Examples include records that may be required as evidence that an organization operates within statutory or regulatory rules, to ensure defence against potential civil or criminal action or to confirm the financial status of an organization to shareholders, external parties and auditors. National law or regulation may set the time period and data content for information retention.

    +

    Further information about managing organizational records can be found in ISO 15489-1.[5]

    +
    +
    + + Privacy and protection of personally identifiable information + 18.1.4 + +

    Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable.

    +
    + +

    An organization’s data policy for privacy and protection of personally identifiable information should be developed and implemented. This policy should be communicated to all persons involved in the processing of personally identifiable information.

    +

    Compliance with this policy and all relevant legislation and regulations concerning the protection of the privacy of people and the protection of personally identifiable information requires appropriate management structure and control. Often this is best achieved by the appointment of a person responsible, such as a privacy officer, who should provide guidance to managers, users and service providers on their individual responsibilities and the specific procedures that should be followed. Responsibility for handling personally identifiable information and ensuring awareness of the privacy principles should be dealt with in accordance with relevant legislation and regulations. Appropriate technical and organizational measures to protect personally identifiable information should be implemented.

    +
    + +

    ISO/IEC 29100[25] provides a high-level framework for the protection of personally identifiable information within information and communication technology systems. A number of countries have introduced legislation placing controls on the collection, processing and transmission of personally identifiable information (generally information on living individuals who can be identified from that information). Depending on the respective national legislation, such controls may impose duties on those collecting, processing and disseminating personally identifiable information, and may also restrict the ability to transfer personally identifiable information to other countries.

    +
    +
    + + Regulation of cryptographic controls + 18.1.5 + +

    Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations.

    +
    + +

    The following items should be considered for compliance with the relevant agreements, laws and regulations:

    +
      +
    1. restrictions on import or export of computer hardware and software for performing cryptographic functions;
    2. +
    3. restrictions on import or export of computer hardware and software which is designed to have cryptographic functions added to it;
    4. +
    5. restrictions on the usage of encryption;
    6. +
    7. mandatory or discretionary methods of access by the countries’ authorities to information encrypted by hardware or software to provide confidentiality of content.
    8. +
    +

    Legal advice should be sought to ensure compliance with relevant legislation and regulations. Before encrypted information or cryptographic controls are moved across jurisdictional borders, legal advice should also be taken.

    +
    +
    +
    + + Information security reviews + 18.2 + +

    Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

    +
    + + Independent review of information security + 18.2.1 + +

    The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur.

    +
    + +

    Management should initiate the independent review. Such an independent review is necessary to ensure the continuing suitability, adequacy and effectiveness of the organization’s approach to managing information security. The review should include assessing opportunities for improvement and the need for changes to the approach to security, including the policy and control objectives.

    +

    Such a review should be carried out by individuals independent of the area under review, e.g. the internal audit function, an independent manager or an external party organization specializing in such reviews. Individuals carrying out these reviews should have the appropriate skills and experience.

    +

    The results of the independent review should be recorded and reported to the management who initiated the review. These records should be maintained.

    +

    If the independent review identifies that the organization’s approach and implementation to managing information security is inadequate, e.g. documented objectives and requirements are not met or not compliant with the direction for information security stated in the information security policies (see 5.1.1), management should consider corrective actions.

    +
    + +

    ISO/IEC 27007[12], “Guidelines for information security management systems auditing” and ISO/IEC TR 27008[13], “Guidelines for auditors on information security controls” also provide guidance for carrying out the independent review.

    +
    +
    + + Compliance with security policies and standards + 18.2.2 + +

    Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

    +
    + +

    Managers should identify how to review that information security requirements defined in policies, standards and other applicable regulations are met. Automatic measurement and reporting tools should be considered for efficient regular review.

    +

    If any non-compliance is found as a result of the review, managers should:

    +
      +
    1. identify the causes of the non-compliance;
    2. +
    3. evaluate the need for actions to achieve compliance;
    4. +
    5. implement appropriate corrective action;
    6. +
    7. review the corrective action taken to verify its effectiveness and identify any deficiencies or weaknesses.
    8. +
    +

    Results of reviews and corrective actions carried out by managers should be recorded and these records should be maintained. Managers should report the results to the persons carrying out independent reviews (see 18.2.1) when an independent review takes place in the area of their responsibility.

    +
    + +

    Operational monitoring of system use is covered in 12.4.

    +
    +
    + + Technical compliance review + 18.2.3 + +

    Information systems should be regularly reviewed for compliance with the organization’s information security policies and standards.

    +
    + +

    Technical compliance should be reviewed preferably with the assistance of automated tools, which generate technical reports for subsequent interpretation by a technical specialist. Alternatively, manual reviews (supported by appropriate software tools, if necessary) by an experienced system engineer could be performed.

    +

    If penetration tests or vulnerability assessments are used, caution should be exercised as such activities could lead to a compromise of the security of the system. Such tests should be planned, documented and repeatable.

    +

    Any technical compliance review should only be carried out by competent, authorized persons or under the supervision of such persons.

    +
    + +

    Technical compliance reviews involve the examination of operational systems to ensure that hardware and software controls have been correctly implemented. This type of compliance review requires specialist technical expertise.

    +

    Compliance reviews also cover, for example, penetration testing and vulnerability assessments, which might be carried out by independent experts specifically contracted for this purpose. This can be useful in detecting vulnerabilities in the system and for inspecting how effective the controls are in preventing unauthorized access due to these vulnerabilities.

    +

    Penetration testing and vulnerability assessments provide a snapshot of a system in a specific state at a specific time. The snapshot is limited to those portions of the system actually tested during the penetration attempt(s). Penetration testing and vulnerability assessments are not a substitute for risk assessment.

    +

    ISO/IEC TR 27008[13] provides specific guidance regarding technical compliance reviews.

    +
    +
    +
    +
    + + + ISO/IEC Directives, Part 2[1] ISO/IEC Directives, Part 2 + + + ISO/IEC 11770-1, Information technology Security techniques — Key management — Part 1: Framework[2] ISO/IEC 11770-1, Information technology Security techniques — Key management — Part 1: Framework + + + ISO/IEC 11770-2, Information technology — Security techniques — Key management — Part 2: Mechanisms using symmetric techniques[3] ISO/IEC 11770-2, Information technology — Security techniques — Key management — Part 2: Mechanisms using symmetric techniques + + + ISO/IEC 11770-3, Information technology — Security techniques — Key management — Part 3: Mechanisms using asymmetric techniques[4] ISO/IEC 11770-3, Information technology — Security techniques — Key management — Part 3: Mechanisms using asymmetric techniques + + + ISO 15489-1, Information and documentation — Records management — Part 1: General[5] ISO 15489-1, Information and documentation — Records management — Part 1: General + + + ISO/IEC 20000-1, Information technology — Service management — Part 1: Service management system requirements[6] ISO/IEC 20000-1, Information technology — Service management — Part 1: Service management system requirements + + + ISO/IEC 20000-2,1Information technology — Service management — Part 2: Guidance on the application of service management systems[7] ISO/IEC 20000-2,1Information technology — Service management — Part 2: Guidance on the application of service management systems + + + ISO 22301, Societal security — Business continuity management systems — Requirements[8] ISO 22301, Societal security — Business continuity management systems — Requirements + + + ISO 22313, Societal security — Business continuity management systems — Guidance[9] ISO 22313, Societal security — Business continuity management systems — Guidance + + + ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements[10] ISO/IEC 27001, Information technology — Security 
techniques — Information security management systems — Requirements + + + ISO/IEC 27005, Information technology — Security techniques — Information security risk management[11] ISO/IEC 27005, Information technology — Security techniques — Information security risk management + + + ISO/IEC 27007, Information technology — Security techniques — Guidelines for information security management systems auditing[12] ISO/IEC 27007, Information technology — Security techniques — Guidelines for information security management systems auditing + + + ISO/IEC TR 27008, Information technology — Security techniques — Guidelines for auditors on information security controls[13] ISO/IEC TR 27008, Information technology — Security techniques — Guidelines for auditors on information security controls + + + ISO/IEC 27031, Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity[14] ISO/IEC 27031, Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity + + + ISO/IEC 27033-1, Information technology — Security techniques — Network security — Part 1: Overview and concepts[15] ISO/IEC 27033-1, Information technology — Security techniques — Network security — Part 1: Overview and concepts + + + ISO/IEC 27033-2, Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security[16] ISO/IEC 27033-2, Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security + + + ISO/IEC 27033-3, Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — Threats, design techniques and control issues[17] ISO/IEC 27033-3, Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — Threats, design techniques and 
control issues + + + ISO/IEC 27033-4, Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways[18] ISO/IEC 27033-4, Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways + + + ISO/IEC 27033-5, Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Network (VPNs)[19] ISO/IEC 27033-5, Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Network (VPNs) + + + ISO/IEC 27035, Information technology — Security techniques — Information security incident management[20] ISO/IEC 27035, Information technology — Security techniques — Information security incident management + + + ISO/IEC 27036-1, Information technology — Security techniques — Information security for supplier relationships — Part 1: Overview and concepts[21] ISO/IEC 27036-1, Information technology — Security techniques — Information security for supplier relationships — Part 1: Overview and concepts + + + ISO/IEC 27036-2, Information technology — Security techniques — Information security for supplier relationships — Part 2: Common requirements[22] ISO/IEC 27036-2, Information technology — Security techniques — Information security for supplier relationships — Part 2: Common requirements + + + ISO/IEC 27036-3, Information technology — Security techniques — Information security for supplier relationships — Part 3: Guidelines for ICT supply chain security[23] ISO/IEC 27036-3, Information technology — Security techniques — Information security for supplier relationships — Part 3: Guidelines for ICT supply chain security + + + ISO/IEC 27037, Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence[24] ISO/IEC 
27037, Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence + + + ISO/IEC 29100, Information technology — Security techniques — Privacy framework[25] ISO/IEC 29100, Information technology — Security techniques — Privacy framework + + + ISO/IEC 29101, Information technology — Security techniques — Privacy architecture framework[26] ISO/IEC 29101, Information technology — Security techniques — Privacy architecture framework + + + ISO 31000, Risk management — Principles and guidelines[27] ISO 31000, Risk management — Principles and guidelines + + + 1) ISO/IEC 20000-2:2005 has been cancelled and replaced by ISO/IEC 20000-2:2012, Information technology — Service management — Part 2: Guidance on the application of service management systems.1) ISO/IEC 20000-2:2005 has been cancelled and replaced by ISO/IEC 20000-2:2012, Information technology — Service management — Part 2: Guidance on the application of service management systems. + + +
    diff --git a/working/ISO-27002/ISO-27002-OSCAL-refined.xml b/working/ISO-27002/ISO-27002-OSCAL-refined.xml
index c7f6aa835e..3a0f9033d6 100644
--- a/working/ISO-27002/ISO-27002-OSCAL-refined.xml
+++ b/working/ISO-27002/ISO-27002-OSCAL-refined.xml
@@ -1,7 +1,6 @@ - - - - + + + ISO/IEC 27002
@@ -13,7 +12,7 @@ - .1 + .1
@@ -21,8 +20,7 @@ - .1 - + .1
@@ -36,69 +34,69 @@ Management direction for information security 5.1 -

    XX XXXXXXX XXXXXXXXXX XXXXXXXXX XXX XXXXXXX XXX XXXXXXXXXXX XXXXXXXX XX XXXXXXXXXX XXXX XXXXXXXX XXXXXXXXXXXX XXX XXXXXXXX XXXX XXX XXXXXXXXXXX.

    +

    Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

    Policies for information security 5.1.1 -

    X XXX XX XXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXX, XXXXXXXX XX XXXXXXXXXX, XXXXXXXXX XXX XXXXXXXXXXXX XX XXXXXXXXX XXX XXXXXXXX XXXXXXXX XXXXXXX.

    +

    A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.

    -

    XX XXX XXXXXXX XXXXX, XXXXXXXXXXXXX XXXXXX XXXXXX XX “XXXXXXXXXXX XXXXXXXX XXXXXX” XXXXX XX XXXXXXXX XX XXXXXXXXXX XXX XXXXX XXXX XXX XXX XXXXXXXXXXXX’X XXXXXXXX XX XXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX.

    -

    XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXX XXXXXXX XXXXXXXXXXXX XXXXXXX XX:

    +

    At the highest level, organizations should define an “information security policy” which is approved by management and which sets out the organization’s approach to managing its information security objectives.

    +

    Information security policies should address requirements created by:

      -
    1. XXXXXXXX XXXXXXXX;
    2. -
    3. XXXXXXXXXXX, XXXXXXXXXXX XXX XXXXXXXXX;
    4. -
    5. XXX XXXXXXX XXX XXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXX XXXXXXXXXXX.
    6. +
    7. business strategy;
    8. +
    9. regulations, legislation and contracts;
    10. +
    11. the current and projected information security threat environment.
    -

    XXX XXXXXXXXXXX XXXXXXXX XXXXXX XXXXXX XXXXXXX XXXXXXXXXX XXXXXXXXXX:

    +

    The information security policy should contain statements concerning:

      -
    1. XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX, XXXXXXXXXX XXX XXXXXXXXXX XX XXXXX XXX XXXXXXXXXX XXXXXXXX XX XXXXXXXXXXX XXXXXXXX;
    2. -
    3. XXXXXXXXXX XX XXXXXXX XXX XXXXXXXX XXXXXXXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XX XXXXXXX XXXXX;
    4. -
    5. XXXXXXXXX XXX XXXXXXXX XXXXXXXXXX XXX XXXXXXXXXX.
    6. +
    7. definition of information security, objectives and principles to guide all activities relating to information security;
    8. +
    9. assignment of general and specific responsibilities for information security management to defined roles;
    10. +
    11. processes for handling deviations and exceptions.
    -

    XX X XXXXX XXXXX, XXX XXXXXXXXXXX XXXXXXXX XXXXXX XXXXXX XX XXXXXXXXX XX XXXXX-XXXXXXXX XXXXXXXX, XXXXX XXXXXXX XXXXXXX XXX XXXXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXX XXX XXX XXXXXXXXX XXXXXXXXXX XX XXXXXXX XXX XXXXX XX XXXXXXX XXXXXX XXXXXX XXXXXX XX XXXXXXXXXXXX XX XX XXXXX XXXXXXX XXXXXX.

    -

    XXXXXXXX XX XXXX XXXXXX XXXXXX XXXXXXX:

    +

    At a lower level, the information security policy should be supported by topic-specific policies, which further mandate the implementation of information security controls and are typically structured to address the needs of certain target groups within an organization or to cover certain topics.

    +

    Examples of such policy topics include:

      -
    1. XXXXXX XXXXXXX (XXX Clause 9);
    2. -
    3. XXXXXXXXXXX XXXXXXXXXXXXXX (XXX XXXXXXXX) (XXX 8.2);
    4. -
    5. XXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXX (XXX Clause 11);
    6. -
    7. XXX XXXX XXXXXXXX XXXXXX XXXX XX:
        -
      1. XXXXXXXXXX XXX XX XXXXXX (XXX 8.1.3);
      2. -
      3. XXXXX XXXX XXX XXXXX XXXXXX (XXX 11.2.9);
      4. -
      5. XXXXXXXXXXX XXXXXXXX (XXX 13.2.1);
      6. -
      7. XXXXXX XXXXXXX XXX XXXXXXXXXXX (XXX 6.2);
      8. -
      9. XXXXXXXXXXXX XX XXXXXXXX XXXXXXXXXXXXX XXX XXX (XXX 12.6.2);
      10. +
      11. access control (see Clause 9);
      12. +
      13. information classification (and handling) (see 8.2);
      14. +
      15. physical and environmental security (see Clause 11);
      16. +
      17. end user oriented topics such as:
          +
        1. acceptable use of assets (see 8.1.3);
        2. +
        3. clear desk and clear screen (see 11.2.9);
        4. +
        5. information transfer (see 13.2.1);
        6. +
        7. mobile devices and teleworking (see 6.2);
        8. +
        9. restrictions on software installations and use (see 12.6.2);
      18. -
      19. XXXXXX (XXX 12.3);
      20. -
      21. XXXXXXXXXXX XXXXXXXX (XXX 13.2);
      22. -
      23. XXXXXXXXXX XXXX XXXXXXX (XXX 12.2);
      24. -
      25. XXXXXXXXXX XX XXXXXXXXX XXXXXXXXXXXXXXX (XXX 12.6.1);
      26. -
      27. XXXXXXXXXXXXX XXXXXXXX (XXX Clause 10);
      28. -
      29. XXXXXXXXXXXXXX XXXXXXXX (XXX Clause 13);
      30. -
      31. XXXXXXX XXX XXXXXXXXXX XX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX (XXX 18.1.4);
      32. -
      33. XXXXXXXX XXXXXXXXXXXXX (XXX Clause 15).
      34. +
      35. backup (see 12.3);
      36. +
      37. information transfer (see 13.2);
      38. +
      39. protection from malware (see 12.2);
      40. +
      41. management of technical vulnerabilities (see 12.6.1);
      42. +
      43. cryptographic controls (see Clause 10);
      44. +
      45. communications security (see Clause 13);
      46. +
      47. privacy and protection of personally identifiable information (see 18.1.4);
      48. +
      49. supplier relationships (see Clause 15).
      -

      XXXXX XXXXXXXX XXXXXX XX XXXXXXXXXXXX XX XXXXXXXXX XXX XXXXXXXX XXXXXXXX XXXXXXX XX X XXXX XXXX XX XXXXXXXX, XXXXXXXXXX XXX XXXXXXXXXXXXXX XX XXX XXXXXXXX XXXXXX, X.X. XX XXX XXXXXXX XX XX “XXXXXXXXXXX XXXXXXXX XXXXXXXXX, XXXXXXXXX XXX XXXXXXXX XXXXXXXXX” (XXX 7.2.2).

      +

      These policies should be communicated to employees and relevant external parties in a form that is relevant, accessible and understandable to the intended reader, e.g. in the context of an “information security awareness, education and training programme” (see 7.2.2).

      -

      XXX XXXX XXX XXXXXXXX XXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXX XXXXXX XXXXXXXXXXXXX. XXXXXXXX XXXXXXXX XXX XXXXXXXXXX XXXXXX XX XXXXXX XXX XXXX XXXXXXX XXXXXXXXXXXXX XXXXX XXXXX XXXXXXXX XXX XXXXXXXXX XXX XXXXXXXX XXXXXX XX XXXXXXX XXX XXXXXXXXXX XXXX XXXXX XXXXXXXXXXXX XXX XXXXXXXX XX XX XXXXXXXXXX XXXXX X XXXXXX XXXXXXX XX XXXX XXXXXXXXX XXXXXX XX XXXXXXXXX XX XXX XXXXXXXXXXXX. XXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXX XX XXXXXX XX X XXXXXX “XXXXXXXXXXX XXXXXXXX XXXXXX” XXXXXXXX XX XX X XXX XX XXXXXXXXXX XXX XXXXXXX XXXXXXXXX.

      -

      XX XXX XX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXX XXX XXXXXXXXXXX XXXXXXX XXX XXXXXXXXXXXX, XXXX XXXXXX XX XXXXX XXX XX XXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX.

      -

      XXXX XXXXXXXXXXXXX XXX XXXXX XXXXX XXX XXXXX XXXXXX XXXXXXXXX, XXXX XX “XXXXXXXXX”, “XXXXXXXXXX” XX “XXXXX”.

      +

      The need for internal policies for information security varies across organizations. Internal policies are especially useful in larger and more complex organizations where those defining and approving the expected levels of control are segregated from those implementing the controls or in situations where a policy applies to many different people or functions in the organization. Policies for information security can be issued in a single “information security policy” document or as a set of individual but related documents.

      +

      If any of the information security policies are distributed outside the organization, care should be taken not to disclose confidential information.

      +

      Some organizations use other terms for these policy documents, such as “Standards”, “Directives” or “Rules”.

      Review of the policies for information security 5.1.2 -

      XXX XXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXX XX XXXXXXX XXXXXXXXX XX XX XXXXXXXXXXX XXXXXXX XXXXX XX XXXXXX XXXXX XXXXXXXXXX XXXXXXXXXXX, XXXXXXXX XXX XXXXXXXXXXXXX.

      +

      The policies for information security should be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

      -

      XXXX XXXXXX XXXXXX XXXX XX XXXXX XXX XXX XXXXXXXX XXXXXXXXXX XXXXXXXXXXXXXX XXX XXX XXXXXXXXXXX, XXXXXX XXX XXXXXXXXXX XX XXX XXXXXXXX. XXX XXXXXX XXXXXX XXXXXXX XXXXXXXXX XXXXXXXXXXXXX XXX XXXXXXXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXX XXX XXXXXXXX XX XXXXXXXX XXXXXXXXXXX XXXXXXXX XX XXXXXXXX XX XXXXXXX XX XXX XXXXXXXXXXXXXX XXXXXXXXXXX, XXXXXXXX XXXXXXXXXXXXX, XXXXX XXXXXXXXXX XX XXXXXXXXX XXXXXXXXXXX.

      -

      XXX XXXXXX XX XXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXX XXXX XXX XXXXXXX XX XXXXXXXXXX XXXXXXX XXXX XXXXXXX.

      -

      XXXXXXXXXX XXXXXXXX XXX X XXXXXXX XXXXXX XXXXXX XX XXXXXXXX.

      +

      Each policy should have an owner who has approved management responsibility for the development, review and evaluation of the policies. The review should include assessing opportunities for improvement of the organization’s policies and approach to managing information security in response to changes to the organizational environment, business circumstances, legal conditions or technical environment.

      +

      The review of policies for information security should take the results of management reviews into account.

      +

      Management approval for a revised policy should be obtained.

      @@ -110,94 +108,94 @@ Internal organization 6.1 -

      XX XXXXXXXXX X XXXXXXXXXX XXXXXXXXX XX XXXXXXXX XXX XXXXXXX XXX XXXXXXXXXXXXXX XXX XXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXX XXX XXXXXXXXXXXX.

      +

      Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

      Information security roles and responsibilities 6.1.1 -

      XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXXXXXX XXXXXX XX XXXXXXX XXX XXXXXXXXX.

      +

      All information security responsibilities should be defined and allocated.

      -

      XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXXXXXX XXXXXX XX XXXX XX XXXXXXXXXX XXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXX (XXX 5.1.1). XXXXXXXXXXXXXXXX XXX XXX XXXXXXXXXX XX XXXXXXXXXX XXXXXX XXX XXX XXXXXXXX XXX XXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXXXXX. XXXXXXXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXX XXXXXXXXXX XXXXXXXXXX XXX XX XXXXXXXXXX XXX XXXXXXXXXX XX XXXXXXXX XXXXX XXXXXX XX XXXXXXX. XXXXX XXXXXXXXXXXXXXXX XXXXXX XX XXXXXXXXXXXX, XXXXX XXXXXXXXX, XXXX XXXX XXXXXXXX XXXXXXXX XXX XXXXXXXX XXXXX XXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX. XXXXX XXXXXXXXXXXXXXXX XXX XXX XXXXXXXXXX XX XXXXXX XXX XXX XXXXXXXX XXX XXXXXXXX XXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXX.

      -

      XXXXXXXXXXX XXXX XXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXXXXXX XXX XXXXXXXX XXXXXXXX XXXXX XX XXXXXX. XXXXXXXXXXXX XXXX XXXXXX XXXXXXXXXXX XXX XXXXXX XXXXXXXXX XXXX XXX XXXXXXXXX XXXXX XXXX XXXX XXXXXXXXX XXXXXXXXX.

      -

      XXXXX XXX XXXXX XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXX XX XXXXXX. XX XXXXXXXXXX XXX XXXXXXXXX XXXXXX XXXX XXXXX:

      +

      Allocation of information security responsibilities should be done in accordance with the information security policies (see 5.1.1). Responsibilities for the protection of individual assets and for carrying out specific information security processes should be identified. Responsibilities for information security risk management activities and in particular for acceptance of residual risks should be defined. These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined.

      +

      Individuals with allocated information security responsibilities may delegate security tasks to others. Nevertheless they remain accountable and should determine that any delegated tasks have been correctly performed.

      +

      Areas for which individuals are responsible should be stated. In particular the following should take place:

        -
      1. XXX XXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXX;
      2. -
      3. XXX XXXXXX XXXXXXXXXXX XXX XXXX XXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXX XXXXXX XX XXXXXXXX XXX XXX XXXXXXX XX XXXX XXXXXXXXXXXXXX XXXXXX XX XXXXXXXXXX (XXX 8.1.2);
      4. -
      5. XXXXXXXXXXXXX XXXXXX XXXXXX XX XXXXXXX XXX XXXXXXXXXX;
      6. -
      7. XX XX XXXX XX XXXXXX XXXXXXXXXXXXXXXX XX XXX XXXXXXXXXXX XXXXXXXX XXXX XXX XXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXX XX XXX XXXX XXX XX XXXXX XXXXXXXXXXXXX XX XXXX XX XX XXXX XXXX XXXXXXXXXXXX;
      8. -
      9. XXXXXXXXXXXX XXX XXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXX XX XXXXXXXX XXXXXXXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXXXXX.
      10. +
      11. the assets and information security processes should be identified and defined;
      12. +
      13. the entity responsible for each asset or information security process should be assigned and the details of this responsibility should be documented (see 8.1.2);
      14. +
      15. authorization levels should be defined and documented;
      16. +
      17. to be able to fulfil responsibilities in the information security area the appointed individuals should be competent in the area and be given opportunities to keep up to date with developments;
      18. +
      19. coordination and oversight of information security aspects of supplier relationships should be identified and documented.
      -

      XXXX XXXXXXXXXXXXX XXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXX XX XXXX XXXXXXX XXXXXXXXXXXXXX XXX XXX XXXXXXXXXXX XXX XXXXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXX XX XXXXXXX XXX XXXXXXXXXXXXXX XX XXXXXXXX.

      -

      XXXXXXX, XXXXXXXXXXXXXX XXX XXXXXXXXXX XXX XXXXXXXXXXXX XXX XXXXXXXX XXXX XXXXX XXXXXX XXXX XXXXXXXXXX XXXXXXXX. XXX XXXXXX XXXXXXXX XX XX XXXXXXX XX XXXXX XXX XXXX XXXXX XXX XXXX XXXXXXX XXXXXXXXXXX XXX XXX XXX-XX-XXX XXXXXXXXXX.

      +

      Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls.

      +

      However, responsibility for resourcing and implementing the controls will often remain with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection.

      Segregation of duties 6.1.2 -

      XXXXXXXXXXX XXXXXX XXX XXXXX XX XXXXXXXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXX XXXXXXXXXXXXX XXX XXXXXXXXXXXX XX XXXXXXXXXXXXX XXXXXXXXXXXX XX XXXXXX XX XXX XXXXXXXXXXXX’X XXXXXX.

      +

      Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

      -

      XXXX XXXXXX XX XXXXX XXXX XX XXXXXX XXXXXX XXX XXXXXX, XXXXXX XX XXX XXXXXX XXXXXXX XXXXXXXXXXXXX XX XXXXXXXXX. XXX XXXXXXXXXX XX XX XXXXX XXXXXX XX XXXXXXXXX XXXX XXX XXXXXXXXXXXXX. XXX XXXXXXXXXXX XX XXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXXXX XXX XXXXXXXX.

      -

      XXXXX XXXXXXXXXXXXX XXX XXXX XXXXXXXXXXX XX XXXXXX XXXXXXXXX XX XXXXXXX, XXX XXX XXXXXXXXX XXXXXX XX XXXXXXX XX XXX XX XX XXXXXXXX XXX XXXXXXXXXXX. XXXXXXXX XX XX XXXXXXXXX XX XXXXXXXXX, XXXXX XXXXXXXX XXXX XX XXXXXXXXXX XX XXXXXXXXXX, XXXXX XXXXXX XXX XXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXXX.

      +

      Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls.

      +

      Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision should be considered.

      -

      XXXXXXXXXXX XX XXXXXX XX X XXXXXX XXX XXXXXXXX XXX XXXX XX XXXXXXXXXX XX XXXXXXXXXX XXXXXX XX XX XXXXXXXXXXXX’X XXXXXX.

      +

      Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an organization’s assets.

      Contact with authorities 6.1.3 -

      XXXXXXXXXXX XXXXXXXX XXXX XXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXXX.

      +

      Appropriate contacts with relevant authorities should be maintained.

      -

      XXXXXXXXXXXXX XXXXXX XXXX XXXXXXXXXX XX XXXXX XXXX XXXXXXX XXXX XXX XX XXXX XXXXXXXXXXX (X.X. XXX XXXXXXXXXXX, XXXXXXXXXX XXXXXX, XXXXXXXXXXX XXXXXXXXXXX) XXXXXX XX XXXXXXXXX XXX XXX XXXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXXX XX X XXXXXX XXXXXX (X.X. XX XX XX XXXXXXXXX XXXX XXXX XXX XXXX XXXX XXXXXX).

      +

      Organizations should have procedures in place that specify when and by whom authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information security incidents should be reported in a timely manner (e.g. if it is suspected that laws may have been broken).

      -

      XXXXXXXXXXXXX XXXXX XXXXXX XXXX XXX XXXXXXXX XXX XXXX XXXXXXXXXXX XX XXXX XXXXXX XXXXXXX XXX XXXXXX XXXXXX.

      -

      XXXXXXXXXXX XXXX XXXXXXXX XXX XX X XXXXXXXXXXX XX XXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXXXX (XXX Clause 16) XX XXX XXXXXXXX XXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXX (XXX Clause 17). XXXXXXXX XXXX XXXXXXXXXX XXXXXX XXX XXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXX XXX XXXXXXXX XXXXXXX XX XXXX XX XXXXXXXXXXX, XXXXX XXXX XX XX XXXXXXXXXXX XX XXX XXXXXXXXXXXX. XXXXXXXX XXXX XXXXX XXXXXXXXXXX XXXXXXX XXXXXXXXX, XXXXXXXXX XXXXXXXX, XXXXXXXXXXX XXXXXXXXX XXX XXXXXX XXX XXXXXX, X.X. XXXX XXXXXXXXXXX (XX XXXXXXXXXX XXXX XXXXXXXX XXXXXXXXXX), XXXXXXXXXXXXXXXXX XXXXXXXXX (XX XXXXXXXXXX XXXX XXXX XXXXXXX XXX XXXXXXXXXXXX) XXX XXXXX XXXXXXXXX (XX XXXXXXXXXX XXXX XXXXXXX XXXXXXXXXX XXX XXXXXXXXX).

      +

      Organizations under attack from the Internet may need authorities to take action against the attack source.

      +

      Maintaining such contacts may be a requirement to support information security incident management (see Clause 16) or the business continuity and contingency planning process (see Clause 17). Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in laws or regulations, which have to be implemented by the organization. Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety, e.g. fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability) and water suppliers (in connection with cooling facilities for equipment).

      Contact with special interest groups 6.1.4 -

      XXXXXXXXXXX XXXXXXXX XXXX XXXXXXX XXXXXXXX XXXXXX XX XXXXX XXXXXXXXXX XXXXXXXX XXXXXX XXX XXXXXXXXXXXX XXXXXXXXXXXX XXXXXX XX XXXXXXXXXX.

      +

      Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.

      -

      XXXXXXXXXX XX XXXXXXX XXXXXXXX XXXXXX XX XXXXXX XXXXXX XX XXXXXXXXXX XX X XXXXX XX:

      +

      Membership in special interest groups or forums should be considered as a means to:

        -
      1. XXXXXXX XXXXXXXXX XXXXX XXXX XXXXXXXXX XXX XXXX XX XX XXXX XXXX XXXXXXXX XXXXXXXX XXXXXXXXXXX;
      2. -
      3. XXXXXX XXX XXXXXXXXXXXXX XX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXX XX XXXXXXX XXX XXXXXXXX;
      4. -
      5. XXXXXXX XXXXX XXXXXXXX XX XXXXXX, XXXXXXXXXX XXX XXXXXXX XXXXXXXXXX XX XXXXXXX XXX XXXXXXXXXXXXXXX;
      6. -
      7. XXXX XXXXXX XX XXXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXX;
      8. -
      9. XXXXX XXX XXXXXXXX XXXXXXXXXXX XXXXX XXX XXXXXXXXXXXX, XXXXXXXX, XXXXXXX XX XXXXXXXXXXXXXXX;
      10. -
      11. XXXXXXX XXXXXXXX XXXXXXX XXXXXX XXXX XXXXXXX XXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX (XXX Clause 16).
      12. +
      13. improve knowledge about best practices and stay up to date with relevant security information;
      14. +
      15. ensure the understanding of the information security environment is current and complete;
      16. +
      17. receive early warnings of alerts, advisories and patches pertaining to attacks and vulnerabilities;
      18. +
      19. gain access to specialist information security advice;
      20. +
      21. share and exchange information about new technologies, products, threats or vulnerabilities;
      22. +
      23. provide suitable liaison points when dealing with information security incidents (see Clause 16).
      -

      XXXXXXXXXXX XXXXXXX XXXXXXXXXX XXX XX XXXXXXXXXXX XX XXXXXXX XXXXXXXXXXX XXX XXXXXXXXXXXX XX XXXXXXXX XXXXXX. XXXX XXXXXXXXXX XXXXXX XXXXXXXX XXXXXXXXXXXX XXX XXX XXXXXXXXXX XX XXXXXXXXXXXX XXXXXXXXXXX.

      +

      Information sharing agreements can be established to improve cooperation and coordination of security issues. Such agreements should identify requirements for the protection of confidential information.

      Information security in project management 6.1.5 -

      XXXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXX XX XXXXXXX XXXXXXXXXX, XXXXXXXXXX XX XXX XXXX XX XXX XXXXXXX.

      +

      Information security should be addressed in project management, regardless of the type of the project.

      -

      XXXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXX XXXX XXX XXXXXXXXXXXX’X XXXXXXX XXXXXXXXXX XXXXXX(X) XX XXXXXX XXXX XXXXXXXXXXX XXXXXXXX XXXXX XXX XXXXXXXXXX XXX XXXXXXXXX XX XXXX XX X XXXXXXX. XXXX XXXXXXX XXXXXXXXX XX XXX XXXXXXX XXXXXXXXXX XX XXX XXXXXXXXX, X.X. X XXXXXXX XXX X XXXX XXXXXXXX XXXXXXX, XX, XXXXXXXX XXXXXXXXXX XXX XXXXX XXXXXXXXXX XXXXXXXXX. XXX XXXXXXX XXXXXXXXXX XXXXXXX XX XXX XXXXXX XXXXXXX XXXX:

      +

      Information security should be integrated into the organization’s project management method(s) to ensure that information security risks are identified and addressed as part of a project. This applies generally to any project regardless of its character, e.g. a project for a core business process, IT, facility management and other supporting processes. The project management methods in use should require that:

        -
      1. XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXX XXXXXXXX XX XXXXXXX XXXXXXXXXX;
      2. -
      3. XX XXXXXXXXXXX XXXXXXXX XXXX XXXXXXXXXX XX XXXXXXXXX XX XX XXXXX XXXXX XX XXX XXXXXXX XX XXXXXXXX XXXXXXXXX XXXXXXXX;
      4. -
      5. XXXXXXXXXXX XXXXXXXX XX XXXX XX XXX XXXXXX XX XXX XXXXXXX XXXXXXX XXXXXXXXXXX.
      6. +
      7. information security objectives are included in project objectives;
      8. +
      9. an information security risk assessment is conducted at an early stage of the project to identify necessary controls;
      10. +
      11. information security is part of all phases of the applied project methodology.
      -

      XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXXXXX XX XXXXXXXXX XXX XXXXXXXX XXXXXXXXX XX XXX XXXXXXXX. XXXXXXXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXX XXX XXXXXXXXX XX XXXXXXXXX XXXXX XXXXXXX XX XXX XXXXXXX XXXXXXXXXX XXXXXXX.

      +

      Information security implications should be addressed and reviewed regularly in all projects. Responsibilities for information security should be defined and allocated to specified roles defined in the project management methods.

      @@ -205,84 +203,84 @@ Mobile devices and teleworking 6.2 -

      XX XXXXXX XXX XXXXXXXX XX XXXXXXXXXXX XXX XXX XX XXXXXX XXXXXXX.

      +

      Objective: To ensure the security of teleworking and use of mobile devices.

      Mobile device policy 6.2.1 -

      X XXXXXX XXX XXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXX XX XXXXXXX XX XXXXXX XXX XXXXX XXXXXXXXXX XX XXXXX XXXXXX XXXXXXX.

      +

      A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices.

      -

      XXXX XXXXX XXXXXX XXXXXXX, XXXXXXX XXXX XXXXXX XX XXXXX XX XXXXXX XXXX XXXXXXXX XXXXXXXXXXX XX XXX XXXXXXXXXXX. XXX XXXXXX XXXXXX XXXXXX XXXXXX XXXX XXXX XXXXXXX XXX XXXXX XX XXXXXXX XXXX XXXXXX XXXXXXX XX XXXXXXXXXXX XXXXXXXXXXXX.

      -

      XXX XXXXXX XXXXXX XXXXXX XXXXXX XXXXXXXX:

      +

      When using mobile devices, special care should be taken to ensure that business information is not compromised. The mobile device policy should take into account the risks of working with mobile devices in unprotected environments.

      +

      The mobile device policy should consider:

        -
      1. XXXXXXXXXXXX XX XXXXXX XXXXXXX;
      2. -
      3. XXXXXXXXXXXX XXX XXXXXXXX XXXXXXXXXX;
      4. -
      5. XXXXXXXXXXX XX XXXXXXXX XXXXXXXXXXXX;
      6. -
      7. XXXXXXXXXXXX XXX XXXXXX XXXXXX XXXXXXXX XXXXXXXX XXX XXX XXXXXXXX XXXXXXX;
      8. -
      9. XXXXXXXXXXX XX XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX;
      10. -
      11. XXXXXX XXXXXXXX;
      12. -
      13. XXXXXXXXXXXXX XXXXXXXXXX;
      14. -
      15. XXXXXXX XXXXXXXXXX;
      16. -
      17. XXXXXX XXXXXXXXX, XXXXXXX XX XXXXXXX;
      18. -
      19. XXXXXXX;
      20. -
      21. XXXXX XX XXX XXXXXXXX XXX XXX XXXX.
      22. +
      23. registration of mobile devices;
      24. +
      25. requirements for physical protection;
      26. +
      27. restriction of software installation;
      28. +
      29. requirements for mobile device software versions and for applying patches;
      30. +
      31. restriction of connection to information services;
      32. +
      33. access controls;
      34. +
      35. cryptographic techniques;
      36. +
      37. malware protection;
      38. +
      39. remote disabling, erasure or lockout;
      40. +
      41. backups;
      42. +
      43. usage of web services and web apps.
      -

      XXXX XXXXXX XX XXXXX XXXX XXXXX XXXXXX XXXXXXX XX XXXXXX XXXXXX, XXXXXXX XXXXX XXX XXXXX XXXXXXXXXXX XXXXX. XXXXXXXXXX XXXXXX XX XX XXXXX XX XXXXX XXX XXXXXXXXXXXX XXXXXX XX XX XXXXXXXXXX XX XXX XXXXXXXXXXX XXXXXX XXX XXXXXXXXX XX XXXXX XXXXXXX, X.X. XXXXX XXXXXXXXXXXXX XXXXXXXXXX (XXX Clause 10) XXX XXXXXXXXX XXX XX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX (XXX 9.2.4).

      -

      XXXXXX XXXXXXX XXXXXX XXXX XX XXXXXXXXXX XXXXXXXXX XXXXXXX XXXXX XXXXXXXXXX XXXX XXXX, XXX XXXXXXX, XX XXXX XXX XXXXX XXXXX XX XXXXXXXXX, XXXXX XXXXX, XXXXXXXXXX XXXXXXX XXX XXXXXXX XXXXXX. X XXXXXXXX XXXXXXXXX XXXXXX XXXX XXXXXXX XXXXX, XXXXXXXXX XXX XXXXX XXXXXXXX XXXXXXXXXXXX XX XXX XXXXXXXXXXXX XXXXXX XX XXXXXXXXXXX XXX XXXXX XX XXXXX XX XXXX XX XXXXXX XXXXXXX. XXXXXXX XXXXXXXX XXXXXXXXX, XXXXXXXXX XX XXXXXXXX XXXXXXXX XXXXXXXXXXX XXXXXX XXX XX XXXX XXXXXXXXXX XXX, XXXXX XXXXXXXX, XXXXXX XX XXXXXXXXXX XXXXXX XXXX, XX XXXXXXX XXXXX XXXXXX XX XXXX XX XXXXXX XXX XXXXXXX.

      -

      XXXXXXXX XXXXXX XX XXXXXXXX XXX XXXXXXXXX XXXXX XXXXXX XXXXXXX XX XXXXX XXXXX XXXXXXXXX XX XXX XXXXXXXXXX XXXXX XXXXXXXXX XXXX XXXX XXX XX XXXXXXX XXX XXX XXXXXXXX XXXX XXXXXX XX XXXXXXXXXXX.

      -

      XXXXX XXX XXXXXX XXXXXX XXXXXX XXXXXX XXX XXX XX XXXXXXXXX XXXXX XXXXXX XXXXXXX, XXX XXXXXX XXX XXXXXXX XXXXXXXX XXXXXXXX XXXXXX XXXX XXXXXXXX:

      +

      Care should be taken when using mobile devices in public places, meeting rooms and other unprotected areas. Protection should be in place to avoid the unauthorized access to or disclosure of the information stored and processed by these devices, e.g. using cryptographic techniques (see Clause 10) and enforcing use of secret authentication information (see 9.2.4).

      +

      Mobile devices should also be physically protected against theft especially when left, for example, in cars and other forms of transport, hotel rooms, conference centres and meeting places. A specific procedure taking into account legal, insurance and other security requirements of the organization should be established for cases of theft or loss of mobile devices. Devices carrying important, sensitive or critical business information should not be left unattended and, where possible, should be physically locked away, or special locks should be used to secure the devices.

      +

      Training should be arranged for personnel using mobile devices to raise their awareness of the additional risks resulting from this way of working and the controls that should be implemented.

      +

      Where the mobile device policy allows the use of privately owned mobile devices, the policy and related security measures should also consider:

        -
      1. XXXXXXXXXX XX XXXXXXX XXX XXXXXXXX XXX XX XXX XXXXXXX, XXXXXXXXX XXXXX XXXXXXXX XX XXXXXXX XXXX XXXXXXXXXX XXX XXXXXXX XXXXXXXX XXXX XX X XXXXXXX XXXXXX;
      2. -
      3. XXXXXXXXX XXXXXX XX XXXXXXXX XXXXXXXXXXX XXXX XXXXX XXXXX XXXX XXXXXX XX XXX XXXX XXXXXXXXX XXXXXXXXXXXXX XXXXX XXXXXX (XXXXXXXX XXXXXXXXXX, XXXXXXXX XXXXXXXX, XXX.), XXXXXXX XXXXXXXXX XX XXXXXXXX XXXX, XXXXXXXX XXXXXX XXXXXX XX XXXX XX XXX XXXXXXXXXXXX XX XXXX XX XXXXX XX XXXX XX XXX XXXXXX XX XXXX XX XXXXXX XXXXXXXXXX XX XXX XXX XXXXXXX. XXXX XXXXXX XXXXX XX XXXX XXXXXXX XX XXXXXXX XXXXXXXXXXX.
      4. +
      5. separation of private and business use of the devices, including using software to support such separation and protect business data on a private device;
      6. +
      7. providing access to business information only after users have signed an end user agreement acknowledging their duties (physical protection, software updating, etc.), waiving ownership of business data, allowing remote wiping of data by the organization in case of theft or loss of the device or when no longer authorized to use the service. This policy needs to take account of privacy legislation.
      -

      XXXXXX XXXXXX XXXXXXXX XXXXXXXXXXX XXX XXXXXXX XX XXXXX XXXXX XX XXXXXXX XXXXXXXXXX, XXX XXXX XXXXXXXXX XXXXXXXXXXX XXXX XXXXXX XX XXXXXXXXXX XXXX XXXXXXXXXXX XXXXXXXX. XXXXXXX XXXXXXXXXXX XXX:

      +

      Mobile device wireless connections are similar to other types of network connection, but have important differences that should be considered when identifying controls. Typical differences are:

        -
      1. XXXX XXXXXXXX XXXXXXXX XXXXXXXXX XXX XXXXXXXX XXX XXXX XXXXX XXXXXXXXXX;
      2. -
      3. XXXXXXXXXXX XXXXXX XX XXXXXX XXXXXXX XXX XXX XX XXXXXX-XX XXXXXXX XX XXXXXXX XXXXXXX XXXXXXXXX XX XXXXXXX XXXXXX XXXXXXX XXX XXX XX XXXXXXXXX XX XXX XXXXX XXXX XXXXXXX XXX XXXXXXXXX.
      4. +
      5. some wireless security protocols are immature and have known weaknesses;
      6. +
      7. information stored on mobile devices may not be backed-up because of limited network bandwidth or because mobile devices may not be connected at the times when backups are scheduled.
      -

      XXXXXX XXXXXXX XXXXXXXXX XXXXX XXXXXX XXXXXXXXX, X.X. XXXXXXXXXX, XXXXXXXX XXXXXX, X-XXXX XXX XXXX XXXXXXXX, XXXX XXXXX XXX XXXXXXX. XXXXXXXXXXX XXXXXXXX XXXXXXXX XXX XXX XXXXXX XXXXXXX XXXXXXXXX XXXXXXX XX XXXXX XXXXXXX XX XXX XXXXX XXX XXXXXXX XXX XXXXX XX XXXXXXX XXXXXXX XXXXXX XX XXXXX XXXXX XXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXX.

      +

      Mobile devices generally share common functions, e.g. networking, internet access, e-mail and file handling, with fixed use devices. Information security controls for the mobile devices generally consist of those adopted in the fixed use devices and those to address threats raised by their usage outside the organization’s premises.

      Teleworking 6.2.2 -

      X XXXXXX XXX XXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXXX XXXXXXXXXXX XXXXXXXX, XXXXXXXXX XX XXXXXX XX XXXXXXXXXXX XXXXX.

      +

      A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites.

      -

      XXXXXXXXXXXXX XXXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXX XXXXX X XXXXXX XXXX XXXXXXX XXX XXXXXXXXXX XXX XXXXXXXXXXXX XXX XXXXX XXXXXXXXXXX. XXXXX XXXXXX XXXXXXXXXX XXX XXXXXXX XX XXX, XXX XXXXXXXXX XXXXXXX XXXXXX XX XXXXXXXXXX:

      +

      Organizations allowing teleworking activities should issue a policy that defines the conditions and restrictions for using teleworking. Where deemed applicable and allowed by law, the following matters should be considered:

        -
      1. XXX XXXXXXXX XXXXXXXX XXXXXXXX XX XXX XXXXXXXXXXX XXXX, XXXXXX XXXX XXXXXXX XXX XXXXXXXX XXXXXXXX XX XXX XXXXXXXX XXX XXX XXXXX XXXXXXXXXXX;
      2. -
      3. XXX XXXXXXXX XXXXXXXX XXXXXXXXXXX XXXXXXXXXXX;
      4. -
      5. XXX XXXXXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX, XXXXXX XXXX XXXXXXX XXX XXXX XXX XXXXXX XXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXX XXXXXXX, XXX XXXXXXXXXXX XX XXX XXXXXXXXXXX XXXX XXXX XX XXXXXXXX XXX XXXXXX XXXX XXX XXXXXXXXXXXXX XXXX XXX XXX XXXXXXXXXXX XX XXX XXXXXXXX XXXXXX;
      6. -
      7. XXX XXXXXXXXX XX XXXXXXX XXXXXXX XXXXXX XXXX XXXXXXXX XXXXXXXXXX XXX XXXXXXX XX XXXXXXXXXXX XX XXXXXXXXX XXXXX XXXXXXXXX;
      8. -
      9. XXX XXXXXX XX XXXXXXXXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXXXXX XXXX XXXXX XXXXXXX XXXXX XXX XXXXXXXXXXXXX, X.X. XXXXXX XXX XXXXXXX;
      10. -
      11. XXX XXX XX XXXX XXXXXXXX XXX XXXXXXXXXXXX XX XXXXXXXXXXXX XX XXX XXXXXXXXXXXXX XX XXXXXXXX XXXXXXX XXXXXXXX;
      12. -
      13. XXXXXXXX XXX XXXXXXXXXX XX XXXXXXX XXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXXXX XXXXXXXX XXXXXXXXX XX XXXXXXXXX XXXXX XXXXXXXXX;
      14. -
      15. XXXXXX XX XXXXXXXXX XXXXX XXXXXXXXX (XX XXXXXX XXX XXXXXXXX XX XXX XXXXXXX XX XXXXXX XX XXXXXXXXXXXXX), XXXXX XXX XX XXXXXXXXX XX XXXXXXXXXXX;
      16. -
      17. XXXXXXXX XXXXXXXXX XXXXXXXXXX XXXX XXX XXXX XXXX XXXXXXXXXXXXX XXX XXXXXX XXXXXX XXX XXXXXXXXX XXX XXXXXX XXXXXXXX XX XXXXXXXXXXXX XXXXX XXXXXXXXX XX XXXXXXXXX XX XXXXXXXX XXXXX XXXXX;
      18. -
      19. XXXXXXX XXXXXXXXXX XXX XXXXXXXX XXXXXXXXXXXX.
      20. +
      21. the existing physical security of the teleworking site, taking into account the physical security of the building and the local environment;
      22. +
      23. the proposed physical teleworking environment;
      24. +
      25. the communications security requirements, taking into account the need for remote access to the organization’s internal systems, the sensitivity of the information that will be accessed and passed over the communication link and the sensitivity of the internal system;
      26. +
      27. the provision of virtual desktop access that prevents processing and storage of information on privately owned equipment;
      28. +
      29. the threat of unauthorized access to information or resources from other persons using the accommodation, e.g. family and friends;
      30. +
      31. the use of home networks and requirements or restrictions on the configuration of wireless network services;
      32. +
      33. policies and procedures to prevent disputes concerning rights to intellectual property developed on privately owned equipment;
      34. +
      35. access to privately owned equipment (to verify the security of the machine or during an investigation), which may be prevented by legislation;
      36. +
      37. software licensing agreements that are such that organizations may become liable for licensing for client software on workstations owned privately by employees or external party users;
      38. +
      39. malware protection and firewall requirements.
      -

      XXX XXXXXXXXXX XXX XXXXXXXXXXXX XX XX XXXXXXXXXX XXXXXX XXXXXXX:

      +

      The guidelines and arrangements to be considered should include:

        -
      1. XXX XXXXXXXXX XX XXXXXXXX XXXXXXXXX XXX XXXXXXX XXXXXXXXX XXX XXX XXXXXXXXXXX XXXXXXXXXX, XXXXX XXX XXX XX XXXXXXXXX XXXXX XXXXXXXXX XXXX XX XXX XXXXX XXX XXXXXXX XX XXX XXXXXXXXXXXX XX XXX XXXXXXX;
      2. -
      3. X XXXXXXXXXX XX XXX XXXX XXXXXXXXX, XXX XXXXX XX XXXX, XXX XXXXXXXXXXXXXX XX XXXXXXXXXXX XXXX XXX XX XXXX XXX XXX XXXXXXXX XXXXXXX XXX XXXXXXXX XXXX XXX XXXXXXXXXX XX XXXXXXXXXX XX XXXXXX;
      4. -
      5. XXX XXXXXXXXX XX XXXXXXXX XXXXXXXXXXXXX XXXXXXXXX, XXXXXXXXX XXXXXXX XXX XXXXXXXX XXXXXX XXXXXX;
      6. -
      7. XXXXXXXX XXXXXXXX;
      8. -
      9. XXXXX XXX XXXXXXXX XX XXXXXX XXX XXXXXXX XXXXXX XX XXXXXXXXX XXX XXXXXXXXXXX;
      10. -
      11. XXX XXXXXXXXX XX XXXXXXXX XXX XXXXXXXX XXXXXXX XXX XXXXXXXXXXX;
      12. -
      13. XXX XXXXXXXXX XX XXXXXXXXX;
      14. -
      15. XXX XXXXXXXXXX XXX XXXXXX XXX XXXXXXXX XXXXXXXXXX;
      16. -
      17. XXXXX XXX XXXXXXXX XXXXXXXXXX;
      18. -
      19. XXXXXXXXXX XX XXXXXXXXX XXX XXXXXX XXXXXX, XXX XXX XXXXXX XX XXXXXXXXX XXXX XXX XXXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXX.
      20. +
      21. the provision of suitable equipment and storage furniture for the teleworking activities, where the use of privately owned equipment that is not under the control of the organization is not allowed;
      22. +
      23. a definition of the work permitted, the hours of work, the classification of information that may be held and the internal systems and services that the teleworker is authorized to access;
      24. +
      25. the provision of suitable communication equipment, including methods for securing remote access;
      26. +
      27. physical security;
      28. +
      29. rules and guidance on family and visitor access to equipment and information;
      30. +
      31. the provision of hardware and software support and maintenance;
      32. +
      33. the provision of insurance;
      34. +
      35. the procedures for backup and business continuity;
      36. +
      37. audit and security monitoring;
      38. +
      39. revocation of authority and access rights, and the return of equipment when the teleworking activities are terminated.
      -

      XXXXXXXXXXX XXXXXX XX XXX XXXXX XX XXXX XXXXXXX XX XXX XXXXXX, XXXXXXXXX XXX-XXXXXXXXXXX XXXX XXXXXXXXXXXX, XXXX XX XXXXX XXXXXXXX XX XX “XXXXXXXXXXXXX”, “XXXXXXXX XXXXXXXXX”, “XXXXXX XXXX” XXX “XXXXXXX XXXX” XXXXXXXXXXXX.

      +

      Teleworking refers to all forms of work outside of the office, including non-traditional work environments, such as those referred to as “telecommuting”, “flexible workplace”, “remote work” and “virtual work” environments.

      @@ -294,55 +292,55 @@ Prior to employment 7.1 -

      XX XXXXXX XXXX XXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXX XXXXX XXXXXXXXXXXXXXXX XXX XXX XXXXXXXX XXX XXX XXXXX XXX XXXXX XXXX XXX XXXXXXXXXX.

      +

      Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

      Screening 7.1.1 -

      XXXXXXXXXX XXXXXXXXXXXX XXXXXX XX XXX XXXXXXXXXX XXX XXXXXXXXXX XXXXXX XX XXXXXXX XXX XX XXXXXXXXXX XXXX XXXXXXXX XXXX, XXXXXXXXXXX XXX XXXXXX XXX XXXXXX XX XXXXXXXXXXXX XX XXX XXXXXXXX XXXXXXXXXXXX, XXX XXXXXXXXXXXXXX XX XXX XXXXXXXXXXX XX XX XXXXXXXX XXX XXX XXXXXXXXX XXXXX.

      +

      Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

      -

      XXXXXXXXXXXX XXXXXX XXXX XXXX XXXXXXX XXX XXXXXXXX XXXXXXX, XXXXXXXXXX XX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XXX XXXXXXXXXX XXXXX XXXXXXXXXXX, XXX XXXXXX, XXXXX XXXXXXXXX, XXXXXXX XXX XXXXXXXXX:

      +

      Verification should take into account all relevant privacy, protection of personally identifiable information and employment based legislation, and should, where permitted, include the following:

        -
      1. XXXXXXXXXXXX XX XXXXXXXXXXXX XXXXXXXXX XXXXXXXXXX, X.X. XXX XXXXXXXX XXX XXX XXXXXXXX;
      2. -
      3. X XXXXXXXXXXXX (XXX XXXXXXXXXXXX XXX XXXXXXXX) XX XXX XXXXXXXXX’X XXXXXXXXXX XXXXX;
      4. -
      5. XXXXXXXXXXXX XX XXXXXXX XXXXXXXX XXX XXXXXXXXXXXX XXXXXXXXXXXXXX;
      6. -
      7. XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX (XXXXXXXX XX XXXXXXX XXXXXXXX);
      8. -
      9. XXXX XXXXXXXX XXXXXXXXXXXX, XXXX XX XXXXXX XXXXXX XX XXXXXX XX XXXXXXXX XXXXXXX.
      10. +
      11. availability of satisfactory character references, e.g. one business and one personal;
      12. +
      13. a verification (for completeness and accuracy) of the applicant’s curriculum vitae;
      14. +
      15. confirmation of claimed academic and professional qualifications;
      16. +
      17. independent identity verification (passport or similar document);
      18. +
      19. more detailed verification, such as credit review or review of criminal records.
      -

      XXXX XX XXXXXXXXXX XX XXXXX XXX X XXXXXXXX XXXXXXXXXXX XXXXXXXX XXXX, XXXXXXXXXXXXX XXXXXX XXXX XXXX XXX XXXXXXXXX:

      +

      When an individual is hired for a specific information security role, organizations should make sure the candidate:

        -
      1. XXX XXX XXXXXXXXX XXXXXXXXXX XX XXXXXXX XXX XXXXXXXX XXXX;
      2. -
      3. XXX XX XXXXXXX XX XXXX XX XXX XXXX, XXXXXXXXXX XX XXX XXXX XX XXXXXXXX XXX XXX XXXXXXXXXXXX.
      4. +
      5. has the necessary competence to perform the security role;
      6. +
      7. can be trusted to take on the role, especially if the role is critical for the organization.
      -

      XXXXX X XXX, XXXXXX XX XXXXXXX XXXXXXXXXXX XX XX XXXXXXXXX, XXXXXXXX XXX XXXXXX XXXXXX XXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX, XXX, XX XXXXXXXXXX, XX XXXXX XXX XXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX, X.X. XXXXXXXXX XXXXXXXXXXX XX XXXXXX XXXXXXXXXXXX XXXXXXXXXXX, XXX XXXXXXXXXXXX XXXXXX XXXX XXXXXXXX XXXXXXX, XXXX XXXXXXXX XXXXXXXXXXXXX.

      -

      XXXXXXXXXX XXXXXX XXXXXX XXXXXXXX XXX XXXXXXXXXXX XXX XXXXXXXXXXXX XXXXXXX, X.X. XXX XX XXXXXXXX XX XXXXXX XXXXXX XXX XXX, XXXX XXX XXX XXXXXXXXXXXX XXXXXXX XXX XXXXXXX XXX.

      -

      X XXXXXXXXX XXXXXXX XXXXXX XXXX XX XXXXXXX XXX XXXXXXXXXXX. XX XXXXX XXXXX, XXX XXXXXXXXX XXXXXXX XXX XXXXXXXXXXXX XXX XXX XXXXXXXXXX XXXXXX XXXXXXX XXXXXXXXXXXXXXXX XXX XXXXXXXXXX XXX XXXXXXXXX XXX XXX XXXXXXXXXXXX XXXXXXXXXX XXXX XXXX XX XX XXXXXXXX XX XXXXXXXXX XXX XXX XXXX XXXXXXXXX XX XX XXX XXXXXXX XXXX XXXXX XXX XXXXX XX XXXXXXX.

      -

      XXXXXXXXXXX XX XXX XXXXXXXXXX XXXXX XXXXXXXXXX XXX XXXXXXXXX XXXXXX XXX XXXXXXXXXXXX XXXXXX XX XXXXXXXXX XXX XXXXXXX XX XXXXXXXXXX XXXX XXX XXXXXXXXXXX XXXXXXXXXXX XXXXXXXX XX XXX XXXXXXXX XXXXXXXXXXXX. XXXXXXXXX XX XXXXXXXXXX XXXXXXXXXXX, XXX XXXXXXXXXX XXXXXX XX XXXXXXXX XXXXXXXXXX XXXXX XXX XXXXXXXXX XXXXXXXXXX.

      +

      Where a job, either on initial appointment or on promotion, involves the person having access to information processing facilities, and, in particular, if these are handling confidential information, e.g. financial information or highly confidential information, the organization should also consider further, more detailed verifications.

      +

      Procedures should define criteria and limitations for verification reviews, e.g. who is eligible to screen people and how, when and why verification reviews are carried out.

      +

      A screening process should also be ensured for contractors. In these cases, the agreement between the organization and the contractor should specify responsibilities for conducting the screening and the notification procedures that need to be followed if screening has not been completed or if the results give cause for doubt or concern.

      +

      Information on all candidates being considered for positions within the organization should be collected and handled in accordance with any appropriate legislation existing in the relevant jurisdiction. Depending on applicable legislation, the candidates should be informed beforehand about the screening activities.

      Terms and conditions of employment 7.1.2 -

      XXX XXXXXXXXXXX XXXXXXXXXX XXXX XXXXXXXXX XXX XXXXXXXXXXX XXXXXX XXXXX XXXXX XXX XXX XXXXXXXXXXXX’X XXXXXXXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX.

      +

      The contractual agreements with employees and contractors should state their and the organization’s responsibilities for information security.

      -

      XXX XXXXXXXXXXX XXXXXXXXXXX XXX XXXXXXXXX XX XXXXXXXXXXX XXXXXX XXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XX XXXXXXXX XX XXXXXXXXXX XXX XXXXXXX:

      +

      The contractual obligations for employees or contractors should reflect the organization’s policies for information security in addition to clarifying and stating:

        -
      1. XXXX XXX XXXXXXXXX XXX XXXXXXXXXXX XXX XXX XXXXX XXXXXX XX XXXXXXXXXXXX XXXXXXXXXXX XXXXXX XXXX X XXXXXXXXXXXXXXX XX XXX-XXXXXXXXXX XXXXXXXXX XXXXX XX XXXXX XXXXX XXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX (XXX 13.2.4);
      2. -
      3. XXX XXXXXXXX’X XX XXXXXXXXXX’X XXXXX XXXXXXXXXXXXXXXX XXX XXXXXX, X.X. XXXXXXXXX XXXXXXXXX XXXX XX XXXX XXXXXXXXXX XXXXXXXXXXX (XXX 18.1.2 XXX 18.1.4);
      4. -
      5. XXXXXXXXXXXXXXXX XXX XXX XXXXXXXXXXXXXX XX XXXXXXXXXXX XXX XXXXXXXXXX XX XXXXXXXXXXXXXX XXXXXX XXXXXXXXXX XXXX XXXXXXXXXXX, XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXX XX XXX XXXXXXXX XX XXXXXXXXXX (XXX Clause 8);
      6. -
      7. XXXXXXXXXXXXXXXX XX XXX XXXXXXXX XX XXXXXXXXXX XXX XXX XXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXX XXXXX XXXXXXXXX XX XXXXXXXX XXXXXXX;
      8. -
      9. XXXXXXX XX XX XXXXX XX XXX XXXXXXXX XX XXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXX XXXXXXXXXXXX (XXX 7.2.3).
      10. +
      11. that all employees and contractors who are given access to confidential information should sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities (see 13.2.4);
      12. +
      13. the employee’s or contractor’s legal responsibilities and rights, e.g. regarding copyright laws or data protection legislation (see 18.1.2 and 18.1.4);
      14. +
      15. responsibilities for the classification of information and management of organizational assets associated with information, information processing facilities and information services handled by the employee or contractor (see Clause 8);
      16. +
      17. responsibilities of the employee or contractor for the handling of information received from other companies or external parties;
      18. +
      19. actions to be taken if the employee or contractor disregards the organization’s security requirements (see 7.2.3).
      -

      XXXXXXXXXXX XXXXXXXX XXXXX XXX XXXXXXXXXXXXXXXX XXXXXX XX XXXXXXXXXXXX XX XXX XXXXXXXXXX XXXXXX XXX XXX-XXXXXXXXXX XXXXXXX.

      -

      XXX XXXXXXXXXXXX XXXXXX XXXXXX XXXX XXXXXXXXX XXX XXXXXXXXXXX XXXXX XX XXXXX XXX XXXXXXXXXX XXXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXX XX XXX XXXXXX XXX XXXXXX XX XXXXXX XXXX XXXX XXXX XX XXX XXXXXXXXXXXX’X XXXXXX XXXXXXXXXX XXXX XXXXXXXXXXX XXXXXXX XXX XXXXXXXX.

      -

      XXXXX XXXXXXXXXXX, XXXXXXXXXXXXXXXX XXXXXXXXX XXXXXX XXX XXXXX XXX XXXXXXXXXX XX XXXXXXXXXX XXXXXX XXXXXXXX XXX X XXXXXXX XXXXXX XXXXX XXX XXX XX XXX XXXXXXXXXX (XXX 7.3).

      +

      Information security roles and responsibilities should be communicated to job candidates during the pre-employment process.

      +

      The organization should ensure that employees and contractors agree to terms and conditions concerning information security appropriate to the nature and extent of access they will have to the organization’s assets associated with information systems and services.

      +

      Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment (see 7.3).

      -

      X XXXX XX XXXXXXX XXX XX XXXX XX XXXXX XXX XXXXXXXX’X XX XXXXXXXXXX’X XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXX XXXXXXXXXXXXXXX, XXXX XXXXXXXXXX, XXXXXX, XXXXXXXXXXX XXX XX XXX XXXXXXXXXXXX’X XXXXXXXXX XXX XXXXXXXXXX, XX XXXX XX XXXXXXXXX XXXXXXXXX XXXXXXXX XX XXX XXXXXXXXXXXX. XX XXXXXXXX XXXXX, XXXX XXXXX X XXXXXXXXXX XX XXXXXXXXXX, XXX XX XXXXXXXX XX XXXXX XXXX XXXXXXXXXXX XXXXXXXXXXXX XX XXXXXX XX XXX XXXXXXXXXX XXXXXXXXXX.

      +

      A code of conduct may be used to state the employee’s or contractor’s information security responsibilities regarding confidentiality, data protection, ethics, appropriate use of the organization’s equipment and facilities, as well as reputable practices expected by the organization. An external party, with which a contractor is associated, can be required to enter into contractual arrangements on behalf of the contracted individual.

      @@ -350,73 +348,73 @@ During employment 7.2 -

      XX XXXXXX XXXX XXXXXXXXX XXX XXXXXXXXXXX XXX XXXXX XX XXX XXXXXX XXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXXXXXX.

      +

      Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

      Management responsibilities 7.2.1 -

      XXXXXXXXXX XXXXXX XXXXXXX XXX XXXXXXXXX XXX XXXXXXXXXXX XX XXXXX XXXXXXXXXXX XXXXXXXX XX XXXXXXXXXX XXXX XXX XXXXXXXXXXX XXXXXXXX XXX XXXXXXXXXX XX XXX XXXXXXXXXXXX.

      +

      Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

      -

      XXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXX XXXXXXX XXXXXXXX XXXX XXXXXXXXX XXX XXXXXXXXXXX:

      +

      Management responsibilities should include ensuring that employees and contractors:

        -
      1. XXX XXXXXXXX XXXXXXX XX XXXXX XXXXXXXXXXX XXXXXXXX XXXXX XXX XXXXXXXXXXXXXXXX XXXXX XX XXXXX XXXXXXX XXXXXX XX XXXXXXXXXXXX XXXXXXXXXXX XX XXXXXXXXXXX XXXXXXX;
      2. -
      3. XXX XXXXXXXX XXXX XXXXXXXXXX XX XXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XX XXXXX XXXX XXXXXX XXX XXXXXXXXXXXX;
      4. -
      5. XXX XXXXXXXXX XX XXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXX XX XXX XXXXXXXXXXXX;
      6. -
      7. XXXXXXX X XXXXX XX XXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXX XX XXXXX XXXXX XXX XXXXXXXXXXXXXXXX XXXXXX XXX XXXXXXXXXXXX (XXX 7.2.2);
      8. -
      9. XXXXXXX XX XXX XXXXX XXX XXXXXXXXXX XX XXXXXXXXXX, XXXXX XXXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XXXXXXXX XXXXXX XXX XXXXXXXXXXX XXXXXXX XX XXXXXXX;
      10. -
      11. XXXXXXXX XX XXXX XXX XXXXXXXXXXX XXXXXX XXX XXXXXXXXXXXXXX XXX XXX XXXXXXXX XX X XXXXXXX XXXXX;
      12. -
      13. XXX XXXXXXXX XXXX XX XXXXXXXXX XXXXXXXXX XXXXXXX XX XXXXXX XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXX XX XXXXXXXXXX (“XXXXXXX XXXXXXX”).
      14. +
      15. are properly briefed on their information security roles and responsibilities prior to being granted access to confidential information or information systems;
      16. +
      17. are provided with guidelines to state information security expectations of their role within the organization;
      18. +
      19. are motivated to fulfil the information security policies of the organization;
      20. +
      21. achieve a level of awareness on information security relevant to their roles and responsibilities within the organization (see 7.2.2);
      22. +
      23. conform to the terms and conditions of employment, which includes the organization’s information security policy and appropriate methods of working;
      24. +
      25. continue to have the appropriate skills and qualifications and are educated on a regular basis;
      26. +
      27. are provided with an anonymous reporting channel to report violations of information security policies or procedures (“whistle blowing”).
      -

      XXXXXXXXXX XXXXXX XXXXXXXXXXX XXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXX, XXXXXXXXXX XXX XXXXXXXX, XXX XXX XX X XXXX XXXXX.

      +

      Management should demonstrate support of information security policies, procedures and controls, and act as a role model.

      -

      XX XXXXXXXXX XXX XXXXXXXXXXX XXX XXX XXXX XXXXX XX XXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXXXXXX, XXXX XXX XXXXX XXXXXXXXXXXX XXXXXX XX XX XXXXXXXXXXXX. XXXXXXXXX XXXXXXXXX XXX XXXXXX XX XX XXXX XXXXXXXX XXX XXXXX XXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX.

      -

      XXXX XXXXXXXXXX XXX XXXXX XXXXXXXXX XX XXXX XXXXXXXXXXX XXXXXXXXX XX X XXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXX XX XXX XXXXXXXXXXXX. XXX XXXXXXX, XXXX XXXXXXXXXX XXX XXXX XX XXXXXXXXXXX XXXXXXXX XXXXX XXXXXXXXX XX XXXXXXXXX XXXXXX XX XXX XXXXXXXXXXXX’X XXXXXX.

      +

      If employees and contractors are not made aware of their information security responsibilities, they can cause considerable damage to an organization. Motivated personnel are likely to be more reliable and cause fewer information security incidents.

      +

      Poor management can cause personnel to feel undervalued resulting in a negative information security impact on the organization. For example, poor management can lead to information security being neglected or potential misuse of the organization’s assets.

      Information security awareness, education and training 7.2.2 -

      XXX XXXXXXXXX XX XXX XXXXXXXXXXXX XXX, XXXXX XXXXXXXX, XXXXXXXXXXX XXXXXX XXXXXXX XXXXXXXXXXX XXXXXXXXX XXXXXXXXX XXX XXXXXXXX XXX XXXXXXX XXXXXXX XX XXXXXXXXXXXXXX XXXXXXXX XXX XXXXXXXXXX, XX XXXXXXXX XXX XXXXX XXX XXXXXXXX.

      +

      All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

      -

      XX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXXXXXXXX XXXXXX XXX XX XXXX XXXXXXXXX XXX, XXXXX XXXXXXXX, XXXXXXXXXXX XXXXX XX XXXXX XXXXXXXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXX XXX XXXXX XX XXXXX XXXXX XXXXXXXXXXXXXXXX XXX XXXXXXXXXX.

      -

      XX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXXXXXX XX XXXX XXXX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XXXXXXXX XXXXXXXX XXX XXXXXXXX XXXXXXXXXX, XXXXXX XXXX XXXXXXXXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XX XX XXXXXXXXX XXX XXX XXXXXXXX XXXX XXXX XXXX XXXXXXXXXXX XX XXXXXXX XXX XXXXXXXXXXX. XXX XXXXXXXXX XXXXXXXXX XXXXXX XXXXXXX X XXXXXX XX XXXXXXXXX-XXXXXXX XXXXXXXXXX XXXX XX XXXXXXXXX (X.X. XX “XXXXXXXXXXX XXXXXXXX XXX”) XXX XXXXXXX XXXXXXXX XX XXXXXXXXXXX.

      -

      XXX XXXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXX XXXXXX XXXX XXXXXXXXXXXXX XXX XXXXXXXXX’ XXXXX XX XXX XXXXXXXXXXXX, XXX, XXXXX XXXXXXXX, XXX XXXXXXXXXXXX’X XXXXXXXXXXX XX XXX XXXXXXXXX XX XXXXXXXXXXX. XXX XXXXXXXXXX XX XXX XXXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXXXX XXXX XXXX, XXXXXXXXXX XXXXXXXXX, XX XXXX XXX XXXXXXXXXX XXX XXXXXXXX XXX XXXXX XXX XXXXXXXXX XXX XXXXXXXXXXX. XXX XXXXXXXXX XXXXXXXXX XXXXXX XXXX XX XXXXXXX XXXXXXXXX XX XX XXXXX XX XXXX XXXX XXXXXXXXXXXXXX XXXXXXXX XXX XXXXXXXXXX, XXX XXXXXX XX XXXXX XX XXXXXXX XXXXXX XXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX.

      -

      XXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXX XX XXXXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXXXXXXXX. XXXXXXXXX XXXXXXXX XXX XXX XXXXXXXXX XXXXXXXX XXXXX XXXXXXXXX XXXXXXXXX-XXXXX, XXXXXXXX XXXXXXXX, XXX-XXXXX, XXXX-XXXXX XXX XXXXXX.

      -

      XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXX XXXXXXXX XXXXXX XXXX XXXXX XXXXXXX XXXXXXX XXXX XX:

      +

      An information security awareness programme should aim to make employees and, where relevant, contractors aware of their responsibilities for information security and the means by which those responsibilities are discharged.

      +

      An information security awareness programme should be established in line with the organization’s information security policies and relevant procedures, taking into consideration the organization’s information to be protected and the controls that have been implemented to protect the information. The awareness programme should include a number of awareness-raising activities such as campaigns (e.g. an “information security day”) and issuing booklets or newsletters.

      +

      The awareness programme should be planned taking into consideration the employees’ roles in the organization, and, where relevant, the organization’s expectation of the awareness of contractors. The activities in the awareness programme should be scheduled over time, preferably regularly, so that the activities are repeated and cover new employees and contractors. The awareness programme should also be updated regularly so it stays in line with organizational policies and procedures, and should be built on lessons learnt from information security incidents.

      +

      Awareness training should be performed as required by the organization’s information security awareness programme. Awareness training can use different delivery media including classroom-based, distance learning, web-based, self-paced and others.

      +

      Information security education and training should also cover general aspects such as:

        -
      1. XXXXXXX XXXXXXXXXX’X XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXX XXXXXXXXXXXX;
      2. -
      3. XXX XXXX XX XXXXXX XXXXXXXX XXXX XXX XXXXXX XXXX XXXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXX XXX XXXXXXXXXXX, XX XXXXXXX XX XXXXXXXX, XXXXXXXXX, XXXX, XXXXXXXXXXX, XXXXXXXXX XXX XXXXXXXXXX;
      4. -
      5. XXXXXXXX XXXXXXXXXXXXXX XXX XXX’X XXX XXXXXXX XXX XXXXXXXXX, XXX XXXXXXX XXXXXXXXXXXXXXXX XXXXXXX XXXXXXXX XX XXXXXXXXXX XXXXXXXXXXX XXXXXXXXX XX XXX XXXXXXXXXXXX XXX XXXXXXXX XXXXXXX;
      6. -
      7. XXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX (XXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXXX) XXX XXXXXXXX XXXXXXXX (XXXX XX XXXXXXXX XXXXXXXX, XXXXXXX XXXXXXXX XXX XXXXX XXXXX);
      8. -
      9. XXXXXXX XXXXXX XXX XXXXXXXXX XXX XXXXXXXXXX XXXXXXXXXXX XXX XXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXX, XXXXXXXXX XXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXX XXXXXXXX XXXXXXXXX.
      10. +
      11. stating management’s commitment to information security throughout the organization;
      12. +
      13. the need to become familiar with and comply with applicable information security rules and obligations, as defined in policies, standards, laws, regulations, contracts and agreements;
      14. +
      15. personal accountability for one’s own actions and inactions, and general responsibilities towards securing or protecting information belonging to the organization and external parties;
      16. +
      17. basic information security procedures (such as information security incident reporting) and baseline controls (such as password security, malware controls and clear desks);
      18. +
      19. contact points and resources for additional information and advice on information security matters, including further information security education and training materials.
      -

      XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXX XXXXXXXX XXXXXX XXXX XXXXX XXXXXXXXXXXX. XXXXXXX XXXXXXXXX XXX XXXXXXXX XXXXXXX XX XXXXX XXX XXXXXXXX XX XXX XXXXXXXXX XX XXXXX XXXX XXXXXXXXXXXXX XXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX, XXX XXXX XX XXX XXXXXXXX XXX XXXXXX XXXX XXXXX XXXXXX XXX XXXX XXXXXXX XXXXXX.

      -

      XXX XXXXXXXXXXXX XXXXXX XXXXXXX XXX XXXXXXXXX XXX XXXXXXXX XXXXXXXXX XX XXXXX XX XXXXXXX XXX XXXXXXXXX XXX XXXXXXXX XXXXXXXXXXX. XXX XXXXXXXXX XXXXXX XX XX XXXX XXXX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XXXXXXXX XXXXXXXX XXX XXXXXXXX XXXXXXXXXX, XXXXXX XXXX XXXXXXXXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XX XX XXXXXXXXX XXX XXX XXXXXXXX XXXX XXXX XXXX XXXXXXXXXXX XX XXXXXXX XXX XXXXXXXXXXX. XXX XXXXXXXXX XXXXXX XXXXXXXX XXXXXXXXX XXXXX XX XXXXXXXXX XXX XXXXXXXX, X.X. XXXXXXXX XX XXXX-XXXXXXX.

      +

      Information security education and training should take place periodically. Initial education and training applies to those who transfer to new positions or roles with substantially different information security requirements, not just to new starters and should take place before the role becomes active.

      +

      The organization should develop the education and training programme in order to conduct the education and training effectively. The programme should be in line with the organization’s information security policies and relevant procedures, taking into consideration the organization’s information to be protected and the controls that have been implemented to protect the information. The programme should consider different forms of education and training, e.g. lectures or self-studies.

      -

      XXXX XXXXXXXXX XX XXXXXXXXX XXXXXXXXX, XX XX XXXXXXXXX XXX XXXX XX XXXXX XX XXX ‘XXXX’ XXX ‘XXX’, XXX XXXX XXX ‘XXX’. XX XX XXXXXXXXX XXXX XXXXXXXXX XXXXXXXXXX XXX XXX XX XXXXXXXXXXX XXXXXXXX XXX XXX XXXXXXXXX XXXXXX, XXXXXXXX XXX XXXXXXXX, XX XXX XXXXXXXXXXXX XX XXXXX XXX XXXXXXXXX.

      -

      XXXXXXXXX, XXXXXXXXX XXX XXXXXXXX XXX XX XXXX XX, XX XXXXXXXXX XX XXXXXXXXXXXXX XXXX, XXXXX XXXXXXXX XXXXXXXXXX, XXX XXXXXXX XXXXXXX XX XX XXXXXXX XXXXXXXX XXXXXXXX. XXXXXXXXX, XXXXXXXXX XXX XXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXX XXX XXXXXXXX XX XXX XXXXXXXXXX’X XXXXX, XXXXXXXXXXXXXXXX XXX XXXXXX.

      -

      XX XXXXXXXXXX XX XXX XXXXXXXXX’ XXXXXXXXXXXXX XXXXX XX XXXXXXXXX XX XXX XXX XX XX XXXXXXXXX, XXXXXXXXX XXX XXXXXXXX XXXXXX XX XXXX XXXXXXXXX XXXXXXXX.

      +

      When composing an awareness programme, it is important not only to focus on the ‘what’ and ‘how’, but also the ‘why’. It is important that employees understand the aim of information security and the potential impact, positive and negative, on the organization of their own behaviour.

      +

      Awareness, education and training can be part of, or conducted in collaboration with, other training activities, for example general IT or general security training. Awareness, education and training activities should be suitable and relevant to the individual’s roles, responsibilities and skills.

      +

      An assessment of the employees’ understanding could be conducted at the end of an awareness, education and training course to test knowledge transfer.

      Disciplinary process 7.2.3 -

      XXXXX XXXXXX XX X XXXXXX XXX XXXXXXXXXXXX XXXXXXXXXXXX XXXXXXX XX XXXXX XX XXXX XXXXXX XXXXXXX XXXXXXXXX XXX XXXX XXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXX.

      +

      There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

      -

      XXX XXXXXXXXXXXX XXXXXXX XXXXXX XXX XX XXXXXXXXX XXXXXXX XXXXX XXXXXXXXXXXX XXXX XX XXXXXXXXXXX XXXXXXXX XXXXXX XXX XXXXXXXX (XXX 16.1.7).

      -

      XXX XXXXXX XXXXXXXXXXXX XXXXXXX XXXXXX XXXXXX XXXXXXX XXX XXXX XXXXXXXXX XXX XXXXXXXXX XXX XXX XXXXXXXXX XX XXXXXXXXXX XXXXXXXX XX XXXXXXXXXXX XXXXXXXX. XXX XXXXXX XXXXXXXXXXXX XXXXXXX XXXXXX XXXXXXX XXX X XXXXXXXXX XXXXXXXX XXXX XXXXX XXXX XXXXXXXXXXXXX XXXXXXX XXXX XX XXX XXXXXX XXX XXXXXXX XX XXX XXXXXX XXX XXX XXXXXX XX XXXXXXXX, XXXXXXX XX XXX XXXX XX X XXXXX XX XXXXXX XXXXXXX, XXXXXXX XX XXX XXX XXXXXXXX XXX XXXXXXXX XXXXXXX, XXXXXXXX XXXXXXXXXXX, XXXXXXXX XXXXXXXXX XXX XXXXX XXXXXXX XX XXXXXXXX.

      -

      XXX XXXXXXXXXXXX XXXXXXX XXXXXX XXXX XX XXXX XX X XXXXXXXXX XX XXXXXXX XXXXXXXXX XXXX XXXXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XXXXXXXX XXXXXXXX XXX XXXXXXXXXX XXX XXX XXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXX. XXXXXXXXXX XXXXXXXX XXX XXXXXXX XXXXXXXXX XXXXXXX.

      +

      The disciplinary process should not be commenced without prior verification that an information security breach has occurred (see 16.1.7).

      +

      The formal disciplinary process should ensure correct and fair treatment for employees who are suspected of committing breaches of information security. The formal disciplinary process should provide for a graduated response that takes into consideration factors such as the nature and gravity of the breach and its impact on business, whether or not this is a first or repeat offence, whether or not the violator was properly trained, relevant legislation, business contracts and other factors as required.

      +

      The disciplinary process should also be used as a deterrent to prevent employees from violating the organization’s information security policies and procedures and any other information security breaches. Deliberate breaches may require immediate actions.

      -

      XXX XXXXXXXXXXXX XXXXXXX XXX XXXX XXXXXX X XXXXXXXXXX XX XX XXXXXXXXX XX XXXXXXXX XXXXXXXXX XXX XXXXXXX XXX XXXXXXXXXX XXXXXXXXX XXXX XXXXXXX XX XXXXXXXXXXX XXXXXXXX.

      +

      The disciplinary process can also become a motivation or an incentive if positive sanctions are defined for remarkable behaviour with regards to information security.

      @@ -424,22 +422,22 @@ Termination and change of employment 7.3 -

      XX XXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXXX XX XXXX XX XXX XXXXXXX XX XXXXXXXX XX XXXXXXXXXXX XXXXXXXXXX.

      +

      Objective: To protect the organization’s interests as part of the process of changing or terminating employment.

      Termination or change of employment responsibilities 7.3.1 -

      XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXXXXXX XXX XXXXXX XXXX XXXXXX XXXXX XXXXX XXXXXXXXXXX XX XXXXXX XX XXXXXXXXXX XXXXXX XX XXXXXXX, XXXXXXXXXXXX XX XXX XXXXXXXX XX XXXXXXXXXX XXX XXXXXXXX.

      +

      Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced.

      -

      XXX XXXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXX XXXXXXX XX-XXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXX XXXXX XXXXXXXXXXXXXXXX XXX, XXXXX XXXXXXXXXXX, XXXXXXXXXXXXXXXX XXXXXXXXX XXXXXX XXX XXXXXXXXXXXXXXX XXXXXXXXX (XXX 13.2.4) XXX XXX XXXXX XXX XXXXXXXXXX XX XXXXXXXXXX (XXX 7.1.2) XXXXXXXXXX XXX X XXXXXXX XXXXXX XXXXX XXX XXX XX XXX XXXXXXXX’X XX XXXXXXXXXX’X XXXXXXXXXX.

      -

      XXXXXXXXXXXXXXXX XXX XXXXXX XXXXX XXXXX XXXXX XXXXXXXXXXX XX XXXXXXXXXX XXXXXX XX XXXXXXXXX XX XXX XXXXXXXX’X XX XXXXXXXXXX’X XXXXX XXX XXXXXXXXXX XX XXXXXXXXXX (XXX 7.1.2).

      -

      XXXXXXX XX XXXXXXXXXXXXXX XX XXXXXXXXXX XXXXXX XX XXXXXXX XX XXX XXXXXXXXXXX XX XXX XXXXXXX XXXXXXXXXXXXXX XX XXXXXXXXXX XXXXXXXX XXXX XXX XXXXXXXXXX XX XXX XXX XXXXXXXXXXXXXX XX XXXXXXXXXX.

      +

      The communication of termination responsibilities should include on-going information security requirements and legal responsibilities and, where appropriate, responsibilities contained within any confidentiality agreement (see 13.2.4) and the terms and conditions of employment (see 7.1.2) continuing for a defined period after the end of the employee’s or contractor’s employment.

      +

      Responsibilities and duties still valid after termination of employment should be contained in the employee’s or contractor’s terms and conditions of employment (see 7.1.2).

      +

      Changes of responsibility or employment should be managed as the termination of the current responsibility or employment combined with the initiation of the new responsibility or employment.

      -

      XXX XXXXX XXXXXXXXX XXXXXXXX XX XXXXXXXXX XXXXXXXXXXX XXX XXX XXXXXXX XXXXXXXXXXX XXXXXXX XXX XXXXX XXXXXXXX XXXX XXX XXXXXXXXXXX XXXXXXX XX XXX XXXXXX XXXXXXX XX XXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXX XX XXX XXXXXXXX XXXXXXXXXX. XX XXX XXXX XX X XXXXXXXXXX XXXXXXXX XXXXXXX XX XXXXXXXX XXXXX, XXXX XXXXXXXXXXX XXXXXXX XX XXXXXXXXXX XX XXX XXXXXXXX XXXXX XX XXXXXXXXXX XXXX XXX XXXXXXXX XXXXXXX XXX XXXXXXXXXXXX XXX XXX XXXXXXXX XXXXX.

      -

      XX XXX XX XXXXXXXXX XX XXXXXX XXXXXXXXX, XXXXXXXXX XX XXXXXXXXXXX XX XXXXXXX XX XXXXXXXXX XXX XXXXXXXXX XXXXXXXXXXXX.

      +

      The human resources function is generally responsible for the overall termination process and works together with the supervising manager of the person leaving to manage the information security aspects of the relevant procedures. In the case of a contractor provided through an external party, this termination process is undertaken by the external party in accordance with the contract between the organization and the external party.

      +

      It may be necessary to inform employees, customers or contractors of changes to personnel and operating arrangements.

      @@ -451,68 +449,68 @@ Responsibility for assets 8.1 -

      XX XXXXXXXX XXXXXXXXXXXXXX XXXXXX XXX XXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXXXXXXXX.

      +

      Objective: To identify organizational assets and define appropriate protection responsibilities.

      Inventory of assets 8.1.1 -

      XXXXXX XXXXXXXXXX XXXX XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX XXX XX XXXXXXXXX XX XXXXX XXXXXX XXXXXX XX XXXXX XX XXX XXXXXXXXXX.

      +

      Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained.

      -

      XX XXXXXXXXXXXX XXXXXX XXXXXXXX XXXXXX XXXXXXXX XX XXX XXXXXXXXX XX XXXXXXXXXXX XXX XXXXXXXX XXXXX XXXXXXXXXX. XXX XXXXXXXXX XX XXXXXXXXXXX XXXXXX XXXXXXX XXXXXXXX, XXXXXXXXXX, XXXXXXX, XXXXXXXXXXXX, XXXXXXXX XXX XXXXXXXXXXX. XXXXXXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXXXX XX XXXXXXXX XXXXXXXXXXX XX XXXXXXXXXXX.

      -

      XXX XXXXX XXXXXXXXX XXXXXX XX XXXXXXXX, XX XX XXXX, XXXXXXXXXX XXX XXXXXXX XXXX XXXXX XXXXXXXXXXX.

      -

      XXX XXXX XX XXX XXXXXXXXXX XXXXXX, XXXXXXXXX XX XXX XXXXX XXXXXX XX XXXXXXXX (XXX 8.1.2) XXX XXX XXXXXXXXXXXXXX XXXXXX XX XXXXXXXXXX (XXX 8.2).

      +

      An organization should identify assets relevant in the lifecycle of information and document their importance. The lifecycle of information should include creation, processing, storage, transmission, deletion and destruction. Documentation should be maintained in dedicated or existing inventories as appropriate.

      +

      The asset inventory should be accurate, up to date, consistent and aligned with other inventories.

      +

      For each of the identified assets, ownership of the asset should be assigned (see 8.1.2) and the classification should be identified (see 8.2).

      -

      XXXXXXXXXXX XX XXXXXX XXXX XX XXXXXX XXXX XXXXXXXXX XXXXXXXXXX XXXXX XXXXX, XXX XXX XXXX XX XXXXXXXX XXX XXXXX XXXXXXXX, XXXX XX XXXXXX XXX XXXXXX, XXXXXXXXX XX XXXXXXXXX (XXXXX XXXXXXXXXX) XXXXXXX.

      -

      XXX/XXX XXXXX[11] XXXXXXXX XXXXXXXX XX XXXXXX XXXX XXXXX XXXX XX XX XXXXXXXXXX XX XXX XXXXXXXXXXXX XXXX XXXXXXXXXXX XXXXXX. XXX XXXXXXX XX XXXXXXXXX XX XXXXXXXXX XX XXXXXX XX XX XXXXXXXXX XXXXXXXXXXXX XX XXXX XXXXXXXXXX (XXX XXXX XXX/XXX XXXXX XXX XXX/XXX XXXXX[11]).

      +

      Inventories of assets help to ensure that effective protection takes place, and may also be required for other purposes, such as health and safety, insurance or financial (asset management) reasons.

      +

      ISO/IEC 27005[11] provides examples of assets that might need to be considered by the organization when identifying assets. The process of compiling an inventory of assets is an important prerequisite of risk management (see also ISO/IEC 27000 and ISO/IEC 27005[11]).

      Ownership of assets 8.1.2 -

      XXXXXX XXXXXXXXXX XX XXX XXXXXXXXX XXXXXX XX XXXXX.

      +

      Assets maintained in the inventory should be owned.

      -

      XXXXXXXXXXX XX XXXX XX XXXXX XXXXXXXX XXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXXXXXXX XXX XXX XXXXX XXXXXXXXX XXXXXXX XX XX XXXXXXXX XX XXXXX XXXXXX.

      -

      X XXXXXXX XX XXXXXX XXXXXX XXXXXXXXXX XX XXXXX XXXXXXXXX XX XXXXXXX XXXXXXXXXXX. XXXXXXXXX XXXXXX XX XXXXXXXX XXXX XXXXXX XXX XXXXXXX XX XXXX XXXXXX XXX XXXXXXXXXXX XX XXX XXXXXXXXXXXX. XXX XXXXX XXXXX XXXXXX XX XXXXXXXXXXX XXX XXX XXXXXX XXXXXXXXXX XX XX XXXXX XXXX XXX XXXXX XXXXX XXXXXXXXX.

      -

      XXX XXXXX XXXXX XXXXXX:

      +

      Individuals as well as other entities having approved management responsibility for the asset lifecycle qualify to be assigned as asset owners.

      +

      A process to ensure timely assignment of asset ownership is usually implemented. Ownership should be assigned when assets are created or when assets are transferred to the organization. The asset owner should be responsible for the proper management of an asset over the whole asset lifecycle.

      +

      The asset owner should:

        -
      1. XXXXXX XXXX XXXXXX XXX XXXXXXXXXXX;
      2. -
      3. XXXXXX XXXX XXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXX;
      4. -
      5. XXXXXX XXX XXXXXXXXXXXX XXXXXX XXXXXX XXXXXXXXXXXX XXX XXXXXXXXXXXXXXX XX XXXXXXXXX XXXXXX, XXXXXX XXXX XXXXXXX XXXXXXXXXX XXXXXX XXXXXXX XXXXXXXX;
      6. -
      7. XXXXXX XXXXXX XXXXXXXX XXXX XXX XXXXX XX XXXXXXX XX XXXXXXXXX.
      8. +
      9. ensure that assets are inventoried;
      10. +
      11. ensure that assets are appropriately classified and protected;
      12. +
      13. define and periodically review access restrictions and classifications to important assets, taking into account applicable access control policies;
      14. +
      15. ensure proper handling when the asset is deleted or destroyed.
      -

      XXX XXXXXXXXXX XXXXX XXX XX XXXXXX XX XXXXXXXXXX XX XX XXXXXX XXX XXX XXXXXXXX XXXXXXXXXX XXXXXXXXXXXXXX XXX XXXXXXXXXXX XXX XXXXX XXXXXXXXX XX XX XXXXX. XXX XXXXXXXXXX XXXXX XXXX XXX XXXXXXXXXXX XXXX XXX XXXXXXXX XXXXXX XX XXX XXXXX.

      -

      XXXXXXX XXXXX XXX XX XXXXXXXXX, X.X. XX X XXXXXXXXX XXXXXXX XXXXX XXX XXXXXX XX X XXXXX XXXXX, XXX XXX XXXXXXXXXXXXXX XXXXXXX XXXX XXX XXXXX.

      -

      XX XXXXXXX XXXXXXXXXXX XXXXXXX, XX XXX XX XXXXXX XX XXXXXXXXX XXXXXX XX XXXXXX XXXXX XXX XXXXXXXX XX XXXXXXX X XXXXXXXXXX XXXXXXX. XX XXXX XXXX XXX XXXXX XX XXXX XXXXXXX XX XXXXXXXXXXX XXX XXX XXXXXXXX XX XXX XXXXXXX, XXXXXXXXX XXX XXXXXXXXX XX XXX XXXXXX.

      +

      The identified owner can be either an individual or an entity who has approved management responsibility for controlling the whole lifecycle of an asset. The identified owner does not necessarily have any property rights to the asset.

      +

      Routine tasks may be delegated, e.g. to a custodian looking after the assets on a daily basis, but the responsibility remains with the owner.

      +

      In complex information systems, it may be useful to designate groups of assets which act together to provide a particular service. In this case the owner of this service is accountable for the delivery of the service, including the operation of its assets.

      Acceptable use of assets 8.1.3 -

      XXXXX XXX XXX XXXXXXXXXX XXX XX XXXXXXXXXXX XXX XX XXXXXX XXXXXXXXXX XXXX XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX, XXXXXXXXXX XXX XXXXXXXXXXX.

      +

      Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented.

      -

      XXXXXXXXX XXX XXXXXXXX XXXXX XXXXX XXXXX XX XXXXXX XXXXXX XX XXX XXXXXXXXXXXX’X XXXXXX XXXXXX XX XXXX XXXXX XX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XX XXX XXXXXXXXXXXX’X XXXXXX XXXXXXXXXX XXXX XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXX. XXXX XXXXXX XX XXXXXXXXXXX XXX XXXXX XXX XX XXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXX XXX XX XXX XXXX XXX XXXXXXX XXX XXXXX XXXXX XXXXXXXXXXXXXX.

      +

      Employees and external party users using or having access to the organization’s assets should be made aware of the information security requirements of the organization’s assets associated with information and information processing facilities and resources. They should be responsible for their use of any information processing resources and of any such use carried out under their responsibility.

      Return of assets 8.1.4 -

      XXX XXXXXXXXX XXX XXXXXXXX XXXXX XXXXX XXXXXX XXXXXX XXX XX XXX XXXXXXXXXXXXXX XXXXXX XX XXXXX XXXXXXXXXX XXXX XXXXXXXXXXX XX XXXXX XXXXXXXXXX, XXXXXXXX XX XXXXXXXXX.

      +

      All employees and external party users should return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

      -

      XXX XXXXXXXXXXX XXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXX XXX XXXXXX XX XXX XXXXXXXXXX XXXXXX XXXXXXXX XXX XXXXXXXXXX XXXXXX XXXXX XX XX XXXXXXXXX XX XXX XXXXXXXXXXXX.

      -

      XX XXXXX XXXXX XX XXXXXXXX XX XXXXXXXX XXXXX XXXX XXXXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXXX XX XXXX XXXXX XXX XXXXXXXX XXXXXXXXX, XXXXXXXXXX XXXXXX XX XXXXXXXX XX XXXXXX XXXX XXX XXXXXXXX XXXXXXXXXXX XX XXXXXXXXXXX XX XXX XXXXXXXXXXXX XXX XXXXXXXX XXXXXX XXXX XXX XXXXXXXXX (XXX 11.2.7).

      -

      XX XXXXX XXXXX XX XXXXXXXX XX XXXXXXXX XXXXX XXXX XXX XXXXXXXXX XXXX XX XXXXXXXXX XX XXXXXXX XXXXXXXXXX, XXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXXXXXX XX XXX XXXXXXXXXXXX.

      -

      XXXXXX XXX XXXXXX XXXXXX XX XXXXXXXXXXX, XXX XXXXXXXXXXXX XXXXXX XXXXXXX XXXXXXXXXXXX XXXXXXX XX XXXXXXXX XXXXXXXXXXX (X.X. XXXXXXXXXXXX XXXXXXXX) XX XXXXXXXXXX XXXXXXXXX XXX XXXXXXXXXXX.

      +

      The termination process should be formalized to include the return of all previously issued physical and electronic assets owned by or entrusted to the organization.

      +

      In cases where an employee or external party user purchases the organization’s equipment or uses their own personal equipment, procedures should be followed to ensure that all relevant information is transferred to the organization and securely erased from the equipment (see 11.2.7).

      +

      In cases where an employee or external party user has knowledge that is important to ongoing operations, that information should be documented and transferred to the organization.

      +

      During the notice period of termination, the organization should control unauthorized copying of relevant information (e.g. intellectual property) by terminated employees and contractors.

      @@ -520,31 +518,31 @@ Information classification 8.2 -

      XX XXXXXX XXXX XXXXXXXXXXX XXXXXXXX XX XXXXXXXXXXX XXXXX XX XXXXXXXXXX XX XXXXXXXXXX XXXX XXX XXXXXXXXXX XX XXX XXXXXXXXXXXX.

      +

      Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

      Classification of information 8.2.1 -

      XXXXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXX XX XXXXX XXXXXXXXXXXX, XXXXX, XXXXXXXXXXX XXX XXXXXXXXXXX XX XXXXXXXXXXXX XXXXXXXXXX XX XXXXXXXXXXXX.

      +

      Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

      -

      XXXXXXXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXXX XXXXXXXX XXX XXXXXXXXXXX XXXXXX XXXX XXXXXXX XX XXXXXXXX XXXXX XXX XXXXXXX XX XXXXXXXXXXX XXXXXXXXXXX, XX XXXX XX XXXXX XXXXXXXXXXXX. XXXXXX XXXXX XXXX XXXXXXXXXXX XXX XXXX XX XXXXXXXXXX XX XXXXXXXXXXX XXXX XXXXXXXXXXXXXX XX XXXXXXXXXXX XXXXX XX XXXXXX XX, XXXXXXXXX XX XX XXXXXXXXX XXXXXXX XX XXXXXXXXX XX XXX XXXXX.

      -

      XXXXXX XX XXXXXXXXXXX XXXXXX XXXXXX XX XXXXXXXXXXX XXX XXXXX XXXXXXXXXXXXXX.

      -

      XXX XXXXXXXXXXXXXX XXXXXX XXXXXX XXXXXXX XXXXXXXXXXX XXX XXXXXXXXXXXXXX XXX XXXXXXXX XXX XXXXXX XX XXX XXXXXXXXXXXXXX XXXX XXXX. XXX XXXXX XX XXXXXXXXXX XX XXX XXXXXX XXXXXX XX XXXXXXXX XX XXXXXXXXX XXXXXXXXXXXXXXX, XXXXXXXXX XXX XXXXXXXXXXXX XXX XXX XXXXX XXXXXXXXXXXX XXX XXX XXXXXXXXXXX XXXXXXXXXX. XXX XXXXXX XXXXXX XX XXXXXXX XX XXX XXXXXX XXXXXXX XXXXXX (XXX 9.1.1).

      -

      XXXX XXXXX XXXXXX XX XXXXX X XXXX XXXX XXXXX XXXXX XX XXX XXXXXXX XX XXX XXXXXXXXXXXXXX XXXXXX’X XXXXXXXXXXX.

      -

      XXX XXXXXX XXXXXX XX XXXXXXXXXX XXXXXX XXX XXXXX XXXXXXXXXXXX XX XXXX XXXXXXXX XXXX XXXXXXXX XXXXXXXXXXX XXX XXXXXXX XXXXXX XX XXX XXXX XXX, XXXX X XXXXXX XXXXXXXXXXXXX XX XXXXXXXXXX XXXXXXXXXXXX XXX XXXXX XXX XXXXXXXXXXX XXXXXXXXXX.

      -

      XXXXXXXXXXXXXX XXXXXX XX XXXXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXXX, XXX XX XXXXXXXXXX XXX XXXXXXXX XXXXXX XXX XXXXXXXXXXXX. XXXXXXX XX XXXXXXXXXXXXXX XXXXXX XXXXXXXX XXXXX XX XXXXXX XXXXXXXXX XX XXXXX XXXXXXXXXXX XXX XXXXXXXXXXX XX XXX XXXXXXXXXXXX, X.X. XX XXXXX XX XXXXXXXXXXXXXXX, XXXXXXXXX XXX XXXXXXXXXXXX. XXXXXXX XX XXXXXXXXXXXXXX XXXXXX XX XXXXXXX XX XXXXXXXXXX XXXX XXXXXXX XX XXXXX XXXXX, XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXX XXXXX XXXX-XXXXX.

      +

      Classifications and associated protective controls for information should take account of business needs for sharing or restricting information, as well as legal requirements. Assets other than information can also be classified in conformance with classification of information which is stored in, processed by or otherwise handled or protected by the asset.

      +

      Owners of information assets should be accountable for their classification.

      +

      The classification scheme should include conventions for classification and criteria for review of the classification over time. The level of protection in the scheme should be assessed by analysing confidentiality, integrity and availability and any other requirements for the information considered. The scheme should be aligned to the access control policy (see 9.1.1).

      +

      Each level should be given a name that makes sense in the context of the classification scheme’s application.

      +

      The scheme should be consistent across the whole organization so that everyone will classify information and related assets in the same way, have a common understanding of protection requirements and apply the appropriate protection.

      +

      Classification should be included in the organization’s processes, and be consistent and coherent across the organization. Results of classification should indicate value of assets depending on their sensitivity and criticality to the organization, e.g. in terms of confidentiality, integrity and availability. Results of classification should be updated in accordance with changes of their value, sensitivity and criticality through their life-cycle.

      -

      XXXXXXXXXXXXXX XXXXXXXX XXXXXX XXX XXXX XXXX XXXXXXXXXXX XXXX X XXXXXXX XXXXXXXXXX XX XXX XX XXXXXX XXX XXXXXXX XX. XXXXXXXX XXXXXX XX XXXXXXXXXXX XXXX XXXXXXX XXXXXXXXXX XXXXX XXX XXXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXX XXXXX XX XXX XXX XXXXXXXXXXX XX XXXX XXXXX XXXXXXXXXXX XXXX. XXXX XXXXXXXX XXXXXXX XXX XXXX XXX XXXX-XX-XXXX XXXX XXXXXXXXXX XXX XXXXXX XXXXXX XX XXXXXXXX.

      -

      XXXXXXXXXXX XXX XXXXX XX XX XXXXXXXXX XX XXXXXXXX XXXXX X XXXXXXX XXXXXX XX XXXX, XXX XXXXXXX, XXXX XXX XXXXXXXXXXX XXX XXXX XXXX XXXXXX. XXXXX XXXXXXX XXXXXX XX XXXXX XXXX XXXXXXX, XX XXXX-XXXXXXXXXXXXXX XXX XXXX XX XXX XXXXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XX XXXXXXXXXX XXXXXXX XX XX XXX XXXXXXXX XXXXX-XXXXXXXXXXXXXX XXX XXXXXXXX XXX XXXXXXXXXXX XX XXXXXXXX XXXXXXXXXX.

      -

      XX XXXXXXX XX XX XXXXXXXXXXX XXXXXXXXXXXXXXX XXXXXXXXXXXXXX XXXXXX XXXXX XX XXXXX XX XXXX XXXXXX XX XXXXXXX:

      +

      Classification provides people who deal with information with a concise indication of how to handle and protect it. Creating groups of information with similar protection needs and specifying information security procedures that apply to all the information in each group facilitates this. This approach reduces the need for case-by-case risk assessment and custom design of controls.

      +

      Information can cease to be sensitive or critical after a certain period of time, for example, when the information has been made public. These aspects should be taken into account, as over-classification can lead to the implementation of unnecessary controls resulting in additional expense or on the contrary under-classification can endanger the achievement of business objectives.

      +

      An example of an information confidentiality classification scheme could be based on four levels as follows:

        -
      1. XXXXXXXXXX XXXXXX XX XXXX;
      2. -
      3. XXXXXXXXXX XXXXXX XXXXX XXXXXXXXXXXXX XX XXXXX XXXXXXXXXXX XXXXXXXXXXXXX;
      4. -
      5. XXXXXXXXXX XXX X XXXXXXXXXXX XXXXX XXXX XXXXXX XX XXXXXXXXXX XX XXXXXXXX XXXXXXXXXX;
      6. -
      7. XXXXXXXXXX XXX X XXXXXXX XXXXXX XX XXXX XXXX XXXXXXXXX XXXXXXXXXX XX XXXX XXX XXXXXXXX XX XXX XXXXXXXXXXXX XX XXXX.
      8. +
      9. disclosure causes no harm;
      10. +
      11. disclosure causes minor embarrassment or minor operational inconvenience;
      12. +
      13. disclosure has a significant short term impact on operations or tactical objectives;
      14. +
      15. disclosure has a serious impact on long term strategic objectives or puts the survival of the organization at risk.
      @@ -552,34 +550,34 @@ Labelling of information 8.2.2 -

      XX XXXXXXXXXXX XXX XX XXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXXXX XXX XXXXXXXXXXX XX XXXXXXXXXX XXXX XXX XXXXXXXXXXX XXXXXXXXXXXXXX XXXXXX XXXXXXX XX XXX XXXXXXXXXXXX.

      -

      “XXXXXXXXXXXXXX XXXXXXXX”

      -

      XXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXX XXXX XX XXXXX XXXXXXXXXXX XXX XXX XXXXXXX XXXXXX XX XXXXXXXX XXX XXXXXXXXXX XXXXXXX. XXX XXXXXXXXX XXXXXX XXXXXXX XXX XXXXXXXXXXXXXX XXXXXX XXXXXXXXXXX XX 8.2.1. XXX XXXXXX XXXXXX XX XXXXXX XXXXXXXXXXXX. XXX XXXXXXXXXX XXXXXX XXXX XXXXXXXX XX XXXXX XXX XXX XXXXXX XXX XXXXXXXX XX XXXXXXXXXXXXX XX XXX XXX XXXXXXXXXXX XX XXXXXXXX XX XXX XXXXXX XXX XXXXXXX XXXXXXXXX XX XXX XXXXX XX XXXXX. XXX XXXXXXXXXX XXX XXXXXX XXXXX XXXXX XXXXXXXXX XX XXXXXXX, X.X. XXXXXXXXX XX XXX-XXXXXXXXXXXX XXXXXXXXXXX XX XXXXXX XXXXXXXXX. XXXXXXXXX XXX XXXXXXXXXXX XXXXXX XX XXXX XXXXX XX XXXXXXXXX XXXXXXXXXX.

      -

      XXXXXX XXXX XXXXXXX XXXXXXXXXX XXXXXXXXXXX XXXX XX XXXXXXXXXX XX XXXXX XXXXXXXXX XX XXXXXXXX XXXXXX XXXXX XX XXXXXXXXXXX XXXXXXXXXXXXXX XXXXX.

      +

      An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization.

      +

      “Implementation guidance”

      +

      Procedures for information labelling need to cover information and its related assets in physical and electronic formats. The labelling should reflect the classification scheme established in 8.2.1. The labels should be easily recognizable. The procedures should give guidance on where and how labels are attached in consideration of how the information is accessed or the assets are handled depending on the types of media. The procedures can define cases where labelling is omitted, e.g. labelling of non-confidential information to reduce workloads. Employees and contractors should be made aware of labelling procedures.

      +

      Output from systems containing information that is classified as being sensitive or critical should carry an appropriate classification label.

      -

      XXXXXXXXX XX XXXXXXXXXX XXXXXXXXXXX XX X XXX XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXX XXXXXXXXXXXX. XXXXXXXX XXXXXX XXX XXXXXXXX XXX X XXXXXX XXXX XX XXXXXXXXX.

      -

      XXXXXXXXX XX XXXXXXXXXXX XXX XXX XXXXXXX XXXXXX XXX XXXXXXXXX XXXX XXXXXXXX XXXXXXX. XXXXXXXXXX XXXXXX XXX XXXXXX XX XXXXXXXX XXX XXXXXXXXXXX XX XXXXX XX XXXXXXXX XX XXXXXXXX XXXXXXXXX.

      +

      Labelling of classified information is a key requirement for information sharing arrangements. Physical labels and metadata are a common form of labelling.

      +

      Labelling of information and its related assets can sometimes have negative effects. Classified assets are easier to identify and accordingly to steal by insiders or external attackers.

      Handling of assets 8.2.3 -

      XXXXXXXXXX XXX XXXXXXXX XXXXXX XXXXXX XX XXXXXXXXX XXX XXXXXXXXXXX XX XXXXXXXXXX XXXX XXX XXXXXXXXXXX XXXXXXXXXXXXXX XXXXXX XXXXXXX XX XXX XXXXXXXXXXXX.

      +

      Procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organization.

      -

      XXXXXXXXXX XXXXXX XX XXXXX XX XXX XXXXXXXX, XXXXXXXXXX, XXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXX XXX XXXXXXXXXXXXXX (XXX 8.2.1).

      -

      XXX XXXXXXXXX XXXXX XXXXXX XX XXXXXXXXXX:

      +

      Procedures should be drawn up for handling, processing, storing and communicating information consistent with its classification (see 8.2.1).

      +

      The following items should be considered:

        -
      1. XXXXXX XXXXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXXXXX XXX XXXX XXXXX XX XXXXXXXXXXXXXX;
      2. -
      3. XXXXXXXXXXX XX X XXXXXX XXXXXX XX XXX XXXXXXXXXX XXXXXXXXXX XX XXXXXX;
      4. -
      5. XXXXXXXXXX XX XXXXXXXXX XX XXXXXXXXX XXXXXX XX XXXXXXXXXXX XX X XXXXX XXXXXXXXXX XXXX XXX XXXXXXXXXX XX XXX XXXXXXXX XXXXXXXXXXX;
      6. -
      7. XXXXXXX XX XX XXXXXX XX XXXXXXXXXX XXXX XXXXXXXXXXXXX’ XXXXXXXXXXXXXX;
      8. -
      9. XXXXX XXXXXXX XX XXX XXXXXX XX XXXXX XXX XXX XXXXXXXXX XX XXX XXXXXXXXXX XXXXXXXXX.
      10. +
      11. access restrictions supporting the protection requirements for each level of classification;
      12. +
      13. maintenance of a formal record of the authorized recipients of assets;
      14. +
      15. protection of temporary or permanent copies of information to a level consistent with the protection of the original information;
      16. +
      17. storage of IT assets in accordance with manufacturers’ specifications;
      18. +
      19. clear marking of all copies of media for the attention of the authorized recipient.
      -

      XXX XXXXXXXXXXXXXX XXXXXX XXXX XXXXXX XXX XXXXXXXXXXXX XXX XXX XX XXXXXXXXXX XX XXX XXXXXXX XXXX XX XXXXX XXXXXXXXXXXXX, XXXX XX XXX XXXXX XXX XXXXXX XXX XXXXXXX; XX XXXXXXXX, XXXXXXXXXXX XXXXXX XXXXXXX XXXXXXXXXXXXX XXX XXXX XX XXXXXXXXXXXXXX XXXXXXXXX XX XXX XXXXXXX XX XXXX XXXXXXXXXXXX, XXXX XX XXXXX XXXXXXXXXXXXXX XXXXXXX XXX XXXXXXXXX.

      -

      XXXXXXXXXX XXXX XXXXX XXXXXXXXXXXXX XXXX XXXXXXX XXXXXXXXXXX XXXXXXX XXXXXX XXXXXXX XXXXXXXXXX XX XXXXXXXX XXX XXXXXXXXXXXXXX XX XXXX XXXXXXXXXXX XXX XX XXXXXXXXX XXX XXXXXXXXXXXXXX XXXXXX XXXX XXXXX XXXXXXXXXXXXX.

      +

      The classification scheme used within the organization may not be equivalent to the schemes used by other organizations, even if the names for levels are similar; in addition, information moving between organizations can vary in classification depending on its context in each organization, even if their classification schemes are identical.

      +

      Agreements with other organizations that include information sharing should include procedures to identify the classification of that information and to interpret the classification labels from other organizations.

      @@ -587,70 +585,70 @@ Media handling 8.3 -

      XX XXXXXXX XXXXXXXXXXXX XXXXXXXXXX, XXXXXXXXXXXX, XXXXXXX XX XXXXXXXXXXX XX XXXXXXXXXXX XXXXXX XX XXXXX.

      +

      Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

      Management of removable media 8.3.1 -

      XXXXXXXXXX XXXXXX XX XXXXXXXXXXX XXX XXX XXXXXXXXXX XX XXXXXXXXX XXXXX XX XXXXXXXXXX XXXX XXX XXXXXXXXXXXXXX XXXXXX XXXXXXX XX XXX XXXXXXXXXXXX.

      +

      Procedures should be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

      -

      XXX XXXXXXXXX XXXXXXXXXX XXX XXX XXXXXXXXXX XX XXXXXXXXX XXXXX XXXXXX XX XXXXXXXXXX:

      +

      The following guidelines for the management of removable media should be considered:

        -
      1. XX XX XXXXXX XXXXXXXX, XXX XXXXXXXX XX XXX XX-XXXXXX XXXXX XXXX XXX XX XX XXXXXXX XXXX XXX XXXXXXXXXXXX XXXXXX XX XXXX XXXXXXXXXXXXX;
      2. -
      3. XXXXX XXXXXXXXX XXX XXXXXXXXX, XXXXXXXXXXXXX XXXXXX XX XXXXXXXX XXX XXXXX XXXXXXX XXXX XXX XXXXXXXXXXXX XXX X XXXXXX XX XXXX XXXXXXXX XXXXXX XX XXXX XX XXXXX XX XXXXXXXX XX XXXXX XXXXX;
      4. -
      5. XXX XXXXX XXXXXX XX XXXXXX XX X XXXX, XXXXXX XXXXXXXXXXX, XX XXXXXXXXXX XXXX XXXXXXXXXXXXX’ XXXXXXXXXXXXXX;
      6. -
      7. XX XXXX XXXXXXXXXXXXXXX XX XXXXXXXXX XXX XXXXXXXXX XXXXXXXXXXXXXX, XXXXXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXX XX XXXXXXX XXXX XX XXXXXXXXX XXXXX;
      8. -
      9. XX XXXXXXXX XXX XXXX XX XXXXX XXXXXXXXX XXXXX XXXXXX XXXX XXX XXXXX XXXXXX, XXX XXXX XXXXXX XX XXXXXXXXXXX XX XXXXX XXXXX XXXXXX XXXXXXXX XXXXXXXXXX;
      10. -
      11. XXXXXXXX XXXXXX XX XXXXXXXX XXXX XXXXXX XX XXXXXX XX XXXXXXXX XXXXX XX XXXXXXX XXXXXX XXX XXXX XX XXXXXXXXXXXX XXXX XXXXXX XX XXXX;
      12. -
      13. XXXXXXXXXXXX XX XXXXXXXXX XXXXX XXXXXX XX XXXXXXXXXX XX XXXXX XXX XXXXXXXXXXX XXX XXXX XXXX;
      14. -
      15. XXXXXXXXX XXXXX XXXXXX XXXXXX XXXX XX XXXXXXX XX XXXXX XX X XXXXXXXX XXXXXX XXX XXXXX XX;
      16. -
      17. XXXXX XXXXX XX X XXXX XX XXX XXXXXXXXX XXXXX XXX XXXXXXXX XX XXXXXXXXXXX XX XXXX XXXXX XXXXXX XX XXXXXXXXX.
      18. +
      19. if no longer required, the contents of any re-usable media that are to be removed from the organization should be made unrecoverable;
      20. +
      21. where necessary and practical, authorization should be required for media removed from the organization and a record of such removals should be kept in order to maintain an audit trail;
      22. +
      23. all media should be stored in a safe, secure environment, in accordance with manufacturers’ specifications;
      24. +
      25. if data confidentiality or integrity are important considerations, cryptographic techniques should be used to protect data on removable media;
      26. +
      27. to mitigate the risk of media degrading while stored data are still needed, the data should be transferred to fresh media before becoming unreadable;
      28. +
      29. multiple copies of valuable data should be stored on separate media to further reduce the risk of coincidental data damage or loss;
      30. +
      31. registration of removable media should be considered to limit the opportunity for data loss;
      32. +
      33. removable media drives should only be enabled if there is a business reason for doing so;
      34. +
      35. where there is a need to use removable media the transfer of information to such media should be monitored.
      -

      XXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXX XXXXXX XX XXXXXXXXXX.

      +

      Procedures and authorization levels should be documented.

      Disposal of media 8.3.2 -

      XXXXX XXXXXX XX XXXXXXXX XX XXXXXXXX XXXX XX XXXXXX XXXXXXXX, XXXXX XXXXXX XXXXXXXXXX.

      +

      Media should be disposed of securely when no longer required, using formal procedures.

      -

      XXXXXX XXXXXXXXXX XXX XXX XXXXXX XXXXXXXX XX XXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXXXX XXX XXXX XX XXXXXXXXXXXX XXXXXXXXXXX XXXXXXX XX XXXXXXXXXXXX XXXXXXX. XXX XXXXXXXXXX XXX XXXXXX XXXXXXXX XX XXXXX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXXXXX XX XXX XXXXXXXXXXX XX XXXX XXXXXXXXXXX. XXX XXXXXXXXX XXXXX XXXXXX XX XXXXXXXXXX:

      +

      Formal procedures for the secure disposal of media should be established to minimize the risk of confidential information leakage to unauthorized persons. The procedures for secure disposal of media containing confidential information should be proportional to the sensitivity of that information. The following items should be considered:

        -
      1. XXXXX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXX XXX XXXXXXXX XX XXXXXXXX, X.X. XX XXXXXXXXXXXX XX XXXXXXXXX, XX XXXXXXX XX XXXX XXX XXX XX XXXXXXX XXXXXXXXXXX XXXXXX XXX XXXXXXXXXXXX;
      2. -
      3. XXXXXXXXXX XXXXXX XX XX XXXXX XX XXXXXXXX XXX XXXXX XXXX XXXXX XXXXXXX XXXXXX XXXXXXXX;
      4. -
      5. XX XXX XX XXXXXX XX XXXXXXX XXX XXX XXXXX XXXXX XX XX XXXXXXXXX XXX XXXXXXXX XX XXXXXXXX, XXXXXX XXXX XXXXXXXXXX XX XXXXXXXX XXX XXX XXXXXXXXX XXXXX;
      6. -
      7. XXXX XXXXXXXXXXXXX XXXXX XXXXXXXXXX XXX XXXXXXXX XXXXXXXX XXX XXXXX; XXXX XXXXXX XX XXXXX XX XXXXXXXXX X XXXXXXXX XXXXXXXX XXXXX XXXX XXXXXXXX XXXXXXXX XXX XXXXXXXXXX;
      8. -
      9. XXXXXXXX XX XXXXXXXXX XXXXX XXXXXX XX XXXXXX XX XXXXX XX XXXXXXXX XX XXXXX XXXXX.
      10. +
      11. media containing confidential information should be stored and disposed of securely, e.g. by incineration or shredding, or erasure of data for use by another application within the organization;
      12. +
      13. procedures should be in place to identify the items that might require secure disposal;
      14. +
      15. it may be easier to arrange for all media items to be collected and disposed of securely, rather than attempting to separate out the sensitive items;
      16. +
      17. many organizations offer collection and disposal services for media; care should be taken in selecting a suitable external party with adequate controls and experience;
      18. +
      19. disposal of sensitive items should be logged in order to maintain an audit trail.
      -

      XXXX XXXXXXXXXXXX XXXXX XXX XXXXXXXX, XXXXXXXXXXXXX XXXXXX XX XXXXX XX XXX XXXXXXXXXXX XXXXXX, XXXXX XXX XXXXX X XXXXX XXXXXXXX XX XXX-XXXXXXXXX XXXXXXXXXXX XX XXXXXX XXXXXXXXX.

      +

      When accumulating media for disposal, consideration should be given to the aggregation effect, which can cause a large quantity of non-sensitive information to become sensitive.

      -

      XXXXXXX XXXXXXX XXXXXXXXXX XXXXXXXXX XXXX XXX XXXXXXX X XXXX XXXXXXXXXX XX XXXXXXXXX XXXXXXX XXX XXXXX XXXXXX XX XXXXXXXXXX XXXXXXXXX XXXXXX XXXX XXXX XXX XXXXXX XX XXXXXXXXX (XXX 11.2.7).

      +

      Damaged devices containing sensitive data may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded (see 11.2.7).

      Physical media transfer 8.3.3 -

      XXXXX XXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXX XXXXXXX XXXXXXXXXXXX XXXXXX, XXXXXX XX XXXXXXXXXX XXXXXX XXXXXXXXXXXXXX.

      +

      Media containing information should be protected against unauthorized access, misuse or corruption during transportation.

      -

      XXX XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXX XXXXX XXXXXXXXXX XXXXXXXXXXX XXXXX XXXXXXXXXXX:

      +

      The following guidelines should be considered to protect media containing information being transported:

        -
      1. XXXXXXXX XXXXXXXXX XX XXXXXXXX XXXXXX XX XXXX;
      2. -
      3. X XXXX XX XXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXX XXXX XXXXXXXXXX;
      4. -
      5. XXXXXXXXXX XX XXXXXX XXX XXXXXXXXXXXXXX XX XXXXXXXX XXXXXX XX XXXXXXXXX;
      6. -
      7. XXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXX XXX XXXXXXXX XXXX XXX XXXXXXXX XXXXXX XXXXXX XX XXXXX XXXXXX XXXXXXX XXX XX XXXXXXXXXX XXXX XXX XXXXXXXXXXXXX’ XXXXXXXXXXXXXX, XXX XXXXXXX XXXXXXXXXX XXXXXXX XXX XXXXXXXXXXXXX XXXXXXX XXXX XXX XXXXXX XXX XXXXX’X XXXXXXXXXXX XXXXXXXXXXXXX XXXX XX XXXXXXXX XX XXXX, XXXXXXXX XX XXXXXXXXXXXXXXX XXXXXX;
      8. -
      9. XXXX XXXXXX XX XXXX, XXXXXXXXXXX XXX XXXXXXX XX XXX XXXXX, XXX XXXXXXXXXX XXXXXXX XX XXXX XX XXXXXXXXX XXX XXXXX XX XXXXXXXX XX XXX XXXXXXX XXXXXXXXXX XXX XXXXXXX XX XXX XXXXXXXXXXX.
      10. +
      11. reliable transport or couriers should be used;
      12. +
      13. a list of authorized couriers should be agreed with management;
      14. +
      15. procedures to verify the identification of couriers should be developed;
      16. +
      17. packaging should be sufficient to protect the contents from any physical damage likely to arise during transit and in accordance with any manufacturers’ specifications, for example protecting against any environmental factors that may reduce the media’s restoration effectiveness such as exposure to heat, moisture or electromagnetic fields;
      18. +
      19. logs should be kept, identifying the content of the media, the protection applied as well as recording the times of transfer to the transit custodians and receipt at the destination.
      -

      XXXXXXXXXXX XXX XX XXXXXXXXXX XX XXXXXXXXXXXX XXXXXX, XXXXXX XX XXXXXXXXXX XXXXXX XXXXXXXX XXXXXXXXX, XXX XXXXXXXX XXXX XXXXXXX XXXXX XXX XXX XXXXXX XXXXXXX XX XXX XXXXXXX. XX XXXX XXXXXXX, XXXXX XXXXXXX XXXXX XXXXXXXXX.

      -

      XXXX XXXXXXXXXXXX XXXXXXXXXXX XX XXXXX XX XXX XXXXXXXXX, XXXXXXXXXX XXXXXXXX XXXXXXXXXX XX XXX XXXXX XXXXXX XX XXXXXXXXXX.

      +

      Information can be vulnerable to unauthorized access, misuse or corruption during physical transport, for instance when sending media via the postal service or via courier. In this control, media include paper documents.

      +

      When confidential information on media is not encrypted, additional physical protection of the media should be considered.

      @@ -662,46 +660,46 @@ Business requirements of access control 9.1 -

      XX XXXXX XXXXXX XX XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX.

      +

      Objective: To limit access to information and information processing facilities.

      Access control policy 9.1.1 -

      XX XXXXXX XXXXXXX XXXXXX XXXXXX XX XXXXXXXXXXX, XXXXXXXXXX XXX XXXXXXXX XXXXX XX XXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX.

      +

      An access control policy should be established, documented and reviewed based on business and information security requirements.

      -

      XXXXX XXXXXX XXXXXX XXXXXXXXX XXXXXXXXXXX XXXXXX XXXXXXX XXXXX, XXXXXX XXXXXX XXX XXXXXXXXXXXX XXX XXXXXXXX XXXX XXXXX XXXXXXX XXXXX XXXXXX, XXXX XXX XXXXXX XX XXXXXX XXX XXX XXXXXXXXXX XX XXX XXXXXXXX XXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXX.

      -

      XXXXXX XXXXXXXX XXX XXXX XXXXXXX XXX XXXXXXXX (XXX Clause 11) XXX XXXXX XXXXXX XX XXXXXXXXXX XXXXXXXX. XXXXX XXX XXXXXXX XXXXXXXXX XXXXXX XX XXXXX X XXXXX XXXXXXXXX XX XXX XXXXXXXX XXXXXXXXXXXX XX XX XXX XX XXXXXX XXXXXXXX.

      -

      XXX XXXXXX XXXXXX XXXX XXXXXXX XX XXX XXXXXXXXX:

      +

      Asset owners should determine appropriate access control rules, access rights and restrictions for specific user roles towards their assets, with the amount of detail and the strictness of the controls reflecting the associated information security risks.

      +

      Access controls are both logical and physical (see Clause 11) and these should be considered together. Users and service providers should be given a clear statement of the business requirements to be met by access controls.

      +

      The policy should take account of the following:

        -
      1. XXXXXXXX XXXXXXXXXXXX XX XXXXXXXX XXXXXXXXXXXX;
      2. -
      3. XXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXXXXX XXX XXXXXXXXXXXXX, X.X. XXX XXXX-XX-XXXX XXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXX XXX XXXXXXXXXXXXXX XX XXXXXXXXXXX (XXX 8.2);
      4. -
      5. XXXXXXXXXXX XXXXXXX XXX XXXXXX XXXXXX XXX XXXXXXXXXXX XXXXXXXXXXXXXX XXXXXXXX XX XXXXXXX XXX XXXXXXXX;
      6. -
      7. XXXXXXXX XXXXXXXXXXX XXX XXX XXXXXXXXXXX XXXXXXXXXXX XXXXXXXXX XXXXXXXXXX XX XXXXXX XX XXXX XX XXXXXXXX (XXX 18.1);
      8. -
      9. XXXXXXXXXX XX XXXXXX XXXXXX XX X XXXXXXXXXXX XXX XXXXXXXXX XXXXXXXXXXX XXXXX XXXXXXXXXX XXX XXXXX XX XXXXXXXXXXX XXXXXXXXX;
      10. -
      11. XXXXXXXXXXX XX XXXXXX XXXXXXX XXXXX, X.X. XXXXXX XXXXXXX, XXXXXX XXXXXXXXXXXXX, XXXXXX XXXXXXXXXXXXXX;
      12. -
      13. XXXXXXXXXXXX XXX XXXXXX XXXXXXXXXXXXX XX XXXXXX XXXXXXXX (XXX 9.2.1 XXX 9.2.2);
      14. -
      15. XXXXXXXXXXXX XXX XXXXXXXX XXXXXX XX XXXXXX XXXXXX (XXX 9.2.5);
      16. -
      17. XXXXXXX XX XXXXXX XXXXXX (XXX 9.2.6);
      18. -
      19. XXXXXXXXX XX XXXXXXX XX XXX XXXXXXXXXXX XXXXXX XXXXXXXXXX XXX XXX XXX XXXXXXXXXX XX XXXX XXXXXXXXXX XXX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX;
      20. -
      21. XXXXX XXXX XXXXXXXXXX XXXXXX (XXX 9.2.3).
      22. +
      23. security requirements of business applications;
      24. +
      25. policies for information dissemination and authorization, e.g. the need-to-know principle and information security levels and classification of information (see 8.2);
      26. +
      27. consistency between the access rights and information classification policies of systems and networks;
      28. +
      29. relevant legislation and any contractual obligations regarding limitation of access to data or services (see 18.1);
      30. +
      31. management of access rights in a distributed and networked environment which recognizes all types of connections available;
      32. +
      33. segregation of access control roles, e.g. access request, access authorization, access administration;
      34. +
      35. requirements for formal authorization of access requests (see 9.2.1 and 9.2.2);
      36. +
      37. requirements for periodic review of access rights (see 9.2.5);
      38. +
      39. removal of access rights (see 9.2.6);
      40. +
      41. archiving of records of all significant events concerning the use and management of user identities and secret authentication information;
      42. +
      43. roles with privileged access (see 9.2.3).
      -

      XXXX XXXXXX XX XXXXX XXXX XXXXXXXXXX XXXXXX XXXXXXX XXXXX XX XXXXXXXX:

      +

      Care should be taken when specifying access control rules to consider:

        -
      1. XXXXXXXXXXXX XXXXX XXXXX XX XXX XXXXXXX “XXXXXXXXXX XX XXXXXXXXX XXXXXXXXX XXXXXX XXXXXXXXX XXXXXXXXX” XXXXXX XXXX XXX XXXXXX XXXX “XXXXXXXXXX XX XXXXXXXXX XXXXXXXXX XXXXXX XXXXXXXXX XXXXXXXXX”;
      2. -
      3. XXXXXXX XX XXXXXXXXXXX XXXXXX (XXX 8.2.2) XXXX XXX XXXXXXXXX XXXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXX XXXXX XXXXXXXXX XX XXX XXXXXXXXXX XX X XXXX;
      4. -
      5. XXXXXXX XX XXXX XXXXXXXXXXX XXXX XXX XXXXXXXXX XXXXXXXXXXXXX XX XXX XXXXXXXXXXX XXXXXX XXX XXXXX XXXXXXXXX XX XX XXXXXXXXXXXXX;
      6. -
      7. XXXXX XXXXX XXXXXXX XXXXXXXX XXXXXXXX XXXXXX XXXXXXXXX XXX XXXXX XXXXX XX XXX.
      8. +
      9. establishing rules based on the premise “Everything is generally forbidden unless expressly permitted” rather than the weaker rule “Everything is generally permitted unless expressly forbidden”;
      10. +
      11. changes in information labels (see 8.2.2) that are initiated automatically by information processing facilities and those initiated at the discretion of a user;
      12. +
      13. changes in user permissions that are initiated automatically by the information system and those initiated by an administrator;
      14. +
      15. rules which require specific approval before enactment and those which do not.
      -

      XXXXXX XXXXXXX XXXXX XXXXXX XX XXXXXXXXX XX XXXXXX XXXXXXXXXX (XXX 9.2, 9.3, 9.4) XXX XXXXXXX XXXXXXXXXXXXXXXX (XXX 6.1.1, 9.3).

      -

      XXXX XXXXX XXXXXX XXXXXXX XX XX XXXXXXXX XXXX XXXXXXXXXXXX XX XXXX XXXXXXXXXXXXX XX XXXX XXXXXX XXXXXX XXXX XXXXXXXX XXXXX.

      -

      XXX XX XXX XXXXXXXX XXXXXXXXXX XXXXXXXXX XXX XXXXXX XXXXXXX XXXXXX XXX:

      +

      Access control rules should be supported by formal procedures (see 9.2, 9.3, 9.4) and defined responsibilities (see 6.1.1, 9.3).

      +

      Role based access control is an approach used successfully by many organisations to link access rights with business roles.

      +

      Two of the frequent principles directing the access control policy are:

        -
      1. XXXX-XX-XXXX: XXX XXX XXXX XXXXXXX XXXXXX XX XXX XXXXXXXXXXX XXX XXXX XX XXXXXXX XXXX XXXXX (XXXXXXXXX XXXXX/XXXXX XXXX XXXXXXXXX XXXX-XX-XXXX XXX XXXXX XXXXXXXXX XXXXXX XXXXXXX);
      2. -
      3. XXXX-XX-XXX: XXX XXX XXXX XXXXXXX XXXXXX XX XXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX (XX XXXXXXXXX, XXXXXXXXXXXX, XXXXXXXXXX, XXXXX) XXX XXXX XX XXXXXXX XXXX XXXX/XXX/XXXX.
      4. +
      5. Need-to-know: you are only granted access to the information you need to perform your tasks (different tasks/roles mean different need-to-know and hence different access profile);
      6. +
      7. Need-to-use: you are only granted access to the information processing facilities (IT equipment, applications, procedures, rooms) you need to perform your task/job/role.
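Review bot: The added paragraph beginning `Role based access control is an approach used successfully by many organisations` is inconsistent with the rest of the new text in this hunk, which uses American spellings (`organization`, `authorization`, `authorized`); change it to `Role based access control is an approach used successfully by many organizations to link access rights with business roles.` The same paragraph would also read more consistently as `Role-based access control`, matching the hyphenated `Need-to-know` and `Need-to-use` terms introduced just below it. This is wording only; the control text itself is otherwise consistent with the surrounding 9.1.1 guidance.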
      @@ -709,22 +707,22 @@ Access to networks and network services 9.1.2 -

      XXXXX XXXXXX XXXX XX XXXXXXXX XXXX XXXXXX XX XXX XXXXXXX XXX XXXXXXX XXXXXXXX XXXX XXXX XXXX XXXX XXXXXXXXXXXX XXXXXXXXXX XX XXX.

      +

      Users should only be provided with access to the network and network services that they have been specifically authorized to use.

      -

      X XXXXXX XXXXXX XX XXXXXXXXXX XXXXXXXXXX XXX XXX XX XXXXXXXX XXX XXXXXXX XXXXXXXX. XXXX XXXXXX XXXXXX XXXXX:

      +

      A policy should be formulated concerning the use of networks and network services. This policy should cover:

        -
      1. XXX XXXXXXXX XXX XXXXXXX XXXXXXXX XXXXX XXX XXXXXXX XX XX XXXXXXXX;
      2. -
      3. XXXXXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXXX XXX XX XXXXXXX XX XXXXXX XXXXX XXXXXXXX XXX XXXXXXXXX XXXXXXXX;
      4. -
      5. XXXXXXXXXX XXXXXXXX XXX XXXXXXXXXX XX XXXXXXX XXXXXX XX XXXXXXX XXXXXXXXXXX XXX XXXXXXX XXXXXXXX;
      6. -
      7. XXX XXXXX XXXX XX XXXXXX XXXXXXXX XXX XXXXXXX XXXXXXXX (X.X. XXX XX XXX XX XXXXXXXX XXXXXXX);
      8. -
      9. XXXX XXXXXXXXXXXXXX XXXXXXXXXXXX XXX XXXXXXXXX XXXXXXX XXXXXXX XXXXXXXX;
      10. -
      11. XXXXXXXXXX XX XXX XXX XX XXXXXXX XXXXXXXX.
      12. +
      13. the networks and network services which are allowed to be accessed;
      14. +
      15. authorization procedures for determining who is allowed to access which networks and networked services;
      16. +
      17. management controls and procedures to protect access to network connections and network services;
      18. +
      19. the means used to access networks and network services (e.g. use of VPN or wireless network);
      20. +
      21. user authentication requirements for accessing various network services;
      22. +
      23. monitoring of the use of network services.
      -

      XXX XXXXXX XX XXX XXX XX XXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXX XXXX XXX XXXXXXXXXXXX’X XXXXXX XXXXXXX XXXXXX (XXX 9.1.1).

      +

      The policy on the use of network services should be consistent with the organization’s access control policy (see 9.1.1).

      -

      XXXXXXXXXXXX XXX XXXXXXXX XXXXXXXXXXX XX XXXXXXX XXXXXXXX XXX XXXXXX XXX XXXXX XXXXXXXXXXXX. XXXX XXXXXXX XX XXXXXXXXXXXX XXXXXXXXX XXX XXXXXXX XXXXXXXXXXX XX XXXXXXXXX XX XXXXXXXX XXXXXXXX XXXXXXXXXXXX XX XX XXXXX XX XXXX-XXXX XXXXXXXXX, X.X. XXXXXX XX XXXXXXXX XXXXX XXXX XXX XXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXX XXXXXXX.

      +

      Unauthorized and insecure connections to network services can affect the whole organization. This control is particularly important for network connections to sensitive or critical business applications or to users in high-risk locations, e.g. public or external areas that are outside the organization’s information security management and control.

      @@ -732,28 +730,28 @@ User access management 9.2 -

      XX XXXXXX XXXXXXXXXX XXXX XXXXXX XXX XX XXXXXXX XXXXXXXXXXXX XXXXXX XX XXXXXXX XXX XXXXXXXX.

      +

      Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

      User registration and de-registration 9.2.1 -

      X XXXXXX XXXX XXXXXXXXXXXX XXX XX-XXXXXXXXXXXX XXXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXX XXXXXXXXXX XX XXXXXX XXXXXX.

      +

      A formal user registration and de-registration process should be implemented to enable assignment of access rights.

      -

      XXX XXXXXXX XXX XXXXXXXX XXXX XXX XXXXXX XXXXXXX:

      +

      The process for managing user IDs should include:

        -
      1. XXXXX XXXXXX XXXX XXX XX XXXXXX XXXXX XX XX XXXXXX XX XXX XXXX XXXXXXXXXXX XXX XXXXX XXXXXXX; XXX XXX XX XXXXXX XXX XXXXXX XXXX XX XXXXXXXXX XXXXX XXXX XXX XXXXXXXXX XXX XXXXXXXX XX XXXXXXXXXXX XXXXXXX XXX XXXXXX XX XXXXXXXX XXX XXXXXXXXXX;
      2. -
      3. XXXXXXXXXXX XXXXXXXXX XX XXXXXXXX XXXX XXX XX XXXXX XXX XXXX XXXX XXX XXXXXXXXXXXX (XXX 9.2.6);
      4. -
      5. XXXXXXXXXXXX XXXXXXXXXXX XXX XXXXXXXX XX XXXXXXXXX XXXXXXXXX XXXX XXX;
      6. -
      7. XXXXXXXX XXXX XXXXXXXXX XXXX XXX XXX XXX XXXXXX XX XXXXX XXXXX.
      8. +
      9. using unique user IDs to enable users to be linked to and held responsible for their actions; the use of shared IDs should only be permitted where they are necessary for business or operational reasons and should be approved and documented;
      10. +
      11. immediately disabling or removing user IDs of users who have left the organization (see 9.2.6);
      12. +
      13. periodically identifying and removing or disabling redundant user IDs;
      14. +
      15. ensuring that redundant user IDs are not issued to other users.
      -

      XXXXXXXXX XX XXXXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XX XXXXXXX X XXX-XXXX XXXXXXXXX:

      +

      Providing or revoking access to information or information processing facilities is usually a two-step procedure:

        -
      1. XXXXXXXXX XXX XXXXXXXX, XX XXXXXXXX, X XXXX XX;
      2. -
      3. XXXXXXXXX, XX XXXXXXXX, XXXXXX XXXXXX XX XXXX XXXX XX (XXX 9.2.2).
      4. +
      5. assigning and enabling, or revoking, a user ID;
      6. +
      7. providing, or revoking, access rights to such user ID (see 9.2.2).
      @@ -761,107 +759,107 @@ User access provisioning 9.2.2 -

      X XXXXXX XXXX XXXXXX XXXXXXXXXXXX XXXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXX XX XXXXXX XXXXXX XXXXXX XXX XXX XXXX XXXXX XX XXX XXXXXXX XXX XXXXXXXX.

      +

      A formal user access provisioning process should be implemented to assign or revoke access rights for all user types to all systems and services.

      -

      XXX XXXXXXXXXXXX XXXXXXX XXX XXXXXXXXX XX XXXXXXXX XXXXXX XXXXXX XXXXXXX XX XXXX XXX XXXXXX XXXXXXX:

      +

      The provisioning process for assigning or revoking access rights granted to user IDs should include:

        -
      1. XXXXXXXXX XXXXXXXXXXXXX XXXX XXX XXXXX XX XXX XXXXXXXXXXX XXXXXX XX XXXXXXX XXX XXX XXX XX XXX XXXXXXXXXXX XXXXXX XX XXXXXXX (XXX XXXXXXX 8.1.2); XXXXXXXX XXXXXXXX XXX XXXXXX XXXXXX XXXX XXXXXXXXXX XXX XXXX XX XXXXXXXXXXX;
      2. -
      3. XXXXXXXXX XXXX XXX XXXXX XX XXXXXX XXXXXXX XX XXXXXXXXXXX XX XXX XXXXXX XXXXXXXX (XXX 9.1) XXX XX XXXXXXXXXX XXXX XXXXX XXXXXXXXXXXX XXXX XX XXXXXXXXXXX XX XXXXXX (XXX 6.1.2);
      4. -
      5. XXXXXXXX XXXX XXXXXX XXXXXX XXX XXX XXXXXXXXX (X.X. XX XXXXXXX XXXXXXXXX) XXXXXX XXXXXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXX;
      6. -
      7. XXXXXXXXXXX X XXXXXXX XXXXXX XX XXXXXX XXXXXX XXXXXXX XX X XXXX XX XX XXXXXX XXXXXXXXXXX XXXXXXX XXX XXXXXXXX;
      8. -
      9. XXXXXXXX XXXXXX XXXXXX XX XXXXX XXX XXXX XXXXXXX XXXXX XX XXXX XXX XXXXXXXXXXX XXXXXXXX XX XXXXXXXX XXXXXX XXXXXX XX XXXXX XXX XXXX XXXX XXX XXXXXXXXXXXX;
      10. -
      11. XXXXXXXXXXXX XXXXXXXXX XXXXXX XXXXXX XXXX XXXXXX XX XXX XXXXXXXXXXX XXXXXXX XX XXXXXXXX (XXX 9.2.5).
      12. +
      13. obtaining authorization from the owner of the information system or service for the use of the information system or service (see control 8.1.2); separate approval for access rights from management may also be appropriate;
      14. +
      15. verifying that the level of access granted is appropriate to the access policies (see 9.1) and is consistent with other requirements such as segregation of duties (see 6.1.2);
      16. +
      17. ensuring that access rights are not activated (e.g. by service providers) before authorization procedures are completed;
      18. +
      19. maintaining a central record of access rights granted to a user ID to access information systems and services;
      20. +
      21. adapting access rights of users who have changed roles or jobs and immediately removing or blocking access rights of users who have left the organization;
      22. +
      23. periodically reviewing access rights with owners of the information systems or services (see 9.2.5).
      -

      XXXXXXXXXXXXX XXXXXX XX XXXXX XX XXXXXXXXXXXX XXXX XXXXXX XXXXX XXXXX XX XXXXXXXX XXXXXXXXXXXX XXXX XXXXXXXXX X XXXXXX XX XXXXXX XXXXXX XXXX XXXXXXX XXXX XXXXXX XXXXXXXX. XXXXXX XXXXXXXX XXX XXXXXXX (XXX 9.2.4) XXX XXXXXX XXXXXXX XX XXX XXXXX XX XXXX XXXXX XXXX XX XXX XXXXX XX XXXXXXXXXX XXXXXX.

      -

      XXXXXXXXXXXXX XXXXXX XX XXXXX XX XXXXXXXXX XXXXXXX XX XXXXXXXXX XXXXXXXXX XXX XXXXXXX XXXXXXXXX XXXX XXXXXXX XXXXXXXXX XX XXXXXXXXXXXX XXXXXX XX XXXXXXXXX XX XXXXXXXXX XX XXXXXXXXXXX (XXX 7.1.2, 7.2.3, 13.2.4, 15.1.2).

      +

      Consideration should be given to establishing user access roles based on business requirements that summarize a number of access rights into typical user access profiles. Access requests and reviews (see 9.2.4) are easier managed at the level of such roles than at the level of particular rights.

      +

      Consideration should be given to including clauses in personnel contracts and service contracts that specify sanctions if unauthorized access is attempted by personnel or contractors (see 7.1.2, 7.2.3, 13.2.4, 15.1.2).

      Management of privileged access rights 9.2.3 -

      XXX XXXXXXXXXX XXX XXX XX XXXXXXXXXX XXXXXX XXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXXXXX.

      +

      The allocation and use of privileged access rights should be restricted and controlled.

      -

      XXX XXXXXXXXXX XX XXXXXXXXXX XXXXXX XXXXXX XXXXXX XX XXXXXXXXXX XXXXXXX X XXXXXX XXXXXXXXXXXXX XXXXXXX XX XXXXXXXXXX XXXX XXX XXXXXXXX XXXXXX XXXXXXX XXXXXX (XXX XXXXXXX 9.1.1). XXX XXXXXXXXX XXXXX XXXXXX XX XXXXXXXXXX:

      +

      The allocation of privileged access rights should be controlled through a formal authorization process in accordance with the relevant access control policy (see control 9.1.1). The following steps should be considered:

        -
      1. XXX XXXXXXXXXX XXXXXX XXXXXX XXXXXXXXXX XXXX XXXX XXXXXX XX XXXXXXX, X.X. XXXXXXXXX XXXXXX, XXXXXXXX XXXXXXXXXX XXXXXX XXX XXXX XXXXXXXXXXX XXX XXX XXXXX XX XXXX XXXX XXXX XX XX XXXXXXXXX XXXXXX XX XXXXXXXXXX;
      2. -
      3. XXXXXXXXXX XXXXXX XXXXXX XXXXXX XX XXXXXXXXX XX XXXXX XX X XXXX-XX-XXX XXXXX XXX XX XX XXXXX-XX-XXXXX XXXXX XX XXXX XXXX XXX XXXXXX XXXXXXX XXXXXX (XXX 9.1.1), X.X. XXXXX XX XXX XXXXXXX XXXXXXXXXXX XXX XXXXX XXXXXXXXXX XXXXX;
      4. -
      5. XX XXXXXXXXXXXXX XXXXXXX XXX X XXXXXX XX XXX XXXXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXXXXX. XXXXXXXXXX XXXXXX XXXXXX XXXXXX XXX XX XXXXXXX XXXXX XXX XXXXXXXXXXXXX XXXXXXX XX XXXXXXXX;
      6. -
      7. XXXXXXXXXXXX XXX XXXXXX XX XXXXXXXXXX XXXXXX XXXXXX XXXXXX XX XXXXXXX;
      8. -
      9. XXXXXXXXXX XXXXXX XXXXXX XXXXXX XX XXXXXXXX XX X XXXX XX XXXXXXXXX XXXX XXXXX XXXX XXX XXXXXXX XXXXXXXX XXXXXXXXXX. XXXXXXX XXXXXXXX XXXXXXXXXX XXXXXX XXX XX XXXXXXXXX XXXX XXXXXXXXXX XX;
      10. -
      11. XXX XXXXXXXXXXX XX XXXXX XXXX XXXXXXXXXX XXXXXX XXXXXX XXXXXX XX XXXXXXXX XXXXXXXXX XX XXXXX XX XXXXXX XX XXXX XXX XX XXXX XXXX XXXXX XXXXXX;
      12. -
      13. XXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXXX XXX XXXXXXXXXX XX XXXXX XX XXXXX XXX XXXXXXXXXXXX XXX XX XXXXXXX XXXXXXXXXXXXXX XXXX XXX, XXXXXXXXX XX XXXXXXX’ XXXXXXXXXXXXX XXXXXXXXXXXX;
      14. -
      15. XXX XXXXXXX XXXXXXXXXXXXXX XXXX XXX, XXX XXXXXXXXXXXXXXX XX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXXX XXXX XXXXXX (X.X. XXXXXXXX XXXXXXXXX XXXXXXXXXX XXX XX XXXX XX XXXXXXXX XXXX X XXXXXXXXXX XXXX XXXXXX XX XXXXXXX XXX, XXXXXXXXXXXXX XXXX XXXXX XXXXXXXXXX XXXXX XXXX XXXXXXXXXXX XXXXXXXXXX).
      16. +
      17. the privileged access rights associated with each system or process, e.g. operating system, database management system and each application and the users to whom they need to be allocated should be identified;
      18. +
      19. privileged access rights should be allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy (see 9.1.1), i.e. based on the minimum requirement for their functional roles;
      20. +
      21. an authorization process and a record of all privileges allocated should be maintained. Privileged access rights should not be granted until the authorization process is complete;
      22. +
      23. requirements for expiry of privileged access rights should be defined;
      24. +
      25. privileged access rights should be assigned to a user ID different from those used for regular business activities. Regular business activities should not be performed from privileged ID;
      26. +
      27. the competences of users with privileged access rights should be reviewed regularly in order to verify if they are in line with their duties;
      28. +
      29. specific procedures should be established and maintained in order to avoid the unauthorized use of generic administration user IDs, according to systems’ configuration capabilities;
      30. +
      31. for generic administration user IDs, the confidentiality of secret authentication information should be maintained when shared (e.g. changing passwords frequently and as soon as possible when a privileged user leaves or changes job, communicating them among privileged users with appropriate mechanisms).
      -

      XXXXXXXXXXXXX XXX XX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXX (XXX XXXXXXX XX XXXXXXXX XX XX XXXXXXXXXXX XXXXXX XXXX XXXXXXX XXX XXXX XX XXXXXXXX XXXXXX XX XXXXXXXXXXX XXXXXXXX) XX X XXXXX XXXXXXXXXXXX XXXXXX XX XXXXXXXX XX XXXXXXXX XX XXXXXXX.

      +

      Inappropriate use of system administration privileges (any feature or facility of an information system that enables the user to override system or application controls) is a major contributory factor to failures or breaches of systems.

      Management of secret authentication information of users 9.2.4 -

      XXX XXXXXXXXXX XX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXXX XXXXXXX X XXXXXX XXXXXXXXXX XXXXXXX.

      +

      The allocation of secret authentication information should be controlled through a formal management process.

      -

      XXX XXXXXXX XXXXXX XXXXXXX XXX XXXXXXXXX XXXXXXXXXXXX:

      +

      The process should include the following requirements:

        -
      1. XXXXX XXXXXX XX XXXXXXXX XX XXXX X XXXXXXXXX XX XXXX XXXXXXXX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXXXX XXX XX XXXX XXXXX (X.X. XXXXXX) XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XXXXXX XXXXXX XXX XXXXXXX XX XXX XXXXX; XXXX XXXXXX XXXXXXXXX XXX XX XXXXXXXX XX XXX XXXXX XXX XXXXXXXXXX XX XXXXXXXXXX (XXX 7.1.2);
      2. -
      3. XXXX XXXXX XXX XXXXXXXX XX XXXXXXXX XXXXX XXX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XXXX XXXXXX XX XXXXXXXX XXXXXXXXX XXXX XXXXXX XXXXXXXXX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXXX, XXXXX XXXX XXX XXXXXX XX XXXXXX XX XXXXX XXX;
      4. -
      5. XXXXXXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXX XXX XXXXXXXX XX X XXXX XXXXX XX XXXXXXXXX XXX, XXXXXXXXXXX XX XXXXXXXXX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX;
      6. -
      7. XXXXXXXXX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXX XX XXXXX XX X XXXXXX XXXXXX; XXX XXX XX XXXXXXXX XXXXXXX XX XXXXXXXXXXX (XXXXX XXXX) XXXXXXXXXX XXXX XXXXXXXX XXXXXX XX XXXXXXX;
      8. -
      9. XXXXXXXXX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXX XX XX XXXXXXXXXX XXX XXXXXX XXX XX XXXXXXXXX;
      10. -
      11. XXXXX XXXXXX XXXXXXXXXXX XXXXXXX XX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX;
      12. -
      13. XXXXXXX XXXXXX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXX XXXXXXXXX XXXXXXXXXXXX XX XXXXXXX XX XXXXXXXX.
      14. +
      15. users should be required to sign a statement to keep personal secret authentication information confidential and to keep group (i.e. shared) secret authentication information solely within the members of the group; this signed statement may be included in the terms and conditions of employment (see 7.1.2);
      16. +
      17. when users are required to maintain their own secret authentication information they should be provided initially with secure temporary secret authentication information`, which they are forced to change on first use;
      18. +
      19. procedures should be established to verify the identity of a user prior to providing new, replacement or temporary secret authentication information;
      20. +
      21. temporary secret authentication information should be given to users in a secure manner; the use of external parties or unprotected (clear text) electronic mail messages should be avoided;
      22. +
      23. temporary secret authentication information should be unique to an individual and should not be guessable;
      24. +
      25. users should acknowledge receipt of secret authentication information;
      26. +
      27. default vendor secret authentication information should be altered following installation of systems or software.
      -

      XXXXXXXXX XXX X XXXXXXXX XXXX XXXX XX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XXX XXX X XXXXXX XXXXX XX XXXXXXXXX X XXXX’X XXXXXXXX. XXXXX XXXXX XX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XXX XXXXXXXXXXXXX XXXX XXX XXXXX XXXX XXXXXX XX XXXXXXXX XXXXXX (X.X. XXXXX XXXXX) XXXX XXXXXXX XXXXXXXXXXXXXX XXXXX.

      +

      Passwords are a commonly used type of secret authentication information and are a common means of verifying a user’s identity. Other types of secret authentication information are cryptographic keys and other data stored on hardware tokens (e.g. smart cards) that produce authentication codes.

      Review of user access rights 9.2.5 -

      XXXXX XXXXXX XXXXXX XXXXXX XXXXX’ XXXXXX XXXXXX XX XXXXXXX XXXXXXXXX.

      +

      Asset owners should review users’ access rights at regular intervals.

      -

      XXX XXXXXX XX XXXXXX XXXXXX XXXXXX XXXXXXXX XXX XXXXXXXXX:

      +

      The review of access rights should consider the following:

        -
      1. XXXXX’ XXXXXX XXXXXX XXXXXX XX XXXXXXXX XX XXXXXXX XXXXXXXXX XXX XXXXX XXX XXXXXXX, XXXX XX XXXXXXXXX, XXXXXXXX XX XXXXXXXXXXX XX XXXXXXXXXX (XXX Clause 7);
      2. -
      3. XXXX XXXXXX XXXXXX XXXXXX XX XXXXXXXX XXX XX-XXXXXXXXX XXXX XXXXXX XXXX XXX XXXX XX XXXXXXX XXXXXX XXX XXXX XXXXXXXXXXXX;
      4. -
      5. XXXXXXXXXXXXXX XXX XXXXXXXXXX XXXXXX XXXXXX XXXXXX XX XXXXXXXX XX XXXX XXXXXXXX XXXXXXXXX;
      6. -
      7. XXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXX XX XXXXXXX XXXXXXXXX XX XXXXXX XXXX XXXXXXXXXXXX XXXXXXXXXX XXXX XXX XXXX XXXXXXXX;
      8. -
      9. XXXXXXX XX XXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXX XXX XXXXXXXX XXXXXX.
      10. +
      11. users’ access rights should be reviewed at regular intervals and after any changes, such as promotion, demotion or termination of employment (see Clause 7);
      12. +
      13. user access rights should be reviewed and re-allocated when moving from one role to another within the same organization;
      14. +
      15. authorizations for privileged access rights should be reviewed at more frequent intervals;
      16. +
      17. privilege allocations should be checked at regular intervals to ensure that unauthorized privileges have not been obtained;
      18. +
      19. changes to privileged accounts should be logged for periodic review.
      -

      XXXX XXXXXXX XXXXXXXXXXX XXX XXXXXXXX XXXXXXXXXX XX XXX XXXXXXXXX XX XXXXXXXX 9.2.1, 9.2.2 XXX 9.2.6.

      +

      This control compensates for possible weaknesses in the execution of controls 9.2.1, 9.2.2 and 9.2.6.

      Removal or adjustment of access rights 9.2.6 -

      XXX XXXXXX XXXXXX XX XXX XXXXXXXXX XXX XXXXXXXX XXXXX XXXXX XX XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXX XXXX XXXXXXXXXXX XX XXXXX XXXXXXXXXX, XXXXXXXX XX XXXXXXXXX, XX XXXXXXXX XXXX XXXXXX.

      +

      The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.

      -

      XXXX XXXXXXXXXXX, XXX XXXXXX XXXXXX XX XX XXXXXXXXXX XX XXXXXXXXXXX XXX XXXXXX XXXXXXXXXX XXXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXX XXXXXXXX XXXXXX XX XXXXXXX XX XXXXXXXXX. XXXX XXXX XXXXXXXXX XXXXXXX XX XX XXXXXXXXX XX XXXXXX XXXXXX XXXXXX. XXXXXXX XX XXXXXXXXXX XXXXXX XX XXXXXXXXX XX XXXXXXX XX XXX XXXXXX XXXXXX XXXX XXXX XXX XXXXXXXX XXX XXX XXX XXXXXXXXXX. XXX XXXXXX XXXXXX XXXX XXXXXX XX XXXXXXX XX XXXXXXXX XXXXXXX XXXXX XX XXXXXXXX XXX XXXXXXX XXXXXX. XXXXXXX XX XXXXXXXXXX XXX XX XXXX XX XXXXXXX, XXXXXXXXXX XX XXXXXXXXXXX XX XXXX, XXXXXXXXXXXXXX XXXXX, XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XX XXXXXXXXXXXXX. XXX XXXXXXXXXXXXX XXXX XXXXXXXXXX XXXXXX XXXXXX XX XXXXXXXXX XXX XXXXXXXXXXX XXXXXX XXXXXXX XXX XXXXXXX XX XXXXXXXXXX XX XXXXXX XXXXXX. XX X XXXXXXXXX XXXXXXXX XX XXXXXXXX XXXXX XXXX XXX XXXXX XXXXXXXXX XXX XXXX XXX XXXXXXXXX XXXXXX, XXXXX XXXXXX XX XXXXXXX XXXX XXXXXXXXXXX XX XXXXXX XX XXXXXXXXXX, XXXXXXXX XX XXXXXXXXX.

      -

      XXXXXX XXXXXX XXX XXXXXXXXXXX XXX XXXXXX XXXXXXXXXX XXXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXX XX XXXXXXX XXXXXX XXX XXXXXXXXXX XXXXXXXXXX XX XXXXXXX, XXXXXXXXX XX XXX XXXXXXXXXX XX XXXX XXXXXXX XXXX XX:

      +

      Upon termination, the access rights of an individual to information and assets associated with information processing facilities and services should be removed or suspended. This will determine whether it is necessary to remove access rights. Changes of employment should be reflected in removal of all access rights that were not approved for the new employment. The access rights that should be removed or adjusted include those of physical and logical access. Removal or adjustment can be done by removal, revocation or replacement of keys, identification cards, information processing facilities or subscriptions. Any documentation that identifies access rights of employees and contractors should reflect the removal or adjustment of access rights. If a departing employee or external party user has known passwords for user IDs remaining active, these should be changed upon termination or change of employment, contract or agreement.

      +

      Access rights for information and assets associated with information processing facilities should be reduced or removed before the employment terminates or changes, depending on the evaluation of risk factors such as:

        -
      1. XXXXXXX XXX XXXXXXXXXXX XX XXXXXX XX XXXXXXXXX XX XXX XXXXXXXX, XXX XXXXXXXX XXXXX XXXX XX XX XXXXXXXXXX, XXX XXX XXXXXX XXX XXXXXXXXXXX;
      2. -
      3. XXX XXXXXXX XXXXXXXXXXXXXXXX XX XXX XXXXXXXX, XXXXXXXX XXXXX XXXX XX XXX XXXXX XXXX;
      4. -
      5. XXX XXXXX XX XXX XXXXXX XXXXXXXXX XXXXXXXXXX.
      6. +
      7. whether the termination or change is initiated by the employee, the external party user or by management, and the reason for termination;
      8. +
      9. the current responsibilities of the employee, external party user or any other user;
      10. +
      11. the value of the assets currently accessible.
      -

      XX XXXXXXX XXXXXXXXXXXXX XXXXXX XXXXXX XXX XX XXXXXXXXX XX XXX XXXXX XX XXXXX XXXXXXXXX XX XXXX XXXXXX XXXX XXX XXXXXXXXX XXXXXXXX XX XXXXXXXX XXXXX XXXX, X.X. XXXXX XXX. XX XXXX XXXXXXXXXXXXX, XXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXX XXXX XXX XXXXX XXXXXX XXXXX XXX XXXXXXXXXXXX XXXXXX XX XXXX XX XXXXXX XXX XXXXX XXXXXXXXX XXX XXXXXXXX XXXXX XXXXX XXXXXXXX XX XX XXXXXX XXXXX XXXX XXXXXXXXXXX XXXX XXX XXXXXX XXXXXXXXX.

      -

      XX XXXXX XX XXXXXXXXXX-XXXXXXXXX XXXXXXXXXXX, XXXXXXXXXXX XXXXXXXXX XX XXXXXXXX XXXXX XXXXX XXX XXXXXXXXXXXX XXXXXXX XXXXXXXXXXX XX XXXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX. XX XXXXX XX XXXXXXX XXXXXXXXX XX XXXXX XXXXXXXXX, XXXX XXX XX XXXXXXX XX XXXXXXX XXXXXXXXXXX XXX XXXXXX XXX.

      +

      In certain circumstances access rights may be allocated on the basis of being available to more people than the departing employee or external party user, e.g. group IDs. In such circumstances, departing individuals should be removed from any group access lists and arrangements should be made to advise all other employees and external party users involved to no longer share this information with the person departing.

      +

      In cases of management-initiated termination, disgruntled employees or external party users can deliberately corrupt information or sabotage information processing facilities. In cases of persons resigning or being dismissed, they may be tempted to collect information for future use.

      @@ -869,35 +867,35 @@ User responsibilities 9.3 -

      XX XXXX XXXXX XXXXXXXXXXX XXX XXXXXXXXXXXX XXXXX XXXXXXXXXXXXXX XXXXXXXXXXX.

      +

      Objective: To make users accountable for safeguarding their authentication information.

      Use of secret authentication information 9.3.1 -

      XXXXX XXXXXX XX XXXXXXXX XX XXXXXX XXX XXXXXXXXXXXX’X XXXXXXXXX XX XXX XXX XX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX.

      +

      Users should be required to follow the organization’s practices in the use of secret authentication information.

      -

      XXX XXXXX XXXXXX XX XXXXXXX XX:

      +

      All users should be advised to:

        -
      1. XXXX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXXXX, XXXXXXXX XXXX XX XX XXX XXXXXXXX XX XXX XXXXX XXXXXXX, XXXXXXXXX XXXXXX XX XXXXXXXXX;
      2. -
      3. XXXXX XXXXXXX X XXXXXX (X.X. XX XXXXX, XXXXXXXX XXXX XX XXXX-XXXX XXXXXX) XX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX, XXXXXX XXXX XXX XX XXXXXX XXXXXXXX XXX XXX XXXXXX XX XXXXXXX XXX XXXX XXXXXXXX (X.X. XXXXXXXX XXXXX);
      4. -
      5. XXXXXX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXX XX XXX XXXXXXXXXX XX XXX XXXXXXXX XXXXXXXXXX;
      6. -
      7. XXXX XXXXXXXXX XXX XXXX XX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX, XXXXXX XXXXXXX XXXXXXXXX XXXX XXXXXXXXXX XXXXXXX XXXXXX XXXXX XXX:
          -
        1. XXXX XX XXXXXXXX;
        2. -
        3. XXX XXXXX XX XXXXXXXX XXXXXXXX XXXX XXXXX XXXXXX XXXXX XX XXXXXX XXXXX XXXXXX XXXXXXX XXXXXXXXXXX, X.X. XXXXX, XXXXXXXXX XXXXXXX XXX XXXXX XX XXXXX XXX.;
        4. -
        5. XXX XXXXXXXXXX XX XXXXXXXXXX XXXXXXX (X.X. XX XXX XXXXXXX XX XXXXX XXXXXXXX XX XXXXXXXXXXXX);
        6. -
        7. XXXX XX XXXXXXXXXXX XXXXXXXXX, XXX-XXXXXXX XX XXX-XXXXXXXXXX XXXXXXXXXX;
        8. -
        9. XX XXXXXXXXX, XXXXXXX XX XXX XXXXX XXX-XX;
        10. +
        11. keep secret authentication information confidential, ensuring that it is not divulged to any other parties, including people of authority;
        12. +
        13. avoid keeping a record (e.g. on paper, software file or hand-held device) of secret authentication information, unless this can be stored securely and the method of storing has been approved (e.g. password vault);
        14. +
        15. change secret authentication information whenever there is any indication of its possible compromise;
        16. +
        17. when passwords are used as secret authentication information, select quality passwords with sufficient minimum length which are:
            +
          1. easy to remember;
          2. +
          3. not based on anything somebody else could easily guess or obtain using person related information, e.g. names, telephone numbers and dates of birth etc.;
          4. +
          5. not vulnerable to dictionary attacks (i.e. do not consist of words included in dictionaries);
          6. +
          7. free of consecutive identical, all-numeric or all-alphabetic characters;
          8. +
          9. if temporary, changed at the first log-on;
        18. -
        19. XXX XXXXX XXXXXXXXXX XXXX’X XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX;
        20. -
        21. XXXXXX XXXXXX XXXXXXXXXX XX XXXXXXXXX XXXX XXXXXXXXX XXX XXXX XX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XX XXXXXXXXX XXX-XX XXXXXXXXXX XXX XXX XXXXXX;
        22. -
        23. XXX XXX XXX XXXX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XXX XXXXXXXX XXX XXX-XXXXXXXX XXXXXXXX.
        24. +
        25. not share individual user’s secret authentication information;
        26. +
        27. ensure proper protection of passwords when passwords are used as secret authentication information in automated log-on procedures and are stored;
        28. +
        29. not use the same secret authentication information for business and non-business purposes.
        -

        XXXXXXXXX XX XXXXXX XXXX XX (XXX) XX XXXXX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXX XXXXXXX XXX XXXXXX XX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XXXX XXXXX XXX XXXXXXXX XX XXXXXXX XXX XXXX XXX XXXXXXXX XXX XXXXXXXXXXXXX XX XXXX XXXXXXX. XXXXXXX, XXXXX XXXXX XXX XXXX XXXXXXXX XXX XXXXXX XX XXXXXXXXXX XX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX.

        +

        Provision of Single Sign On (SSO) or other secret authentication information management tools reduces the amount of secret authentication information that users are required to protect and thus can increase the effectiveness of this control. However, these tools can also increase the impact of disclosure of secret authentication information.

        @@ -905,24 +903,24 @@ System and application access control 9.4 -

        XX XXXXXXX XXXXXXXXXXXX XXXXXX XX XXXXXXX XXX XXXXXXXXXXXX.

        +

        Objective: To prevent unauthorized access to systems and applications.

        Information access restriction 9.4.1 -

        XXXXXX XX XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXX XXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXXXXX XXXX XXX XXXXXX XXXXXXX XXXXXX.

        +

        Access to information and application system functions should be restricted in accordance with the access control policy.

        -

        XXXXXXXXXXXX XX XXXXXX XXXXXX XX XXXXX XX XXXXXXXXXX XXXXXXXX XXXXXXXXXXX XXXXXXXXXXXX XXX XX XXXXXXXXXX XXXX XXX XXXXXXX XXXXXX XXXXXXX XXXXXX.

        -

        XXX XXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXX XX XXXXXXX XXXXXX XXXXXXXXXXX XXXXXXXXXXXX:

        +

        Restrictions to access should be based on individual business application requirements and in accordance with the defined access control policy.

        +

        The following should be considered in order to support access restriction requirements:

          -
        1. XXXXXXXXX XXXXX XX XXXXXXX XXXXXX XX XXXXXXXXXXX XXXXXX XXXXXXXXX;
        2. -
        3. XXXXXXXXXXX XXXXX XXXX XXX XX XXXXXXXX XX X XXXXXXXXXX XXXX;
        4. -
        5. XXXXXXXXXXX XXX XXXXXX XXXXXX XX XXXXX, X.X. XXXX, XXXXX, XXXXXX XXX XXXXXXX;
        6. -
        7. XXXXXXXXXXX XXX XXXXXX XXXXXX XX XXXXX XXXXXXXXXXXX;
        8. -
        9. XXXXXXXX XXX XXXXXXXXXXX XXXXXXXXX XX XXXXXXX;
        10. -
        11. XXXXXXXXX XXXXXXXX XX XXXXXXX XXXXXX XXXXXXXX XXX XXX XXXXXXXXX XX XXXXXXXXX XXXXXXXXXXXX, XXXXXXXXXXX XXXX, XX XXXXXXX.
        12. +
        13. providing menus to control access to application system functions;
        14. +
        15. controlling which data can be accessed by a particular user;
        16. +
        17. controlling the access rights of users, e.g. read, write, delete and execute;
        18. +
        19. controlling the access rights of other applications;
        20. +
        21. limiting the information contained in outputs;
        22. +
        23. providing physical or logical access controls for the isolation of sensitive applications, application data, or systems.
        @@ -930,102 +928,102 @@ Secure log-on procedures 9.4.2 -

        XXXXX XXXXXXXX XX XXX XXXXXX XXXXXXX XXXXXX, XXXXXX XX XXXXXXX XXX XXXXXXXXXXXX XXXXXX XX XXXXXXXXXX XX X XXXXXX XXX-XX XXXXXXXXX.

        +

        Where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure.

        -

        X XXXXXXXX XXXXXXXXXXXXXX XXXXXXXXX XXXXXX XX XXXXXX XX XXXXXXXXXXXX XXX XXXXXXX XXXXXXXX XX X XXXX.

        -

        XXXXX XXXXXX XXXXXXXXXXXXXX XXX XXXXXXXX XXXXXXXXXXXX XX XXXXXXXX, XXXXXXXXXXXXXX XXXXXXX XXXXXXXXXXX XX XXXXXXXXX, XXXX XX XXXXXXXXXXXXX XXXXX, XXXXX XXXXX, XXXXXX XX XXXXXXXXX XXXXX, XXXXXX XX XXXX.

        -

        XXX XXXXXXXXX XXX XXXXXXX XXXX X XXXXXX XX XXXXXXXXXXX XXXXXX XX XXXXXXXX XX XXXXXXXX XXX XXXXXXXXXXX XXX XXXXXXXXXXXX XXXXXX. XXX XXX-XX XXXXXXXXX XXXXXX XXXXXXXXX XXXXXXXX XXX XXXXXXX XX XXXXXXXXXXX XXXXX XXX XXXXXX XX XXXXXXXXXXX, XX XXXXX XX XXXXX XXXXXXXXX XX XXXXXXXXXXXX XXXX XXXX XXX XXXXXXXXXXX XXXXXXXXXX. X XXXX XXX-XX XXXXXXXXX XXXXXX:

        +

        A suitable authentication technique should be chosen to substantiate the claimed identity of a user.

        +

        Where strong authentication and identity verification is required, authentication methods alternative to passwords, such as cryptographic means, smart cards, tokens or biometric means, should be used.

        +

        The procedure for logging into a system or application should be designed to minimize the opportunity for unauthorized access. The log-on procedure should therefore disclose the minimum of information about the system or application, in order to avoid providing an unauthorized user with any unnecessary assistance. A good log-on procedure should:

          -
        1. XXX XXXXXXX XXXXXX XX XXXXXXXXXXX XXXXXXXXXXX XXXXX XXX XXX-XX XXXXXXX XXX XXXX XXXXXXXXXXXX XXXXXXXXX;
        2. -
        3. XXXXXXX X XXXXXXX XXXXXX XXXXXXX XXXX XXX XXXXXXXX XXXXXX XXXX XX XXXXXXXX XX XXXXXXXXXX XXXXX;
        4. -
        5. XXX XXXXXXX XXXX XXXXXXXX XXXXXX XXX XXX-XX XXXXXXXXX XXXX XXXXX XXX XX XXXXXXXXXXXX XXXX;
        6. -
        7. XXXXXXXX XXX XXX-XX XXXXXXXXXXX XXXX XX XXXXXXXXXX XX XXX XXXXX XXXX. XX XX XXXXX XXXXXXXXX XXXXXX, XXX XXXXXX XXXXXX XXX XXXXXXXX XXXXX XXXX XX XXX XXXX XX XXXXXXX XX XXXXXXXXX;
        8. -
        9. XXXXXXX XXXXXXX XXXXX XXXXX XXX-XX XXXXXXXX;
        10. -
        11. XXX XXXXXXXXXXXX XXX XXXXXXXXXX XXXXXXXX;
        12. -
        13. XXXXX X XXXXXXXX XXXXX XX X XXXXXXXXX XXXXXXXXX XX XXXXXXXXXX XXXXXX XX XXX-XX XXXXXXXX XX XXXXXXXX;
        14. -
        15. XXXXXXX XXX XXXXXXXXX XXXXXXXXXXX XX XXXXXXXXXX XX X XXXXXXXXXX XXX-XX:
            -
          1. XXXX XXX XXXX XX XXX XXXXXXXX XXXXXXXXXX XXX-XX;
          2. -
          3. XXXXXXX XX XXX XXXXXXXXXXXX XXX-XX XXXXXXXX XXXXX XXX XXXX XXXXXXXXXX XXX-XX;
          4. +
          5. not display system or application identifiers until the log-on process has been successfully completed;
          6. +
          7. display a general notice warning that the computer should only be accessed by authorized users;
          8. +
          9. not provide help messages during the log-on procedure that would aid an unauthorized user;
          10. +
          11. validate the log-on information only on completion of all input data. If an error condition arises, the system should not indicate which part of the data is correct or incorrect;
          12. +
          13. protect against brute force log-on attempts;
          14. +
          15. log unsuccessful and successful attempts;
          16. +
          17. raise a security event if a potential attempted or successful breach of log-on controls is detected;
          18. +
          19. display the following information on completion of a successful log-on:
              +
            1. date and time of the previous successful log-on;
            2. +
            3. details of any unsuccessful log-on attempts since the last successful log-on;
          20. -
          21. XXX XXXXXXX X XXXXXXXX XXXXX XXXXXXX;
          22. -
          23. XXX XXXXXXXX XXXXXXXXX XX XXXXX XXXX XXXX X XXXXXXX;
          24. -
          25. XXXXXXXXX XXXXXXXX XXXXXXXX XXXXX X XXXXXXX XXXXXX XX XXXXXXXXXX, XXXXXXXXXX XX XXXX XXXX XXXXXXXXX XXXX XX XXXXXX XX XXXXXXXX XXXXX XXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXX XXXXXXXXXX XX XX XXXXXX XXXXXXX;
          26. -
          27. XXXXXXXX XXXXXXXXXX XXXXX XX XXXXXXX XXXXXXXXXX XXXXXXXX XXX XXXX-XXXX XXXXXXXXXXXX XXX XXXXXX XXX XXXXXX XX XXXXXXXXXXX XXX XXXXXXXXXXXX XXXXXX.
          28. +
          29. not display a password being entered;
          30. +
          31. not transmit passwords in clear text over a network;
          32. +
          33. terminate inactive sessions after a defined period of inactivity, especially in high risk locations such as public or external areas outside the organization’s security management or on mobile devices;
          34. +
          35. restrict connection times to provide additional security for high-risk applications and reduce the window of opportunity for unauthorized access.
          -

          XXXXXXXXX XXX X XXXXXX XXX XX XXXXXXX XXXXXXXXXXXXXX XXX XXXXXXXXXXXXXX XXXXX XX X XXXXXX XXXX XXXX XXX XXXX XXXXX. XXX XXXX XXX XXXX XX XXXXXXXX XXXX XXXXXXXXXXXXX XXXXX XXX XXXXXXXXXXXXXX XXXXXXXXX. XXX XXXXXXXX XX XXXX XXXXXXXXXXXXXX XXXXXX XX XXXXXXXXXXX XXX XXX XXXXXXXXXXXXXX XX XXX XXXXXXXXXXX XX XX XXXXXXXX.

          -

          XX XXXXXXXXX XXX XXXXXXXXXXX XX XXXXX XXXX XXXXXX XXX XXX-XX XXXXXXX XXXX X XXXXXXX, XXXX XXX XX XXXXXXXX XX X XXXXXXX ”XXXXXXX” XXXXXXX.

          +

          Passwords are a common way to provide identification and authentication based on a secret that only the user knows. The same can also be achieved with cryptographic means and authentication protocols. The strength of user authentication should be appropriate for the classification of the information to be accessed.

          +

          If passwords are transmitted in clear text during the log-on session over a network, they can be captured by a network ”sniffer” program.

          Password management system 9.4.3 -

          XXXXXXXX XXXXXXXXXX XXXXXXX XXXXXX XX XXXXXXXXXXX XXX XXXXXX XXXXXX XXXXXXX XXXXXXXXX.

          +

          Password management systems should be interactive and should ensure quality passwords.

          -

          X XXXXXXXX XXXXXXXXXX XXXXXX XXXXXX:

          +

          A password management system should:

            -
          1. XXXXXXX XXX XXX XX XXXXXXXXXX XXXX XXX XXX XXXXXXXXX XX XXXXXXXX XXXXXXXXXXXXXX;
          2. -
          3. XXXXX XXXXX XX XXXXXX XXX XXXXXX XXXXX XXX XXXXXXXXX XXX XXXXXXX X XXXXXXXXXXXX XXXXXXXXX XX XXXXX XXX XXXXX XXXXXX;
          4. -
          5. XXXXXXX X XXXXXX XX XXXXXXX XXXXXXXXX;
          6. -
          7. XXXXX XXXXX XX XXXXXX XXXXX XXXXXXXXX XX XXX XXXXX XXX-XX;
          8. -
          9. XXXXXXX XXXXXXX XXXXXXXX XXXXXXX XXX XX XXXXXX;
          10. -
          11. XXXXXXXX X XXXXXX XX XXXXXXXXXX XXXX XXXXXXXXX XXX XXXXXXX XX-XXX;
          12. -
          13. XXX XXXXXXX XXXXXXXXX XX XXX XXXXXX XXXX XXXXX XXXXXXX;
          14. -
          15. XXXXX XXXXXXXX XXXXX XXXXXXXXXX XXXX XXXXXXXXXXX XXXXXX XXXX;
          16. -
          17. XXXXX XXX XXXXXXXX XXXXXXXXX XX XXXXXXXXX XXXX.
          18. +
          19. enforce the use of individual user IDs and passwords to maintain accountability;
          20. +
          21. allow users to select and change their own passwords and include a confirmation procedure to allow for input errors;
          22. +
          23. enforce a choice of quality passwords;
          24. +
          25. force users to change their passwords at the first log-on;
          26. +
          27. enforce regular password changes and as needed;
          28. +
          29. maintain a record of previously used passwords and prevent re-use;
          30. +
          31. not display passwords on the screen when being entered;
          32. +
          33. store password files separately from application system data;
          34. +
          35. store and transmit passwords in protected form.
          -

          XXXX XXXXXXXXXXXX XXXXXXX XXXX XXXXXXXXX XX XX XXXXXXXX XX XX XXXXXXXXXXX XXXXXXXXX; XX XXXX XXXXX, XXXXXX X), X) XXX X) XX XXX XXXXX XXXXXXXX XX XXX XXXXX. XX XXXX XXXXX XXX XXXXXXXXX XXX XXXXXXXX XXX XXXXXXXXXX XX XXXXX.

          +

          Some applications require user passwords to be assigned by an independent authority; in such cases, points b), d) and e) of the above guidance do not apply. In most cases the passwords are selected and maintained by users.

          Use of privileged utility programs 9.4.4 -

          XXX XXX XX XXXXXXX XXXXXXXX XXXX XXXXX XX XXXXXXX XX XXXXXXXXXX XXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXX XXXXXXXXXX.

          +

          The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled.

          -

          XXX XXXXXXXXX XXXXXXXXXX XXX XXX XXX XX XXXXXXX XXXXXXXX XXXX XXXXX XX XXXXXXX XX XXXXXXXXXX XXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXX:

          +

          The following guidelines for the use of utility programs that might be capable of overriding system and application controls should be considered:

            -
          1. XXX XX XXXXXXXXXXXXXX, XXXXXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXX XXXXXXX XXXXXXXX;
          2. -
          3. XXXXXXXXXXX XX XXXXXXX XXXXXXXX XXXX XXXXXXXXXXXX XXXXXXXX;
          4. -
          5. XXXXXXXXXX XX XXX XXX XX XXXXXXX XXXXXXXX XX XXX XXXXXXX XXXXXXXXX XXXXXX XX XXXXXXX, XXXXXXXXXX XXXXX (XXX 9.2.3);
          6. -
          7. XXXXXXXXXXXXX XXX XX XXX XXX XX XXXXXXX XXXXXXXX;
          8. -
          9. XXXXXXXXXX XX XXX XXXXXXXXXXXX XX XXXXXXX XXXXXXXX, X.X. XXX XXX XXXXXXXX XX XX XXXXXXXXXX XXXXXX;
          10. -
          11. XXXXXXX XX XXX XXX XX XXXXXXX XXXXXXXX;
          12. -
          13. XXXXXXXX XXX XXXXXXXXXXX XX XXXXXXXXXXXXX XXXXXX XXX XXXXXXX XXXXXXXX;
          14. -
          15. XXXXXXX XX XXXXXXXXX XX XXX XXXXXXXXXXX XXXXXXX XXXXXXXX;
          16. -
          17. XXX XXXXXX XXXXXXX XXXXXXXX XXXXXXXXX XX XXXXX XXX XXXX XXXXXX XX XXXXXXXXXXXX XX XXXXXXX XXXXX XXXXXXXXXXX XX XXXXXX XX XXXXXXXX.
          18. +
          19. use of identification, authentication and authorization procedures for utility programs;
          20. +
          21. segregation of utility programs from applications software;
          22. +
          23. limitation of the use of utility programs to the minimum practical number of trusted, authorized users (see 9.2.3);
          24. +
          25. authorization for ad hoc use of utility programs;
          26. +
          27. limitation of the availability of utility programs, e.g. for the duration of an authorized change;
          28. +
          29. logging of all use of utility programs;
          30. +
          31. defining and documenting of authorization levels for utility programs;
          32. +
          33. removal or disabling of all unnecessary utility programs;
          34. +
          35. not making utility programs available to users who have access to applications on systems where segregation of duties is required.
          -

          XXXX XXXXXXXX XXXXXXXXXXXXX XXXX XXX XX XXXX XXXXXXX XXXXXXXX XXXX XXXXX XX XXXXXXX XX XXXXXXXXXX XXXXXX XXX XXXXXXXXXXX XXXXXXXX.

          +

          Most computer installations have one or more utility programs that might be capable of overriding system and application controls.

          Access control to program source code 9.4.5 -

          XXXXXX XX XXXXXXX XXXXXX XXXX XXXXXX XX XXXXXXXXXX.

          +

          Access to program source code should be restricted.

          -

          XXXXXX XX XXXXXXX XXXXXX XXXX XXX XXXXXXXXXX XXXXX (XXXX XX XXXXXXX, XXXXXXXXXXXXXX, XXXXXXXXXXXX XXXXX XXX XXXXXXXXXX XXXXX) XXXXXX XX XXXXXXXX XXXXXXXXXX, XX XXXXX XX XXXXXXX XXX XXXXXXXXXXXX XX XXXXXXXXXXXX XXXXXXXXXXXXX XXX XX XXXXX XXXXXXXXXXXXX XXXXXXX XX XXXX XX XX XXXXXXXX XXX XXXXXXXXXXXXXXX XX XXXXXXXX XXXXXXXXXXXX XXXXXXXX. XXX XXXXXXX XXXXXX XXXX, XXXX XXX XX XXXXXXXX XX XXXXXXXXXX XXXXXXX XXXXXXX XX XXXX XXXX, XXXXXXXXXX XX XXXXXXX XXXXXX XXXXXXXXX. XXX XXXXXXXXX XXXXXXXXXX XXXXXX XXXX XX XXXXXXXXXX XX XXXXXXX XXXXXX XX XXXX XXXXXXX XXXXXX XXXXXXXXX XX XXXXX XX XXXXXX XXX XXXXXXXXX XXX XXXXXXXXXX XX XXXXXXXX XXXXXXXX:

          +

          Access to program source code and associated items (such as designs, specifications, verification plans and validation plans) should be strictly controlled, in order to prevent the introduction of unauthorized functionality and to avoid unintentional changes as well as to maintain the confidentiality of valuable intellectual property. For program source code, this can be achieved by controlled central storage of such code, preferably in program source libraries. The following guidelines should then be considered to control access to such program source libraries in order to reduce the potential for corruption of computer programs:

            -
          1. XXXXX XXXXXXXX, XXXXXXX XXXXXX XXXXXXXXX XXXXXX XXX XX XXXX XX XXXXXXXXXXX XXXXXXX;
          2. -
          3. XXX XXXXXXX XXXXXX XXXX XXX XXX XXXXXXX XXXXXX XXXXXXXXX XXXXXX XX XXXXXXX XXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXX;
          4. -
          5. XXXXXXX XXXXXXXXX XXXXXX XXX XXXX XXXXXXXXXXXX XXXXXX XX XXXXXXX XXXXXX XXXXXXXXX;
          6. -
          7. XXX XXXXXXXX XX XXXXXXX XXXXXX XXXXXXXXX XXX XXXXXXXXXX XXXXX XXX XXX XXXXXXX XX XXXXXXX XXXXXXX XX XXXXXXXXXXX XXXXXX XXXX XX XXXXXXXXX XXXXX XXXXXXXXXXX XXXXXXXXXXXXX XXX XXXX XXXXXXXX;
          8. -
          9. XXXXXXX XXXXXXXX XXXXXX XX XXXX XX X XXXXXX XXXXXXXXXXX;
          10. -
          11. XX XXXXX XXX XXXXXX XX XXXXXXXXXX XX XXX XXXXXXXX XX XXXXXXX XXXXXX XXXXXXXXX;
          12. -
          13. XXXXXXXXXXX XXX XXXXXXX XX XXXXXXX XXXXXX XXXXXXXXX XXXXXX XX XXXXXXX XX XXXXXX XXXXXX XXXXXXX XXXXXXXXXX (XXX 14.2.2).
          14. +
          15. where possible, program source libraries should not be held in operational systems;
          16. +
          17. the program source code and the program source libraries should be managed according to established procedures;
          18. +
          19. support personnel should not have unrestricted access to program source libraries;
          20. +
          21. the updating of program source libraries and associated items and the issuing of program sources to programmers should only be performed after appropriate authorization has been received;
          22. +
          23. program listings should be held in a secure environment;
          24. +
          25. an audit log should be maintained of all accesses to program source libraries;
          26. +
          27. maintenance and copying of program source libraries should be subject to strict change control procedures (see 14.2.2).
          -

          XX XXX XXXXXXX XXXXXX XXXX XX XXXXXXXX XX XX XXXXXXXXX, XXXXXXXXXX XXXXXXXX XX XXXX XXXXXXX XXXXXXXXX XX XXX XXXXXXXXX (X.X. XXXXXXX XXXXXXXXX) XXXXXX XX XXXXXXXXXX.

          +

          If the program source code is intended to be published, additional controls to help getting assurance on its integrity (e.g. digital signature) should be considered.

          @@ -1037,75 +1035,75 @@ Cryptographic controls 10.1 -

          XX XXXXXX XXXXXX XXX XXXXXXXXX XXX XX XXXXXXXXXXXX XX XXXXXXX XXX XXXXXXXXXXXXXXX, XXXXXXXXXXXX XXX/XX XXXXXXXXX XX XXXXXXXXXXX.

          +

          Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

          Policy on the use of cryptographic controls 10.1.1 -

          X XXXXXX XX XXX XXX XX XXXXXXXXXXXXX XXXXXXXX XXX XXXXXXXXXX XX XXXXXXXXXXX XXXXXX XX XXXXXXXXX XXX XXXXXXXXXXX.

          +

          A policy on the use of cryptographic controls for protection of information should be developed and implemented.

          -

          XXXX XXXXXXXXXX X XXXXXXXXXXXXX XXXXXX XXX XXXXXXXXX XXXXXX XX XXXXXXXXXX:

          +

          When developing a cryptographic policy the following should be considered:

            -
          1. XXX XXXXXXXXXX XXXXXXXX XXXXXXX XXX XXX XX XXXXXXXXXXXXX XXXXXXXX XXXXXX XXX XXXXXXXXXXXX, XXXXXXXXX XXX XXXXXXX XXXXXXXXXX XXXXX XXXXX XXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXX;
          2. -
          3. XXXXX XX X XXXX XXXXXXXXXX, XXX XXXXXXXX XXXXX XX XXXXXXXXXX XXXXXX XX XXXXXXXXXX XXXXXX XXXX XXXXXXX XXX XXXX, XXXXXXXX XXX XXXXXXX XX XXX XXXXXXXXXX XXXXXXXXX XXXXXXXX;
          4. -
          5. XXX XXX XX XXXXXXXXXX XXX XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXXX XX XXXXXX XX XXXXXXXXX XXXXX XXXXXXX XX XXXXXX XXXXXXXXXXXXX XXXXX;
          6. -
          7. XXX XXXXXXXX XX XXX XXXXXXXXXX, XXXXXXXXX XXXXXXX XX XXXX XXXX XXX XXXXXXXXXX XX XXXXXXXXXXXXX XXXX XXX XXX XXXXXXXX XX XXXXXXXXX XXXXXXXXXXX XX XXX XXXX XX XXXX, XXXXXXXXXXX XX XXXXXXX XXXX;
          8. -
          9. XXXXX XXX XXXXXXXXXXXXXXXX, X.X. XXX XX XXXXXXXXXXX XXX:
              -
            1. XXX XXXXXXXXXXXXXX XX XXX XXXXXX;
            2. -
            3. XXX XXX XXXXXXXXXX, XXXXXXXXX XXX XXXXXXXXXX (XXX 10.1.2);
            4. +
            5. the management approach towards the use of cryptographic controls across the organization, including the general principles under which business information should be protected;
            6. +
            7. based on a risk assessment, the required level of protection should be identified taking into account the type, strength and quality of the encryption algorithm required;
            8. +
            9. the use of encryption for protection of information transported by mobile or removable media devices or across communication lines;
            10. +
            11. the approach to key management, including methods to deal with the protection of cryptographic keys and the recovery of encrypted information in the case of lost, compromised or damaged keys;
            12. +
            13. roles and responsibilities, e.g. who is responsible for:
                +
              1. the implementation of the policy;
              2. +
              3. the key management, including key generation (see 10.1.2);
            14. -
            15. XXX XXXXXXXXX XX XX XXXXXXX XXX XXXXXXXXX XXXXXXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXXXX (XXXXX XXXXXXXX XX XXXX XXX XXXXX XXXXXXXX XXXXXXXXX);
            16. -
            17. XXX XXXXXX XX XXXXX XXXXXXXXX XXXXXXXXXXX XX XXXXXXXX XXXX XXXX XXXX XXXXXXX XXXXXXXXXX (X.X. XXXXXXX XXXXXXXXX).
            18. +
            19. the standards to be adopted for effective implementation throughout the organization (which solution is used for which business processes);
            20. +
            21. the impact of using encrypted information on controls that rely upon content inspection (e.g. malware detection).
            -

            XXXX XXXXXXXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXXXXXXX XXXXXX, XXXXXXXXXXXXX XXXXXX XX XXXXX XX XXX XXXXXXXXXXX XXX XXXXXXXX XXXXXXXXXXXX XXXX XXXXX XXXXX XX XXX XXX XX XXXXXXXXXXXXX XXXXXXXXXX XX XXXXXXXXX XXXXX XX XXX XXXXX XXX XX XXX XXXXXX XX XXXXX-XXXXXX XXXX XX XXXXXXXXX XXXXXXXXXXX (XXX 18.1.5).

            -

            XXXXXXXXXXXXX XXXXXXXX XXX XX XXXX XX XXXXXXX XXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX, X.X.:

            +

            When implementing the organization’s cryptographic policy, consideration should be given to the regulations and national restrictions that might apply to the use of cryptographic techniques in different parts of the world and to the issues of trans-border flow of encrypted information (see 18.1.5).

            +

            Cryptographic controls can be used to achieve different information security objectives, e.g.:

              -
            1. XXXXXXXXXXXXXXX: XXXXX XXXXXXXXXX XX XXXXXXXXXXX XX XXXXXXX XXXXXXXXX XX XXXXXXXX XXXXXXXXXXX, XXXXXX XXXXXX XX XXXXXXXXXXX;
            2. -
            3. : XXXXX XXXXXXX XXXXXXXXXX XX XXXXXXX XXXXXXXXXXXXXX XXXXX XX XXXXXX XXX XXXXXXXXXXXX XX XXXXXXXXX XX XXXXXX XX XXXXXXXXXXX XXXXXXXXX XX XXXXXXXX XXXXXXXXXXX;
            4. -
            5. XXX-XXXXXXXXXXX: XXXXX XXXXXXXXXXXXX XXXXXXXXXX XX XXXXXXX XXXXXXXX XX XXX XXXXXXXXXX XX XXX-XXXXXXXXXX XX XX XXXXX XX XXXXXX;
            6. -
            7. XXXXXXXXXXXXXX: XXXXX XXXXXXXXXXXXX XXXXXXXXXX XX XXXXXXXXXXXX XXXXX XXX XXXXX XXXXXX XXXXXXXX XXXXXXXXXX XXXXXX XX XX XXXXXXXXXXX XXXX XXXXXX XXXXX, XXXXXXXX XXX XXXXXXXXX.
            8. +
            9. confidentiality: using encryption of information to protect sensitive or critical information, either stored or transmitted;
            10. +
            11. : using digital signatures or message authentication codes to verify the authenticity or integrity of stored or transmitted sensitive or critical information;
            12. +
            13. non-repudiation: using cryptographic techniques to provide evidence of the occurrence or non-occurrence of an event or action;
            14. +
            15. authentication: using cryptographic techniques to authenticate users and other system entities requesting access to or transacting with system users, entities and resources.
            -

            XXXXXX X XXXXXXXX XX XX XXXXXXX X XXXXXXXXXXXXX XXXXXXXX XX XXXXXXXXXXX XXXXXX XX XXXX XX XXXX XX XXX XXXXX XXXXXXX XX XXXX XXXXXXXXXX XXX XXXXXXXXX XX XXXXXXXX. XXXX XXXXXXXXXX XXX XXXX XX XXXX XX XXXXXXXXX XXXXXXX X XXXXXXXXXXXXX XXXXXXX XX XXXXXXXXXXX, XXXX XXXX XX XXXXXXX XXXXXX XX XXXXXXX XXX XXX XXXX XXXXXXX XXX XXXXXXXX XXXXXXXXX.

            -

            X XXXXXX XX XXX XXX XX XXXXXXXXXXXXX XXXXXXXX XX XXXXXXXXX XX XXXXXXXX XXX XXXXXXXX XXX XXXXXXXX XXX XXXXX XX XXXXX XXXXXXXXXXXXX XXXXXXXXXX XXX XX XXXXX XXXXXXXXXXXXX XX XXXXXXXXX XXX.

            -

            XXXXXXXXXX XXXXXX XXXXXX XX XXXXXX XX XXXXXXXXX XXXXXXXXXXX XXXXXXXXXXXXX XXXXXXXX XX XXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXX XXXXXXXXXX.

            +

            Making a decision as to whether a cryptographic solution is appropriate should be seen as part of the wider process of risk assessment and selection of controls. This assessment can then be used to determine whether a cryptographic control is appropriate, what type of control should be applied and for what purpose and business processes.

            +

            A policy on the use of cryptographic controls is necessary to maximize the benefits and minimize the risks of using cryptographic techniques and to avoid inappropriate or incorrect use.

            +

            Specialist advice should be sought in selecting appropriate cryptographic controls to meet the information security policy objectives.

            Key management 10.1.2 -

            X XXXXXX XX XXX XXX, XXXXXXXXXX XXX XXXXXXXX XX XXXXXXXXXXXXX XXXX XXXXXX XX XXXXXXXXX XXX XXXXXXXXXXX XXXXXXX XXXXX XXXXX XXXXXXXXX.

            +

            A policy on the use, protection and lifetime of cryptographic keys should be developed and implemented through their whole lifecycle.

            -

            XXX XXXXXX XXXXXX XXXXXXX XXXXXXXXXXXX XXX XXXXXXXX XXXXXXXXXXXXX XXXX XXXXXX XXXXX XXXXX XXXXXXXXX XXXXXXXXX XXXXXXXXXX, XXXXXXX, XXXXXXXXX, XXXXXXXXXX, XXXXXXXXXXXX, XXXXXXXX XXX XXXXXXXXXX XXXX.

            -

            XXXXXXXXXXXXX XXXXXXXXXX, XXX XXXXXXX XXX XXXXX XXXXXXXXX XXXXXX XX XXXXXXXX XXXXXXXXX XX XXXX XXXXXXXX. XXXXXXXXXXX XXX XXXXXXXXXX XXXXXXXX XXXXXX XXXXXXXXX XXX XXXXXXXXXX, XXXXXXX, XXXXXXXXX, XXXXXXXXXX, XXXXXXXXXXXX, XXXXXXXX XXX XXXXXXXXXX XXXXXXXXXXXXX XXXX.

            -

            XXX XXXXXXXXXXXXX XXXX XXXXXX XX XXXXXXXXX XXXXXXX XXXXXXXXXXXX XXX XXXX. XX XXXXXXXX, XXXXXX XXX XXXXXXX XXXX XXXX XXXXXXXXXX XXXXXXX XXXXXXXXXXXX XXX XX XXXX XX XXXXXXXXXX. XXXXXXXXX XXXX XX XXXXXXXX, XXXXX XXX XXXXXXX XXXX XXXXXX XX XXXXXXXXXX XXXXXXXXX.

            -

            X XXX XXXXXXXXXX XXXXXX XXXXXX XX XXXXX XX XX XXXXXX XXX XX XXXXXXXXX, XXXXXXXXXX XXX XXXXXX XXXXXXX XXX:

            +

            The policy should include requirements for managing cryptographic keys though their whole lifecycle including generating, storing, archiving, retrieving, distributing, retiring and destroying keys.

            +

            Cryptographic algorithms, key lengths and usage practices should be selected according to best practice. Appropriate key management requires secure processes for generating, storing, archiving, retrieving, distributing, retiring and destroying cryptographic keys.

            +

            All cryptographic keys should be protected against modification and loss. In addition, secret and private keys need protection against unauthorized use as well as disclosure. Equipment used to generate, store and archive keys should be physically protected.

            +

            A key management system should be based on an agreed set of standards, procedures and secure methods for:

              -
            1. XXXXXXXXXX XXXX XXX XXXXXXXXX XXXXXXXXXXXXX XXXXXXX XXX XXXXXXXXX XXXXXXXXXXXX;
            2. -
            3. XXXXXXX XXX XXXXXXXXX XXXXXX XXX XXXXXXXXXXXX;
            4. -
            5. XXXXXXXXXXXX XXXX XX XXXXXXXX XXXXXXXX, XXXXXXXXX XXX XXXX XXXXXX XX XXXXXXXXX XXXX XXXXXXXX;
            6. -
            7. XXXXXXX XXXX, XXXXXXXXX XXX XXXXXXXXXX XXXXX XXXXXX XXXXXX XX XXXX;
            8. -
            9. XXXXXXXX XX XXXXXXXX XXXX XXXXXXXXX XXXXX XX XXXX XXXX XXXXXX XX XXXXXXX XXX XXX XXXX XXXX XX XXXX;
            10. -
            11. XXXXXXX XXXX XXXXXXXXXXX XXXX;
            12. -
            13. XXXXXXXX XXXX XXXXXXXXX XXX XXXX XXXXXX XX XXXXXXXXX XX XXXXXXXXXXX, X.X. XXXX XXXX XXXX XXXX XXXXXXXXXXX XX XXXX X XXXX XXXXXX XX XXXXXXXXXXXX (XX XXXXX XXXX XXXX XXXXXX XXXX XX XXXXXXXX);
            14. -
            15. XXXXXXXXXX XXXX XXXX XXX XXXX XX XXXXXXXXX;
            16. -
            17. XXXXXXX XX XX XXXXXXXXX XXXX;
            18. -
            19. XXXXXXXXXX XXXX;
            20. -
            21. XXXXXXX XXX XXXXXXXX XX XXX XXXXXXXXXX XXXXXXX XXXXXXXXXX.
            22. +
            23. generating keys for different cryptographic systems and different applications;
            24. +
            25. issuing and obtaining public key certificates;
            26. +
            27. distributing keys to intended entities, including how keys should be activated when received;
            28. +
            29. storing keys, including how authorized users obtain access to keys;
            30. +
            31. changing or updating keys including rules on when keys should be changed and how this will be done;
            32. +
            33. dealing with compromised keys;
            34. +
            35. revoking keys including how keys should be withdrawn or deactivated, e.g. when keys have been compromised or when a user leaves an organization (in which case keys should also be archived);
            36. +
            37. recovering keys that are lost or corrupted;
            38. +
            39. backing up or archiving keys;
            40. +
            41. destroying keys;
            42. +
            43. logging and auditing of key management related activities.
            -

            XX XXXXX XX XXXXXX XXX XXXXXXXXXX XX XXXXXXXX XXX, XXXXXXXXXX XXX XXXXXXXXXXXX XXXXX XXX XXXX XXXXXX XX XXXXXXX XX XXXX XXX XXXX XXX XXXX XX XXXX XXX XXX XXXXXX XX XXXX XXXXXXX XX XXX XXXXXXXXXX XXX XXXXXXXXXX XXXXXX.

            -

            XX XXXXXXXX XX XXXXXXXX XXXXXXXX XXXXXX XXX XXXXXXX XXXX, XXX XXXXXXXXXXXX XX XXXXXX XXXX XXXXXX XXXX XX XXXXXXXXXX. XXXX XXXXXXXXXXXXXX XXXXXXX XXX XX XXXX XXXXX XXXXXX XXX XXXXXXXXXXXX, XXXXX XXX XXXXXXXX XXXXXX XX X XXXXXXXXXXXXX XXXXXXXXX, XXXXX XXXXXX XX X XXXXXXXXXX XXXXXXXXXXXX XXXX XXXXXXXX XXXXXXXX XXX XXXXXXXXXX XX XXXXX XX XXXXXXX XXX XXXXXXXX XXXXXX XX XXXXX.

            -

            XXX XXXXXXXX XX XXXXXXX XXXXX XXXXXXXXXX XX XXXXXXXXX XXXX XXXXXXXX XXXXXXXXX XX XXXXXXXXXXXXX XXXXXXXX, X.X. XXXX X XXXXXXXXXXXXX XXXXXXXXX, XXXXXX XXXXX XXXXXX XX XXXXXXXXX, XXXXXXXXXXX XX XXXXXXXX XXX XXXXXXXX XXXXX XXX XXX XXXXXXXXX XX XXXXXXXX (XXX 15.2).

            +

            In order to reduce the likelihood of improper use, activation and deactivation dates for keys should be defined so that the keys can only be used for the period of time defined in the associated key management policy.

            +

            In addition to securely managing secret and private keys, the authenticity of public keys should also be considered. This authentication process can be done using public key certificates, which are normally issued by a certification authority, which should be a recognized organization with suitable controls and procedures in place to provide the required degree of trust.

            +

            The contents of service level agreements or contracts with external suppliers of cryptographic services, e.g. with a certification authority, should cover issues of liability, reliability of services and response times for the provision of services (see 15.2).

            -

            XXX XXXXXXXXXX XX XXXXXXXXXXXXX XXXX XX XXXXXXXXX XX XXX XXXXXXXXX XXX XX XXXXXXXXXXXXX XXXXXXXXXX. XXX/XXX XXXXX[2][3][4] XXXXXXXX XXXXXXX XXXXXXXXXXX XX XXX XXXXXXXXXX.

            -

            XXXXXXXXXXXXX XXXXXXXXXX XXX XXXX XX XXXX XX XXXXXXX XXXXXXXXXXXXX XXXX. XXXXXXXXXX XXX XXXX XX XX XXXXXXXXXX XXX XXXXXXXX XXXXX XXXXXXXX XXX XXXXXX XX XXXXXXXXXXXXX XXXX, X.X. XXXXXXXXX XXXXXXXXXXX XXX XX XXXXXXXX XX XX XXXX XXXXXXXXX XX XX XXXXXXXXXXX XXXX XX XXXXXXXX XX X XXXXX XXXX.

            +

            The management of cryptographic keys is essential to the effective use of cryptographic techniques. ISO/IEC 11770[2][3][4] provides further information on key management.

            +

            Cryptographic techniques can also be used to protect cryptographic keys. Procedures may need to be considered for handling legal requests for access to cryptographic keys, e.g. encrypted information can be required to be made available in an unencrypted form as evidence in a court case.

            @@ -1117,47 +1115,47 @@ Secure areas 11.1 -

            XX XXXXXXX XXXXXXXXXXXX XXXXXXXX XXXXXX, XXXXXX XXX XXXXXXXXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX.

            +

            Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.

            Physical security perimeter 11.1.1 -

            XXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXX XXX XXXX XX XXXXXXX XXXXX XXXX XXXXXXX XXXXXX XXXXXXXXX XX XXXXXXXX XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX.

            +

            Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

            -

            XXX XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXXXXXX XXXXX XXXXXXXXXXX XXX XXXXXXXX XXXXXXXX XXXXXXXXXX:

            +

            The following guidelines should be considered and implemented where appropriate for physical security perimeters:

              -
            1. XXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXX, XXX XXX XXXXXX XXX XXXXXXXX XX XXXX XX XXX XXXXXXXXXX XXXXXX XXXXXX XX XXX XXXXXXXX XXXXXXXXXXXX XX XXX XXXXXX XXXXXX XXX XXXXXXXXX XXX XXX XXXXXXX XX X XXXX XXXXXXXXXX;
            2. -
            3. XXXXXXXXXX XX X XXXXXXXX XX XXXX XXXXXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX XXXXX (X.X. XXXXX XXXXXX XX XX XXXX XX XXX XXXXXXXXX XX XXXXX XXXXX X XXXXX-XX XXXXX XXXXXX XXXXX); XXX XXXXXXXX XXXX, XXXXX XXX XXXXXXXX XX XXX XXXX XXXXXX XX XX XXXXX XXXXXXXXXXXX XXX XXX XXXXXXXX XXXXX XXXXXX XX XXXXXXXX XXXXXXXXX XXXXXXX XXXXXXXXXXXX XXXXXX XXXX XXXXXXX XXXXXXXXXX, (X.X. XXXX, XXXXXX, XXXXX); XXXXX XXX XXXXXXX XXXXXX XX XXXXXX XXXX XXXXXXXXXX XXX XXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXX, XXXXXXXXXXXX XX XXXXXX XXXXX;
            4. -
            5. X XXXXXX XXXXXXXXX XXXX XX XXXXX XXXXX XX XXXXXXX XXXXXXXX XXXXXX XX XXX XXXX XX XXXXXXXX XXXXXX XX XX XXXXX; XXXXXX XX XXXXX XXX XXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXXXXX XXXXXXXXX XXXX;
            6. -
            7. XXXXXXXX XXXXXXXX XXXXXX, XXXXX XXXXXXXXXX, XX XXXXX XX XXXXXXX XXXXXXXXXXXX XXXXXXXX XXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXXXXX;
            8. -
            9. XXX XXXX XXXXX XX X XXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXX, XXXXXXXXX XXX XXXXXX XX XXXXXXXXXXX XXXX XXX XXXXX XX XXXXXXXXX XXX XXXXXXXX XXXXX XX XXXXXXXXXX XX XXXXXXXXXX XXXX XXXXXXXX XXXXXXXX, XXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXX; XXXX XXXXXX XXXXXXX XX XXXXXXXXXX XXXX XXX XXXXX XXXX XXXX XX X XXXXXXXX XXXXXX;
            10. -
            11. XXXXXXXX XXXXXXXX XXXXXXXXX XXXXXXX XXXXXX XX XXXXXXXXX XX XXXXXXXX, XXXXXXXX XX XXXXXXXXXXXXX XXXXXXXXX XXX XXXXXXXXX XXXXXX XX XXXXX XXX XXXXXXXX XXXXX XXX XXXXXXXXXX XXXXXXX; XXXXXXXXXX XXXXX XXXXXX XX XXXXXXX XX XXX XXXXX; XXXXX XXXXXX XXXX XX XXXXXXXX XXX XXXXX XXXXX, X.X. XXXXXXXX XXXX XX XXXXXXXXXXXXXX XXXXX;
            12. -
            13. XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXXX XX XXX XXXXXXXXXXXX XXXXXX XX XXXXXXXXXX XXXXXXXXX XXXX XXXXX XXXXXXX XX XXXXXXXX XXXXXXX.
            14. +
            15. security perimeters should be defined, and the siting and strength of each of the perimeters should depend on the security requirements of the assets within the perimeter and the results of a risk assessment;
            16. +
            17. perimeters of a building or site containing information processing facilities should be physically sound (i.e. there should be no gaps in the perimeter or areas where a break-in could easily occur); the exterior roof, walls and flooring of the site should be of solid construction and all external doors should be suitably protected against unauthorized access with control mechanisms, (e.g. bars, alarms, locks); doors and windows should be locked when unattended and external protection should be considered for windows, particularly at ground level;
            18. +
            19. a manned reception area or other means to control physical access to the site or building should be in place; access to sites and buildings should be restricted to authorized personnel only;
            20. +
            21. physical barriers should, where applicable, be built to prevent unauthorized physical access and environmental contamination;
            22. +
            23. all fire doors on a security perimeter should be alarmed, monitored and tested in conjunction with the walls to establish the required level of resistance in accordance with suitable regional, national and international standards; they should operate in accordance with the local fire code in a failsafe manner;
            24. +
            25. suitable intruder detection systems should be installed to national, regional or international standards and regularly tested to cover all external doors and accessible windows; unoccupied areas should be alarmed at all times; cover should also be provided for other areas, e.g. computer room or communications rooms;
            26. +
            27. information processing facilities managed by the organization should be physically separated from those managed by external parties.
            -

            XXXXXXXX XXXXXXXXXX XXX XX XXXXXXXX XX XXXXXXXX XXX XX XXXX XXXXXXXX XXXXXXXX XXXXXX XXX XXXXXXXXXXXX’X XXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX. XXX XXX XX XXXXXXXX XXXXXXXX XXXXX XXXXXXXXXX XXXXXXXXXX, XXXXX XXX XXXXXXX XX X XXXXXX XXXXXXX XXXX XXX XXXX XXXX XXXXXXXX XX XXXXXXXXXXX XXXXXXXXXXX.

            -

            X XXXXXX XXXX XXX XX X XXXXXXXX XXXXXX XX XXXXXXX XXXXX XXXXXXXXXX XX X XXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXX. XXXXXXXXXX XXXXXXXX XXX XXXXXXXXXX XX XXXXXXX XXXXXXXX XXXXXX XXX XX XXXXXX XXXXXXX XXXXX XXXX XXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXXXXX XXX XXXXXXXX XXXXXXXXX. XXXXXXX XXXXXXXXX XX XXXXXXXX XXXXXX XXXXXXXX XXXXXX XX XXXXX XX XXX XXXX XX XXXXXXXXX XXXXXXX XXXXXX XXX XXXXXXXX XXXXXXXXXXXXX.

            -

            XXX XXXXXXXXXXX XX XXXXXXXX XXXXXXXX, XXXXXXXXXX XXX XXX XXXXXX XXXXX, XXXXXX XX XXXXXXX XX XXX XXXXXXXXX XXX XXXXXXXX XXXXXXXXXXXXX XX XXX XXXXXXXXXXXX, XX XXX XXXXX XX XXX XXXX XXXXXXXXXX.

            +

            Physical protection can be achieved by creating one or more physical barriers around the organization’s premises and information processing facilities. The use of multiple barriers gives additional protection, where the failure of a single barrier does not mean that security is immediately compromised.

            +

            A secure area may be a lockable office or several rooms surrounded by a continuous internal physical security barrier. Additional barriers and perimeters to control physical access may be needed between areas with different security requirements inside the security perimeter. Special attention to physical access security should be given in the case of buildings holding assets for multiple organizations.

            +

            The application of physical controls, especially for the secure areas, should be adapted to the technical and economic circumstances of the organization, as set forth in the risk assessment.

            Physical entry controls 11.1.2 -

            XXXXXX XXXXX XXXXXX XX XXXXXXXXX XX XXXXXXXXXXX XXXXX XXXXXXXX XX XXXXXX XXXX XXXX XXXXXXXXXX XXXXXXXXX XXX XXXXXXX XXXXXX.

            +

            Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

            -

            XXX XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX:

            +

            The following guidelines should be considered:

              -
            1. XXX XXXX XXX XXXX XX XXXXX XXX XXXXXXXXX XX XXXXXXXX XXXXXX XX XXXXXXXX, XXX XXX XXXXXXXX XXXXXX XX XXXXXXXXXX XXXXXX XXXXX XXXXXX XXX XXXX XXXXXXXXXX XXXXXXXX; XXXX XXXXXX XXXX XX XXXXXXX XXXXXX XXX XXXXXXXX, XXXXXXXXXX XXXXXXXX XXX XXXXXX XX XXXXXX XXXX XXXXXXXXXXXX XX XXX XXXXXXXX XXXXXXXXXXXX XX XXX XXXX XXX XX XXXXXXXXX XXXXXXXXXX. XXX XXXXXXXX XX XXXXXXXX XXXXXX XX XXXXXXXXXXXXX XX XX XXXXXXXXXXX XXXXX;
            2. -
            3. XXXXXX XX XXXXX XXXXX XXXXXXXXXXXX XXXXXXXXXXX XX XXXXXXXXX XX XXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXXXXX XXXXXXXXXXX XXXX XX XXXXXXXXXXXX XXXXXXXXXXX XXXXXX XXXXXXXX, X.X. XX XXXXXXXXXXXX X XXX-XXXXXX XXXXXXXXXXXXXX XXXXXXXXX XXXX XX XX XXXXXX XXXX XXX XXXXXX XXX;
            4. -
            5. X XXXXXXXX XXX XXXX XX XXXXXXXXXX XXXXX XXXXX XX XXX XXXXXX XXXXXX XX XXXXXXXX XXXXXXXXXX XXX XXXXXXXXX;
            6. -
            7. XXX XXXXXXXXX, XXXXXXXXXXX XXX XXXXXXXX XXXXXXX XXXXXX XX XXXXXXXX XX XXXX XXXX XXXX XX XXXXXXX XXXXXXXXXXXXXX XXX XXXXXX XXXXXXXXXXX XXXXXX XXXXXXXX XXXXXXXXX XX XXXX XXXXXXXXX XXXXXXXXXX XXXXXXXX XXX XXXXXX XXX XXXXXXX XXXXXXX XXXXXXXXXXXXXX;
            8. -
            9. XXXXXXXX XXXXX XXXXXXX XXXXXXX XXXXXXXXX XXXXXX XX XXXXXXX XXXXXXXXXX XXXXXX XX XXXXXX XXXXX XX XXXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXX XXXX XXXXXXXX; XXXX XXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXXXX;
            10. -
            11. XXXXXX XXXXXX XX XXXXXX XXXXX XXXXXX XX XXXXXXXXX XXXXXXXX XXX XXXXXXX, XXX XXXXXXX XXXX XXXXXXXXX (XXX 9.2.5 XXX 9.2.6).
            12. +
            13. the date and time of entry and departure of visitors should be recorded, and all visitors should be supervised unless their access has been previously approved; they should only be granted access for specific, authorized purposes and should be issued with instructions on the security requirements of the area and on emergency procedures. The identity of visitors should be authenticated by an appropriate means;
            14. +
            15. access to areas where confidential information is processed or stored should be restricted to authorized individuals only by implementing appropriate access controls, e.g. by implementing a two-factor authentication mechanism such as an access card and secret PIN;
            16. +
            17. a physical log book or electronic audit trail of all access should be securely maintained and monitored;
            18. +
            19. all employees, contractors and external parties should be required to wear some form of visible identification and should immediately notify security personnel if they encounter unescorted visitors and anyone not wearing visible identification;
            20. +
            21. external party support service personnel should be granted restricted access to secure areas or confidential information processing facilities only when required; this access should be authorized and monitored;
            22. +
            23. access rights to secure areas should be regularly reviewed and updated, and revoked when necessary (see 9.2.5 and 9.2.6).
            @@ -1165,15 +1163,15 @@ Securing offices, rooms and facilities 11.1.3 -

            XXXXXXXX XXXXXXXX XXX XXXXXXX, XXXXX XXX XXXXXXXXXX XXXXXX XX XXXXXXXX XXX XXXXXXX.

            +

            Physical security for offices, rooms and facilities should be designed and applied.

            -

            XXX XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXX XXXXXXX, XXXXX XXX XXXXXXXXXX:

            +

            The following guidelines should be considered to secure offices, rooms and facilities:

              -
            1. XXX XXXXXXXXXX XXXXXX XX XXXXX XX XXXXX XXXXXX XX XXX XXXXXX;
            2. -
            3. XXXXX XXXXXXXXXX, XXXXXXXXX XXXXXX XX XXXXXXXXXXX XXX XXXX XXXXXXX XXXXXXXXXX XX XXXXX XXXXXXX, XXXX XX XXXXXXX XXXXX, XXXXXXX XX XXXXXX XXX XXXXXXXX, XXXXXXXXXXX XXX XXXXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX;
            4. -
            5. XXXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XX XXXXXXXXXX XXXX XXXXX XXXXXXX XXX XXXXXXX XXXX XXX XXXXXXX. XXXXXXXXXXXXXXX XXXXXXXXX XXXXXX XXXX XX XXXXXXXXXX XX XXXXXXXXXXX;
            6. -
            7. XXXXXXXXXXX XXX XXXXXXXX XXXXXXXXX XXXXX XXXXXXXXXXX XXXXXXXXX XX XXXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXX XXX XX XXXXXXX XXXXXXXXXX XX XXXXXX XXXXXXXXXXXX.
            8. +
            9. key facilities should be sited to avoid access by the public;
            10. +
            11. where applicable, buildings should be unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities;
            12. +
            13. facilities should be configured to prevent confidential information or activities from being visible and audible from the outside. Electromagnetic shielding should also be considered as appropriate;
            14. +
            15. directories and internal telephone books identifying locations of confidential information processing facilities should not be readily accessible to anyone unauthorized.
            @@ -1181,45 +1179,45 @@ Protecting against external and environmental threats 11.1.4 -

            XXXXXXXX XXXXXXXXXX XXXXXXX XXXXXXX XXXXXXXXX, XXXXXXXXX XXXXXX XX XXXXXXXXX XXXXXX XX XXXXXXXX XXX XXXXXXX.

            +

            Physical protection against natural disasters, malicious attack or accidents should be designed and applied.

            -

            XXXXXXXXXX XXXXXX XXXXXX XX XXXXXXXX XX XXX XX XXXXX XXXXXX XXXX XXXX, XXXXX, XXXXXXXXXX, XXXXXXXXX, XXXXX XXXXXX XXX XXXXX XXXXX XX XXXXXXX XX XXX-XXXX XXXXXXXX.

            +

            Specialist advice should be obtained on how to avoid damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster.

            Working in secure areas 11.1.5 -

            XXXXXXXXXX XXX XXXXXXX XX XXXXXX XXXXX XXXXXX XX XXXXXXXX XXX XXXXXXX.

            +

            Procedures for working in secure areas should be designed and applied.

            -

            XXX XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX:

            +

            The following guidelines should be considered:

              -
            1. XXXXXXXXX XXXXXX XXXX XX XXXXX XX XXX XXXXXXXXX XX, XX XXXXXXXXXX XXXXXX, X XXXXXX XXXX XX X XXXX-XX-XXXX XXXXX;
            2. -
            3. XXXXXXXXXXXX XXXXXXX XX XXXXXX XXXXX XXXXXX XX XXXXXXX XXXX XXX XXXXXX XXXXXXX XXX XX XXXXXXX XXXXXXXXXXXXX XXX XXXXXXXXX XXXXXXXXXX;
            4. -
            5. XXXXXX XXXXXX XXXXX XXXXXX XX XXXXXXXXXX XXXXXX XXX XXXXXXXXXXXX XXXXXXXX;
            6. -
            7. XXXXXXXXXXXX, XXXXX, XXXXX XX XXXXX XXXXXXXXX XXXXXXXXX, XXXX XX XXXXXXX XX XXXXXX XXXXXXX, XXXXXX XXX XX XXXXXXX, XXXXXX XXXXXXXXXX.
            8. +
            9. personnel should only be aware of the existence of, or activities within, a secure area on a need-to-know basis;
            10. +
            11. unsupervised working in secure areas should be avoided both for safety reasons and to prevent opportunities for malicious activities;
            12. +
            13. vacant secure areas should be physically locked and periodically reviewed;
            14. +
            15. photographic, video, audio or other recording equipment, such as cameras in mobile devices, should not be allowed, unless authorized.
            -

            XXX XXXXXXXXXXXX XXX XXXXXXX XX XXXXXX XXXXX XXXXXXX XXXXXXXX XXX XXX XXXXXXXXX XXX XXXXXXXX XXXXX XXXXX XXXXXXX XX XXX XXXXXX XXXX XXX XXXX XXXXX XXX XXXXXXXXXX XXXXXX XXXXX XX XXX XXXXXX XXXX.

            +

            The arrangements for working in secure areas include controls for the employees and external party users working in the secure area and they cover all activities taking place in the secure area.

            Delivery and loading areas 11.1.6 -

            XXXXXX XXXXXX XXXX XX XXXXXXXX XXX XXXXXXX XXXXX XXX XXXXX XXXXXX XXXXX XXXXXXXXXXXX XXXXXXX XXXXX XXXXX XXX XXXXXXXX XXXXXX XX XXXXXXXXXX XXX, XX XXXXXXXX, XXXXXXXX XXXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XX XXXXX XXXXXXXXXXXX XXXXXX.

            +

            Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

            -

            XXX XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX:

            +

            The following guidelines should be considered:

              -
            1. XXXXXX XX X XXXXXXXX XXX XXXXXXX XXXX XXXX XXXXXXX XX XXX XXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXX;
            2. -
            3. XXX XXXXXXXX XXX XXXXXXX XXXX XXXXXX XX XXXXXXXX XX XXXX XXXXXXXX XXX XX XXXXXX XXX XXXXXXXX XXXXXXX XXXXXXXX XXXXXXXXX XXXXXXX XXXXXX XX XXXXX XXXXX XX XXX XXXXXXXX;
            4. -
            5. XXX XXXXXXXX XXXXX XX X XXXXXXXX XXX XXXXXXX XXXX XXXXXX XX XXXXXXX XXXX XXX XXXXXXXX XXXXX XXX XXXXXX;
            6. -
            7. XXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXX XXX XXXXXXXX XXX XXXXXXXXXX, XXXXXXXXX XX XXXXX XXXXXXXXX XXXXXXXXX, XXXXXX XX XX XXXXX XXXX X XXXXXXXX XXX XXXXXXX XXXX;
            8. -
            9. XXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXXXXX XXXX XXXXX XXXXXXXXXX XXXXXXXXXX (XXX Clause 8) XX XXXXX XX XXX XXXX;
            10. -
            11. XXXXXXXX XXX XXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXXXXX XXXXXXXXXX, XXXXX XXXXXXXX;
            12. -
            13. XXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXX XXX XXXXXXXX XX XXXXXXXXX XX XXXXX. XX XXXX XXXXXXXXX XX XXXXXXXXXX XX XXXXXX XX XXXXXXXXXXX XXXXXXXX XX XXXXXXXX XXXXXXXXX.
            14. +
            15. access to a delivery and loading area from outside of the building should be restricted to identified and authorized personnel;
            16. +
            17. the delivery and loading area should be designed so that supplies can be loaded and unloaded without delivery personnel gaining access to other parts of the building;
            18. +
            19. the external doors of a delivery and loading area should be secured when the internal doors are opened;
            20. +
            21. incoming material should be inspected and examined for explosives, chemicals or other hazardous materials, before it is moved from a delivery and loading area;
            22. +
            23. incoming material should be registered in accordance with asset management procedures (see Clause 8) on entry to the site;
            24. +
            25. incoming and outgoing shipments should be physically segregated, where possible;
            26. +
            27. incoming material should be inspected for evidence of tampering en route. If such tampering is discovered it should be immediately reported to security personnel.
            @@ -1228,27 +1226,27 @@ Equipment 11.2 -

            XX XXXXXXX XXXX, XXXXXX, XXXXX XX XXXXXXXXXX XX XXXXXX XXX XXXXXXXXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXXXX.

            +

            Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.

            Equipment siting and protection 11.2.1 -

            XXXXXXXXX XXXXXX XX XXXXX XXX XXXXXXXXX XX XXXXXX XXX XXXXX XXXX XXXXXXXXXXXXX XXXXXXX XXX XXXXXXX, XXX XXXXXXXXXXXXX XXX XXXXXXXXXXXX XXXXXX.

            +

            Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

            -

            XXX XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXX XXXXXXXXX:

            +

            The following guidelines should be considered to protect equipment:

              -
            1. XXXXXXXXX XXXXXX XX XXXXX XX XXXXXXXX XXXXXXXXXXX XXXXXX XXXX XXXX XXXXX;
            2. -
            3. XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXXXX XXXXXXXXX XXXX XXXXXX XX XXXXXXXXXX XXXXXXXXX XX XXXXXX XXX XXXX XX XXXXXXXXXXX XXXXX XXXXXX XX XXXXXXXXXXXX XXXXXXX XXXXXX XXXXX XXX;
            4. -
            5. XXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXX XX XXXXX XXXXXXXXXXXX XXXXXX;
            6. -
            7. XXXXX XXXXXXXXX XXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXX XXX XXXXXXX XXXXX XX XXXXXXXXXX XXXXXXXX;
            8. -
            9. XXXXXXXX XXXXXX XX XXXXXXX XX XXXXXXXX XXX XXXX XX XXXXXXXXX XXXXXXXX XXX XXXXXXXXXXXXX XXXXXXX, X.X. XXXXX, XXXX, XXXXXXXXXX, XXXXX, XXXXX (XX XXXXX XXXXXX XXXXXXX), XXXX, XXXXXXXXX, XXXXXXXX XXXXXXX, XXXXXXXXXX XXXXXX XXXXXXXXXXXX, XXXXXXXXXXXXXX XXXXXXXXXXXX, XXXXXXXXXXXXXXX XXXXXXXXX XXX XXXXXXXXX;
            10. -
            11. XXXXXXXXXX XXX XXXXXX, XXXXXXXX XXX XXXXXXX XX XXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXXX;
            12. -
            13. XXXXXXXXXXXXX XXXXXXXXXX, XXXX XX XXXXXXXXXXX XXX XXXXXXXX, XXXXXX XX XXXXXXXXX XXX XXXXXXXXXX XXXXX XXXXX XXXXXXXXX XXXXXX XXX XXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX;
            14. -
            15. XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXX XX XXX XXXXXXXXX XXX XXXXXXXXX XXXXXXXXXX XXXXXXX XXXXXX XX XXXXXX XX XXX XXXXXXXX XXXXX XXX XXXXXXXXXXXXXX XXXXX;
            16. -
            17. XXX XXX XX XXXXXXX XXXXXXXXXX XXXXXXX, XXXX XX XXXXXXXX XXXXXXXXX, XXXXXX XX XXXXXXXXXX XXX XXXXXXXXX XX XXXXXXXXXX XXXXXXXXXXXX;
            18. -
            19. XXXXXXXXX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXX XX XXXXXXXX XXX XXXX XX XXXXXXXXXXX XXXXXXX XXX XX XXXXXXXXXXXXXXX XXXXXXXXX.
            20. +
            21. equipment should be sited to minimize unnecessary access into work areas;
            22. +
            23. information processing facilities handling sensitive data should be positioned carefully to reduce the risk of information being viewed by unauthorized persons during their use;
            24. +
            25. storage facilities should be secured to avoid unauthorized access;
            26. +
            27. items requiring special protection should be safeguarded to reduce the general level of protection required;
            28. +
            29. controls should be adopted to minimize the risk of potential physical and environmental threats, e.g. theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation and vandalism;
            30. +
            31. guidelines for eating, drinking and smoking in proximity to information processing facilities should be established;
            32. +
            33. environmental conditions, such as temperature and humidity, should be monitored for conditions which could adversely affect the operation of information processing facilities;
            34. +
            35. lightning protection should be applied to all buildings and lightning protection filters should be fitted to all incoming power and communications lines;
            36. +
            37. the use of special protection methods, such as keyboard membranes, should be considered for equipment in industrial environments;
            38. +
            39. equipment processing confidential information should be protected to minimize the risk of information leakage due to electromagnetic emanation.
            @@ -1256,39 +1254,39 @@ Supporting utilities 11.2.2 -

            XXXXXXXXX XXXXXX XX XXXXXXXXX XXXX XXXXX XXXXXXXX XXX XXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXX XX XXXXXXXXXX XXXXXXXXX.

            +

            Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.

            -

            XXXXXXXXXX XXXXXXXXX (X.X. XXXXXXXXXXX, XXXXXXXXXXXXXXXXXX, XXXXX XXXXXX, XXX, XXXXXX, XXXXXXXXXXX XXX XXX XXXXXXXXXXXX) XXXXXX:

            +

            Supporting utilities (e.g. electricity, telecommunications, water supply, gas, sewage, ventilation and air conditioning) should:

              -
            1. XXXXXXX XX XXXXXXXXX XXXXXXXXXXXX’X XXXXXXXXXXXXXX XXX XXXXX XXXXX XXXXXXXXXXXX;
            2. -
            3. XX XXXXXXXXX XXXXXXXXX XXX XXXXX XXXXXXXX XX XXXX XXXXXXXX XXXXXX XXX XXXXXXXXXXXX XXXX XXXXX XXXXXXXXXX XXXXXXXXX;
            4. -
            5. XX XXXXXXXXX XXX XXXXXX XXXXXXXXX XX XXXXXX XXXXX XXXXXX XXXXXXXXXXX;
            6. -
            7. XX XXXXXXXXX, XX XXXXXXX XX XXXXXX XXXXXXXXXXXX;
            8. -
            9. XX XXXXXXXXX, XXXX XXXXXXXX XXXXX XXXX XXXXXXX XXXXXXXX XXXXXXX.
            10. +
            11. conform to equipment manufacturer’s specifications and local legal requirements;
            12. +
            13. be appraised regularly for their capacity to meet business growth and interactions with other supporting utilities;
            14. +
            15. be inspected and tested regularly to ensure their proper functioning;
            16. +
            17. if necessary, be alarmed to detect malfunctions;
            18. +
            19. if necessary, have multiple feeds with diverse physical routing.
            -

            XXXXXXXXX XXXXXXXX XXX XXXXXXXXXXXXXX XXXXXX XX XXXXXXXX. XXXXXXXXX XXXXXXXX XXX XXXXXX XX XXX XXX XXXXX, XXXXX, XXX XX XXXXX XXXXXXXXX XXXXXX XX XXXXXXX XXXX XXXXXXXXX XXXXX XX XXXXXXXXX XXXXX.

            +

            Emergency lighting and communications should be provided. Emergency switches and valves to cut off power, water, gas or other utilities should be located near emergency exits or equipment rooms.

            -

            XXXXXXXXXX XXXXXXXXXX XXX XXXXXXX XXXXXXXXXXXX XXX XX XXXXXXXX XX XXXXX XX XXXXXXXX XXXXXX XXXX XXXX XXXX XXX XXXXXXX XXXXXXXX.

            +

            Additional redundancy for network connectivity can be obtained by means of multiple routes from more than one utility provider.

            Cabling security 11.2.3 -

            XXXXX XXX XXXXXXXXXXXXXXXXXX XXXXXXX XXXXXXXX XXXX XX XXXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXX XXXX XXXXXXXXXXXX, XXXXXXXXXXXX XX XXXXXX.

            +

            Power and telecommunications cabling carrying data or supporting information services should be protected from interception, interference or damage.

            -

            XXX XXXXXXXXX XXXXXXXXXX XXX XXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXX:

            +

            The following guidelines for cabling security should be considered:

              -
            1. XXXXX XXX XXXXXXXXXXXXXXXXXX XXXXX XXXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXXX, XXXXX XXXXXXXX, XX XXXXXXX XX XXXXXXXX XXXXXXXXXXX XXXXXXXXXX;
            2. -
            3. XXXXX XXXXXX XXXXXX XX XXXXXXXXXX XXXX XXXXXXXXXXXXXX XXXXXX XX XXXXXXX XXXXXXXXXXXX;
            4. -
            5. XXX XXXXXXXXX XX XXXXXXXX XXXXXXX XXXXXXX XXXXXXXX XX XXXXXXXX XXXXXXX:
                -
              1. XXXXXXXXXXXX XX XXXXXXXX XXXXXXX XXX XXXXXX XXXXX XX XXXXX XX XXXXXXXXXX XXX XXXXXXXXXXX XXXXXX;
              2. -
              3. XXX XX XXXXXXXXXXXXXXX XXXXXXXXX XX XXXXXXX XXX XXXXXX;
              4. -
              5. XXXXXXXXXX XX XXXXXXXXX XXXXXX XXX XXXXXXXX XXXXXXXXXXX XXX XXXXXXXXXXXX XXXXXXX XXXXX XXXXXXXX XX XXX XXXXXX;
              6. -
              7. XXXXXXXXXX XXXXXX XX XXXXX XXXXXX XXX XXXXX XXXXX.
              8. +
              9. power and telecommunications lines into information processing facilities should be underground, where possible, or subject to adequate alternative protection;
              10. +
              11. power cables should be segregated from communications cables to prevent interference;
              12. +
              13. for sensitive or critical systems further controls to consider include:
                  +
                1. installation of armoured conduit and locked rooms or boxes at inspection and termination points;
                2. +
                3. use of electromagnetic shielding to protect the cables;
                4. +
                5. initiation of technical sweeps and physical inspections for unauthorized devices being attached to the cables;
                6. +
                7. controlled access to patch panels and cable rooms.
              @@ -1298,17 +1296,17 @@ Equipment maintenance 11.2.4 -

              XXXXXXXXX XXXXXX XX XXXXXXXXX XXXXXXXXXX XX XXXXXX XXX XXXXXXXXX XXXXXXXXXXXX XXX XXXXXXXXX.

              +

              Equipment should be correctly maintained to ensure its continued availability and integrity.

              -

              XXX XXXXXXXXX XXXXXXXXXX XXX XXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXXX:

              +

              The following guidelines for equipment maintenance should be considered:

                -
              1. XXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXXXXX XXXX XXX XXXXXXXX’X XXXXXXXXXXX XXXXXXX XXXXXXXXX XXX XXXXXXXXXXXXXX;
              2. -
              3. XXXX XXXXXXXXXX XXXXXXXXXXX XXXXXXXXX XXXXXX XXXXX XXX XXXXXXX XXX XXXXXXX XXXXXXXXX;
              4. -
              5. XXXXXXX XXXXXX XX XXXX XX XXX XXXXXXXXX XX XXXXXX XXXXXX, XXX XX XXX XXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXXXX;
              6. -
              7. XXXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXXX XXXX XXXXXXXXX XX XXXXXXXXX XXX XXXXXXXXXXX, XXXXXX XXXX XXXXXXX XXXXXXX XXXX XXXXXXXXXXX XX XXXXXXXXX XX XXXXXXXXX XX XXXX XX XXXXXXXX XX XXX XXXXXXXXXXXX; XXXXX XXXXXXXXX, XXXXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXX XXXX XXX XXXXXXXXX XX XXX XXXXXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXXXXXXX XXXXXXX;
              8. -
              9. XXX XXXXXXXXXXX XXXXXXXXXXXX XXXXXXX XX XXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXX XXXX;
              10. -
              11. XXXXXX XXXXXXX XXXXXXXXX XXXX XXXX XXXXXXXXX XXXXX XXX XXXXXXXXXXX, XX XXXXXX XX XXXXXXXXX XX XXXXXX XXXX XXX XXXXXXXXX XXX XXX XXXX XXXXXXXX XXXX XXX XXXX XXX XXXXXXXXXXX.
              12. +
              13. equipment should be maintained in accordance with the supplier’s recommended service intervals and specifications;
              14. +
              15. only authorized maintenance personnel should carry out repairs and service equipment;
              16. +
              17. records should be kept of all suspected or actual faults, and of all preventive and corrective maintenance;
              18. +
              19. appropriate controls should be implemented when equipment is scheduled for maintenance, taking into account whether this maintenance is performed by personnel on site or external to the organization; where necessary, confidential information should be cleared from the equipment or the maintenance personnel should be sufficiently cleared;
              20. +
              21. all maintenance requirements imposed by insurance policies should be complied with;
              22. +
              23. before putting equipment back into operation after its maintenance, it should be inspected to ensure that the equipment has not been tampered with and does not malfunction.
              @@ -1316,78 +1314,78 @@ Removal of assets 11.2.5 -

              XXXXXXXXX, XXXXXXXXXXX XX XXXXXXXX XXXXXX XXX XX XXXXX XXX-XXXX XXXXXXX XXXXX XXXXXXXXXXXXX.

              +

              Equipment, information or software should not be taken off-site without prior authorization.

              -

              XXX XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX:

              +

              The following guidelines should be considered:

                -
              1. XXXXXXXXX XXX XXXXXXXX XXXXX XXXXX XXX XXXX XXXXXXXXX XX XXXXXX XXX-XXXX XXXXXXX XX XXXXXX XXXXXX XX XXXXXXXXXX;
              2. -
              3. XXXX XXXXXX XXX XXXXX XXXXXXX XXXXXX XX XXX XXX XXXXXXX XXXXXXXX XXX XXXXXXXXXX;
              4. -
              5. XXXXX XXXXXXXXX XXX XXXXXXXXXXX, XXXXXX XXXXXX XX XXXXXXXX XX XXXXX XXXXXXX XXX-XXXX XXX XXXXXXXX XXXX XXXXXXXX;
              6. -
              7. XXX XXXXXXXX, XXXX XXX XXXXXXXXXXX XX XXXXXX XXX XXXXXXX XX XXXX XXXXXX XXXXXX XX XXXXXXXXXX XXX XXXX XXXXXXXXXXXXX XXXXXXXX XXXX XXX XXXXXXXXX, XXXXXXXXXXX XX XXXXXXXX.
              8. +
              9. employees and external party users who have authority to permit off-site removal of assets should be identified;
              10. +
              11. time limits for asset removal should be set and returns verified for compliance;
              12. +
              13. where necessary and appropriate, assets should be recorded as being removed off-site and recorded when returned;
              14. +
              15. the identity, role and affiliation of anyone who handles or uses assets should be documented and this documentation returned with the equipment, information or software.
              -

              XXXX XXXXXX, XXXXXXXXXX XX XXXXXX XXXXXXXXXXXX XXXXXXX XX XXXXXX, XXX XXXX XX XXXXXXXXX XX XXXXXX XXXXXXXXXXXX XXXXXXXXX XXXXXXX, XXXXXXX, XXX., XXX XX XXXXXXX XXXXX XXXXX XXXX XXX XXXX XXXX, XXX XXXX. XXXX XXXX XXXXXX XXXXXX XX XXXXXXX XXX XX XXXXXXXXXX XXXX XXXXXXXX XXXXXXXXXXX XXX XXXXXXXXXXX. XXXXXXXXXXX XXXXXX XX XXXX XXXXX XXXX XXXX XXXXXX XXX XXXXXXX XXX, XXX XXX XXXXXXXXXXXXX XXXXXX XXXX XX XXXXXXXXX XXXX XXXXXXXXXXXXX XXXXXXXXXXX XXX XXX XXXXX XXX XXXXXXXXXX XXXXXXXXXXXX.

              +

              Spot checks, undertaken to detect unauthorized removal of assets, can also be performed to detect unauthorized recording devices, weapons, etc., and to prevent their entry into and exit from, the site. Such spot checks should be carried out in accordance with relevant legislation and regulations. Individuals should be made aware that spot checks are carried out, and the verifications should only be performed with authorization appropriate for the legal and regulatory requirements.

              Security of equipment and assets off-premises 11.2.6 -

              XXXXXXXX XXXXXX XX XXXXXXX XX XXX-XXXX XXXXXX XXXXXX XXXX XXXXXXX XXX XXXXXXXXX XXXXX XX XXXXXXX XXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXX.

              +

              Security should be applied to off-site assets taking into account the different risks of working outside the organization’s premises.

              -

              XXX XXX XX XXX XXXXXXXXXXX XXXXXXX XXX XXXXXXXXXX XXXXXXXXX XXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXXXXX. XXXX XXXXXXX XX XXXXXXXXX XXXXX XX XXX XXXXXXXXXXXX XXX XXXX XXXXXXXXX XXXXX XXXXXXXXX XXX XXXX XX XXXXXX XX XXX XXXXXXXXXXXX.

              -

              XXX XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXX XXXXXXXXXX XX XXX-XXXX XXXXXXXXX:

              +

              The use of any information storing and processing equipment outside the organization’s premises should be authorized by management. This applies to equipment owned by the organization and that equipment owned privately and used on behalf of the organization.

              +

              The following guidelines should be considered for the protection of off-site equipment:

                -
              1. XXXXXXXXX XXX XXXXX XXXXX XXX XXXXXXXX XXXXXX XXX XX XXXX XXXXXXXXXX XX XXXXXX XXXXXX;
              2. -
              3. XXXXXXXXXXXXX’ XXXXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXXX XX XXX XXXXX, X.X. XXXXXXXXXX XXXXXXX XXXXXXXX XX XXXXXX XXXXXXXXXXXXXXX XXXXXX;
              4. -
              5. XXXXXXXX XXX XXX-XXXXXXXX XXXXXXXXX, XXXX XX XXXX-XXXXXXX, XXXXXXXXXXX XXX XXXXXXXXX XXXXX XXXXXX XX XXXXXXXXXX XX X XXXX XXXXXXXXXX XXX XXXXXXXX XXXXXXXX XXXXXXX XX XXXXXXXXXXX, X.X. XXXXXXXX XXXXXX XXXXXXXX, XXXXX XXXX XXXXXX, XXXXXX XXXXXXXX XXX XXXXXXXXX XXX XXXXXX XXXXXXXXXXXXX XXXX XXX XXXXXX (XXX XXXX XXX/XXX XXXXX[15][16][17][18][19]);
              6. -
              7. XXXX XXX-XXXXXXXX XXXXXXXXX XX XXXXXXXXXXX XXXXX XXXXXXXXX XXXXXXXXXXX XX XXXXXXXX XXXXXXX, X XXX XXXXXX XX XXXXXXXXXX XXXX XXXXXXX XXX XXXXX XX XXXXXXX XXX XXX XXXXXXXXX XXXXXXXXX XX XXXXX XXXXX XXX XXXXXXXXXXXXX XX XXXXX XXX XXX XXXXXXXXXXX XXX XXX XXXXXXXXX.
              8. +
              9. equipment and media taken off premises should not be left unattended in public places;
              10. +
              11. manufacturers’ instructions for protecting equipment should be observed at all times, e.g. protection against exposure to strong electromagnetic fields;
              12. +
              13. controls for off-premises locations, such as home-working, teleworking and temporary sites should be determined by a risk assessment and suitable controls applied as appropriate, e.g. lockable filing cabinets, clear desk policy, access controls for computers and secure communication with the office (see also ISO/IEC 27033[15][16][17][18][19]);
              14. +
              15. when off-premises equipment is transferred among different individuals or external parties, a log should be maintained that defines the chain of custody for the equipment including at least names and organizations of those who are responsible for the equipment.
              -

              XXXXX, X.X. XX XXXXXX, XXXXX XX XXXXXXXXXXXXX, XXX XXXX XXXXXXXXXXXX XXXXXXX XXXXXXXXX XXX XXXXXX XX XXXXX XXXX XXXXXXX XX XXXXXXXXXXX XXX XXXX XXXXXXXXXXX XXXXXXXX.

              +

              Risks, e.g. of damage, theft or eavesdropping, may vary considerably between locations and should be taken into account in determining the most appropriate controls.

              -

              XXXXXXXXXXX XXXXXXX XXX XXXXXXXXXX XXXXXXXXX XXXXXXXX XXX XXXXX XX XXXXXXXX XXXXXXXXX, XXXXXXXXXX, XXXXXX XXXXXX, XXXXX XXXXX, XXXXX XX XXXXX XXXX, XXXXX XX XXXX XXX XXXX XXXXXXX XX XXXXX XXXXXXXXXXX XXXX XXXX XXX XXXXXX XXXX XXXXXXXX.

              -

              XXXX XXXXXXXXXXX XXXXX XXXXX XXXXXXX XX XXXXXXXXXX XXXXXX XXXXXXXXX XXX XX XXXXX XX 6.2.

              -

              XX XXX XX XXXXXXXXXXX XX XXXXX XXX XXXX XX XXXXXXXXXXXX XXXXXXX XXXXXXXXX XXXX XXXXXXX XXX-XXXX XX XX XXXXXXXXXXX XXXXX XXX XX XXXXXXXX XX XXXXXXXXX;

              +

              Information storing and processing equipment includes all forms of personal computers, organizers, mobile phones, smart cards, paper or other form, which is held for home working or being transported away from the normal work location.

              +

              More information about other aspects of protecting mobile equipment can be found in 6.2.

              +

              It may be appropriate to avoid the risk by discouraging certain employees from working off-site or by restricting their use of portable IT equipment;

              Secure disposal or re-use of equipment 11.2.7 -

              XXX XXXXX XX XXXXXXXXX XXXXXXXXXX XXXXXXX XXXXX XXXXXX XX XXXXXXXX XX XXXXXX XXXX XXX XXXXXXXXX XXXX XXX XXXXXXXX XXXXXXXX XXX XXXX XXXXXXX XX XXXXXXXX XXXXXXXXXXX XXXXX XX XXXXXXXX XX XX-XXX.

              +

              All items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

              -

              XXXXXXXXX XXXXXX XX XXXXXXXX XX XXXXXX XXXXXXX XX XXX XXXXXXX XXXXX XX XXXXXXXXX XXXXX XX XXXXXXXX XX XX-XXX.

              -

              XXXXXXX XXXXX XXXXXXXXXX XXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXXX XXXXXXXXX XX XXX XXXXXXXXXXX XXXXXX XX XXXXXXXXX, XXXXXXX XX XXXXXXXXXXX XXXXX XXXXXXXXXX XX XXXX XXX XXXXXXXX XXXXXXXXXXX XXX-XXXXXXXXXXX XXXXXX XXXX XXXXX XXX XXXXXXXX XXXXXX XX XXXXXX XXXXXXXX.

              +

              Equipment should be verified to ensure whether or not storage media is contained prior to disposal or re-use.

              +

              Storage media containing confidential or copyrighted information should be physically destroyed or the information should be destroyed, deleted or overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format function.

              -

              XXXXXXX XXXXXXXXX XXXXXXXXXX XXXXXXX XXXXX XXX XXXXXXX X XXXX XXXXXXXXXX XX XXXXXXXXX XXXXXXX XXX XXXXX XXXXXX XX XXXXXXXXXX XXXXXXXXX XXXXXX XXXX XXXX XXX XXXXXX XX XXXXXXXXX. XXXXXXXXXXX XXX XX XXXXXXXXXXX XXXXXXX XXXXXXXX XXXXXXXX XX XX-XXX XX XXXXXXXXX.

              -

              XX XXXXXXXX XX XXXXXX XXXX XXXXXXX, XXXXX-XXXX XXXXXXXXXX XXXXXXX XXX XXXX XX XXXXXXXXXX XX XXXXXXXXXXXX XXXXXXXXXXX XXXX XXXXXXXXX XX XXXXXXXX XX XX XXXXXXXXXX, XXXXXXXX XXXX:

              +

              Damaged equipment containing storage media may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded. Information can be compromised through careless disposal or re-use of equipment.

              +

              In addition to secure disk erasure, whole-disk encryption reduces the risk of disclosure of confidential information when equipment is disposed of or redeployed, provided that:

                -
              1. XXX XXXXXXXXXX XXXXXXX XX XXXXXXXXXXXX XXXXXX XXX XXXXXX XXX XXXXXX XXXX (XXXXXXXXX XXXXX XXXXX, XXXX XXXXX, XXX.);
              2. -
              3. XXX XXXXXXXXXX XXXX XXX XXXX XXXXXX XX XXXXXX XXXXX XXXXX XXXXXXX;
              4. -
              5. XXX XXXXXXXXXX XXXX XXX XXXXXXXXXX XXXX XXXXXXXXXXXX (X.X. XXXXX XXXXXX XX XXX XXXX XXXX).
              6. +
              7. the encryption process is sufficiently strong and covers the entire disk (including slack space, swap files, etc.);
              8. +
              9. the encryption keys are long enough to resist brute force attacks;
              10. +
              11. the encryption keys are themselves kept confidential (e.g. never stored on the same disk).
              -

              XXX XXXXXXX XXXXXX XX XXXXXXXXXX, XXX Clause 10.

              -

              XXXXXXXXXX XXX XXXXXXXX XXXXXXXXXXX XXXXXXX XXXXX XXXXXX XXXXXXXXX XX XXX XXXXXXX XXXXX XXXXXXXXXX. XXXXXXXXXXX XXXXX XXXXXX XX XXXXXXXX XX XXXX XXXX XXXX XXXX XXX XXXXXXXXXX XX XXX XXXXXXXXXX XX XXX XXXXXXX XXXXX.

              +

              For further advice on encryption, see Clause 10.

              +

              Techniques for securely overwriting storage media differ according to the storage media technology. Overwriting tools should be reviewed to make sure that they are applicable to the technology of the storage media.

              Unattended user equipment 11.2.8 -

              XXXXX XXXXXX XXXXXX XXXX XXXXXXXXXX XXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXX.

              +

              Users should ensure that unattended equipment has appropriate protection.

              -

              XXX XXXXX XXXXXX XX XXXX XXXXX XX XXX XXXXXXXX XXXXXXXXXXXX XXX XXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXXX XXXXXXXXX, XX XXXX XX XXXXX XXXXXXXXXXXXXXXX XXX XXXXXXXXXXXX XXXX XXXXXXXXXX. XXXXX XXXXXX XX XXXXXXX XX:

              +

              All users should be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection. Users should be advised to:

                -
              1. XXXXXXXXX XXXXXX XXXXXXXX XXXX XXXXXXXX, XXXXXX XXXX XXX XX XXXXXXX XX XX XXXXXXXXXXX XXXXXXX XXXXXXXXX, X.X. X XXXXXXXX XXXXXXXXX XXXXXX XXXXX;
              2. -
              3. XXX-XXX XXXX XXXXXXXXXXXX XX XXXXXXX XXXXXXXX XXXX XX XXXXXX XXXXXX;
              4. -
              5. XXXXXX XXXXXXXXX XX XXXXXX XXXXXXX XXXX XXXXXXXXXXXX XXX XX X XXX XXXX XX XX XXXXXXXXXX XXXXXXX, X.X. XXXXXXXX XXXXXX, XXXX XXX XX XXX.
              6. +
              7. terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism, e.g. a password protected screen saver;
              8. +
              9. log-off from applications or network services when no longer needed;
              10. +
              11. secure computers or mobile devices from unauthorized use by a key lock or an equivalent control, e.g. password access, when not in use.
              @@ -1395,20 +1393,20 @@ Clear desk and clear screen policy 11.2.9 -

              X XXXXX XXXX XXXXXX XXX XXXXXX XXX XXXXXXXXX XXXXXXX XXXXX XXX X XXXXX XXXXXX XXXXXX XXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXX.

              +

              A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted.

              -

              XXX XXXXX XXXX XXX XXXXX XXXXXX XXXXXX XXXXXX XXXX XXXX XXXXXXX XXX XXXXXXXXXXX XXXXXXXXXXXXXXX (XXX 8.2), XXXXX XXX XXXXXXXXXXX XXXXXXXXXXXX (XXX 18.1) XXX XXX XXXXXXXXXXXXX XXXXX XXX XXXXXXXX XXXXXXX XX XXX XXXXXXXXXXXX. XXX XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX:

              +

              The clear desk and clear screen policy should take into account the information classifications (see 8.2), legal and contractual requirements (see 18.1) and the corresponding risks and cultural aspects of the organization. The following guidelines should be considered:

                -
              1. XXXXXXXXX XX XXXXXXXX XXXXXXXX XXXXXXXXXXX, X.X. XX XXXXX XX XX XXXXXXXXXX XXXXXXX XXXXX, XXXXXX XX XXXXXX XXXX (XXXXXXX XX X XXXX XX XXXXXXX XX XXXXX XXXXX XX XXXXXXXX XXXXXXXXX) XXXX XXX XXXXXXXX, XXXXXXXXXX XXXX XXX XXXXXX XX XXXXXXX.
              2. -
              3. XXXXXXXXX XXX XXXXXXXXX XXXXXX XX XXXX XXXXXX XXX XX XXXXXXXXX XXXX X XXXXXX XXX XXXXXXXX XXXXXXX XXXXXXXXX XXXXXXXXXX XX X XXXXXXXX, XXXXX XX XXXXXXX XXXX XXXXXXXXXXXXXX XXXXXXXXX XXXX XXXXXXXXXX XXX XXXXXX XX XXXXXXXXX XX XXX XXXXX, XXXXXXXXX XX XXXXX XXXXXXXX XXXX XXX XX XXX;
              4. -
              5. XXXXXXXXXXXX XXX XX XXXXXXXXXXXX XXX XXXXX XXXXXXXXXXXX XXXXXXXXXX (X.X. XXXXXXXX, XXXXXXX XXXXXXX) XXXXXX XX XXXXXXXXX;
              6. -
              7. XXXXX XXXXXXXXXX XXXXXXXXX XX XXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXX XXXX XXXXXXXX XXXXXXXXXXX.
              8. +
              9. sensitive or critical business information, e.g. on paper or on electronic storage media, should be locked away (ideally in a safe or cabinet or other forms of security furniture) when not required, especially when the office is vacated.
              10. +
              11. computers and terminals should be left logged off or protected with a screen and keyboard locking mechanism controlled by a password, token or similar user authentication mechanism when unattended and should be protected by key locks, passwords or other controls when not in use;
              12. +
              13. unauthorised use of photocopiers and other reproduction technology (e.g. scanners, digital cameras) should be prevented;
              14. +
              15. media containing sensitive or classified information should be removed from printers immediately.
              -

              X XXXXX XXXX/XXXXX XXXXXX XXXXXX XXXXXXX XXX XXXXX XX XXXXXXXXXXXX XXXXXX, XXXX XX XXX XXXXXX XX XXXXXXXXXXX XXXXXX XXX XXXXXXX XXXXXX XXXXXXX XXXXX. XXXXX XX XXXXX XXXXX XX XXXXXX XXXXXXX XXXXXXXXXX XXXXX XXXX XXXXXXX XXXXXXXXXXX XXXXXX XXXXXXX XXXXXXX XXXXXXXXX XXXX XX X XXXX, XXXXXXXXXX, XXXXX XX XXXXXXXXX.

              -

              XXXXXXXX XXX XXX XX XXXXXXXX XXXX XXX XXXX XXXXXXXX, XX XXX XXXXXXXXXXX XXX XXX XXXX XXXX XXX XXX XXX XXXXX XXXXX-XXXX XXX XXXX XXXX XXXXXXXX XXXX XX XXX XXXXXXX.

              +

              A clear desk/clear screen policy reduces the risks of unauthorized access, loss of and damage to information during and outside normal working hours. Safes or other forms of secure storage facilities might also protect information stored therein against disasters such as a fire, earthquake, flood or explosion.

              +

              Consider the use of printers with PIN code function, so the originators are the only ones who can get their print-outs and only when standing next to the printer.

              @@ -1420,103 +1418,103 @@ Operational procedures and responsibilities 12.1 -

              XX XXXXXX XXXXXXX XXX XXXXXX XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX.

              +

              Objective: To ensure correct and secure operations of information processing facilities.

              Documented operating procedures 12.1.1 -

              XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXXX XXXXXXXXX XX XXX XXXXX XXX XXXX XXXX.

              +

              Operating procedures should be documented and made available to all users who need them.

              -

              XXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXX XXXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX, XXXX XX XXXXXXXX XXXXX-XX XXX XXXXX-XXXX XXXXXXXXXX, XXXXXX, XXXXXXXXX XXXXXXXXXXX, XXXXX XXXXXXXX, XXXXXXXX XXXX XXX XXXX XXXXXXXX XXXXXXXXXX XXX XXXXXX.

              -

              XXX XXXXXXXXX XXXXXXXXXX XXXXXX XXXXXXX XXX XXXXXXXXXXX XXXXXXXXXXXX, XXXXXXXXX:

              +

              Documented procedures should be prepared for operational activities associated with information processing and communication facilities, such as computer start-up and close-down procedures, backup, equipment maintenance, media handling, computer room and mail handling management and safety.

              +

              The operating procedures should specify the operational instructions, including:

                -
              1. XXX XXXXXXXXXXXX XXX XXXXXXXXXXXXX XX XXXXXXX;
              2. -
              3. XXXXXXXXXX XXX XXXXXXXX XX XXXXXXXXXXX XXXX XXXXXXXXX XXX XXXXXX;
              4. -
              5. XXXXXX (XXX 12.3);
              6. -
              7. XXXXXXXXXX XXXXXXXXXXXX, XXXXXXXXX XXXXXXXXXXXXXXXXX XXXX XXXXX XXXXXXX, XXXXXXXX XXX XXXXX XXX XXXXXX XXX XXXXXXXXXX XXXXX;
              8. -
              9. XXXXXXXXXXXX XXX XXXXXXXX XXXXXX XX XXXXX XXXXXXXXXXX XXXXXXXXXX, XXXXX XXXXX XXXXX XXXXXX XXX XXXXXXXXX, XXXXXXXXX XXXXXXXXXXXX XX XXX XXX XX XXXXXX XXXXXXXXX (XXX 9.4.4);
              10. -
              11. XXXXXXX XXX XXXXXXXXXX XXXXXXXX XXXXXXXXX XXXXXXXX XXXXXXX XXXXXXXX XX XXX XXXXX XX XXXXXXXXXX XXXXXXXXXXX XX XXXXXXXXX XXXXXXXXXXXX;
              12. -
              13. XXXXXXX XXXXXX XXX XXXXX XXXXXXXX XXXXXXXXXXXX, XXXX XX XXX XXX XX XXXXXXX XXXXXXXXXX XX XXX XXXXXXXXXX XX XXXXXXXXXXXX XXXXXX XXXXXXXXX XXXXXXXXXX XXX XXXXXX XXXXXXXX XX XXXXXX XXXX XXXXXX XXXX (XXX 8.3 XXX 11.2.7);
              14. -
              15. XXXXXX XXXXXXX XXX XXXXXXXX XXXXXXXXXX XXX XXX XX XXX XXXXX XX XXXXXX XXXXXXX;
              16. -
              17. XXX XXXXXXXXXX XX XXXXX-XXXXX XXX XXXXXX XXX XXXXXXXXXXX (XXX 12.4);
              18. -
              19. XXXXXXXXXX XXXXXXXXXX.
              20. +
              21. the installation and configuration of systems;
              22. +
              23. processing and handling of information both automated and manual;
              24. +
              25. backup (see 12.3);
              26. +
              27. scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times;
              28. +
              29. instructions for handling errors or other exceptional conditions, which might arise during job execution, including restrictions on the use of system utilities (see 9.4.4);
              30. +
              31. support and escalation contacts including external support contacts in the event of unexpected operational or technical difficulties;
              32. +
              33. special output and media handling instructions, such as the use of special stationery or the management of confidential output including procedures for secure disposal of output from failed jobs (see 8.3 and 11.2.7);
              34. +
              35. system restart and recovery procedures for use in the event of system failure;
              36. +
              37. the management of audit-trail and system log information (see 12.4);
              38. +
              39. monitoring procedures.
              -

              XXXXXXXXX XXXXXXXXXX XXX XXX XXXXXXXXXX XXXXXXXXXX XXX XXXXXX XXXXXXXXXX XXXXXX XX XXXXXXX XX XXXXXX XXXXXXXXX XXX XXXXXXX XXXXXXXXXX XX XXXXXXXXXX. XXXXX XXXXXXXXXXX XXXXXXXX, XXXXXXXXXXX XXXXXXX XXXXXX XX XXXXXXX XXXXXXXXXXXX, XXXXX XXX XXXX XXXXXXXXXX, XXXXX XXX XXXXXXXXX.

              +

              Operating procedures and the documented procedures for system activities should be treated as formal documents and changes authorized by management. Where technically feasible, information systems should be managed consistently, using the same procedures, tools and utilities.

              Change management 12.1.2 -

              XXXXXXX XX XXX XXXXXXXXXXXX, XXXXXXXX XXXXXXXXX, XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXX XXXXXXX XXXX XXXXXX XXXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXX.

              +

              Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled.

              -

              XX XXXXXXXXXX, XXX XXXXXXXXX XXXXX XXXXXX XX XXXXXXXXXX:

              +

              In particular, the following items should be considered:

                -
              1. XXXXXXXXXXXXXX XXX XXXXXXXXX XX XXXXXXXXXXX XXXXXXX;
              2. -
              3. XXXXXXXX XXX XXXXXXX XX XXXXXXX;
              4. -
              5. XXXXXXXXXX XX XXX XXXXXXXXX XXXXXXX, XXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXX, XX XXXX XXXXXXX;
              6. -
              7. XXXXXX XXXXXXXX XXXXXXXXX XXX XXXXXXXX XXXXXXX;
              8. -
              9. XXXXXXXXXXXX XXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXXX XXXX XXX;
              10. -
              11. XXXXXXXXXXXXX XX XXXXXX XXXXXXX XX XXX XXXXXXXX XXXXXXX;
              12. -
              13. XXXX-XXXX XXXXXXXXXX, XXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXXXXXXXX XXX XXXXXXXX XXX XXXXXXXXXX XXXX XXXXXXXXXXXX XXXXXXX XXX XXXXXXXXXX XXXXXX;
              14. -
              15. XXXXXXXXX XX XX XXXXXXXXX XXXXXX XXXXXXX XX XXXXXX XXXXX XXX XXXXXXXXXX XXXXXXXXXXXXXX XX XXXXXXX XXXXXX XX XXXXXXX XX XXXXXXXX (XXX 16.1).
              16. +
              17. identification and recording of significant changes;
              18. +
              19. planning and testing of changes;
              20. +
              21. assessment of the potential impacts, including information security impacts, of such changes;
              22. +
              23. formal approval procedure for proposed changes;
              24. +
              25. verification that information security requirements have been met;
              26. +
              27. communication of change details to all relevant persons;
              28. +
              29. fall-back procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events;
              30. +
              31. provision of an emergency change process to enable quick and controlled implementation of changes needed to resolve an incident (see 16.1).
              -

              XXXXXX XXXXXXXXXX XXXXXXXXXXXXXXXX XXX XXXXXXXXXX XXXXXX XX XX XXXXX XX XXXXXX XXXXXXXXXXXX XXXXXXX XX XXX XXXXXXX. XXXX XXXXXXX XXX XXXX, XX XXXXX XXX XXXXXXXXXX XXX XXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXX.

              +

              Formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes. When changes are made, an audit log containing all relevant information should be retained.

              -

              XXXXXXXXXX XXXXXXX XX XXXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXX XXXXXXX XX X XXXXXX XXXXX XX XXXXXX XX XXXXXXXX XXXXXXXX. XXXXXXX XX XXX XXXXXXXXXXX XXXXXXXXXXX, XXXXXXXXXX XXXX XXXXXXXXXXXX X XXXXXX XXXX XXXXXXXXXXX XX XXXXXXXXXXX XXXXX, XXX XXXXXX XX XXX XXXXXXXXXXX XX XXXXXXXXXXXX (XXX 14.2.2).

              +

              Inadequate control of changes to information processing facilities and systems is a common cause of system or security failures. Changes to the operational environment, especially when transferring a system from development to operational stage, can impact on the reliability of applications (see 14.2.2).

              Capacity management 12.1.3 -

              XXX XXX XX XXXXXXXXX XXXXXX XX XXXXXXXXX, XXXXX XXX XXXXXXXXXXX XXXX XX XXXXXX XXXXXXXX XXXXXXXXXXXX XX XXXXXX XXX XXXXXXXX XXXXXX XXXXXXXXXXX.

              +

              The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

              -

              XXXXXXXX XXXXXXXXXXXX XXXXXX XX XXXXXXXXXX, XXXXXX XXXX XXXXXXX XXX XXXXXXXX XXXXXXXXXXX XX XXX XXXXXXXXX XXXXXX. XXXXXX XXXXXX XXX XXXXXXXXXX XXXXXX XX XXXXXXX XX XXXXXX XXX, XXXXX XXXXXXXXX, XXXXXXX XXX XXXXXXXXXXXX XXX XXXXXXXXXX XX XXXXXXX. XXXXXXXXX XXXXXXXX XXXXXX XX XXX XX XXXXX XX XXXXXXXX XXXXXXXX XX XXX XXXX. XXXXXXXXXXX XX XXXXXX XXXXXXXX XXXXXXXXXXXX XXXXXX XXXX XXXXXXX XX XXX XXXXXXXX XXX XXXXXX XXXXXXXXXXXX XXX XXXXXXX XXX XXXXXXXXX XXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXXXX.

              -

              XXXXXXXXXX XXXXXXXXX XXXXX XX XX XXXX XX XXX XXXXXXXXX XXXX XXXX XXXXXXXXXXX XXXX XXXXX XX XXXX XXXXX; XXXXXXXXX XXXXXXXX XXXXXX XXXXXXX XXX XXXXXXXXXXX XX XXX XXXXXX XXXXXXXXX. XXXX XXXXXX XXXXXXXX XXXXXX XX XXXXX, XXXXXXXXXXXX XX XXXXXXXX XX XXXXXXXX XXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXX XXXXXXXXXX XXXXX.

              -

              XXXXXXXX XXXXXX XXX XXXX XXXXXXXXXXX XX XXXXXXXX XXX XXXXX XXXXXXXXX XXXXXXXXXXX XXX XXXXXXXXXX XX XXX XXXXXXXXX XXXX XXXXX XXXXXXX X XXXXXX XX XXXXXX XXXXXXXX XX XXXXXXXX, XXX XXXX XXXXXXXXXXX XXXXXX.

              -

              XXXXXXXXX XXXXXXXXXX XXXXXXXX XXX XX XXXXXXXX XX XXXXXXXXXX XXXXXXXX XX XX XXXXXXXX XXXXXX. XXXXXXXX XX XXXXXXXX XXXXXXXX XXXXXX XXXXXXX:

              +

              Capacity requirements should be identified, taking into account the business criticality of the concerned system. System tuning and monitoring should be applied to ensure and, where necessary, improve the availability and efficiency of systems. Detective controls should be put in place to indicate problems in due time. Projections of future capacity requirements should take account of new business and system requirements and current and projected trends in the organization’s information processing capabilities.

              +

              Particular attention needs to be paid to any resources with long procurement lead times or high costs; therefore managers should monitor the utilization of key system resources. They should identify trends in usage, particularly in relation to business applications or information systems management tools.

              +

              Managers should use this information to identify and avoid potential bottlenecks and dependence on key personnel that might present a threat to system security or services, and plan appropriate action.

              +

              Providing sufficient capacity can be achieved by increasing capacity or by reducing demand. Examples of managing capacity demand include:

                -
              1. XXXXXXXX XX XXXXXXXX XXXX (XXXX XXXXX);
              2. -
              3. XXXXXXXXXXXXXXX XX XXXXXXXXXXXX, XXXXXXX, XXXXXXXXX XX XXXXXXXXXXXX;
              4. -
              5. XXXXXXXXXX XXXXX XXXXXXXXX XXX XXXXXXXXX;
              6. -
              7. XXXXXXXXXX XXXXXXXXXXX XXXXX XX XXXXXXXX XXXXXXX;
              8. -
              9. XXXXXXX XX XXXXXXXXXXX XXXXXXXXX XXX XXXXXXXX-XXXXXX XXXXXXXX XX XXXXX XXX XXX XXXXXXXX XXXXXXXX (X.X. XXXXX XXXXXXXXX).
              10. +
              11. deletion of obsolete data (disk space);
              12. +
              13. decommissioning of applications, systems, databases or environments;
              14. +
              15. optimising batch processes and schedules;
              16. +
              17. optimising application logic or database queries;
              18. +
              19. denying or restricting bandwidth for resource-hungry services if these are not business critical (e.g. video streaming).
              -

              X XXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXX XXXXXXXX XXXXXXX.

              +

              A documented capacity management plan should be considered for mission critical systems.

              -

              XXXX XXXXXXX XXXX XXXXXXXXX XXX XXXXXXXX XX XXX XXXXX XXXXXXXXX, XX XXXX XX XXXXXXX XXX XXXXXXXXXX.

              +

              This control also addresses the capacity of the human resources, as well as offices and facilities.

              Separation of development, testing and operational environments 12.1.4 -

              XXXXXXXXXXX, XXXXXXX, XXX XXXXXXXXXXX XXXXXXXXXXXX XXXXXX XX XXXXXXXXX XX XXXXXX XXX XXXXX XX XXXXXXXXXXXX XXXXXX XX XXXXXXX XX XXX XXXXXXXXXXX XXXXXXXXXXX.

              +

              Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment.

              -

              XXX XXXXX XX XXXXXXXXXX XXXXXXX XXXXXXXXXXX, XXXXXXX, XXX XXXXXXXXXXX XXXXXXXXXXXX XXXX XX XXXXXXXXX XX XXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXXXXXX.

              -

              XXX XXXXXXXXX XXXXX XXXXXX XX XXXXXXXXXX:

              +

              The level of separation between operational, testing, and development environments that is necessary to prevent operational problems should be identified and implemented.

              +

              The following items should be considered:

                -
              1. XXXXX XXX XXX XXXXXXXX XX XXXXXXXX XXXX XXXXXXXXXXX XX XXXXXXXXXXX XXXXXX XXXXXX XX XXXXXXX XXX XXXXXXXXXX;
              2. -
              3. XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXX XXX XX XXXXXXXXX XXXXXXX XX XXXXXXXX XXXXXXXXXX XXX XX XXXXXXXXX XXXXXXX XX XXXXXXXXXXX;
              4. -
              5. XXXXXXX XX XXXXXXXXXXX XXXXXXX XXX XXXXXXXXXXXX XXXXXX XX XXXXXX XX X XXXXXXX XX XXXXXXX XXXXXXXXXXX XXXXX XX XXXXX XXXXXXX XX XXXXXXXXXXX XXXXXXX;
              6. -
              7. XXXXX XXXX XX XXXXXXXXXXX XXXXXXXXXXXXX, XXXXXXX XXXXXX XXX XX XXXX XX XXXXXXXXXXX XXXXXXX;
              8. -
              9. XXXXXXXXX, XXXXXXX XXX XXXXX XXXXXXXXXXX XXXXX XX XXXXXX XXXXXXXXX XXXXXX XXX XX XXXXXXXXXX XXXX XXXXXXXXXXX XXXXXXX XXXX XXX XXXXXXXX;
              10. -
              11. XXXXX XXXXXX XXX XXXXXXXXX XXXX XXXXXXXX XXX XXXXXXXXXXX XXX XXXXXXX XXXXXXX, XXX XXXXX XXXXXX XXXXXXX XXXXXXXXXXX XXXXXXXXXXXXXX XXXXXXXX XX XXXXXX XXX XXXX XX XXXXX;
              12. -
              13. XXXXXXXXX XXXX XXXXXX XXX XX XXXXXX XXXX XXX XXXXXXX XXXXXX XXXXXXXXXXX XXXXXX XXXXXXXXXX XXXXXXXX XXX XXXXXXXX XXX XXX XXXXXXX XXXXXX (XXX 14.3).
              14. +
              15. rules for the transfer of software from development to operational status should be defined and documented;
              16. +
              17. development and operational software should run on different systems or computer processors and in different domains or directories;
              18. +
              19. changes to operational systems and applications should be tested in a testing or staging environment prior to being applied to operational systems;
              20. +
              21. other than in exceptional circumstances, testing should not be done on operational systems;
              22. +
              23. compilers, editors and other development tools or system utilities should not be accessible from operational systems when not required;
              24. +
              25. users should use different user profiles for operational and testing systems, and menus should display appropriate identification messages to reduce the risk of error;
              26. +
              27. sensitive data should not be copied into the testing system environment unless equivalent controls are provided for the testing system (see 14.3).
              -

              XXXXXXXXXXX XXX XXXXXXX XXXXXXXXXX XXX XXXXX XXXXXXX XXXXXXXX, X.X. XXXXXXXX XXXXXXXXXXXX XX XXXXX XX XXXXXX XXXXXXXXXXX XX XXXXXX XXXXXXX. XXXXX XX X XXXX XX XXXXXXXX X XXXXX XXX XXXXXX XXXXXXXXXXX XX XXXXX XX XXXXXXX XXXXXXXXXX XXXXXXX XXX XX XXXXXXX XXXXXXXXXXXXX XXXXXXXXX XXXXXX XX XXX XXXXXXXXXXX XXXXXXXXXXX.

              -

              XXXXX XXXXXXXXXXX XXX XXXXXXX XXXXXXXXX XXXX XXXXXX XX XXX XXXXXXXXXXX XXXXXX XXX XXX XXXXXXXXXXX, XXXX XXX XX XXXX XX XXXXXXXXX XXXXXXXXXXXX XXX XXXXXXXX XXXX XX XXXXX XXXXXXXXXXX XXXX. XX XXXX XXXXXXX XXXX XXXXXXXXXX XXXXX XX XXXXXXX XX XXXXXX XXXXX XX XXXXXXXXX XXXXXXXX XX XXXXXXXXX XXXX, XXXXX XXX XXXXX XXXXXXX XXXXXXXXXXX XXXXXXXX.

              -

              XXXXXXXXXXX XXX XXXXXXX XXXXXXXXX XXXX XXXX X XXXXXX XX XXX XXXXXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXXX. XXXXXXXXXXX XXX XXXXXXX XXXXXXXXXX XXX XXXXX XXXXXXXXXX XXXXXXX XX XXXXXXXX XX XXXXXXXXXXX XX XXXX XXXXX XXX XXXX XXXXXXXXX XXXXXXXXXXX. XXXXXXXXXX XXXXXXXXXXX, XXXXXXX XXX XXXXXXXXXXX XXXXXXXXXXXX XX XXXXXXXXX XXXXXXXXX XX XXXXXX XXX XXXX XX XXXXXXXXXX XXXXXX XX XXXXXXXXXXXX XXXXXX XX XXXXXXXXXXX XXXXXXXX XXX XXXXXXXX XXXX (XXX 14.3 XXX XXX XXXXXXXXXX XX XXXX XXXX).

              +

              Development and testing activities can cause serious problems, e.g. unwanted modification of files or system environment or system failure. There is a need to maintain a known and stable environment in which to perform meaningful testing and to prevent inappropriate developer access to the operational environment.

              +

              Where development and testing personnel have access to the operational system and its information, they may be able to introduce unauthorized and untested code or alter operational data. On some systems this capability could be misused to commit fraud or introduce untested or malicious code, which can cause serious operational problems.

              +

              Development and testing personnel also pose a threat to the confidentiality of operational information. Development and testing activities may cause unintended changes to software or information if they share the same computing environment. Separating development, testing and operational environments is therefore desirable to reduce the risk of accidental change or unauthorized access to operational software and business data (see 14.3 for the protection of test data).

              @@ -1524,41 +1522,41 @@ Protection from malware 12.2 -

              XX XXXXXX XXXX XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXX XXXXXXX XXXXXXX.

              +

              Objective: To ensure that information and information processing facilities are protected against malware.

              Controls against malware 12.2.1 -

              XXXXXXXXX, XXXXXXXXXX XXX XXXXXXXX XXXXXXXX XX XXXXXXX XXXXXXX XXXXXXX XXXXXX XX XXXXXXXXXXX, XXXXXXXX XXXX XXXXXXXXXXX XXXX XXXXXXXXX.

              +

              Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness.

              -

              XXXXXXXXXX XXXXXXX XXXXXXX XXXXXX XX XXXXX XX XXXXXXX XXXXXXXXX XXX XXXXXX XXXXXXXX, XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXX XXXXXXXXXXX XXXXXX XXXXXX XXX XXXXXX XXXXXXXXXX XXXXXXXX. XXX XXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXX:

              +

              Protection against malware should be based on malware detection and repair software, information security awareness and appropriate system access and change management controls. The following guidance should be considered:

                -
              1. XXXXXXXXXXXX X XXXXXX XXXXXX XXXXXXXXXXX XXX XXX XX XXXXXXXXXXXX XXXXXXXX (XXX 12.6.2 XXX 14.2.);
              2. -
              3. XXXXXXXXXXXX XXXXXXXX XXXX XXXXXXX XX XXXXXX XXX XXX XX XXXXXXXXXXXX XXXXXXXX (X.X. XXXXXXXXXXX XXXXXXXXXXXX);
              4. -
              5. XXXXXXXXXXXX XXXXXXXX XXXX XXXXXXX XX XXXXXX XXX XXX XX XXXXX XX XXXXXXXXX XXXXXXXXX XXXXXXXX (X.X. XXXXXXXXXXXX);
              6. -
              7. XXXXXXXXXXXX X XXXXXX XXXXXX XX XXXXXXX XXXXXXX XXXXX XXXXXXXXXX XXXX XXXXXXXXX XXXXX XXX XXXXXXXX XXXXXX XXXX XX XXX XXXXXXXX XXXXXXXX XX XX XXX XXXXX XXXXXX, XXXXXXXXXX XXXX XXXXXXXXXX XXXXXXXX XXXXXX XX XXXXX;
              8. -
              9. XXXXXXXX XXXXXXXXXXXXXXX XXXX XXXXX XX XXXXXXXXX XX XXXXXXX, X.X. XXXXXXX XXXXXXXXX XXXXXXXXXXXXX XXXXXXXXXX (XXX 12.6);
              10. -
              11. XXXXXXXXXX XXXXXXX XXXXXXX XX XXX XXXXXXXX XXX XXXX XXXXXXX XX XXXXXXX XXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXXX; XXX XXXXXXXX XX XXX XXXXXXXXXX XXXXX XX XXXXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXX XXXXXXXXXXXX;
              12. -
              13. XXXXXXXXXXXX XXX XXXXXXX XXXXXX XX XXXXXXX XXXXXXXXX XXX XXXXXX XXXXXXXX XX XXXX XXXXXXXXX XXX XXXXX XX X XXXXXXXXXXXXX XXXXXXX, XX XX X XXXXXXX XXXXX; XXX XXXX XXXXXXX XXX XXXXXX XXXXXXX:
                  -
                1. XXXX XXX XXXXX XXXXXXXX XXXX XXXXXXXX XX XXX XXX XXXX XX XXXXXXX XXXXXX, XXX XXXXXXX XXXXXX XXX;
                2. -
                3. XXXX XXXXXXXXXX XXXX XXXXXXXXXXX XXX XXXXXXXXX XXX XXXXXXX XXXXXX XXX; XXXX XXXX XXXXXX XX XXXXXXX XXX XX XXXXXXXXX XXXXXX, X.X. XX XXXXXXXXXX XXXX XXXXXXX, XXXX XXX XXXXXXXXX XXX XXXX XXXXXXXX XXX XXXXXXX XX XXX XXXXXXXXXXXX;
                4. -
                5. XXXX XXX XXXXX XXX XXXXXXX;
                6. +
                7. establishing a formal policy prohibiting the use of unauthorized software (see 12.6.2 and 14.2.);
                8. +
                9. implementing controls that prevent or detect the use of unauthorized software (e.g. application whitelisting);
                10. +
                11. implementing controls that prevent or detect the use of known or suspected malicious websites (e.g. blacklisting);
                12. +
                13. establishing a formal policy to protect against risks associated with obtaining files and software either from or via external networks or on any other medium, indicating what protective measures should be taken;
                14. +
                15. reducing vulnerabilities that could be exploited by malware, e.g. through technical vulnerability management (see 12.6);
                16. +
                17. conducting regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated;
                18. +
                19. installation and regular update of malware detection and repair software to scan computers and media as a precautionary control, or on a routine basis; the scan carried out should include:
                    +
                  1. scan any files received over networks or via any form of storage medium, for malware before use;
                  2. +
                  3. scan electronic mail attachments and downloads for malware before use; this scan should be carried out at different places, e.g. at electronic mail servers, desk top computers and when entering the network of the organization;
                  4. +
                  5. scan web pages for malware;
                20. -
                21. XXXXXXXX XXXXXXXXXX XXX XXXXXXXXXXXXXXXX XX XXXX XXXX XXXXXXX XXXXXXXXXX XX XXXXXXX, XXXXXXXX XX XXXXX XXX, XXXXXXXXX XXX XXXXXXXXXX XXXX XXXXXXX XXXXXXX;
                22. -
                23. XXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXX XXX XXXXXXXXXX XXXX XXXXXXX XXXXXXX, XXXXXXXXX XXX XXXXXXXXX XXXX XXX XXXXXXXX XXXXXX XXX XXXXXXXX XXXXXXXXXXXX (XXX 12.3);
                24. -
                25. XXXXXXXXXXXX XXXXXXXXXX XX XXXXXXXXX XXXXXXX XXXXXXXXXXX, XXXX XX XXXXXXXXXXX XX XXXXXXX XXXXX XX XXXXXXXXX XXXXXXXX XXXXXX XXXXXXXXXXX XXXXX XXX XXXXXXX;
                26. -
                27. XXXXXXXXXXXX XXXXXXXXXX XX XXXXXX XXXXXXXXXXX XXXXXXXX XX XXXXXXX, XXX XXXXXX XXXX XXXXXXX XXXXXXXXX XXX XXXXXXXX XXX XXXXXXXXXXX; XXXXXXXX XXXXXX XXXXXX XXXX XXXXXXXXX XXXXXXX, X.X. XXXXXXXXX XXXXXXXX, XXXXXXXX XXXXXXXX XXXXX XX XXXXXXXXX XXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXX XXXXXXX, XXX XXXX XX XXXXXXXXXXXXX XXXXXXX XXXXXX XXX XXXX XXXXXXX; XXX XXXXX XXXXXX XX XXXX XXXXX XX XXX XXXXXXX XX XXXXXX XXX XXXX XX XX XX XXXXXXX XX XXXX;
                28. -
                29. XXXXXXXXX XXXXXXXXXXXX XXXXX XXXXXXXXXXXX XXXXXXX XXX XXXXXX.
                30. +
                31. defining procedures and responsibilities to deal with malware protection on systems, training in their use, reporting and recovering from malware attacks;
                32. +
                33. preparing appropriate business continuity plans for recovering from malware attacks, including all necessary data and software backup and recovery arrangements (see 12.3);
                34. +
                35. implementing procedures to regularly collect information, such as subscribing to mailing lists or verifying websites giving information about new malware;
                36. +
                37. implementing procedures to verify information relating to malware, and ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable Internet sites or suppliers producing software protecting against malware, are used to differentiate between hoaxes and real malware; all users should be made aware of the problem of hoaxes and what to do on receipt of them;
                38. +
                39. isolating environments where catastrophic impacts may result.
                -

                XXX XXX XX XXX XX XXXX XXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXX XXXXXXX XXXXXX XXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXXX XXXX XXXXXXXXX XXXXXXX XXX XXXXXXXXXX XXX XXXXXXX XXX XXXXXXXXXXXXX XX XXXXXXX XXXXXXXXXX.

                -

                XXXX XXXXXX XX XXXXX XX XXXXXXX XXXXXXX XXX XXXXXXXXXXXX XX XXXXXXX XXXXXX XXXXXXXXXXX XXX XXXXXXXXX XXXXXXXXXX, XXXXX XXX XXXXXX XXXXXX XXXXXXX XXXXXXXXXX XXXXXXXX.

                -

                XXXXX XXXXXXX XXXXXXXXXX, XXXXXXX XXXXXXXXXX XXXXX XXXXX XXXXXXXXXXX XXXXXX XXXXXXXXXX.

                -

                XXX XX XXXXXXX XXXXXXXXX XXX XXXXXX XXXXXXXX XXXXX XX X XXXXXXX XXXXXXX XX XXX XXXXXXX XXXXXXXX XXX XXXXXXXX XXXXX XX XX XXXXXXXXXXX XX XXXXXXXXX XXXXXXXXXX XXXX XXXXXXX XXXXXXXXXXXX XX XXXXXXX.

                +

                The use of two or more software products protecting against malware across the information processing environment from different vendors and technology can improve the effectiveness of malware protection.

                +

                Care should be taken to protect against the introduction of malware during maintenance and emergency procedures, which may bypass normal malware protection controls.

                +

                Under certain conditions, malware protection might cause disturbance within operations.

                +

                Use of malware detection and repair software alone as a malware control is not usually adequate and commonly needs to be accompanied by operating procedures that prevent introduction of malware.

                @@ -1566,30 +1564,30 @@ Backup 12.3 -

                XX XXXXXXX XXXXXXX XXXX XX XXXX.

                +

                Objective: To protect against loss of data.

                Information backup 12.3.1 -

                XXXXXX XXXXXX XX XXXXXXXXXXX, XXXXXXXX XXX XXXXXX XXXXXX XXXXXX XX XXXXX XXX XXXXXX XXXXXXXXX XX XXXXXXXXXX XXXX XX XXXXXX XXXXXX XXXXXX.

                +

                Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy.

                -

                X XXXXXX XXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXX XXX XXXXXXXXXXXX’X XXXXXXXXXXXX XXX XXXXXX XX XXXXXXXXXXX, XXXXXXXX XXX XXXXXXX.

                -

                XXX XXXXXX XXXXXX XXXXXX XXXXXX XXX XXXXXXXXX XXX XXXXXXXXXX XXXXXXXXXXXX.

                -

                XXXXXXXX XXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXX XX XXXXXX XXXX XXX XXXXXXXXX XXXXXXXXXXX XXX XXXXXXXX XXX XX XXXXXXXXX XXXXXXXXX X XXXXXXXX XX XXXXX XXXXXXX.

                -

                XXXX XXXXXXXXX X XXXXXX XXXX, XXX XXXXXXXXX XXXXX XXXXXX XX XXXXX XXXX XXXXXXXXXXXXX:

                +

                A backup policy should be established to define the organization’s requirements for backup of information, software and systems.

                +

                The backup policy should define the retention and protection requirements.

                +

                Adequate backup facilities should be provided to ensure that all essential information and software can be recovered following a disaster or media failure.

                +

                When designing a backup plan, the following items should be taken into consideration:

                  -
                1. XXXXXXXX XXX XXXXXXXX XXXXXXX XX XXX XXXXXX XXXXXX XXX XXXXXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXX;
                2. -
                3. XXX XXXXXX (X.X. XXXX XX XXXXXXXXXXXX XXXXXX) XXX XXXXXXXXX XX XXXXXXX XXXXXX XXXXXXX XXX XXXXXXXX XXXXXXXXXXXX XX XXX XXXXXXXXXXXX, XXX XXXXXXXX XXXXXXXXXXXX XX XXX XXXXXXXXXXX XXXXXXXX XXX XXX XXXXXXXXXXX XX XXX XXXXXXXXXXX XX XXX XXXXXXXXX XXXXXXXXX XX XXX XXXXXXXXXXXX;
                4. -
                5. XXX XXXXXXX XXXXXX XX XXXXXX XX X XXXXXX XXXXXXXX, XX X XXXXXXXXXX XXXXXXXX XX XXXXXX XXX XXXXXX XXXX X XXXXXXXX XX XXX XXXX XXXX;
                6. -
                7. XXXXXX XXXXXXXXXXX XXXXXX XX XXXXX XX XXXXXXXXXXX XXXXX XX XXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX (XXX Clause 11) XXXXXXXXXX XXXX XXX XXXXXXXXX XXXXXXX XX XXX XXXX XXXX;
                8. -
                9. XXXXXX XXXXX XXXXXX XX XXXXXXXXX XXXXXX XX XXXXXX XXXX XXXX XXX XX XXXXXX XXXX XXX XXXXXXXXX XXX XXXX XXXXXXXXX; XXXX XXXXXX XX XXXXXXXX XXXX X XXXX XX XXX XXXXXXXXXXX XXXXXXXXXX XXX XXXXXXX XXXXXXX XXX XXXXXXXXXXX XXXX XXXXXXXX. XXXXXXX XXX XXXXXXX XX XXXXXXX XXXXXX-XX XXXX XXXXXX XX XXXXXXXXX XXXX XXXXXXXXX XXXX XXXXX, XXX XX XXXXXXXXXXX XXX XXXXXXXX XXXXX XX XXXX XXX XXXXXX XX XXXXXXXXXXX XXXXXXX XXXXX XXX XXXXXX XXXXXXXXXXX XXXX XXXXXX XX XXXX;
                10. -
                11. XX XXXXXXXXXX XXXXX XXXXXXXXXXXXXXX XX XX XXXXXXXXXX, XXXXXXX XXXXXX XX XXXXXXXXX XX XXXXX XX XXXXXXXXXX.
                12. +
                13. accurate and complete records of the backup copies and documented restoration procedures should be produced;
                14. +
                15. the extent (e.g. full or differential backup) and frequency of backups should reflect the business requirements of the organization, the security requirements of the information involved and the criticality of the information to the continued operation of the organization;
                16. +
                17. the backups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site;
                18. +
                19. backup information should be given an appropriate level of physical and environmental protection (see Clause 11) consistent with the standards applied at the main site;
                20. +
                21. backup media should be regularly tested to ensure that they can be relied upon for emergency use when necessary; this should be combined with a test of the restoration procedures and checked against the restoration time required. Testing the ability to restore backed-up data should be performed onto dedicated test media, not by overwriting the original media in case the backup or restoration process fails and causes irreparable data damage or loss;
                22. +
                23. in situations where confidentiality is of importance, backups should be protected by means of encryption.
                -

                XXXXXXXXXXX XXXXXXXXXX XXXXXX XXXXXXX XXX XXXXXXXXX XX XXXXXXX XXX XXXXXXX XXXXXXXX XX XXXXXXXXX XXXXXXX XX XXXXXX XXXXXXXXXXXX XX XXXXXXX XXXXXXXXX XX XXX XXXXXX XXXXXX.

                -

                XXXXXX XXXXXXXXXXXX XXX XXXXXXXXXX XXXXXXX XXX XXXXXXXX XXXXXX XX XXXXXXXXX XXXXXX XX XXXXXX XXXX XXXX XXXX XXX XXXXXXXXXXXX XX XXXXXXXX XXXXXXXXXX XXXXX. XX XXX XXXX XX XXXXXXXX XXXXXXX XXX XXXXXXXX, XXXXXX XXXXXXXXXXXX XXXXXX XXXXX XXX XXXXXXX XXXXXXXXXXX, XXXXXXXXXXXX XXX XXXX XXXXXXXXX XX XXXXXXX XXX XXXXXXXX XXXXXX XX XXX XXXXX XX X XXXXXXXX.

                -

                XXX XXXXXXXXX XXXXXX XXX XXXXXXXXX XXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXXX, XXXXXX XXXX XXXXXXX XXX XXXXXXXXXXX XXX XXXXXXX XXXXXX XX XX XXXXXXXXXXX XXXXXXXX.

                +

                Operational procedures should monitor the execution of backups and address failures of scheduled backups to ensure completeness of backups according to the backup policy.

                +

                Backup arrangements for individual systems and services should be regularly tested to ensure that they meet the requirements of business continuity plans. In the case of critical systems and services, backup arrangements should cover all systems information, applications and data necessary to recover the complete system in the event of a disaster.

                +

                The retention period for essential business information should be determined, taking into account any requirement for archive copies to be permanently retained.

                @@ -1597,84 +1595,84 @@ Logging and monitoring 12.4 -

                XX XXXXXX XXXXXX XXX XXXXXXXX XXXXXXXX.

                +

                Objective: To record events and generate evidence.

                Event logging 12.4.1 -

                XXXXX XXXX XXXXXXXXX XXXX XXXXXXXXXX, XXXXXXXXXX, XXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXX XXXXXX XX XXXXXXXX, XXXX XXX XXXXXXXXX XXXXXXXX.

                +

                Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed.

                -

                XXXXX XXXX XXXXXX XXXXXXX, XXXX XXXXXXXX:

                +

                Event logs should include, when relevant:

                  -
                1. XXXX XXX;
                2. -
                3. XXXXXX XXXXXXXXXX;
                4. -
                5. XXXXX, XXXXX XXX XXXXXXX XX XXX XXXXXX, X.X. XXX-XX XXX XXX-XXX;
                6. -
                7. XXXXXX XXXXXXXX XX XXXXXXXX XX XXXXXXXX XXX XXXXXX XXXXXXXXXX;
                8. -
                9. XXXXXXX XX XXXXXXXXXX XXX XXXXXXXX XXXXXX XXXXXX XXXXXXXX;
                10. -
                11. XXXXXXX XX XXXXXXXXXX XXX XXXXXXXX XXXX XXX XXXXX XXXXXXXX XXXXXX XXXXXXXX;
                12. -
                13. XXXXXXX XX XXXXXX XXXXXXXXXXXXX;
                14. -
                15. XXX XX XXXXXXXXXX;
                16. -
                17. XXX XX XXXXXX XXXXXXXXX XXX XXXXXXXXXXXX;
                18. -
                19. XXXXX XXXXXXXX XXX XXX XXXX XX XXXXXX;
                20. -
                21. XXXXXXX XXXXXXXXX XXX XXXXXXXXX;
                22. -
                23. XXXXXX XXXXXX XX XXX XXXXXX XXXXXXX XXXXXX;
                24. -
                25. XXXXXXXXXX XXX XX-XXXXXXXXXX XX XXXXXXXXXX XXXXXXX, XXXX XX XXXX-XXXXX XXXXXXX XXX XXXXXXXXX XXXXXXXXX XXXXXXX;
                26. -
                27. XXXXXXX XX XXXXXXXXXXXX XXXXXXXX XX XXXXX XX XXXXXXXXXXXX.
                28. +
                29. user IDs;
                30. +
                31. system activities;
                32. +
                33. dates, times and details of key events, e.g. log-on and log-off;
                34. +
                35. device identity or location if possible and system identifier;
                36. +
                37. records of successful and rejected system access attempts;
                38. +
                39. records of successful and rejected data and other resource access attempts;
                40. +
                41. changes to system configuration;
                42. +
                43. use of privileges;
                44. +
                45. use of system utilities and applications;
                46. +
                47. files accessed and the kind of access;
                48. +
                49. network addresses and protocols;
                50. +
                51. alarms raised by the access control system;
                52. +
                53. activation and de-activation of protection systems, such as anti-virus systems and intrusion detection systems;
                54. +
                55. records of transactions executed by users in applications.
                -

                XXXXX XXXXXXX XXXX XXX XXXXXXXXXX XXX XXXXXXXXX XXXXXXXXXX XXXXXXX XXXXX XXX XXXXXXX XX XXXXXXXXXX XXXXXXXXXXXX XXXXXXX XXX XXXXXX XX XXXXXX XXXXXXXX.

                +

                Event logging sets the foundation for automated monitoring systems which are capable of generating consolidated reports and alerts on system security.

                -

                XXXXX XXXX XXX XXXXXXX XXXXXXXXX XXXX XXX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX. XXXXXXXXXXX XXXXXXX XXXXXXXXXX XXXXXXXX XXXXXX XX XXXXX (XXX 18.1.4).

                -

                XXXXX XXXXXXXX, XXXXXX XXXXXXXXXXXXXX XXXXXX XXX XXXX XXXXXXXXXX XX XXXXX XX XX-XXXXXXXX XXXX XX XXXXX XXX XXXXXXXXXX (XXX 12.4.3).

                +

                Event logs can contain sensitive data and personally identifiable information. Appropriate privacy protection measures should be taken (see 18.1.4).

                +

                Where possible, system administrators should not have permission to erase or de-activate logs of their own activities (see 12.4.3).

                Protection of log information 12.4.2 -

                XXXXXXX XXXXXXXXXX XXX XXX XXXXXXXXXXX XXXXXX XX XXXXXXXXX XXXXXXX XXXXXXXXX XXX XXXXXXXXXXXX XXXXXX.

                +

                Logging facilities and log information should be protected against tampering and unauthorized access.

                -

                XXXXXXXX XXXXXX XXX XX XXXXXXX XXXXXXX XXXXXXXXXXXX XXXXXXX XX XXX XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXX XXX XXXXXXX XXXXXXXX XXXXXXXXX:

                +

                Controls should aim to protect against unauthorized changes to log information and operational problems with the logging facility including:

                  -
                1. XXXXXXXXXXX XX XXX XXXXXXX XXXXX XXXX XXX XXXXXXXX;
                2. -
                3. XXX XXXXX XXXXX XXXXXX XX XXXXXXX;
                4. -
                5. XXXXXXX XXXXXXXX XX XXX XXX XXXX XXXXX XXXXX XXXXXXXX, XXXXXXXXX XX XXXXXX XXX XXXXXXX XX XXXXXX XXXXXX XX XXXX-XXXXXXX XX XXXX XXXXXXXX XXXXXX.
                6. +
                7. alterations to the message types that are recorded;
                8. +
                9. log files being edited or deleted;
                10. +
                11. storage capacity of the log file media being exceeded, resulting in either the failure to record events or over-writing of past recorded events.
                -

                XXXX XXXXX XXXX XXX XX XXXXXXXX XX XX XXXXXXXX XX XXXX XX XXX XXXXXX XXXXXXXXX XXXXXX XX XXXXXXX XX XXXXXXXXXXXX XX XXXXXXX XXX XXXXXX XXXXXXXX (XXX 16.1.7).

                +

                Some audit logs may be required to be archived as part of the record retention policy or because of requirements to collect and retain evidence (see 16.1.7).

                -

                XXXXXX XXXX XXXXX XXXXXXX X XXXXX XXXXXX XX XXXXXXXXXXX, XXXX XX XXXXX XX XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX. XX XXXX XXXXXXXX XXXXXXXXXXX XXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXX, XXX XXXXXXX XX XXXXXXXXXXX XXXXXXX XXXXX XXXXXXXXXXXXX XX X XXXXXX XXX, XX XXX XXX XX XXXXXXXX XXXXXX XXXXXXXXX XX XXXXX XXXXX XX XXXXXXX XXXX XXXXXXXXXXXXX XXX XXXXXXXXXXXXXXX XXXXXX XX XXXXXXXXXX.

                -

                XXXXXX XXXX XXXX XX XX XXXXXXXXX, XXXXXXX XX XXX XXXX XXX XX XXXXXXXX XX XXXX XX XXXX XXXXXXX, XXXXX XXXXXXXXX XXX XXXXXX X XXXXX XXXXX XX XXXXXXXX. XXXX-XXXX XXXXXXX XX XXXX XX X XXXXXX XXXXXXX XXX XXXXXXX XX X XXXXXX XXXXXXXXXXXXX XX XXXXXXXX XXX XX XXXX XX XXXXXXXXX XXXX.

                +

                System logs often contain a large volume of information, much of which is extraneous to information security monitoring. To help identify significant events for information security monitoring purposes, the copying of appropriate message types automatically to a second log, or the use of suitable system utilities or audit tools to perform file interrogation and rationalization should be considered.

                +

                System logs need to be protected, because if the data can be modified or data in them deleted, their existence may create a false sense of security. Real-time copying of logs to a system outside the control of a system administrator or operator can be used to safeguard logs.

                Administrator and operator logs 12.4.3 -

                XXXXXX XXXXXXXXXXXXX XXX XXXXXX XXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXX XXX XXX XXXX XXXXXXXXX XXX XXXXXXXXX XXXXXXXX.

                +

                System administrator and system operator activities should be logged and the logs protected and regularly reviewed.

                -

                XXXXXXXXXX XXXX XXXXXXX XXXXXXX XXX XX XXXX XX XXXXXXXXXX XXX XXXX XX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXX XXXXX XXXXXX XXXXXXX, XXXXXXXXX XX XX XXXXXXXXX XX XXXXXXX XXX XXXXXX XXX XXXX XX XXXXXXXX XXXXXXXXXXXXXX XXX XXX XXXXXXXXXX XXXXX.

                +

                Privileged user account holders may be able to manipulate the logs on information processing facilities under their direct control, therefore it is necessary to protect and review the logs to maintain accountability for the privileged users.

                -

                XX XXXXXXXXX XXXXXXXXX XXXXXX XXXXXXX XXXXXXX XX XXX XXXXXXX XX XXXXXX XXX XXXXXXX XXXXXXXXXXXXXX XXX XX XXXX XX XXXXXXX XXXXXX XXX XXXXXXX XXXXXXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXX.

                +

                An intrusion detection system managed outside of the control of system and network administrators can be used to monitor system and network administration activities for compliance.

                Clock synchronisation 12.4.4 -

                XXX XXXXXX XX XXX XXXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXXX XXXXXX XX XXXXXXXXXXXX XX XXXXXXXX XXXXXX XXXXXX XX XXXXXXXXXXXX XX X XXXXXX XXXXXXXXX XXXX XXXXXX.

                +

                The clocks of all relevant information processing systems within an organization or security domain should be synchronised to a single reference time source.

                -

                XXXXXXXX XXX XXXXXXXX XXXXXXXXXXXX XXX XXXX XXXXXXXXXXXXXX, XXXXXXXXXXXXXXX XXX XXXXXXXX XXXXXX XX XXXXXXXXXX. XXXX XXXXXXXXXXXX XXX XX XXXXX, XXXXXXXXXX, XXXXXXXXXXX XXXXXXXXXXXX, XXXXXXXXX XXXXXXXXXX XX XXXXXXXXXXXX XXX XXXXXXXX XXXXXXXXXX. X XXXXXXXX XXXXXXXXX XXXX XXX XXX XXXXXX XXX XXXXXXXXXXXX XXXXXX XX XXXXXXX.

                -

                XXX XXXXXXXXXXXX’X XXXXXXXX XX XXXXXXXXX X XXXXXXXXX XXXX XXXX XXXXXXXX XXXXXX(X) XXX XXX XX XXXXXXXXXXX XXXXXXXX XXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXXXXXX.

                +

                External and internal requirements for time representation, synchronisation and accuracy should be documented. Such requirements can be legal, regulatory, contractual requirements, standards compliance or requirements for internal monitoring. A standard reference time for use within the organization should be defined.

                +

                The organization’s approach to obtaining a reference time from external source(s) and how to synchronise internal clocks reliably should be documented and implemented.

                -

                XXX XXXXXXX XXXXXXX XX XXXXXXXX XXXXXX XX XXXXXXXXX XX XXXXXX XXX XXXXXXXX XX XXXXX XXXX, XXXXX XXX XX XXXXXXXX XXX XXXXXXXXXXXXXX XX XX XXXXXXXX XX XXXXX XX XXXXXXXXXXXX XXXXX. XXXXXXXXXX XXXXX XXXX XXX XXXXXX XXXX XXXXXXXXXXXXXX XXX XXXXXX XXX XXXXXXXXXXX XX XXXX XXXXXXXX. X XXXXX XXXXXX XX X XXXXX XXXX XXXXXXXXX XXXX X XXXXXXXX XXXXXX XXXXX XXX XX XXXX XX XXX XXXXXX XXXXX XXX XXXXXXX XXXXXXX. X XXXXXXX XXXX XXXXXXXX XXX XX XXXX XX XXXX XXX XX XXX XXXXXXX XX XXXXXXXXXXXXXXX XXXX XXX XXXXXX XXXXX.

                +

                The correct setting of computer clocks is important to ensure the accuracy of audit logs, which may be required for investigations or as evidence in legal or disciplinary cases. Inaccurate audit logs may hinder such investigations and damage the credibility of such evidence. A clock linked to a radio time broadcast from a national atomic clock can be used as the master clock for logging systems. A network time protocol can be used to keep all of the servers in synchronisation with the master clock.

                @@ -1682,30 +1680,30 @@ Control of operational software 12.5 -

                XX XXXXXX XXX XXXXXXXXX XX XXXXXXXXXXX XXXXXXX.

                +

                Objective: To ensure the integrity of operational systems.

                Installation of software on operational systems 12.5.1 -

                XXXXXXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXXX XXX XXXXXXXXXXXX XX XXXXXXXX XX XXXXXXXXXXX XXXXXXX.

                +

                Procedures should be implemented to control the installation of software on operational systems.

                -

                XXX XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXX XXXXXXX XX XXXXXXXX XX XXXXXXXXXXX XXXXXXX:

                +

                The following guidelines should be considered to control changes of software on operational systems:

                  -
                1. XXX XXXXXXXX XX XXX XXXXXXXXXXX XXXXXXXX, XXXXXXXXXXXX XXX XXXXXXX XXXXXXXXX XXXXXX XXXX XX XXXXXXXXX XX XXXXXXX XXXXXXXXXXXXXX XXXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXXXXX (XXX 9.4.5);
                2. -
                3. XXXXXXXXXXX XXXXXXX XXXXXX XXXX XXXX XXXXXXXX XXXXXXXXXX XXXX XXX XXX XXXXXXXXXXX XXXX XX XXXXXXXXX;
                4. -
                5. XXXXXXXXXXXX XXX XXXXXXXXX XXXXXX XXXXXXXX XXXXXX XXXX XX XXXXXXXXXXX XXXXX XXXXXXXXX XXX XXXXXXXXXX XXXXXXX; XXX XXXXX XXXXXX XXXXX XXXXXXXXX, XXXXXXXX, XXXXXXX XX XXXXX XXXXXXX XXX XXXX-XXXXXXXXXXXX XXX XXXXXX XX XXXXXXX XXX XX XXXXXXXX XXXXXXX (XXX 12.1.4); XX XXXXXX XX XXXXXXX XXXX XXX XXXXXXXXXXXXX XXXXXXX XXXXXX XXXXXXXXX XXXX XXXX XXXXXXX;
                6. -
                7. X XXXXXXXXXXXXX XXXXXXX XXXXXX XXXXXX XX XXXX XX XXXX XXXXXXX XX XXX XXXXXXXXXXX XXXXXXXX XX XXXX XX XXX XXXXXX XXXXXXXXXXXXX;
                8. -
                9. X XXXXXXXX XXXXXXXX XXXXXX XX XX XXXXX XXXXXX XXXXXXX XXX XXXXXXXXXXX;
                10. -
                11. XX XXXXX XXX XXXXXX XX XXXXXXXXXX XX XXX XXXXXXX XX XXXXXXXXXXX XXXXXXX XXXXXXXXX;
                12. -
                13. XXXXXXXX XXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXX XX X XXXXXXXXXXX XXXXXXX;
                14. -
                15. XXX XXXXXXXX XX XXXXXXXX XXXXXX XX XXXXXXXX, XXXXXXXX XXXX XXX XXXXXXXX XXXXXXXXXXX XXX XXXXXXXXXX, XXXXXXXXXX, XXXXXXXXXXXXX XXXXXXX XXX XXXXXXXXXX XXXXXXXX XXX XX XXXX XX XXX XXXX XXX XXXXXXXX XX XXXXXXX.
                16. +
                17. the updating of the operational software, applications and program libraries should only be performed by trained administrators upon appropriate management authorization (see 9.4.5);
                18. +
                19. operational systems should only hold approved executable code and not development code or compilers;
                20. +
                21. applications and operating system software should only be implemented after extensive and successful testing; the tests should cover usability, security, effects on other systems and user-friendliness and should be carried out on separate systems (see 12.1.4); it should be ensured that all corresponding program source libraries have been updated;
                22. +
                23. a configuration control system should be used to keep control of all implemented software as well as the system documentation;
                24. +
                25. a rollback strategy should be in place before changes are implemented;
                26. +
                27. an audit log should be maintained of all updates to operational program libraries;
                28. +
                29. previous versions of application software should be retained as a contingency measure;
                30. +
                31. old versions of software should be archived, together with all required information and parameters, procedures, configuration details and supporting software for as long as the data are retained in archive.
                -

                XXXXXX XXXXXXXX XXXXXXXX XXXX XX XXXXXXXXXXX XXXXXXX XXXXXX XX XXXXXXXXXX XX X XXXXX XXXXXXXXX XX XXX XXXXXXXX. XXXX XXXX, XXXXXXXX XXXXXXX XXXX XXXXX XX XXXXXXX XXXXX XXXXXXXX XX XXXXXXXX. XXX XXXXXXXXXXXX XXXXXX XXXXXXXX XXX XXXXX XX XXXXXXX XX XXXXXXXXXXX XXXXXXXX.

                -

                XXX XXXXXXXX XX XXXXXXX XX X XXX XXXXXXX XXXXXX XXXX XXXX XXXXXXX XXX XXXXXXXX XXXXXXXXXXXX XXX XXX XXXXXX XXX XXX XXXXXXXX XX XXX XXXXXXX, X.X. XXX XXXXXXXXXXXX XX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXXX XX XXX XXXXXX XXX XXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXXX XXXX XXXXXXX. XXXXXXXX XXXXXXX XXXXXX XX XXXXXXX XXXX XXXX XXX XXXX XX XXXXXX XX XXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX (XXX 12.6).

                -

                XXXXXXXX XX XXXXXXX XXXXXX XXXXXX XXXX XX XXXXX XX XXXXXXXXX XXX XXXXXXX XXXXXXXX XXXX XXXXXXXXX XXX XXXX XXXXXXXXXX XXXXXXXX. XXX XXXXXXXX’X XXXXXXXXXX XXXXXX XX XXXXXXXXX (XXX 15.2.1).

                -

                XXXXXXXX XXXXXXXX XXX XXXX XX XXXXXXXXXX XXXXXXXX XXXXXXXX XXX XXXXXXX, XXXXX XXXXXX XX XXXXXXXXX XXX XXXXXXXXXX XX XXXXX XXXXXXXXXXXX XXXXXXX, XXXXX XXXXX XXXXXXXXX XXXXXXXX XXXXXXXXXX.

                +

                Vendor supplied software used in operational systems should be maintained at a level supported by the supplier. Over time, software vendors will cease to support older versions of software. The organization should consider the risks of relying on unsupported software.

                +

                Any decision to upgrade to a new release should take into account the business requirements for the change and the security of the release, e.g. the introduction of new information security functionality or the number and severity of information security problems affecting this version. Software patches should be applied when they can help to remove or reduce information security weaknesses (see 12.6).

                +

                Physical or logical access should only be given to suppliers for support purposes when necessary and with management approval. The supplier’s activities should be monitored (see 15.2.1).

                +

                Computer software may rely on externally supplied software and modules, which should be monitored and controlled to avoid unauthorized changes, which could introduce security weaknesses.

                @@ -1713,56 +1711,56 @@ Technical vulnerability management 12.6 -

                XX XXXXXXX XXXXXXXXXXXX XX XXXXXXXXX XXXXXXXXXXXXXXX.

                +

                Objective: To prevent exploitation of technical vulnerabilities.

                Management of technical vulnerabilities 12.6.1 -

                XXXXXXXXXXX XXXXX XXXXXXXXX XXXXXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXX XXXXX XXXX XXXXXX XX XXXXXXXX XX X XXXXXX XXXXXXX, XXX XXXXXXXXXXXX’X XXXXXXXX XX XXXX XXXXXXXXXXXXXXX XXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXX XX XXXXXXX XXX XXXXXXXXXX XXXX.

                +

                Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

                -

                X XXXXXXX XXX XXXXXXXX XXXXXXXXX XX XXXXXX (XXX Clause 8) XX X XXXXXXXXXXXX XXX XXXXXXXXX XXXXXXXXX XXXXXXXXXXXXX XXXXXXXXXX. XXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXX XXXXXXXXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXXXX XXX XXXXXXXX XXXXXX, XXXXXXX XXXXXXX, XXXXXXX XXXXX XX XXXXXXXXXX (X.X. XXXX XXXXXXXX XX XXXXXXXXX XX XXXX XXXXXXX) XXX XXX XXXXXX(X) XXXXXX XXX XXXXXXXXXXXX XXXXXXXXXXX XXX XXX XXXXXXXX.

                -

                XXXXXXXXXXX XXX XXXXXX XXXXXX XXXXXX XX XXXXX XX XXXXXXXX XX XXX XXXXXXXXXXXXXX XX XXXXXXXXX XXXXXXXXX XXXXXXXXXXXXXXX. XXX XXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXX XX XXXXXXXXX XX XXXXXXXXX XXXXXXXXXX XXXXXXX XXX XXXXXXXXX XXXXXXXXXXXXXXX:

                +

                A current and complete inventory of assets (see Clause 8) is a prerequisite for effective technical vulnerability management. Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within the organization responsible for the software.

                +

                Appropriate and timely action should be taken in response to the identification of potential technical vulnerabilities. The following guidance should be followed to establish an effective management process for technical vulnerabilities:

                  -
                1. XXX XXXXXXXXXXXX XXXXXX XXXXXX XXX XXXXXXXXX XXX XXXXX XXX XXXXXXXXXXXXXXXX XXXXXXXXXX XXXX XXXXXXXXX XXXXXXXXXXXXX XXXXXXXXXX, XXXXXXXXX XXXXXXXXXXXXX XXXXXXXXXX, XXXXXXXXXXXXX XXXX XXXXXXXXXX, XXXXXXXX, XXXXX XXXXXXXX XXX XXX XXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXX;
                2. -
                3. XXXXXXXXXXX XXXXXXXXX XXXX XXXX XX XXXX XX XXXXXXXX XXXXXXXX XXXXXXXXX XXXXXXXXXXXXXXX XXX XX XXXXXXXX XXXXXXXXX XXXXX XXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXXX XXX XXXXX XXXXXXXXXX (XXXXX XX XXX XXXXX XXXXXXXXX XXXX, XXX 8.1.1); XXXXX XXXXXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXX XXXXX XX XXXXXXX XX XXX XXXXXXXXX XX XXXX XXXXX XXX XX XXXXXX XXXXXXXXX XXX XXXXX;
                4. -
                5. X XXXXXXXX XXXXXX XX XXXXXXX XX XXXXX XX XXXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXXXXXXXXXXXXXX;
                6. -
                7. XXXX X XXXXXXXXX XXXXXXXXX XXXXXXXXXXXXX XXX XXXX XXXXXXXXXX, XXX XXXXXXXXXXXX XXXXXX XXXXXXXX XXX XXXXXXXXXX XXXXX XXX XXX XXXXXXX XX XX XXXXX; XXXX XXXXXX XXXXX XXXXXXX XXXXXXXX XX XXXXXXXXXX XXXXXXX XX XXXXXXXX XXXXX XXXXXXXX;
                8. -
                9. XXXXXXXXX XX XXX XXXXXXXX X XXXXXXXXX XXXXXXXXXXXXX XXXXX XX XX XXXXXXXXX, XXX XXXXXX XXXXX XXXXXX XX XXXXXXX XXX XXXXXXXXX XX XXX XXXXXXXX XXXXXXX XX XXXXXX XXXXXXXXXX (XXX 12.1.2) XX XX XXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXXXX (XXX 16.1.5);
                10. -
                11. XX X XXXXX XX XXXXXXXXX XXXX X XXXXXXXXXX XXXXXX, XXX XXXXX XXXXXXXXXX XXXX XXXXXXXXXX XXX XXXXX XXXXXX XX XXXXXXXX (XXX XXXXX XXXXX XX XXX XXXXXXXXXXXXX XXXXXX XX XXXXXXXX XXXX XXX XXXX XX XXXXXXXXXX XXX XXXXX);
                12. -
                13. XXXXXXX XXXXXX XX XXXXXX XXX XXXXXXXXX XXXXXX XXXX XXX XXXXXXXXX XX XXXXXX XXXX XXX XXXXXXXXX XXX XX XXX XXXXXX XX XXXX XXXXXXX XXXX XXXXXX XX XXXXXXXXX; XX XX XXXXX XX XXXXXXXXX, XXXXX XXXXXXXX XXXXXX XX XXXXXXXXXX, XXXX XX:
                    -
                  1. XXXXXXX XXX XXXXXXXX XX XXXXXXXXXXXX XXXXXXX XX XXX XXXXXXXXXXXXX;
                  2. -
                  3. XXXXXXXX XX XXXXXX XXXXXX XXXXXXXX, X.X. XXXXXXXXX, XX XXXXXXX XXXXXXX (XXX 13.1);
                  4. -
                  5. XXXXXXXXX XXXXXXXXXX XX XXXXXX XXXXXX XXXXXXX;
                  6. -
                  7. XXXXXXX XXXXXXXXX XX XXX XXXXXXXXXXXXX;
                  8. +
                  9. the organization should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking and any coordination responsibilities required;
                  10. +
                  11. information resources that will be used to identify relevant technical vulnerabilities and to maintain awareness about them should be identified for software and other technology (based on the asset inventory list, see 8.1.1); these information resources should be updated based on changes in the inventory or when other new or useful resources are found;
                  12. +
                  13. a timeline should be defined to react to notifications of potentially relevant technical vulnerabilities;
                  14. +
                  15. once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken; such action could involve patching of vulnerable systems or applying other controls;
                  16. +
                  17. depending on how urgently a technical vulnerability needs to be addressed, the action taken should be carried out according to the controls related to change management (see 12.1.2) or by following information security incident response procedures (see 16.1.5);
                  18. +
                  19. if a patch is available from a legitimate source, the risks associated with installing the patch should be assessed (the risks posed by the vulnerability should be compared with the risk of installing the patch);
                  20. +
                  21. patches should be tested and evaluated before they are installed to ensure they are effective and do not result in side effects that cannot be tolerated; if no patch is available, other controls should be considered, such as:
                      +
                    1. turning off services or capabilities related to the vulnerability;
                    2. +
                    3. adapting or adding access controls, e.g. firewalls, at network borders (see 13.1);
                    4. +
                    5. increased monitoring to detect actual attacks;
                    6. +
                    7. raising awareness of the vulnerability;
                  22. -
                  23. XX XXXXX XXX XXXXXX XX XXXX XXX XXX XXXXXXXXXX XXXXXXXXXX;
                  24. -
                  25. XXX XXXXXXXXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXXX XXXXXX XX XXXXXXXXX XXXXXXXXX XXX XXXXXXXXX XX XXXXX XX XXXXXX XXX XXXXXXXXXXXXX XXX XXXXXXXXXX;
                  26. -
                  27. XXXXXXX XX XXXX XXXX XXXXXX XX XXXXXXXXX XXXXX;
                  28. -
                  29. XX XXXXXXXXX XXXXXXXXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXXX XXXXXX XX XXXXXXX XXXX XXXXXXXX XXXXXXXXXX XXXXXXXXXX, XX XXXXXXXXXXX XXXX XX XXXXXXXXXXXXXXX XX XXX XXXXXXXX XXXXXXXX XXXXXXXX XXX XXXXXXX XXXXXXXXX XXXXXXXXXX XX XX XXXXXXX XXX XXXXXX XX XXXXXXXX XXXXX;
                  30. -
                  31. XXXXXX X XXXXXXXXX XX XXXXXXX XXX XXXXXXXXX XXXXX X XXXXXXXXXXXXX XXX XXXX XXXXXXXXXX XXX XXXXX XX XX XXXXXXXX XXXXXXXXXXXXXX. XX XXXX XXXXXXXXX, XXX XXXXXXXXXXXX XXXXXX XXXXXXXX XXXXX XXXXXXXX XX XXX XXXXX XXXXXXXXXXXXX XXX XXXXXX XXXXXXXXXXX XXXXXXXXX XXX XXXXXXXXXX XXXXXXX.
                  32. +
                  33. an audit log should be kept for all procedures undertaken;
                  34. +
                  35. the technical vulnerability management process should be regularly monitored and evaluated in order to ensure its effectiveness and efficiency;
                  36. +
                  37. systems at high risk should be addressed first;
                  38. +
                  39. an effective technical vulnerability management process should be aligned with incident management activities, to communicate data on vulnerabilities to the incident response function and provide technical procedures to be carried out should an incident occur;
                  40. +
                  41. define a procedure to address the situation where a vulnerability has been identified but there is no suitable countermeasure. In this situation, the organization should evaluate risks relating to the known vulnerability and define appropriate detective and corrective actions.
                  -

                  XXXXXXXXX XXXXXXXXXXXXX XXXXXXXXXX XXX XX XXXXXX XX X XXX-XXXXXXXX XX XXXXXX XXXXXXXXXX XXX XX XXXX XXX XXXX XXXXXXXXX XX XXX XXXXXX XXXXXXXXXX XXXXXXXXX XXX XXXXXXXXXX (XXX 12.1.2 XXX 14.2.2).

                  -

                  XXXXXXX XXX XXXXX XXXXX XXXXXXXXXXX XXXXXXXX XX XXXXXXX XXXXXXX XX XXXX XX XXXXXXXX. XXXXXXXXX, XXXXX XX X XXXXXXXXXXX XXXX X XXXXX XXXX XXX XXXXXXX XXX XXXXXXX XXXXXXXXXX XXX XXX XXXXXXXX XXXX XXXXXXX. XXXX, XX XXXX XXXXX, XXXXXXXXXXXX X XXXXX XXXXXX XX XXXXXX XXXXXXXX XXXX XXX XXXXX XXX XXXX XXXXXXX.

                  -

                  XX XXXXXXXX XXXXXXX XX XXX XXXXXXX XX XXX XXXXXXXX, X.X. XXXXXXX XX XXXXX XX XXXX XX XXXXXXXXX, X XXXXX XX XXXXXXXX XXX XX XXXXXXXXXX XX XXXXXXXX XXX XXXXXXXXXX XXXXX, XXXXX XX XXX XXXXXXXXXX XXXXXXXX XX XXXXX XXXXX. XXX XXX XX XXX/XXX XXXXX[14] XXX XX XXXXXXXXXX.

                  +

                  Technical vulnerability management can be viewed as a sub-function of change management and as such can take advantage of the change management processes and procedures (see 12.1.2 and 14.2.2).

                  +

                  Vendors are often under significant pressure to release patches as soon as possible. Therefore, there is a possibility that a patch does not address the problem adequately and has negative side effects. Also, in some cases, uninstalling a patch cannot be easily achieved once the patch has been applied.

                  +

                  If adequate testing of the patches is not possible, e.g. because of costs or lack of resources, a delay in patching can be considered to evaluate the associated risks, based on the experience reported by other users. The use of ISO/IEC 27031[14] can be beneficial.

                  Restrictions on software installation 12.6.2 -

                  XXXXX XXXXXXXXX XXX XXXXXXXXXXXX XX XXXXXXXX XX XXXXX XXXXXX XX XXXXXXXXXXX XXX XXXXXXXXXXX.

                  +

                  Rules governing the installation of software by users should be established and implemented.

                  -

                  XXX XXXXXXXXXXXX XXXXXX XXXXXX XXX XXXXXXX XXXXXX XXXXXX XX XXXXX XXXXX XX XXXXXXXX XXXXX XXX XXXXXXX.

                  -

                  XXX XXXXXXXXX XX XXXXX XXXXXXXXX XXXXXX XX XXXXXXX. XX XXXXXXX XXXXXXX XXXXXXXXXX, XXXXX XXX XXXX XXX XXXXXXX XX XXXXXXX XXXXXXXX. XXX XXXXXXXXXXXX XXXXXX XXXXXXXX XXXX XXXXX XX XXXXXXXX XXXXXXXXXXXXX XXX XXXXXXXXX (X.X. XXXXXXX XXX XXXXXXXX XXXXXXX XX XXXXXXXX XXXXXXXX) XXX XXXX XXXXX XX XXXXXXXXXXXXX XXX XXXXXXXXXX (X.X. XXXXXXXX XXXX XX XXXX XXX XXXXXXXX XXX XXX XXXXXXXX XXXXX XXXXXXXX XXXX XXXXXX XX XXXXX XXXXXXXXXXX XXXXXXXXX XX XXXXXXX XX XXXXXXX). XXXXX XXXXXXXXXX XXXXXX XX XXXXXXX XXXXXX XXXXXX XX XXX XXXXX XX XXX XXXXX XXXXXXXXX.

                  +

                  The organization should define and enforce strict policy on which types of software users may install.

                  +

                  The principle of least privilege should be applied. If granted certain privileges, users may have the ability to install software. The organization should identify what types of software installations are permitted (e.g. updates and security patches to existing software) and what types of installations are prohibited (e.g. software that is only for personal use and software whose pedigree with regard to being potentially malicious is unknown or suspect). These privileges should be granted having regard to the roles of the users concerned.

                  -

                  XXXXXXXXXXXX XXXXXXXXXXXX XX XXXXXXXX XX XXXXXXXXX XXXXXXX XXX XXXX XX XXXXXXXXXXX XXXXXXXXXXXXXXX XXX XXXX XX XXXXXXXXXXX XXXXXXX, XXXX XX XXXXXXXXX XX XXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX, XX XX XXXXXXXXX XX XXXXXXXXXXXX XXXXXXXX XXXXXX.

                  +

                  Uncontrolled installation of software on computing devices can lead to introducing vulnerabilities and then to information leakage, loss of integrity or other information security incidents, or to violation of intellectual property rights.

                  @@ -1770,24 +1768,24 @@ Information systems audit considerations 12.7 -

                  XX XXXXXXXX XXX XXXXXX XX XXXXX XXXXXXXXXX XX XXXXXXXXXXX XXXXXXX.

                  +

                  Objective: To minimise the impact of audit activities on operational systems.

                  Information systems audit controls 12.7.1 -

                  XXXXX XXXXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXX XXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXX XXXXXX XX XXXXXXXXX XXXXXXX XXX XXXXXX XX XXXXXXXX XXXXXXXXXXX XX XXXXXXXX XXXXXXXXX.

                  +

                  Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes.

                  -

                  XXX XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXX:

                  +

                  The following guidelines should be observed:

                    -
                  1. XXXXX XXXXXXXXXXXX XXX XXXXXX XX XXXXXXX XXX XXXX XXXXXX XX XXXXXX XXXX XXXXXXXXXXX XXXXXXXXXX;
                  2. -
                  3. XXX XXXXX XX XXXXXXXXX XXXXX XXXXX XXXXXX XX XXXXXX XXX XXXXXXXXXX;
                  4. -
                  5. XXXXX XXXXX XXXXXX XX XXXXXXX XX XXXX-XXXX XXXXXX XX XXXXXXXX XXX XXXX;
                  6. -
                  7. XXXXXX XXXXX XXXX XXXX-XXXX XXXXXX XXXX XX XXXXXXX XXX XXXXXXXX XXXXXX XX XXXXXX XXXXX, XXXXX XXXXXX XX XXXXXX XXXX XXX XXXXX XX XXXXXXXXX, XX XXXXX XXXXXXXXXXX XXXXXXXXXX XX XXXXX XX XX XXXXXXXXXX XX XXXX XXXX XXXXX XXXXX XXXXX XXXXXXXXXXXXX XXXXXXXXXXXX;
                  8. -
                  9. XXXXXXXXXXXX XXX XXXXXXX XX XXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXX;
                  10. -
                  11. XXXXX XXXXX XXXX XXXXX XXXXXX XXXXXX XXXXXXXXXXXX XXXXXX XX XXX XXXXXXX XXXXXXXX XXXXX;
                  12. -
                  13. XXX XXXXXX XXXXXX XX XXXXXXXXX XXX XXXXXX XX XXXXXXX X XXXXXXXXX XXXXX.
                  14. +
                  15. audit requirements for access to systems and data should be agreed with appropriate management;
                  16. +
                  17. the scope of technical audit tests should be agreed and controlled;
                  18. +
                  19. audit tests should be limited to read-only access to software and data;
                  20. +
                  21. access other than read-only should only be allowed for isolated copies of system files, which should be erased when the audit is completed, or given appropriate protection if there is an obligation to keep such files under audit documentation requirements;
                  22. +
                  23. requirements for special or additional processing should be identified and agreed;
                  24. +
                  25. audit tests that could affect system availability should be run outside business hours;
                  26. +
                  27. all access should be monitored and logged to produce a reference trail.
                  @@ -1800,47 +1798,47 @@ Network security management 13.1 -

                  XX XXXXXX XXX XXXXXXXXXX XX XXXXXXXXXXX XX XXXXXXXX XXX XXX XXXXXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX.

                  +

                  Objective: To ensure the protection of information in networks and its supporting information processing facilities.

                  Network controls 13.1.1 -

                  XXXXXXXX XXXXXX XX XXXXXXX XXX XXXXXXXXXX XX XXXXXXX XXXXXXXXXXX XX XXXXXXX XXX XXXXXXXXXXXX.

                  +

                  Networks should be managed and controlled to protect information in systems and applications.

                  -

                  XXXXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXX XXX XXXXXXXX XX XXXXXXXXXXX XX XXXXXXXX XXX XXX XXXXXXXXXX XX XXXXXXXXX XXXXXXXX XXXX XXXXXXXXXXXX XXXXXX. XX XXXXXXXXXX, XXX XXXXXXXXX XXXXX XXXXXX XX XXXXXXXXXX:

                  +

                  Controls should be implemented to ensure the security of information in networks and the protection of connected services from unauthorized access. In particular, the following items should be considered:

                    -
                  1. XXXXXXXXXXXXXXXX XXX XXXXXXXXXX XXX XXX XXXXXXXXXX XX XXXXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXXXXXX;
                  2. -
                  3. XXXXXXXXXXX XXXXXXXXXXXXXX XXX XXXXXXXX XXXXXX XX XXXXXXXXX XXXX XXXXXXXX XXXXXXXXXX XXXXX XXXXXXXXXXX (XXX 6.1.2);
                  4. -
                  5. XXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXXXXX XXX XXXXXXXXXXXXXXX XXX XXXXXXXXX XX XXXX XXXXXXX XXXX XXXXXX XXXXXXXX XX XXXX XXXXXXXX XXXXXXXX XXX XX XXXXXXX XXX XXXXXXXXX XXXXXXX XXX XXXXXXXXXXXX (XXX Clause 10 XXX 13.2); XXXXXXX XXXXXXXX XXX XXXX XX XXXXXXXX XX XXXXXXXX XXX XXXXXXXXXXXX XX XXX XXXXXXX XXXXXXXX XXX XXXXXXXXX XXXXXXXXX;
                  6. -
                  7. XXXXXXXXXXX XXXXXXX XXX XXXXXXXXXX XXXXXX XX XXXXXXX XX XXXXXX XXXXXXXXX XXX XXXXXXXXX XX XXXXXXX XXXX XXX XXXXXX, XX XXX XXXXXXXX XX, XXXXXXXXXXX XXXXXXXX;
                  8. -
                  9. XXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXX XXXXXXXXXXX XXXX XX XXXXXXXX XXX XXXXXXX XX XXX XXXXXXXXXXXX XXX XX XXXXXX XXXX XXXXXXXX XXX XXXXXXXXXXXX XXXXXXX XXXXXX XXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXXXXXX;
                  10. -
                  11. XXXXXXX XX XXX XXXXXXX XXXXXX XX XXXXXXXXXXXXX;
                  12. -
                  13. XXXXXXX XXXXXXXXXX XX XXX XXXXXXX XXXXXX XX XXXXXXXXXX.
                  14. +
                  15. responsibilities and procedures for the management of networking equipment should be established;
                  16. +
                  17. operational responsibility for networks should be separated from computer operations where appropriate (see 6.1.2);
                  18. +
                  19. special controls should be established to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks and to protect the connected systems and applications (see Clause 10 and 13.2); special controls may also be required to maintain the availability of the network services and computers connected;
                  20. +
                  21. appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, information security;
                  22. +
                  23. management activities should be closely coordinated both to optimize the service to the organization and to ensure that controls are consistently applied across the information processing infrastructure;
                  24. +
                  25. systems on the network should be authenticated;
                  26. +
                  27. systems connection to the network should be restricted.
                  -

                  XXXXXXXXXX XXXXXXXXXXX XX XXXXXXX XXXXXXXX XXX XX XXXXX XX XXX/XXX XXXXX.[15][16][17][18][19]

                  +

                  Additional information on network security can be found in ISO/IEC 27033.[15][16][17][18][19]

                  Security of network services 13.1.2 -

                  XXXXXXXX XXXXXXXXXX, XXXXXXX XXXXXX XXX XXXXXXXXXX XXXXXXXXXXXX XX XXX XXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXXX XX XXXXXXX XXXXXXXX XXXXXXXXXX, XXXXXXX XXXXX XXXXXXXX XXX XXXXXXXX XX-XXXXX XX XXXXXXXXXX.

                  +

                  Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.

                  -

                  XXX XXXXXXX XX XXX XXXXXXX XXXXXXX XXXXXXXX XX XXXXXX XXXXXX XXXXXXXX XX X XXXXXX XXX XXXXXX XX XXXXXXXXXX XXX XXXXXXXXX XXXXXXXXX, XXX XXX XXXXX XX XXXXX XXXXXX XX XXXXXX.

                  -

                  XXX XXXXXXXX XXXXXXXXXXXX XXXXXXXXX XXX XXXXXXXXXX XXXXXXXX, XXXX XX XXXXXXXX XXXXXXXX, XXXXXXX XXXXXX XXX XXXXXXXXXX XXXXXXXXXXXX, XXXXXX XX XXXXXXXXXX. XXX XXXXXXXXXXXX XXXXXX XXXXXX XXXX XXXXXXX XXXXXXX XXXXXXXXX XXXXXXXXX XXXXX XXXXXXXX.

                  +

                  The ability of the network service provider to manage agreed services in a secure way should be determined and regularly monitored, and the right to audit should be agreed.

                  +

                  The security arrangements necessary for particular services, such as security features, service levels and management requirements, should be identified. The organization should ensure that network service providers implement these measures.

                  -

                  XXXXXXX XXXXXXXX XXXXXXX XXX XXXXXXXXX XX XXXXXXXXXXX, XXXXXXX XXXXXXX XXXXXXXX XXX XXXXX XXXXX XXXXXXXX XXX XXXXXXX XXXXXXX XXXXXXXX XXXXXXXXX XXXX XX XXXXXXXXX XXX XXXXXXXXX XXXXXXXXX XXXXXXX. XXXXX XXXXXXXX XXX XXXXX XXXX XXXXXX XXXXXXXXX XXXXXXXXX XX XXXXXXX XXXXX-XXXXX XXXXXXXXX.

                  -

                  XXXXXXXX XXXXXXXX XX XXXXXXX XXXXXXXX XXXXX XX:

                  +

                  Network services include the provision of connections, private network services and value added networks and managed network security solutions such as firewalls and intrusion detection systems. These services can range from simple unmanaged bandwidth to complex value-added offerings.

                  +

                  Security features of network services could be:

                    -
                  1. XXXXXXXXXX XXXXXXX XXX XXXXXXXX XX XXXXXXX XXXXXXXX, XXXX XX XXXXXXXXXXXXXX, XXXXXXXXXX XXX XXXXXXX XXXXXXXXXX XXXXXXXX;
                  2. -
                  3. XXXXXXXXX XXXXXXXXXX XXXXXXXX XXX XXXXXXX XXXXXXXXXX XXXX XXX XXXXXXX XXXXXXXX XX XXXXXXXXXX XXXX XXX XXXXXXXX XXX XXXXXXX XXXXXXXXXX XXXXX;
                  4. -
                  5. XXXXXXXXXX XXX XXX XXXXXXX XXXXXXX XXXXX XX XXXXXXXX XXXXXX XX XXXXXXX XXXXXXXX XX XXXXXXXXXXXX, XXXXX XXXXXXXXX.
                  6. +
                  7. technology applied for security of network services, such as authentication, encryption and network connection controls;
                  8. +
                  9. technical parameters required for secured connection with the network services in accordance with the security and network connection rules;
                  10. +
                  11. procedures for the network service usage to restrict access to network services or applications, where necessary.
                  @@ -1848,16 +1846,16 @@ Segregation in networks 13.1.3 -

                  XXXXXX XX XXXXXXXXXXX XXXXXXXX, XXXXX XXX XXXXXXXXXXX XXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXXX.

                  +

                  Groups of information services, users and information systems should be segregated on networks.

                  -

                  XXX XXXXXX XX XXXXXXXX XXX XXXXXXXX XX XXXXX XXXXXXXX XX XX XXXXXX XXXX XXXX XXXXXXXX XXXXXXX XXXXXXX. XXX XXXXXXX XXX XX XXXXXX XXXXX XX XXXXX XXXXXX (X.X. XXXXXX XXXXXX XXXXXX, XXXXXXX XXXXXX, XXXXXX XXXXXX), XXXXX XXXXXXXXXXXXXX XXXXX (X.X. XXXXX XXXXXXXXX, XXXXXXX, XXXXXXXXX) XX XXXX XXXXXXXXXXX (X.X. XXXXXX XXXXXX XXXXXXXXXX XX XXXXXXXX XXXXXXXXXXXXXX XXXXX). XXX XXXXXXXXXXX XXX XX XXXX XXXXX XXXXXX XXXXXXXXXX XXXXXXXXX XXXXXXXX XX XX XXXXX XXXXXXXXX XXXXXXX XXXXXXXX (X.X.XXXXXXX XXXXXXX XXXXXXXXXX).

                  -

                  XXX XXXXXXXXX XX XXXX XXXXXX XXXXXX XX XXXX XXXXXXX. XXXXXX XXXXXXX XXXXXXX XXXXXXX XX XXXXXXX, XXX XXXXXX XX XXXXXXXXXX XX XXX XXXXXXXXX XXXXX X XXXXXXX (X.X. XXXXXXXX, XXXXXXXXX XXXXXX). XXX XXXXXXXX XXX XXXXXXXXXXX XX XXXXXXXX XXXX XXXXXXX, XXX XXX XXXXXX XXXXXXX XXXXXXX XXX XXXXXXXX, XXXXXX XX XXXXX XX XX XXXXXXXXXX XX XXX XXXXXXXX XXXXXXXXXXXX XX XXXX XXXXXX. XXX XXXXXXXXXX XXXXXX XX XX XXXXXXXXXX XXXX XXX XXXXXX XXXXXXX XXXXXX (XXX 9.1.1), XXXXXX XXXXXXXXXXXX, XXXXX XXX XXXXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXX XXX XXXX XXXX XXXXXXX XX XXX XXXXXXXX XXXX XXX XXXXXXXXXXX XXXXXX XX XXXXXXXXXXXXX XXXXXXXX XXXXXXX XXXXXXXXXX.

                  -

                  XXXXXXXX XXXXXXXX XXXXXXX XXXXXXX XXXXXXXXX XXX XX XXX XXXXXX XXXXXXX XXXXXXX XXXXXXXXX. XXX XXXXXXXXX XXXXXXXXXXXX, XXXXXXXXXXXXX XXXXXX XX XXXX XX XXXXX XXX XXXXXXXX XXXXXX XX XXXXXXXX XXXXXXXXXXX XXX XX XXXXXXXXX XXXX XXXXXX XXXX XXXXXXXX XXXXXXXX XXXXX XXX XXXXXX XXX XXXXXX XXXXXXX X XXXXXXX XX XXXXXXXXXX XXXX XXXXXXX XXXXXXXX XXXXXX (XXX 13.1.1) XXXXXX XXXXXXXX XXXXXX XX XXXXXXXX XXXXXXX.

                  -

                  XXX XXXXXXXXXXXXXX, XXXXXXXXXX XXX XXXX XXXXX XXXXXXX XXXXXX XXXXXXX XXXXXXXXXXXX XX XXXXXX, XXXXXXXXX XXXXX XXXXXXXX XXXXXXXX XXX XX XXXXXXXXXX XXX XXXXXX XXXXXXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXX XXXXXXX XXXX XXXXXXXX XXXXXXXXXXX.

                  +

                  One method of managing the security of large networks is to divide them into separate network domains. The domains can be chosen based on trust levels (e.g. public access domain, desktop domain, server domain), along organizational units (e.g. human resources, finance, marketing) or some combination (e.g. server domain connecting to multiple organizational units). The segregation can be done using either physically different networks or by using different logical networks (e.g.virtual private networking).

                  +

                  The perimeter of each domain should be well defined. Access between network domains is allowed, but should be controlled at the perimeter using a gateway (e.g. firewall, filtering router). The criteria for segregation of networks into domains, and the access allowed through the gateways, should be based on an assessment of the security requirements of each domain. The assessment should be in accordance with the access control policy (see 9.1.1), access requirements, value and classification of information processed and also take account of the relative cost and performance impact of incorporating suitable gateway technology.

                  +

                  Wireless networks require special treatment due to the poorly defined network perimeter. For sensitive environments, consideration should be made to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway in accordance with network controls policy (see 13.1.1) before granting access to internal systems.

                  +

                  The authentication, encryption and user level network access control technologies of modern, standards based wireless networks may be sufficient for direct connection to the organization’s internal network when properly implemented.

                  -

                  XXXXXXXX XXXXX XXXXXX XXXXXX XXXXXXXXXXXXXX XXXXXXXXXX, XX XXXXXXXX XXXXXXXXXXXX XXX XXXXXX XXXX XXXXXXX XXX XXXXXXXXXXXXXXX XX XXXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXXX. XXXX XXXXXXXXXX XXX XXXXXXXX XXX XXXX XX XXXXXXXXXXXX XXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XXXXXXX XXXX XXX XXX XXXXXXX, XXXX XX XXXXX XXXXXXX XXXXXXXXXX XXXX XXXXX XXXXXXX XXXXX XXXXXXX XX XXXXX XXXXXXXXXXX XX XXXXXXXXXXX.

                  +

                  Networks often extend beyond organizational boundaries, as business partnerships are formed that require the interconnection or sharing of information processing and networking facilities. Such extensions can increase the risk of unauthorized access to the organization’s information systems that use the network, some of which require protection from other network users because of their sensitivity or criticality.

                  @@ -1865,119 +1863,119 @@ Information transfer 13.2 -

                  XX XXXXXXXX XXX XXXXXXXX XX XXXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXXXXX XXX XXXX XXX XXXXXXXX XXXXXX.

                  +

                  Objective: To maintain the security of information transferred within an organization and with any external entity.

                  Information transfer policies and procedures 13.2.1 -

                  XXXXXX XXXXXXXX XXXXXXXX, XXXXXXXXXX XXX XXXXXXXX XXXXXX XX XX XXXXX XX XXXXXXX XXX XXXXXXXX XX XXXXXXXXXXX XXXXXXX XXX XXX XX XXX XXXXX XX XXXXXXXXXXXXX XXXXXXXXXX.

                  -
                  - -

                  XXX XXXXXXXXXX XXX XXXXXXXX XX XX XXXXXXXX XXXX XXXXX XXXXXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXX XXXXXXXX XXX XXXXXXXXX XXXXX:

                  -
                    -
                  1. XXXXXXXXXX XXXXXXXX XX XXXXXXX XXXXXXXXXXX XXXXXXXXXXX XXXX XXXXXXXXXXXX, XXXXXXX, XXXXXXXXXXXX, XXX-XXXXXXX XXX XXXXXXXXXXX;
                  2. -
                  3. XXXXXXXXXX XXX XXX XXXXXXXXX XX XXX XXXXXXXXXX XXXXXXX XXXXXXX XXXX XXX XX XXXXXXXXXXX XXXXXXX XXX XXX XX XXXXXXXXXX XXXXXXXXXXXXXX (XXX 12.2.1);
                  4. -
                  5. XXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXX XXXXXXXXXX XXXXXXXXXXX XXXX XX XX XXX XXXX XX XX XXXXXXXXXX;
                  6. -
                  7. XXXXXX XX XXXXXXXXXX XXXXXXXXX XXXXXXXXXX XXX XX XXXXXXXXXXXXX XXXXXXXXXX (XXX 8.1.3);
                  8. -
                  9. XXXXXXXXX, XXXXXXXX XXXXX XXX XXX XXXXX XXXX’X XXXXXXXXXXXXXXXX XXX XX XXXXXXXXXX XXX XXXXXXXXXXXX, X.X. XXXXXXX XXXXXXXXXX, XXXXXXXXXX, XXXXXXXXXXXXX, XXXXXXXXXX XX XXXXX XXXXXXX, XXXXXXXXXXXX XXXXXXXXXX, XXX.;
                  10. -
                  11. XXX XX XXXXXXXXXXXXX XXXXXXXXXX X.X. XX XXXXXXX XXX XXXXXXXXXXXXXXX, XXXXXXXXX XXX XXXXXXXXXXXX XX XXXXXXXXXXX (XXX Clause 10);
                  12. -
                  13. XXXXXXXXX XXX XXXXXXXX XXXXXXXXXX XXX XXX XXXXXXXX XXXXXXXXXXXXXX, XXXXXXXXX XXXXXXXX, XX XXXXXXXXXX XXXX XXXXXXXX XXXXXXXX XXX XXXXX XXXXXXXXXXX XXX XXXXXXXXXXX;
                  14. -
                  15. XXXXXXXX XXX XXXXXXXXXXXX XXXXXXXXXX XXXX XXXXX XXXXXXXXXXXXX XXXXXXXXXX, X.X. XXXXXXXXX XXXXXXXXXX XX XXXXXXXXXX XXXX XX XXXXXXXX XXXX XXXXXXXXX;
                  16. -
                  17. XXXXXXXX XXXXXXXXX XX XXXX XXXXXXXXXXX XXXXXXXXXXX XXX XX XXXXXX XXXXXXXXXXXX XXXXXXXXXXX;
                  18. -
                  19. XXX XXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XX XXXXXXXXX XXXXXXXX XXXXX XXXXX XXX XX XXXXXXXX XX XXXXXXXXXXXX XXXXXXX, XXXXXX XX XXXXXXXX XXXXXXX XX XXXXXX XXXXXXXXXXX XX X XXXXXX XX XXXXXXXXXXX;
                  20. -
                  21. XXXXXXXX XXXXXXXXX XXXXX XXX XXXXXXXX XX XXXXX XXXXXXXXX XXXXXXXX XX XXXXXXXX, XXXXXX:
                      -
                    1. XXXXXXXXXXXX XXXXXX XX XXXXX-XX XXXXXXX XXXXXX XX XXXXXXXX XXXXXXXX;
                    2. -
                    3. XXXXXXXXXX XX XXXXXXXXXX XXXXXXXXXXX XX XXXXXXXX XX XXXX XXXXXXXX XX XXXXXXXX XXXXXXX;
                    4. -
                    5. XXXXXXX XXXXXXXXX XXX XXXXXXXX XX XXX XXXXX XXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXX XXX XXXXX XXXXXX XXXXXX.
                    6. +

                      Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities.

                      + + +

                      The procedures and controls to be followed when using communication facilities for information transfer should consider the following items:

                      +
                        +
                      1. procedures designed to protect transferred information from interception, copying, modification, mis-routing and destruction;
                      2. +
                      3. procedures for the detection of and protection against malware that may be transmitted through the use of electronic communications (see 12.2.1);
                      4. +
                      5. procedures for protecting communicated sensitive electronic information that is in the form of an attachment;
                      6. +
                      7. policy or guidelines outlining acceptable use of communication facilities (see 8.1.3);
                      8. +
                      9. personnel, external party and any other user’s responsibilities not to compromise the organization, e.g. through defamation, harassment, impersonation, forwarding of chain letters, unauthorized purchasing, etc.;
                      10. +
                      11. use of cryptographic techniques e.g. to protect the confidentiality, integrity and authenticity of information (see Clause 10);
                      12. +
                      13. retention and disposal guidelines for all business correspondence, including messages, in accordance with relevant national and local legislation and regulations;
                      14. +
                      15. controls and restrictions associated with using communication facilities, e.g. automatic forwarding of electronic mail to external mail addresses;
                      16. +
                      17. advising personnel to take appropriate precautions not to reveal confidential information;
                      18. +
                      19. not leaving messages containing confidential information on answering machines since these may be replayed by unauthorized persons, stored on communal systems or stored incorrectly as a result of misdialling;
                      20. +
                      21. advising personnel about the problems of using facsimile machines or services, namely:
                          +
                        1. unauthorized access to built-in message stores to retrieve messages;
                        2. +
                        3. deliberate or accidental programming of machines to send messages to specific numbers;
                        4. +
                        5. sending documents and messages to the wrong number either by misdialling or using the wrong stored number.
                      -

                      XX XXXXXXXX, XXXXXXXXX XXXXXX XX XXXXXXXX XXXX XXXX XXXXXX XXX XXXX XXXXXXXXXXXX XXXXXXXXXXXXX XX XXXXXX XXXXXX XX XXXX XXXXXXXX XXXXXXXXXXXXX XXXXXXXX, XXXX XXXXXXX XXX XXXXXXX XXXXXX.

                      -

                      XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXX XXXXXX XXXX XXX XXXXXXXX XXXXX XXXXXXXXXXXX (XXX 18.1).

                      +

                      In addition, personnel should be reminded that they should not have confidential conversations in public places or over insecure communication channels, open offices and meeting places.

                      +

                      Information transfer services should comply with any relevant legal requirements (see 18.1).

                      -

                      XXXXXXXXXXX XXXXXXXX XXX XXXXX XXXXXXX XXX XXX XX X XXXXXX XX XXXXXXXXX XXXXX XX XXXXXXXXXXXXX XXXXXXXXXX, XXXXXXXXX XXXXXXXXXX XXXX, XXXXX, XXXXXXXXX XXX XXXXX.

                      -

                      XXXXXXXX XXXXXXXX XXX XXXXX XXXXXXX X XXXXXX XX XXXXXXXXX XXXXXXX, XXXXXXXXX XXXXXXXXXXX XXXX XXX XXXXXXXX XXX XXXXXXXXXXX XXXX XXXXXXX XXXXXXX XXX-XXX-XXXXX XXXXXXXX.

                      -

                      XXX XXXXXXXX, XXXXX XXX XXXXXXXX XXXXXXXXXXXX XXXXXXXXXX XXXX XXXXXXXXXX XXXX XXXXXXXXXXX, XXXXXXXXXX XXXXXXXX XXX XXXXXXXXXX XXXXXXXXXXXXXX XXX XXX XXXXXXXXXXXX XXX XXXXXXXX XXXXXX XX XXXXXXXXXX.

                      +

                      Information transfer may occur through the use of a number of different types of communication facilities, including electronic mail, voice, facsimile and video.

                      +

                      Software transfer may occur through a number of different mediums, including downloading from the Internet and acquisition from vendors selling off-the-shelf products.

                      +

                      The business, legal and security implications associated with electronic data interchange, electronic commerce and electronic communications and the requirements for controls should be considered.

                      Agreements on information transfer 13.2.2 -

                      XXXXXXXXXX XXXXXX XXXXXXX XXX XXXXXX XXXXXXXX XX XXXXXXXX XXXXXXXXXXX XXXXXXX XXX XXXXXXXXXXXX XXX XXXXXXXX XXXXXXX.

                      +

                      Agreements should address the secure transfer of business information between the organization and external parties.

                      -

                      XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXX XXXXXXXXXXX XXX XXXXXXXXX:

                      +

                      Information transfer agreements should incorporate the following:

                        -
                      1. XXXXXXXXXX XXXXXXXXXXXXXXXX XXX XXXXXXXXXXX XXX XXXXXXXXX XXXXXXXXXXXX, XXXXXXXX XXX XXXXXXX;
                      2. -
                      3. XXXXXXXXXX XX XXXXXX XXXXXXXXXXXX XXX XXX-XXXXXXXXXXX;
                      4. -
                      5. XXXXXXX XXXXXXXXX XXXXXXXXX XXX XXXXXXXXX XXX XXXXXXXXXXXX;
                      6. -
                      7. XXXXXX XXXXXXXXXX;
                      8. -
                      9. XXXXXXX XXXXXXXXXXXXXX XXXXXXXXX;
                      10. -
                      11. XXXXXXXXXXXXXXXX XXX XXXXXXXXXXX XX XXX XXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXX, XXXX XX XXXX XX XXXX;
                      12. -
                      13. XXX XX XX XXXXXX XXXXXXXXX XXXXXX XXX XXXXXXXXX XX XXXXXXXX XXXXXXXXXXX, XXXXXXXX XXXX XXX XXXXXXX XX XXX XXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXX XXXX XXX XXXXXXXXXXX XX XXXXXXXXXXXXX XXXXXXXXX (XXX 8.2);
                      14. -
                      15. XXXXXXXXX XXXXXXXXX XXX XXXXXXXXX XXX XXXXXXX XXXXXXXXXXX XXX XXXXXXXX;
                      16. -
                      17. XXX XXXXXXX XXXXXXXX XXXX XXX XXXXXXXX XX XXXXXXX XXXXXXXXX XXXXX, XXXX XX XXXXXXXXXXXX (XXX Clause 10);
                      18. -
                      19. XXXXXXXXXXX X XXXXX XX XXXXXXX XXX XXXXXXXXXXX XXXXX XX XXXXXXX;
                      20. -
                      21. XXXXXXXXXX XXXXXX XX XXXXXX XXXXXXX.
                      22. +
                      23. management responsibilities for controlling and notifying transmission, dispatch and receipt;
                      24. +
                      25. procedures to ensure traceability and non-repudiation;
                      26. +
                      27. minimum technical standards for packaging and transmission;
                      28. +
                      29. escrow agreements;
                      30. +
                      31. courier identification standards;
                      32. +
                      33. responsibilities and liabilities in the event of information security incidents, such as loss of data;
                      34. +
                      35. use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected (see 8.2);
                      36. +
                      37. technical standards for recording and reading information and software;
                      38. +
                      39. any special controls that are required to protect sensitive items, such as cryptography (see Clause 10);
                      40. +
                      41. maintaining a chain of custody for information while in transit;
                      42. +
                      43. acceptable levels of access control.
                      -

                      XXXXXXXX, XXXXXXXXXX XXX XXXXXXXXX XXXXXX XX XXXXXXXXXXX XXX XXXXXXXXXX XX XXXXXXX XXXXXXXXXXX XXX XXXXXXXX XXXXX XX XXXXXXX (XXX 8.3.3), XXX XXXXXX XX XXXXXXXXXX XX XXXX XXXXXXXX XXXXXXXXXX.

                      -

                      XXX XXXXXXXXXXX XXXXXXXX XXXXXXX XX XXX XXXXXXXXX XXXXXX XXXXXXX XXX XXXXXXXXXXX XX XXX XXXXXXXX XXXXXXXXXXX XXXXXXXX.

                      +

                      Policies, procedures and standards should be established and maintained to protect information and physical media in transit (see 8.3.3), and should be referenced in such transfer agreements.

                      +

                      The information security content of any agreement should reflect the sensitivity of the business information involved.

                      -

                      XXXXXXXXXX XXX XX XXXXXXXXXX XX XXXXXX, XXX XXX XXXX XXX XXXX XX XXXXXX XXXXXXXXX. XXX XXXXXXXXXXXX XXXXXXXXXXX, XXX XXXXXXXX XXXXXXXXXX XXXX XXX XXX XXXXXXXX XX XXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXX XXXXXXXXXXXXX XXX XXXXX XX XXXXXXXXXX.

                      +

                      Agreements may be electronic or manual, and may take the form of formal contracts. For confidential information, the specific mechanisms used for the transfer of such information should be consistent for all organizations and types of agreements.

                      Electronic messaging 13.2.3 -

                      XXXXXXXXXXX XXXXXXXX XX XXXXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXXXXXXXX XXXXXXXXX.

                      +

                      Information involved in electronic messaging should be appropriately protected.

                      -

                      XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXX XXXXXX XXXXXXX XXX XXXXXXXXX:

                      +

                      Information security considerations for electronic messaging should include the following:

                        -
                      1. XXXXXXXXXX XXXXXXXX XXXX XXXXXXXXXXXX XXXXXX, XXXXXXXXXXXX XX XXXXXX XX XXXXXXX XXXXXXXXXXXX XXXX XXX XXXXXXXXXXXXXX XXXXXX XXXXXXX XX XXX XXXXXXXXXXXX;
                      2. -
                      3. XXXXXXXX XXXXXXX XXXXXXXXXX XXX XXXXXXXXXXXXXX XX XXX XXXXXXX;
                      4. -
                      5. XXXXXXXXXXX XXX XXXXXXXXXXXX XX XXX XXXXXXX;
                      6. -
                      7. XXXXX XXXXXXXXXXXXXX, XXX XXXXXXX XXXXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXXX;
                      8. -
                      9. XXXXXXXXX XXXXXXXX XXXXX XX XXXXX XXXXXXXX XXXXXX XXXXXXXX XXXX XX XXXXXXX XXXXXXXXX, XXXXXX XXXXXXXXXX XX XXXX XXXXXXX;
                      10. -
                      11. XXXXXXXX XXXXXX XX XXXXXXXXXXXXXX XXXXXXXXXXX XXXXXX XXXX XXXXXXXX XXXXXXXXXX XXXXXXXX.
                      12. +
                      13. protecting messages from unauthorized access, modification or denial of service commensurate with the classification scheme adopted by the organization;
                      14. +
                      15. ensuring correct addressing and transportation of the message;
                      16. +
                      17. reliability and availability of the service;
                      18. +
                      19. legal considerations, for example requirements for electronic signatures;
                      20. +
                      21. obtaining approval prior to using external public services such as instant messaging, social networking or file sharing;
                      22. +
                      23. stronger levels of authentication controlling access from publicly accessible networks.
                      -

                      XXXXX XXX XXXX XXXXX XX XXXXXXXXXX XXXXXXXXX XXXX XX XXXXX, XXXXXXXXXX XXXX XXXXXXXXXXX XXX XXXXXX XXXXXXXXXX XXXXX XXXX X XXXX XX XXXXXXXX XXXXXXXXXXXXXX.

                      +

                      There are many types of electronic messaging such as email, electronic data interchange and social networking which play a role in business communications.

                      Confidentiality or non-disclosure agreements 13.2.4 -

                      XXXXXXXXXXXX XXX XXXXXXXXXXXXXXX XX XXX-XXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXXXX’X XXXXX XXX XXX XXXXXXXXXX XX XXXXXXXXXXX XXXXXX XX XXXXXXXXXX, XXXXXXXXX XXXXXXXX XXX XXXXXXXXXX.

                      +

                      Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, regularly reviewed and documented.

                      -

                      XXXXXXXXXXXXXXX XX XXX-XXXXXXXXXX XXXXXXXXXX XXXXXX XXXXXXX XXX XXXXXXXXXXX XX XXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XXXXX XXXXXXX XXXXXXXXXXX XXXXX. XXXXXXXXXXXXXXX XX XXX-XXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXX XX XXXXXXXX XXXXXXX XX XXXXXXXXX XX XXX XXXXXXXXXXXX. XXXXXXXX XXXXXX XX XXXXXXXX XX XXXXX XX XXXXXXXXXXXXX XX XXX XXXX XX XXX XXXXX XXXXX XXX XXX XXXXXXXXXXX XXXXXX XX XXXXXXXX XX XXXXXXXXXXXX XXXXXXXXXXX. XX XXXXXXXX XXXXXXXXXXXX XXX XXXXXXXXXXXXXXX XX XXX-XXXXXXXXXX XXXXXXXXXX, XXX XXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXX:

                      +

                      Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to external parties or employees of the organization. Elements should be selected or added in consideration of the type of the other party and its permissible access or handling of confidential information. To identify requirements for confidentiality or non-disclosure agreements, the following elements should be considered:

                        -
                      1. X XXXXXXXXXX XX XXX XXXXXXXXXXX XX XX XXXXXXXXX (X.X. XXXXXXXXXXXX XXXXXXXXXXX);
                      2. -
                      3. XXXXXXXX XXXXXXXX XX XX XXXXXXXXX, XXXXXXXXX XXXXX XXXXX XXXXXXXXXXXXXXX XXXXX XXXX XX XX XXXXXXXXXX XXXXXXXXXXXX;
                      4. -
                      5. XXXXXXXX XXXXXXX XXXX XX XXXXXXXXX XX XXXXXXXXXX;
                      6. -
                      7. XXXXXXXXXXXXXXXX XXX XXXXXXX XX XXXXXXXXXXX XX XXXXX XXXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXX;
                      8. -
                      9. XXXXXXXXX XX XXXXXXXXXXX, XXXXX XXXXXXX XXX XXXXXXXXXXXX XXXXXXXX, XXX XXX XXXX XXXXXXX XX XXX XXXXXXXXXX XX XXXXXXXXXXXX XXXXXXXXXXX;
                      10. -
                      11. XXX XXXXXXXXX XXX XX XXXXXXXXXXXX XXXXXXXXXXX XXX XXXXXX XX XXX XXXXXXXXX XX XXX XXXXXXXXXXX;
                      12. -
                      13. XXX XXXXX XX XXXXX XXX XXXXXXX XXXXXXXXXX XXXX XXXXXXX XXXXXXXXXXXX XXXXXXXXXXX;
                      14. -
                      15. XXXXXXX XXX XXXXXXXXXXXX XXX XXXXXXXXX XX XXXXXXXXXXXX XXXXXXXXXX XX XXXXXXXXXXXX XXXXXXXXXXX XXXXXXX;
                      16. -
                      17. XXXXX XXX XXXXXXXXXXX XX XX XXXXXXXX XX XXXXXXXXX XX XXXXXXXXX XXXXXXXXX;
                      18. -
                      19. XXXXXXXX XXXXXXX XX XX XXXXX XX XXXX XX X XXXXXX XX XXX XXXXXXXXX.
                      20. +
                      21. a definition of the information to be protected (e.g. confidential information);
                      22. +
                      23. expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
                      24. +
                      25. required actions when an agreement is terminated;
                      26. +
                      27. responsibilities and actions of signatories to avoid unauthorized information disclosure;
                      28. +
                      29. ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
                      30. +
                      31. the permitted use of confidential information and rights of the signatory to use information;
                      32. +
                      33. the right to audit and monitor activities that involve confidential information;
                      34. +
                      35. process for notification and reporting of unauthorized disclosure or confidential information leakage;
                      36. +
                      37. terms for information to be returned or destroyed at agreement cessation;
                      38. +
                      39. expected actions to be taken in case of a breach of the agreement.
                      -

                      XXXXX XX XX XXXXXXXXXXXX’X XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX, XXXXX XXXXXXXX XXX XX XXXXXX XX X XXXXXXXXXXXXXXX XX XXX-XXXXXXXXXX XXXXXXXXX.

                      -

                      XXXXXXXXXXXXXXX XXX XXX-XXXXXXXXXX XXXXXXXXXX XXXXXX XXXXXX XXXX XXX XXXXXXXXXX XXXX XXX XXXXXXXXXXX XXX XXX XXXXXXXXXXXX XX XXXXX XXXX XXXXX (XXX 18.1).

                      -

                      XXXXXXXXXXXX XXX XXXXXXXXXXXXXXX XXX XXX-XXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXX XXXXXXXXXXXX XXX XXXX XXXXXXX XXXXX XXXX XXXXXXXXX XXXXX XXXXXXXXXXXX.

                      +

                      Based on an organization’s information security requirements, other elements may be needed in a confidentiality or non-disclosure agreement.

                      +

                      Confidentiality and non-disclosure agreements should comply with all applicable laws and regulations for the jurisdiction to which they apply (see 18.1).

                      +

                      Requirements for confidentiality and non-disclosure agreements should be reviewed periodically and when changes occur that influence these requirements.

                      -

                      XXXXXXXXXXXXXXX XXX XXX-XXXXXXXXXX XXXXXXXXXX XXXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XXX XXXXXX XXXXXXXXXXX XX XXXXX XXXXXXXXXXXXXX XX XXXXXXX, XXX XXX XXXXXXXX XXXXXXXXXXX XX X XXXXXXXXXXX XXX XXXXXXXXXX XXXXXX.

                      -

                      XXXXX XXX XX X XXXX XXX XX XXXXXXXXXXXX XX XXX XXXXXXXXX XXXXX XX XXXXXXXXXXXXXXX XX XXX-XXXXXXXXXX XXXXXXXXXX XX XXXXXXXXX XXXXXXXXXXXXX.

                      +

                      Confidentiality and non-disclosure agreements protect organizational information and inform signatories of their responsibility to protect, use and disclose information in a responsible and authorized manner.

                      +

                      There may be a need for an organization to use different forms of confidentiality or non-disclosure agreements in different circumstances.

                      @@ -1989,93 +1987,93 @@ Security requirements of information systems 14.1 -

                      XX XXXXXX XXXX XXXXXXXXXXX XXXXXXXX XX XX XXXXXXXX XXXX XX XXXXXXXXXXX XXXXXXX XXXXXX XXX XXXXXX XXXXXXXXX. XXXX XXXX XXXXXXXX XXX XXXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXX XXXXX XXXXXXX XXXXXXXX XXXX XXXXXX XXXXXXXX.

                      +

                      Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

                      Information security requirements analysis and specification 14.1.1 -

                      XXX XXXXXXXXXXX XXXXXXXX XXXXXXX XXXXXXXXXXXX XXXXXX XX XXXXXXXX XX XXX XXXXXXXXXXXX XXX XXX XXXXXXXXXXX XXXXXXX XX XXXXXXXXXXXX XX XXXXXXXX XXXXXXXXXXX XXXXXXX.

                      +

                      The information security related requirements should be included in the requirements for new information systems or enhancements to existing information systems.

                      -

                      XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXXXXX XX XXXXXXXXXX XXXXX XXXXXXX XXXXXXX XXXX XX XXXXXXXX XXXXXXXXXX XXXXXXXXXXXX XXXX XXXXXXXX XXX XXXXXXXXXXX, XXXXXX XXXXXXXXX, XXXXXXXX XXXXXXX, XX XXX XX XXXXXXXXXXXXX XXXXXXXXXX. XXXXXXX XX XXX XXXXXXXXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXXX XX XXX XXXXXXXXXXXX.

                      -

                      XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXX XXXXXXXX XXXXXX XXXXXXX XXX XXXXXXXX XXXXX XX XXX XXXXXXXXXXX XXXXXXXX (XXX 8.2) XXX XXX XXXXXXXXX XXXXXXXX XXXXXXXX XXXXXX XXXXX XXXXX XXXXXX XXXX XXXX XX XXXXXXXX XXXXXXXX.

                      -

                      XXXXXXXXXXXXXX XXX XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXX XXXXXX XX XXXXXXXXXXX XXXXXXX XXXXXXXX. XXXXX XXXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX, X.X. XX XXX XXXXXX XXXXX XXX XXXX XX XXXX XXXXXXXXX XXX XXXX XXXXXXXXX XXXXXXXXX.

                      -

                      XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXXXXX XXXX XXXXXXXX:

                      +

                      Information security requirements should be identified using various methods such as deriving compliance requirements from policies and regulations, threat modelling, incident reviews, or use of vulnerability thresholds. Results of the identification should be documented and reviewed by all stakeholders.

                      +

                      Information security requirements and controls should reflect the business value of the information involved (see 8.2) and the potential negative business impact which might result from lack of adequate security.

                      +

                      Identification and management of information security requirements and associated processes should be integrated in early stages of information systems projects. Early consideration of information security requirements, e.g. at the design stage can lead to more effective and cost efficient solutions.

                      +

                      Information security requirements should also consider:

                        -
                      1. XXX XXXXX XX XXXXXXXXXX XXXXXXXX XXXXXXX XXX XXXXXXX XXXXXXXX XX XXXXX, XX XXXXX XX XXXXXX XXXX XXXXXXXXXXXXXX XXXXXXXXXXXX;
                      2. -
                      3. XXXXXX XXXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXX, XXX XXXXXXXX XXXXX XX XXXX XX XXX XXXXXXXXXX XX XXXXXXXXX XXXXX;
                      4. -
                      5. XXXXXXXXX XXXXX XXX XXXXXXXXX XX XXXXX XXXXXX XXX XXXXXXXXXXXXXXXX;
                      6. -
                      7. XXX XXXXXXXX XXXXXXXXXX XXXXX XX XXX XXXXXX XXXXXXXX, XX XXXXXXXXXX XXXXXXXXX XXXXXXXXXXXX, XXXXXXXXXXXXXXX, XXXXXXXXX;
                      8. -
                      9. XXXXXXXXXXXX XXXXXXX XXXX XXXXXXXX XXXXXXXXX, XXXX XX XXXXXXXXXXX XXXXXXX XXX XXXXXXXXXX, XXX-XXXXXXXXXXX XXXXXXXXXXXX;
                      10. -
                      11. XXXXXXXXXXXX XXXXXXXX XX XXXXX XXXXXXXX XXXXXXXX, X.X. XXXXXXXXXX XX XXXXXXX XXX XXXXXXXXXX XX XXXX XXXXXXX XXXXXXXXX XXXXXXX.
                      12. +
                      13. the level of confidence required towards the claimed identity of users, in order to derive user authentication requirements;
                      14. +
                      15. access provisioning and authorization processes, for business users as well as for privileged or technical users;
                      16. +
                      17. informing users and operators of their duties and responsibilities;
                      18. +
                      19. the required protection needs of the assets involved, in particular regarding availability, confidentiality, integrity;
                      20. +
                      21. requirements derived from business processes, such as transaction logging and monitoring, non-repudiation requirements;
                      22. +
                      23. requirements mandated by other security controls, e.g. interfaces to logging and monitoring or data leakage detection systems.
                      -

                      XXX XXXXXXXXXXXX XXXX XXXXXXX XXXXXXXX XXXX XXXXXX XXXXXXXX XX XXXXX XXXXXXXXX XXXXXXXXXXXX, XXX XXXXXXXXX XXXXXXXX 14.1.2 XXX 14.1.3 XXXXXX XX XXXXXXXXXX.

                      -

                      XX XXXXXXXX XXX XXXXXXXX, X XXXXXX XXXXXXX XXX XXXXXXXXXXX XXXXXXX XXXXXX XX XXXXXXXX. XXXXXXXXX XXXX XXX XXXXXXXX XXXXXX XXXXXXX XXX XXXXXXXXXX XXXXXXXX XXXXXXXXXXXX. XXXXX XXX XXXXXXXX XXXXXXXXXXXXX XX X XXXXXXXX XXXXXXX XXXX XXX XXXXXXX XXX XXXXXXXXX XXXXXXXXXXX, XXX XXXX XXXXXXXXXX XXX XXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXXXX XXXXX XX XXXXXXXXXX XXX XXXXXXX.

                      -

                      XXXXXXXXX XXXXXXXX XXX XXXXXXXX XXXXXXXXXXXXX XX XXX XXXXXXX XXXXXXX XXXX XXX XXXXX XXXXXXXX / XXXXXXX XXXXX XX XXXX XXXXXX XXXXXX XX XXXXXXXXX XXX XXXXXXXXXXX.

                      -

                      XXXXXXXX XXX XXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXX X.X. XX XXXXX XX XXXXX XXXXXXXXXXXXX, XXXXX XXXX XXXX XXXXXXXXX XXXX XXX XXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXX XXX. XXXXXXXX XXXXXX XX XXXXXXXXX XXXXXXX XXXXX XXXXXXXX XXXXXX XXXXXXXXXXX. XXXXXXXXXX XXXXXXXXXXXXX XXXXXX XX XXXXXXXX XX XXXXXX XX XXXX XXX XXXXXXXXX XXXXXXXXXXXX XXXXXXXXXX XXXXX.

                      +

                      For applications that provide services over public networks or which implement transactions, the dedicated controls 14.1.2 and 14.1.3 should be considered.

                      +

                      If products are acquired, a formal testing and acquisition process should be followed. Contracts with the supplier should address the identified security requirements. Where the security functionality in a proposed product does not satisfy the specified requirement, the risk introduced and associated controls should be reconsidered prior to purchasing the product.

                      +

                      Available guidance for security configuration of the product aligned with the final software / service stack of that system should be evaluated and implemented.

                      +

                      Criteria for accepting products should be defined e.g. in terms of their functionality, which will give assurance that the identified security requirements are met. Products should be evaluated against these criteria before acquisition. Additional functionality should be reviewed to ensure it does not introduce unacceptable additional risks.

                      -

                      XXX/XXX XXXXX[11] XXX XXX XXXXX[27] XXXXXXX XXXXXXXX XX XXX XXX XX XXXX XXXXXXXXXX XXXXXXXXX XX XXXXXXXX XXXXXXXX XX XXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX.

                      +

                      ISO/IEC 27005[11] and ISO 31000[27] provide guidance on the use of risk management processes to identify controls to meet information security requirements.

                      Securing application services on public networks 14.1.2 -

                      XXXXXXXXXXX XXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXX XXXX XXXXXX XXXXXXXX XXXXXX XX XXXXXXXXX XXXX XXXXXXXXXX XXXXXXXX, XXXXXXXX XXXXXXX XXX XXXXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXXXX.

                      +

                      Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

                      -

                      XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXX XXXX XXXXXX XXXXXXXX XXXXXX XXXXXXX XXX XXXXXXXXX:

                      +

                      Information security considerations for application services passing over public networks should include the following:

                        -
                      1. XXX XXXXX XX XXXXXXXXXX XXXX XXXXX XXXXXXXX XX XXXX XXXXX’X XXXXXXX XXXXXXXX, X.X. XXXXXXX XXXXXXXXXXXXXX;
                      2. -
                      3. XXXXXXXXXXXXX XXXXXXXXX XXXXXXXXXX XXXX XXX XXX XXXXXXX XXXXXXXX XX, XXXXX XX XXXX XXX XXXXXXXXXXXXX XXXXXXXXX;
                      4. -
                      5. XXXXXXXX XXXX XXXXXXXXXXXXX XXXXXXXX XXX XXXXX XXXXXXXX XX XXXXX XXXXXXXXXXXXXX XXX XXXXXXXXX XX XXX XX XXX XXXXXXX;
                      6. -
                      7. XXXXXXXXXXX XXX XXXXXXX XXXXXXXXXXXX XXX XXXXXXXXXXXXXXX, XXXXXXXXX, XXXXX XX XXXXXXXX XXX XXXXXXX XX XXX XXXXXXXXX XXX XXX XXX-XXXXXXXXXXX XX XXXXXXXXX, X.X. XXXXXXXXXX XXXX XXXXXXXXX XXX XXXXXXXX XXXXXXXXX;
                      8. -
                      9. XXX XXXXX XX XXXXX XXXXXXXX XX XXX XXXXXXXXX XX XXX XXXXXXXXX;
                      10. -
                      11. XXX XXXXXXXXXX XXXXXXXXXXXX XX XXX XXXXXXXXXXXX XXXXXXXXXXX;
                      12. -
                      13. XXX XXXXXXXXXXXXXXX XXX XXXXXXXXX XX XXX XXXXX XXXXXXXXXXXX, XXXXXXX XXXXXXXXXXX, XXXXXXXX XXXXXXX XXXXXXX XXX XXXXXXXXXXXX XX XXXXXXXX;
                      14. -
                      15. XXX XXXXXX XX XXXXXXXXXXXX XXXXXXXXXXX XX XXXXXX XXXXXXX XXXXXXXXXXX XXXXXXXX XX X XXXXXXXX;
                      16. -
                      17. XXXXXXXXX XXX XXXX XXXXXXXXXXX XXXXXXXXXX XXXX XX XXXXXXX XX XXXXX XXXXXXX XXXXX;
                      18. -
                      19. XXX XXXXX XX XXXXXXXXXX XXXXXXXX XX XXXXXXXX XXX XXXXXXXXXXXXXXX XXX XXXXXXXXX XX XXXXX XXXXXXXXXXX;
                      20. -
                      21. XXXXXXXXX XX XXXX XX XXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXXX;
                      22. -
                      23. XXXXXXXXX XXXXXXXXXX XXXX XXX XXXXXXXXXX XXXXXXXXXXXX;
                      24. -
                      25. XXXXXXXXX XXXXXXXXXXXX.
                      26. +
                      27. the level of confidence each party requires in each other’s claimed identity, e.g. through authentication;
                      28. +
                      29. authorization processes associated with who may approve contents of, issue or sign key transactional documents;
                      30. +
                      31. ensuring that communicating partners are fully informed of their authorizations for provision or use of the service;
                      32. +
                      33. determining and meeting requirements for confidentiality, integrity, proof of dispatch and receipt of key documents and the non-repudiation of contracts, e.g. associated with tendering and contract processes;
                      34. +
                      35. the level of trust required in the integrity of key documents;
                      36. +
                      37. the protection requirements of any confidential information;
                      38. +
                      39. the confidentiality and integrity of any order transactions, payment information, delivery address details and confirmation of receipts;
                      40. +
                      41. the degree of verification appropriate to verify payment information supplied by a customer;
                      42. +
                      43. selecting the most appropriate settlement form of payment to guard against fraud;
                      44. +
                      45. the level of protection required to maintain the confidentiality and integrity of order information;
                      46. +
                      47. avoidance of loss or duplication of transaction information;
                      48. +
                      49. liability associated with any fraudulent transactions;
                      50. +
                      51. insurance requirements.
                      -

                      XXXX XX XXX XXXXX XXXXXXXXXXXXXX XXX XX XXXXXXXXX XX XXX XXXXXXXXXXX XX XXXXXXXXXXXXX XXXXXXXX (XXX Clause 10), XXXXXX XXXX XXXXXXX XXXXXXXXXX XXXX XXXXX XXXXXXXXXXXX (XXX Clause 18, XXXXXXXXXX XXX 18.1.5 XXX XXXXXXXXXXXX XXXXXXXXXXX).

                      -

                      XXXXXXXXXXX XXXXXXX XXXXXXXXXXXX XXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXX XX X XXXXXXXXXX XXXXXXXXX XXXXX XXXXXXX XXXX XXXXXXX XX XXX XXXXXX XXXXX XX XXXXXXXX, XXXXXXXXX XXXXXXX XX XXXXXXXXXXXXX (XXX X) XXXXX).

                      -

                      XXXXXXXXXX XXXXXXXXXXXX XXXXXXX XXXXXXX XXXXXX XX XXXXXXXXXX, XXXXX XXX XXXXXXX XXXXXXXXXXXX XXX XXXXXXXXXX XXX XXXXXXXX XXXXXXXXXXX XXXXXXX XX XXXXXXXX XXX XXXXXXXXXXXX XX XXXXXXX XXXXXXXXXXXXXXXX XXXXXXXX XX XXXXXXX XXX XXXXXXX.

                      +

                      Many of the above considerations can be addressed by the application of cryptographic controls (see Clause 10), taking into account compliance with legal requirements (see Clause 18, especially see 18.1.5 for cryptography legislation).

                      +

                      Application service arrangements between partners should be supported by a documented agreement which commits both parties to the agreed terms of services, including details of authorization (see b) above).

                      +

                      Resilience requirements against attacks should be considered, which can include requirements for protecting the involved application servers or ensuring the availability of network interconnections required to deliver the service.

                      -

                      XXXXXXXXXXXX XXXXXXXXXX XXX XXXXXX XXXXXXXX XXX XXXXXXX XX X XXXXX XX XXXXXXX XXXXXXX XXXXXXX, XXXX XX XXXXXXXXXX XXXXXXXXXX, XXXXXXXX XXXXXXXX XX XXXXXXXXXX XX XXXXXXXXXXX XX XXX XXXXXX. XXXXXXXXX, XXXXXXXX XXXX XXXXXXXXXXX XXX XXXXXX XXXXXXXXX XX XXXXXXXX XXX XXXXXXXXXXXXX. XXXXXXXX XXXXXXXX XXXXX XXXXXXX XXXXXXXXXXXXX XXXXXXX XXX XXXXXXXXXXXXXX XXX XXXXXXXX XXXX XXXXXXXX.

                      -

                      XXXXXXXXXXX XXXXXXXX XXX XXXX XXX XX XXXXXX XXXXXXXXXXXXXX XXXXXXX, X.X. XXXXX XXXXXX XXX XXXXXXXXXXXX XXX XXXXXXX XXXXXXXXXX (XXX Clause 10) XX XXXXXX XXX XXXXX. XXXX, XXXXXXX XXXXX XXXXXXX XXX XX XXXX, XXXXX XXXX XXXXXXXX XXX XXXXXX.

                      +

                      Applications accessible via public networks are subject to a range of network related threats, such as fraudulent activities, contract disputes or disclosure of information to the public. Therefore, detailed risk assessments and proper selection of controls are indispensable. Controls required often include cryptographic methods for authentication and securing data transfer.

                      +

                      Application services can make use of secure authentication methods, e.g. using public key cryptography and digital signatures (see Clause 10) to reduce the risks. Also, trusted third parties can be used, where such services are needed.

                      Protecting application services transactions 14.1.3 -

                      XXXXXXXXXXX XXXXXXXX XX XXXXXXXXXXX XXXXXXX XXXXXXXXXXXX XXXXXX XX XXXXXXXXX XX XXXXXXX XXXXXXXXXX XXXXXXXXXXXX, XXX-XXXXXXX, XXXXXXXXXXXX XXXXXXX XXXXXXXXXX, XXXXXXXXXXXX XXXXXXXXXX, XXXXXXXXXXXX XXXXXXX XXXXXXXXXXX XX XXXXXX.

                      +

                      Information involved in application service transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

                      -

                      XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXX XXXXXXXXXXXX XXXXXX XXXXXXX XXX XXXXXXXXX:

                      +

                      Information security considerations for application service transactions should include the following:

                        -
                      1. XXX XXX XX XXXXXXXXXX XXXXXXXXXX XX XXXX XX XXX XXXXXXX XXXXXXXX XX XXX XXXXXXXXXXX;
                      2. -
                      3. XXX XXXXXXX XX XXX XXXXXXXXXXX, X.X. XXXXXXXX XXXX:
                          -
                        1. XXXX’X XXXXXX XXXXXXXXXXXXXX XXXXXXXXXXX XX XXX XXXXXXX XXX XXXXX XXX XXXXXXXX;
                        2. -
                        3. XXX XXXXXXXXXXX XXXXXXX XXXXXXXXXXXX;
                        4. -
                        5. XXXXXXX XXXXXXXXXX XXXX XXX XXXXXXX XXXXXXXX XX XXXXXXXX;
                        6. +
                        7. the use of electronic signatures by each of the parties involved in the transaction;
                        8. +
                        9. all aspects of the transaction, i.e. ensuring that:
                            +
                          1. user’s secret authentication information of all parties are valid and verified;
                          2. +
                          3. the transaction remains confidential;
                          4. +
                          5. privacy associated with all parties involved is retained;
                        10. -
                        11. XXXXXXXXXXXXXX XXXX XXXXXXX XXX XXXXXXXX XXXXXXX XX XXXXXXXXX;
                        12. -
                        13. XXXXXXXXX XXXX XX XXXXXXXXXXX XXXXXXX XXX XXXXXXXX XXXXXXX XXX XXXXXXX;
                        14. -
                        15. XXXXXXXX XXXX XXX XXXXXXX XX XXX XXXXXXXXXXX XXXXXXX XX XXXXXXX XXXXXXX XX XXX XXXXXXXX XXXXXXXXXX XXXXXXXXXXX, X.X. XX X XXXXXXX XXXXXXXX XXXXXXXX XX XXX XXXXXXXXXXXXXX XXXXXXXX, XXX XXX XXXXXXXX XXX XXXXXXX XX X XXXXXXX XXXXXX XXXXXXXX XXXXXXXXXX XXXX XXX XXXXXXXX;
                        16. -
                        17. XXXXX X XXXXXXX XXXXXXXXX XX XXXX (X.X. XXX XXX XXXXXXXX XX XXXXXXX XXX XXXXXXXXXXX XXXXXXX XXXXXXXXXX XX XXXXXXX XXXXXXXXXXXX) XXXXXXXX XX XXXXXXXXXX XXX XXXXXXXX XXXXXXXXXX XXX XXXXXX XXX-XX-XXX XXXXXXXXXXX/XXXXXXXXX XXXXXXXXXX XXXXXXX.
                        18. +
                        19. communications path between all involved parties is encrypted;
                        20. +
                        21. protocols used to communicate between all involved parties are secured;
                        22. +
                        23. ensuring that the storage of the transaction details is located outside of any publicly accessible environment, e.g. on a storage platform existing on the organizational intranet, and not retained and exposed on a storage medium directly accessible from the Internet;
                        24. +
                        25. where a trusted authority is used (e.g. for the purposes of issuing and maintaining digital signatures or digital certificates) security is integrated and embedded throughout the entire end-to-end certificate/signature management process.
                        -

                        XXX XXXXXX XX XXX XXXXXXXX XXXXXXX XXXXX XX XX XXXXXXXXXXXX XXXX XXX XXXXX XX XXX XXXX XXXXXXXXXX XXXX XXXX XXXX XX XXXXXXXXXXX XXXXXXX XXXXXXXXXXX.

                        -

                        XXXXXXXXXXXX XXX XXXX XX XXXXXX XXXX XXXXX XXX XXXXXXXXXX XXXXXXXXXXXX XX XXX XXXXXXXXXXXX XXXXX XXX XXXXXXXXXXX XX XXXXXXXXX XXXX, XXXXXXXXX XXX, XXXXXXXXX XX XX XXXXXX XX.

                        +

                        The extent of the controls adopted needs to be commensurate with the level of the risk associated with each form of application service transaction.

                        +

                        Transactions may need to comply with legal and regulatory requirements in the jurisdiction which the transaction is generated from, processed via, completed at or stored in.

                        @@ -2083,187 +2081,187 @@ Security in development and support processes 14.2 -

                        XX XXXXXX XXXX XXXXXXXXXXX XXXXXXXX XX XXXXXXXX XXX XXXXXXXXXXX XXXXXX XXX XXXXXXXXXXX XXXXXXXXX XX XXXXXXXXXXX XXXXXXX.

                        +

                        Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

                        Secure development policy 14.2.1 -

                        XXXXX XXX XXX XXXXXXXXXXX XX XXXXXXXX XXX XXXXXXX XXXXXX XX XXXXXXXXXXX XXX XXXXXXX XX XXXXXXXXXXXX XXXXXX XXX XXXXXXXXXXXX.

                        +

                        Rules for the development of software and systems should be established and applied to developments within the organization.

                        -

                        XXXXXX XXXXXXXXXXX XX X XXXXXXXXXXX XX XXXXX XX X XXXXXX XXXXXXX, XXXXXXXXXXXX, XXXXXXXX XXX XXXXXX. XXXXXX X XXXXXX XXXXXXXXXXX XXXXXX, XXX XXXXXXXXX XXXXXXX XXXXXX XX XXX XXXXX XXXXXXXXXXXXX:

                        +

                        Secure development is a requirement to build up a secure service, architecture, software and system. Within a secure development policy, the following aspects should be put under consideration:

                          -
                        1. XXXXXXXX XX XXX XXXXXXXXXXX XXXXXXXXXXX;
                        2. -
                        3. XXXXXXXX XX XXX XXXXXXXX XX XXX XXXXXXXX XXXXXXXXXXX XXXXXXXXX:
                            -
                          1. XXXXXXXX XX XXX XXXXXXXX XXXXXXXXXXX XXXXXXXXXXX;
                          2. -
                          3. XXXXXX XXXXXX XXXXXXXXXX XXX XXXX XXXXXXXXXXX XXXXXXXX XXXX;
                          4. +
                          5. security of the development environment;
                          6. +
                          7. guidance on the security in the software development lifecycle:
                              +
                            1. security in the software development methodology;
                            2. +
                            3. secure coding guidelines for each programming language used;
                          8. -
                          9. XXXXXXXX XXXXXXXXXXXX XX XXX XXXXXX XXXXX;
                          10. -
                          11. XXXXXXXX XXXXXXXXXXX XXXXXX XXX XXXXXXX XXXXXXXXXX;
                          12. -
                          13. XXXXXX XXXXXXXXXXXX;
                          14. -
                          15. XXXXXXXX XX XXX XXXXXXX XXXXXXX;
                          16. -
                          17. XXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX;
                          18. -
                          19. XXXXXXXXXX’ XXXXXXXXXX XX XXXXXXXX, XXXXXXX XXX XXXXXX XXXXXXXXXXXXXXX.
                          20. +
                          21. security requirements in the design phase;
                          22. +
                          23. security checkpoints within the project milestones;
                          24. +
                          25. secure repositories;
                          26. +
                          27. security in the version control;
                          28. +
                          29. required application security knowledge;
                          30. +
                          31. developers’ capability of avoiding, finding and fixing vulnerabilities.
                          -

                          XXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXX XXXX XXX XXX XXXXXXXXXXXX XXX XX XXXX XX-XXX XXXXXXXXX XXXXX XXX XXXXXXXXX XXXXXXX XX XXXXXXXXXXX XXX XXX XX XXXXX XX XXXX XXX XXXXXXXXXX XXXX XXXXXXX XXXX XXXXXXXXX. XXXXXX XXXXXX XXXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXX XXXXXXXX XXXXXXXX XXX XXX. XXXXXXXXXX XXXXXX XX XXXXXXX XX XXXXX XXX XXX XXXXXXX XXX XXXX XXXXXX XXXXXX XXXXXX XXXXX XXX.

                          -

                          XX XXXXXXXXXXX XX XXXXXXXXXX, XXX XXXXXXXXXXXX XXXXXX XXXXXX XXXXXXXXX XXXX XXX XXXXXXXX XXXXX XXXXXXXX XXXX XXXXX XXXXX XXX XXXXXX XXXXXXXXXXX (XXX 14.2.7).

                          +

                          Secure programming techniques should be used both for new developments and in code re-use scenarios where the standards applied to development may not be known or were not consistent with current best practices. Secure coding standards should be considered and where relevant mandated for use. Developers should be trained in their use and testing and code review should verify their use.

                          +

                          If development is outsourced, the organization should obtain assurance that the external party complies with these rules for secure development (see 14.2.7).

                          -

                          XXXXXXXXXXX XXX XXXX XXXX XXXXX XXXXXX XXXXXXXXXXXX, XXXX XX XXXXXX XXXXXXXXXXXX, XXXXXXXXX, XXXXXXXX XXX XXXXXXXXX.

                          +

                          Development may also take place inside applications, such as office applications, scripting, browsers and databases.

                          System change control procedures 14.2.2 -

                          XXXXXXX XX XXXXXXX XXXXXX XXX XXXXXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXX XXX XX XXXXXX XXXXXX XXXXXXX XXXXXXXXXX.

                          +

                          Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures.

                          -

                          XXXXXX XXXXXX XXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXXX XX XXXXXX XXX XXXXXXXXX XX XXXXXX, XXXXXXXXXXXX XXX XXXXXXXX, XXXX XXX XXXXX XXXXXX XXXXXX XXXXXXX XXX XXXXXXXXXX XXXXXXXXXXX XXXXXXX. XXXXXXXXXXXX XX XXX XXXXXXX XXX XXXXX XXXXXXX XX XXXXXXXX XXXXXXX XXXXXX XXXXXX X XXXXXX XXXXXXX XX XXXXXXXXXXXXX, XXXXXXXXXXXXX, XXXXXXX, XXXXXXX XXXXXXX XXX XXXXXXX XXXXXXXXXXXXXX.

                          -

                          XXXX XXXXXXX XXXXXX XXXXXXX X XXXX XXXXXXXXXX, XXXXXXXX XX XXX XXXXXXX XX XXXXXXX XXX XXXXXXXXXXXXX XX XXXXXXXX XXXXXXXX XXXXXX. XXXX XXXXXXX XXXXXX XXXX XXXXXX XXXX XXXXXXXX XXXXXXXX XXX XXXXXXX XXXXXXXXXX XXX XXX XXXXXXXXXXX, XXXX XXXXXXX XXXXXXXXXXX XXX XXXXX XXXXXX XXXX XX XXXXX XXXXX XX XXX XXXXXX XXXXXXXXX XXX XXXXX XXXX XXX XXXX XXXXXX XXXXXXXXX XXX XXXXXXXX XXX XXX XXXXXX XX XXXXXXXX.

                          -

                          XXXXXXXX XXXXXXXXXXX, XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXX XXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX (XXX 12.1.2). XXX XXXXXX XXXXXXX XXXXXXXXXX XXXXXX XXXXXXX XXX XXX XX XXXXXXX XX:

                          +

                          Formal change control procedures should be documented and enforced to ensure the integrity of system, applications and products, from the early design stages through all subsequent maintenance efforts. Introduction of new systems and major changes to existing systems should follow a formal process of documentation, specification, testing, quality control and managed implementation.

                          +

                          This process should include a risk assessment, analysis of the impacts of changes and specification of security controls needed. This process should also ensure that existing security and control procedures are not compromised, that support programmers are given access only to those parts of the system necessary for their work and that formal agreement and approval for any change is obtained.

                          +

                          Wherever practicable, application and operational change control procedures should be integrated (see 12.1.2). The change control procedures should include but not be limited to:

                            -
                          1. XXXXXXXXXXX X XXXXXX XX XXXXXX XXXXXXXXXXXXX XXXXXX;
                          2. -
                          3. XXXXXXXX XXXXXXX XXX XXXXXXXXX XX XXXXXXXXXX XXXXX;
                          4. -
                          5. XXXXXXXXX XXXXXXXX XXX XXXXXXXXX XXXXXXXXXX XX XXXXXX XXXX XXXX XXXX XXX XX XXXXXXXXXXX XX XXX XXXXXXX;
                          6. -
                          7. XXXXXXXXXXX XXX XXXXXXXX, XXXXXXXXXXX, XXXXXXXX XXXXXXXX XXX XXXXXXXX XXXX XXXXXXX XXXXXXXXX;
                          8. -
                          9. XXXXXXXXXXX XXX XXXXXXXX XXXXXXXX XXXXXXXX XXXX XX XXXXXXXX XXX XXXXXXXXXX XX XXXXX XXXXXXXX XXXXXXXXXX;
                          10. -
                          11. XXXXXXXXX XXXXXX XXXXXXXX XXX XXXXXXXX XXXXXXXXX XXXXXX XXXX XXXXXXXXX;
                          12. -
                          13. XXXXXXXX XXXXXXXXXX XXXXX XXXXXX XXXXXXX XXXXX XX XXXXXXXXXXXXXX;
                          14. -
                          15. XXXXXXXX XXXX XXX XXXXXX XXXXXXXXXXXXX XXX XX XXXXXXX XX XXX XXXXXXXXXX XX XXXX XXXXXX XXX XXXX XXX XXXXXXXXXXXXX XX XXXXXXXX XX XXXXXXXX XX;
                          16. -
                          17. XXXXXXXXXXX X XXXXXXX XXXXXXX XXX XXX XXXXXXXX XXXXXXX;
                          18. -
                          19. XXXXXXXXXXX XX XXXXX XXXXX XX XXX XXXXXX XXXXXXXX;
                          20. -
                          21. XXXXXXXX XXXX XXXXXXXXX XXXXXXXXXXXXX (XXX 12.1.1) XXX XXXX XXXXXXXXXX XXX XXXXXXX XX XXXXXXXXX XX XXXXXX XXXXXXXXXXX;
                          22. -
                          23. XXXXXXXX XXXX XXX XXXXXXXXXXXXXX XX XXXXXXX XXXXX XXXXX XX XXX XXXXX XXXX XXX XXXX XXX XXXXXXX XXX XXXXXXXX XXXXXXXXX XXXXXXXX.
                          24. +
                          25. maintaining a record of agreed authorization levels;
                          26. +
                          27. ensuring changes are submitted by authorized users;
                          28. +
                          29. reviewing controls and integrity procedures to ensure that they will not be compromised by the changes;
                          30. +
                          31. identifying all software, information, database entities and hardware that require amendment;
                          32. +
                          33. identifying and checking security critical code to minimize the likelihood of known security weaknesses;
                          34. +
                          35. obtaining formal approval for detailed proposals before work commences;
                          36. +
                          37. ensuring authorized users accept changes prior to implementation;
                          38. +
                          39. ensuring that the system documentation set is updated on the completion of each change and that old documentation is archived or disposed of;
                          40. +
                          41. maintaining a version control for all software updates;
                          42. +
                          43. maintaining an audit trail of all change requests;
                          44. +
                          45. ensuring that operating documentation (see 12.1.1) and user procedures are changed as necessary to remain appropriate;
                          46. +
                          47. ensuring that the implementation of changes takes place at the right time and does not disturb the business processes involved.
                          -

                          XXXXXXXX XXXXXXXX XXX XXXXXX XXX XXXXXXXXXXX XXXXXXXXXXX XXX XXXX XXXXX.

                          -

                          XXXX XXXXXXXX XXXXXXXX XXX XXXXXXX XX XXX XXXXXXXX XX XX XXXXXXXXXXX XXXXXXXXXX XXXX XXXX XXX XXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXXXX (XXX 12.1.4). XXXX XXXXXXXX X XXXXX XX XXXXXX XXXXXXX XXXX XXX XXXXXXXX XXX XXXXXXXX XXXXXXXXXX XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXXX XXXX XX XXXX XXX XXXXXXX XXXXXXXX. XXXX XXXXXX XXXXXXX XXXXXXX, XXXXXXX XXXXX XXX XXXXX XXXXXXX.

                          -

                          XXXXX XXXXXXXXX XXXXXXX XXX XXXXXXXXXX, XXX XXXX XX XXX XXXXXXXXX XXX XXXXXXXXXXXX XX XXX XXXXXX XXXXXX XX XXXXXXX XXXXXXX XXX XXXXXXX XX XXXXXX XXXXXXXXXX XX XXXXXXX. XXXXXXXXX XXXXXXX XXXXXX XXX XX XXXX XX XXXXXXXX XXXXXXX XX XXXX XXXXXXX XXX XXXXX XXXXXXXX XXXXXXXXXXXX XX XXXX.

                          +

                          Changing software can impact the operational environment and vice versa.

                          +

                          Good practice includes the testing of new software in an environment segregated from both the production and development environments (see 12.1.4). This provides a means of having control over new software and allowing additional protection of operational information that is used for testing purposes. This should include patches, service packs and other updates.

                          +

                          Where automatic updates are considered, the risk to the integrity and availability of the system should be weighed against the benefit of speedy deployment of updates. Automated updates should not be used on critical systems as some updates can cause critical applications to fail.

                          Technical review of applications after operating platform changes 14.2.3 -

                          XXXX XXXXXXXXX XXXXXXXXX XXX XXXXXXX, XXXXXXXX XXXXXXXX XXXXXXXXXXXX XXXXXX XX XXXXXXXX XXX XXXXXX XX XXXXXX XXXXX XX XX XXXXXXX XXXXXX XX XXXXXXXXXXXXXX XXXXXXXXXX XX XXXXXXXX.

                          +

                          When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

                          -

                          XXXX XXXXXXX XXXXXX XXXXX:

                          +

                          This process should cover:

                            -
                          1. XXXXXX XX XXXXXXXXXXX XXXXXXX XXX XXXXXXXXX XXXXXXXXXX XX XXXXXX XXXX XXXX XXXX XXX XXXX XXXXXXXXXXX XX XXX XXXXXXXXX XXXXXXXX XXXXXXX;
                          2. -
                          3. XXXXXXXX XXXX XXXXXXXXXXXX XX XXXXXXXXX XXXXXXXX XXXXXXX XX XXXXXXXX XX XXXX XX XXXXX XXXXXXXXXXX XXXXX XXX XXXXXXX XX XXXX XXXXX XXXXXX XXXXXXXXXXXXXX;
                          4. -
                          5. XXXXXXXX XXXX XXXXXXXXXXX XXXXXXX XXX XXXX XX XXX XXXXXXXX XXXXXXXXXX XXXXX (XXX Clause 17).
                          6. +
                          7. review of application control and integrity procedures to ensure that they have not been compromised by the operating platform changes;
                          8. +
                          9. ensuring that notification of operating platform changes is provided in time to allow appropriate tests and reviews to take place before implementation;
                          10. +
                          11. ensuring that appropriate changes are made to the business continuity plans (see Clause 17).
                          -

                          XXXXXXXXX XXXXXXXXX XXXXXXX XXXXXXXXX XXXXXXX, XXXXXXXXX XXX XXXXXXXXXX XXXXXXXXX. XXX XXXXXXX XXXXXX XXXX XX XXXXXXX XXX XXXXXXX XX XXXXXXXXXXXX.

                          +

                          Operating platforms include operating systems, databases and middleware platforms. The control should also be applied for changes of applications.

                          Restrictions on changes to software packages 14.2.4 -

                          XXXXXXXXXXXXX XX XXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXXX, XXXXXXX XX XXXXXXXXX XXXXXXX XXX XXX XXXXXXX XXXXXX XX XXXXXXXX XXXXXXXXXX.

                          +

                          Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled.

                          -

                          XX XXX XX XXXXXXXX XXX XXXXXXXXXXX, XXXXXX-XXXXXXXX XXXXXXXX XXXXXXXX XXXXXX XX XXXX XXXXXXX XXXXXXXXXXXX. XXXXX X XXXXXXXX XXXXXXX XXXXX XX XX XXXXXXXX XXX XXXXXXXXX XXXXXX XXXXXX XX XXXXXXXXXX:

                          +

                          As far as possible and practicable, vendor-supplied software packages should be used without modification. Where a software package needs to be modified the following points should be considered:

                            -
                          1. XXX XXXX XX XXXXX-XX XXXXXXXX XXX XXXXXXXXX XXXXXXXXX XXXXX XXXXXXXXXXX;
                          2. -
                          3. XXXXXXX XXX XXXXXXX XX XXX XXXXXX XXXXXX XX XXXXXXXX;
                          4. -
                          5. XXX XXXXXXXXXXX XX XXXXXXXXX XXX XXXXXXXX XXXXXXX XXXX XXX XXXXXX XX XXXXXXXX XXXXXXX XXXXXXX;
                          6. -
                          7. XXX XXXXXX XX XXX XXXXXXXXXXXX XXXXXXX XXXXXXXXXXX XXX XXX XXXXXX XXXXXXXXXXX XX XXX XXXXXXXX XX X XXXXXX XX XXXXXXX;
                          8. -
                          9. XXXXXXXXXXXXX XXXX XXXXX XXXXXXXX XX XXX.
                          10. +
                          11. the risk of built-in controls and integrity processes being compromised;
                          12. +
                          13. whether the consent of the vendor should be obtained;
                          14. +
                          15. the possibility of obtaining the required changes from the vendor as standard program updates;
                          16. +
                          17. the impact if the organization becomes responsible for the future maintenance of the software as a result of changes;
                          18. +
                          19. compatibility with other software in use.
                          -

                          XX XXXXXXX XXX XXXXXXXXX XXX XXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXX XXX XXX XXXXXXX XXXXXXX XX X XXXXXXXXXX XXXX. X XXXXXXXX XXXXXX XXXXXXXXXX XXXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXX XXX XXXX XX-XX-XXXX XXXXXXXX XXXXXXX XXX XXXXXXXXXXX XXXXXXX XXX XXXXXXXXX XXX XXX XXXXXXXXXX XXXXXXXX (XXX 12.6.1). XXX XXXXXXX XXXXXX XX XXXXX XXXXXX XXX XXXXXXXXXX, XX XXXX XXXX XXX XX XXXXXXXXX, XX XXXXXXXXX, XX XXXXXX XXXXXXXX XXXXXXXX. XX XXXXXXXX, XXX XXXXXXXXXXXXX XXXXXX XX XXXXXX XXX XXXXXXXXX XX XX XXXXXXXXXXX XXXXXXXXXX XXXX.

                          +

                          If changes are necessary the original software should be retained and the changes applied to a designated copy. A software update management process should be implemented to ensure the most up-to-date approved patches and application updates are installed for all authorized software (see 12.6.1). All changes should be fully tested and documented, so that they can be reapplied, if necessary, to future software upgrades. If required, the modifications should be tested and validated by an independent evaluation body.

                          Secure system engineering principles 14.2.5 -

                          XXXXXXXXXX XXX XXXXXXXXXXX XXXXXX XXXXXXX XXXXXX XX XXXXXXXXXXX, XXXXXXXXXX, XXXXXXXXXX XXX XXXXXXX XX XXX XXXXXXXXXXX XXXXXX XXXXXXXXXXXXXX XXXXXXX.

                          +

                          Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts.

                          -

                          XXXXXX XXXXXXXXXXX XXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXX XX XXXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXXX, XXXXXXXXXX XXX XXXXXXX XX XX-XXXXX XXXXXXXXXXX XXXXXX XXXXXXXXXXX XXXXXXXXXX. XXXXXXXX XXXXXX XX XXXXXXXX XXXX XXX XXXXXXXXXXXX XXXXXX (XXXXXXXX, XXXX, XXXXXXXXXXXX XXX XXXXXXXXXX) XXXXXXXXX XXX XXXX XXX XXXXXXXXXXX XXXXXXXX XXXX XXX XXXX XXX XXXXXXXXXXXXX. XXX XXXXXXXXXX XXXXXX XX XXXXXXXX XXX XXXXXXXX XXXXX XXX XXX XXXXXX XXXXXX XX XXXXXXXX XXXXXXX XXXXX XXXXXX XXXXXXXX.

                          -

                          XXXXX XXXXXXXXXX XXX XXX XXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXX XXXXXXXX XX XXXXXX XXXX XXXX XXX XXXXXXXXXXX XXXXXXXXXXXX XX XXXXXXXX XXXXXXXXX XX XXXXXXXX XXXXXX XXX XXXXXXXXXXX XXXXXXX. XXXX XXXXXX XXXX XX XXXXXXXXX XXXXXXXX XX XXXXXX XXXX XXXX XXXXXX XX-XX-XXXX XX XXXXX XX XXXXXXXXX XXX XXX XXXXXXXXX XXXXXXX XXX XX XXXXXXXXX XXXXXXXXXX XX XXXXXXXX XX XXX XXXXXXXXXXXX XXX XXXXXXXXX XXXXX XXXXXXX.

                          -

                          XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXX, XXXXX XXXXXXXXXX, XX XXXXXXXXXX XXXXXXXXXXX XXXXXXX XXXXXXX XXX XXXXXXXXX XXX XXXXX XXXXXXX XXXXXXXXXX XXXXXXX XXX XXXXXXXXXXXX XXX XXX XXXXXXXX XX XXXX XXX XXXXXXXXXXXX XXXXXXXXXX. XXX XXXXXXXXXXXX XXXXXX XXXXXXX XXXX XXX XXXXXX XX XXXXXXXXX’ XXXXXXXX XXXXXXXXXXX XXXXXXXXXX XX XXXXXXXXXX XXXX XXX XXX.

                          +

                          Secure information system engineering procedures based on security engineering principles should be established, documented and applied to in-house information system engineering activities. Security should be designed into all architecture layers (business, data, applications and technology) balancing the need for information security with the need for accessibility. New technology should be analysed for security risks and the design should be reviewed against known attack patterns.

                          +

                          These principles and the established engineering procedures should be regularly reviewed to ensure that they are effectively contributing to enhanced standards of security within the engineering process. They should also be regularly reviewed to ensure that they remain up-to-date in terms of combating any new potential threats and in remaining applicable to advances in the technologies and solutions being applied.

                          +

                          The established security engineering principles should be applied, where applicable, to outsourced information systems through the contracts and other binding agreements between the organization and the supplier to whom the organization outsources. The organization should confirm that the rigour of suppliers’ security engineering principles is comparable with its own.

                          -

                          XXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXX XXXXX XXXXXX XXXXXXXXXXX XXXXXXXXXX XX XXX XXXXXXXXXXX XX XXXXXXXXXXXX XXXX XXXX XXXXX XXX XXXXXX XXXXXXXXXX. XXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXXX XXXXXXXX XX XXXX XXXXXXXXXXXXXX XXXXXXXXXX, XXXXXX XXXXXXX XXXXXXX XXX XXXX XXXXXXXXXX, XXXXXXXXXXXX XXX XXXXXXXXXXX XX XXXXXXXXX XXXXX.

                          +

                          Application development procedures should apply secure engineering techniques in the development of applications that have input and output interfaces. Secure engineering techniques provide guidance on user authentication techniques, secure session control and data validation, sanitisation and elimination of debugging codes.

                          Secure development environment 14.2.6 -

                          XXXXXXXXXXXXX XXXXXX XXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXX XXXXXX XXXXXXXXXXX XXXXXXXXXXXX XXX XXXXXX XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXX XXXX XXXXX XXX XXXXXX XXXXXX XXXXXXXXXXX XXXXXXXXX.

                          +

                          Organizations should establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

                          -

                          X XXXXXX XXXXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXX, XXXXXXXXX XXX XXXXXXXXXX XXXXXXXXXX XXXX XXXXXX XXXXXXXXXXX XXX XXXXXXXXXXX.

                          -

                          XXXXXXXXXXXXX XXXXXX XXXXXX XXXXX XXXXXXXXXX XXXX XXXXXXXXXX XXXXXX XXXXXXXXXXX XXXXXXX XXX XXXXXXXXX XXXXXX XXXXXXXXXXX XXXXXXXXXXXX XXX XXXXXXXX XXXXXX XXXXXXXXXXX XXXXXXX, XXXXXXXXXXX:

                          +

                          A secure development environment includes people, processes and technology associated with system development and integration.

                          +

                          Organizations should assess risks associated with individual system development efforts and establish secure development environments for specific system development efforts, considering:

                            -
                          1. XXXXXXXXXXX XX XXXX XX XX XXXXXXXXX, XXXXXX XXX XXXXXXXXXXX XX XXX XXXXXX;
                          2. -
                          3. XXXXXXXXXX XXXXXXXX XXX XXXXXXXX XXXXXXXXXXXX, X.X. XXXX XXXXXXXXXXX XX XXXXXXXX;
                          4. -
                          5. XXXXXXXX XXXXXXXX XXXXXXX XXXXXXXXXXX XX XXX XXXXXXXXXXXX XXXX XXXXXXX XXXXXX XXXXXXXXXXX;
                          6. -
                          7. XXXXXXXXXXXXXXX XX XXXXXXXXX XXXXXXX XX XXX XXXXXXXXXXX (XXX 7.1.1);
                          8. -
                          9. XXX XXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXXX XXXXXX XXXXXXXXXXX;
                          10. -
                          11. XXX XXXX XXX XXXXXXXXXXX XXXXXXX XXXXXXXXX XXXXXXXXXXX XXXXXXXXXXXX;
                          12. -
                          13. XXXXXXX XX XXXXXX XX XXX XXXXXXXXXXX XXXXXXXXXXX;
                          14. -
                          15. XXXXXXXXXX XX XXXXXX XX XXX XXXXXXXXXXX XXX XXXX XXXXXX XXXXXXX;
                          16. -
                          17. XXXXXXX XXX XXXXXX XX XXXXXX XXXXXXX XXXXXXXXX;
                          18. -
                          19. XXXXXXX XXXX XXXXXXXX XX XXXX XXXX XXX XX XXX XXXXXXXXXXX.
                          20. +
                          21. sensitivity of data to be processed, stored and transmitted by the system;
                          22. +
                          23. applicable external and internal requirements, e.g. from regulations or policies;
                          24. +
                          25. security controls already implemented by the organization that support system development;
                          26. +
                          27. trustworthiness of personnel working in the environment (see 7.1.1);
                          28. +
                          29. the degree of outsourcing associated with system development;
                          30. +
                          31. the need for segregation between different development environments;
                          32. +
                          33. control of access to the development environment;
                          34. +
                          35. monitoring of change to the environment and code stored therein;
                          36. +
                          37. backups are stored at secure offsite locations;
                          38. +
                          39. control over movement of data from and to the environment.
                          -

                          XXXX XXX XXXXX XX XXXXXXXXXX XX XXXXXXXXXX XXX X XXXXXXXX XXXXXXXXXXX XXXXXXXXXXX, XXXXXXXXXXXXX XXXXXX XXXXXXXX XXXXXXXXXXXXX XXXXXXXXX XX XXXXXX XXXXXXXXXXX XXXXXXXXXX XXX XXXXXXX XXXXX XX XXX XXXXXXXXXXX XXX XXXX XXXX.

                          +

                          Once the level of protection is determined for a specific development environment, organizations should document corresponding processes in secure development procedures and provide these to all individuals who need them.

                          Outsourced development 14.2.7 -

                          XXX XXXXXXXXXXXX XXXXXX XXXXXXXXX XXX XXXXXXX XXX XXXXXXXX XX XXXXXXXXXX XXXXXX XXXXXXXXXXX.

                          -

                          XXXXXXXXXXXXXX XXXXXXXX:

                          -

                          XXXXX XXXXXX XXXXXXXXXXX XX XXXXXXXXXX, XXX XXXXXXXXX XXXXXX XXXXXX XX XXXXXXXXXX XXXXXX XXX XXXXXXXXXXXX’X XXXXXX XXXXXXXX XXXXXX XXXXX:

                          +

                          The organization should supervise and monitor the activity of outsourced system development.

                          +

                          Implementation guidance:

                          +

                          Where system development is outsourced, the following points should be considered across the organization’s entire external supply chain:

                            -
                          1. XXXXXXXXX XXXXXXXXXXXX, XXXX XXXXXXXXX XXX XXXXXXXXXXXX XXXXXXXX XXXXXX XXXXXXX XX XXX XXXXXXXXXX XXXXXXX (XXX 18.1.2);
                          2. -
                          3. XXXXXXXXXXX XXXXXXXXXXXX XXX XXXXXX XXXXXX, XXXXXX XXX XXXXXXX XXXXXXXXX (XXX 14.2.1);
                          4. -
                          5. XXXXXXXXX XX XXX XXXXXXXX XXXXXX XXXXX XX XXX XXXXXXXX XXXXXXXXX;
                          6. -
                          7. XXXXXXXXXX XXXXXXX XXX XXX XXXXXXX XXX XXXXXXXX XX XXX XXXXXXXXXXXX;
                          8. -
                          9. XXXXXXXXX XX XXXXXXXX XXXX XXXXXXXX XXXXXXXXXX XXXX XXXX XX XXXXXXXXX XXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXX XXX XXXXXXX XXXXXXX;
                          10. -
                          11. XXXXXXXXX XX XXXXXXXX XXXX XXXXXXXXXX XXXXXXX XXX XXXX XXXXXXX XX XXXXX XXXXXXX XXX XXXXXXX XX XXXX XXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXX XXXXXXX XXXX XXXXXXXX;
                          12. -
                          13. XXXXXXXXX XX XXXXXXXX XXXX XXXXXXXXXX XXXXXXX XXX XXXX XXXXXXX XX XXXXX XXXXXXX XXX XXXXXXXX XX XXXXX XXXXXXXXXXXXXXX;
                          14. -
                          15. XXXXXX XXXXXXXXXXXX, X.X. XX XXXXXX XXXX XX XX XXXXXX XXXXXXXXX;
                          16. -
                          17. XXXXXXXXXXX XXXXX XX XXXXX XXXXXXXXXXX XXXXXXXXX XXX XXXXXXXX;
                          18. -
                          19. XXXXXXXXX XXXXXXXXXXXXX XX XXX XXXXX XXXXXXXXXXX XXXX XX XXXXXX XXXXXXXXXXXX;
                          20. -
                          21. XXX XXXXXXXXXXXX XXXXXXX XXXXXXXXXXX XXX XXXXXXXXXX XXXX XXXXXXXXXX XXXX XXX XXXXXXX XXXXXXXXXX XXXXXXXXXXXX.
                          22. +
                          23. licensing arrangements, code ownership and intellectual property rights related to the outsourced content (see 18.1.2);
                          24. +
                          25. contractual requirements for secure design, coding and testing practices (see 14.2.1);
                          26. +
                          27. provision of the approved threat model to the external developer;
                          28. +
                          29. acceptance testing for the quality and accuracy of the deliverables;
                          30. +
                          31. provision of evidence that security thresholds were used to establish minimum acceptable levels of security and privacy quality;
                          32. +
                          33. provision of evidence that sufficient testing has been applied to guard against the absence of both intentional and unintentional malicious content upon delivery;
                          34. +
                          35. provision of evidence that sufficient testing has been applied to guard against the presence of known vulnerabilities;
                          36. +
                          37. escrow arrangements, e.g. if source code is no longer available;
                          38. +
                          39. contractual right to audit development processes and controls;
                          40. +
                          41. effective documentation of the build environment used to create deliverables;
                          42. +
                          43. the organization remains responsible for compliance with applicable laws and control efficiency verification.
                          -

                          XXXXXXX XXXXXXXXXXX XX XXXXXXXX XXXXXXXXXXXXX XXX XX XXXXX XX XXX/XXX XXXXX.[21][22][23]

                          +

                          Further information on supplier relationships can be found in ISO/IEC 27036.[21][22][23]

                          System security testing 14.2.8 -

                          XXXXXXX XX XXXXXXXX XXXXXXXXXXXXX XXXXXX XX XXXXXXX XXX XXXXXX XXXXXXXXXXX.

                          +

                          Testing of security functionality should be carried out during development.

                          -

                          XXX XXX XXXXXXX XXXXXXX XXXXXXX XXXXXXXX XXXXXXX XXX XXXXXXXXXXXX XXXXXX XXX XXXXXXXXXXX XXXXXXXXX, XXXXXXXXX XXX XXXXXXXXXXX XX X XXXXXXXX XXXXXXXX XX XXXXXXXXXX XXX XXXX XXXXXX XXX XXXXXXXX XXXXXXX XXXXX X XXXXX XX XXXXXXXXXX. XXX XX-XXXXX XXXXXXXXXXXX, XXXX XXXXX XXXXXX XXXXXXXXX XX XXXXXXXXX XX XXX XXXXXXXXXXX XXXX. XXXXXXXXXXX XXXXXXXXXX XXXXXXX XXXXXX XXXX XX XXXXXXXXXX (XXXX XXX XX-XXXXX XXX XXX XXXXXXXXXX XXXXXXXXXXXX) XX XXXXXX XXXX XXX XXXXXX XXXXX XX XXXXXXXX XXX XXXX XX XXXXXXXX (XXX 14.1.1 XXX XX.X.X). XXX XXXXXX XX XXXXXXX XXXXXX XX XX XXXXXXXXXX XX XXX XXXXXXXXXX XXX XXXXXX XX XXX XXXXXX.

                          +

                          New and updated systems require thorough testing and verification during the development processes, including the preparation of a detailed schedule of activities and test inputs and expected outputs under a range of conditions. For in-house developments, such tests should initially be performed by the development team. Independent acceptance testing should then be undertaken (both for in-house and for outsourced developments) to ensure that the system works as expected and only as expected (see 14.1.1 and 14.1.9). The extent of testing should be in proportion to the importance and nature of the system.

                          System acceptance testing 14.2.9 -

                          XXXXXXXXXX XXXXXXX XXXXXXXX XXX XXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXXX XXX XXX XXXXXXXXXXX XXXXXXX, XXXXXXXX XXX XXX XXXXXXXX.

                          +

                          Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions.

                          -

                          XXXXXX XXXXXXXXXX XXXXXXX XXXXXX XXXXXXX XXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX (XXX 14.1.1 XXX 14.1.2) XXX XXXXXXXXX XX XXXXXX XXXXXX XXXXXXXXXXX XXXXXXXXX (XXX 14.2.1). XXX XXXXXXX XXXXXX XXXX XX XXXXXXXXX XX XXXXXXXX XXXXXXXXXX XXX XXXXXXXXXX XXXXXXX. XXXXXXXXXXXXX XXX XXXXXXXX XXXXXXXXX XXXXX, XXXX XX XXXX XXXXXXXX XXXXX XX XXXXXXXXXXXXX XXXXXXXX, XXX XXXXXX XXXXXX XXX XXXXXXXXXXX XX XXXXXXXX-XXXXXXX XXXXXXX.

                          -

                          XXXXXXX XXXXXX XX XXXXXXXXX XX X XXXXXXXXX XXXX XXXXXXXXXXX XX XXXXXX XXXX XXX XXXXXX XXXX XXX XXXXXXXXX XXXXXXXXXXXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XXX XXXX XXX XXXXX XXX XXXXXXXX.

                          +

                          System acceptance testing should include testing of information security requirements (see 14.1.1 and 14.1.2) and adherence to secure system development practices (see 14.2.1). The testing should also be conducted on received components and integrated systems. Organizations can leverage automated tools, such as code analysis tools or vulnerability scanners, and should verify the remediation of security-related defects.

                          +

                          Testing should be performed in a realistic test environment to ensure that the system will not introduce vulnerabilities to the organization’s environment and that the tests are reliable.

                          @@ -2271,26 +2269,26 @@ Test data 14.3 -

                          XX XXXXXX XXX XXXXXXXXXX XX XXXX XXXX XXX XXXXXXX.

                          +

                          Objective: To ensure the protection of data used for testing.

                          Protection of test data 14.3.1 -

                          XXXX XXXX XXXXXX XX XXXXXXXX XXXXXXXXX, XXXXXXXXX XXX XXXXXXXXXX.

                          +

                          Test data should be selected carefully, protected and controlled.

                          -

                          XXX XXX XX XXXXXXXXXXX XXXX XXXXXXXXXX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XX XXX XXXXX XXXXXXXXXXXX XXXXXXXXXXX XXX XXXXXXX XXXXXXXX XXXXXX XX XXXXXXX. XX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XX XXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XX XXXX XXX XXXXXXX XXXXXXXX, XXX XXXXXXXXX XXXXXXX XXX XXXXXXX XXXXXX XX XXXXXXXXX XX XXXXXXX XX XXXXXXXXXXXX (XXX XXX/XXX XXXXX[26]).

                          -

                          XXX XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXX XX XXXXXXX XXXXXXXXXXX XXXX, XXXX XXXX XXX XXXXXXX XXXXXXXX:

                          +

                          The use of operational data containing personally identifiable information or any other confidential information for testing purposes should be avoided. If personally identifiable information or otherwise confidential information is used for testing purposes, all sensitive details and content should be protected by removal or modification (see ISO/IEC 29101[26]).

                          +

                          The following guidelines should be applied to protect operational data, when used for testing purposes:

                            -
                          1. XXX XXXXXX XXXXXXX XXXXXXXXXX, XXXXX XXXXX XX XXXXXXXXXXX XXXXXXXXXXX XXXXXXX, XXXXXX XXXX XXXXX XX XXXX XXXXXXXXXXX XXXXXXX;
                          2. -
                          3. XXXXX XXXXXX XX XXXXXXXX XXXXXXXXXXXXX XXXX XXXX XXXXXXXXXXX XXXXXXXXXXX XX XXXXXX XX X XXXX XXXXXXXXXXX;
                          4. -
                          5. XXXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXX XXXX X XXXX XXXXXXXXXXX XXXXXXXXXXX XXXXX XXX XXXXXXX XX XXXXXXXX;
                          6. -
                          7. XXX XXXXXXX XXX XXX XX XXXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXX XX XXXXXXX XX XXXXX XXXXX.
                          8. +
                          9. the access control procedures, which apply to operational application systems, should also apply to test application systems;
                          10. +
                          11. there should be separate authorization each time operational information is copied to a test environment;
                          12. +
                          13. operational information should be erased from a test environment immediately after the testing is complete;
                          14. +
                          15. the copying and use of operational information should be logged to provide an audit trail.
                          -

                          XXXXXX XXX XXXXXXXXXX XXXXXXX XXXXXXX XXXXXXXX XXXXXXXXXXX XXXXXXX XX XXXX XXXX XXXX XXX XX XXXXX XX XXXXXXXX XX XXXXXXXXXXX XXXX.

                          +

                          System and acceptance testing usually requires substantial volumes of test data that are as close as possible to operational data.

                          @@ -2302,93 +2300,93 @@ Information security in supplier relationships 15.1 -

                          XX XXXXXX XXXXXXXXXX XX XXX XXXXXXXXXXXX’X XXXXXX XXXX XX XXXXXXXXXX XX XXXXXXXXX.

                          +

                          Objective: To ensure protection of the organization’s assets that is accessible by suppliers.

                          Information security policy for supplier relationships 15.1.1 -

                          XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXX XXXXXXXXXX XXX XXXXX XXXXXXXXXX XXXX XXXXXXXX’X XXXXXX XX XXX XXXXXXXXXXXX’X XXXXXX XXXXXX XX XXXXXX XXXX XXX XXXXXXXX XXX XXXXXXXXXX.

                          +

                          Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented.

                          -

                          XXX XXXXXXXXXXXX XXXXXX XXXXXXXX XXX XXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXX XX XXXXXXXXXXXX XXXXXXX XXXXXXXX XXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XX X XXXXXX. XXXXX XXXXXXXX XXXXXX XXXXXXX XXXXXXXXX XXX XXXXXXXXXX XX XX XXXXXXXXXXX XX XXX XXXXXXXXXXXX, XX XXXX XX XXXXX XXXXXXXXX XXX XXXXXXXXXX XXXX XXX XXXXXXXXXXXX XXXXXX XXXXXXX XXX XXXXXXXX XX XXXXXXXXX, XXXXXXXXX:

                          +

                          The organization should identify and mandate information security controls to specifically address supplier access to the organization’s information in a policy. These controls should address processes and procedures to be implemented by the organization, as well as those processes and procedures that the organization should require the supplier to implement, including:

                            -
                          1. XXXXXXXXXXX XXX XXXXXXXXXXX XXX XXXXX XX XXXXXXXXX, X.X. XX XXXXXXXX, XXXXXXXXX XXXXXXXXX, XXXXXXXXX XXXXXXXX, XX XXXXXXXXXXXXXX XXXXXXXXXX, XXXX XXX XXXXXXXXXXXX XXXX XXXXX XX XXXXXX XXX XXXXXXXXXXX;
                          2. -
                          3. X XXXXXXXXXXXX XXXXXXX XXX XXXXXXXXX XXX XXXXXXXX XXXXXXXX XXXXXXXXXXXXX;
                          4. -
                          5. XXXXXXXX XXX XXXXX XX XXXXXXXXXXX XXXXXX XXXX XXXXXXXXX XXXXX XX XXXXXXXXX XXXX XX XXXXXXX, XXX XXXXXXXXXX XXX XXXXXXXXXXX XXX XXXXXX;
                          6. -
                          7. XXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXX XXXX XXXX XX XXXXXXXXXXX XXX XXXX XX XXXXXX XX XXXXX XX XXX XXXXX XXX XXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXX XXXXX XXX XXXXXXXXXXXX XXX XXX XXXX XXXXXXX;
                          8. -
                          9. XXXXXXXXX XXX XXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXX XXXX XXXX XX XXXXXXXX XXX XXXX XX XXXXXX, XXXXXXXXX XXXXX XXXXX XXXXXX XXX XXXXXXX XXXXXXXXXX;
                          10. -
                          11. XXXXXXXX XXX XXXXXXXXXXXX XXXXXXXX XX XXXXXX XXX XXXXXXXXX XX XXX XXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXXXXXXX XX XXXXXX XXXXX;
                          12. -
                          13. XXXXX XX XXXXXXXXXXX XXXXXXXXXX XX XXXXXXXXX XX XXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXXXXX;
                          14. -
                          15. XXXXXXXX XXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXXX XXXXXXXX XXXXXX XXXXXXXXX XXXXXXXXXXXXXXXX XX XXXX XXX XXXXXXXXXXXX XXX XXXXXXXXX;
                          16. -
                          17. XXXXXXXXXX XXX, XX XXXXXXXXX, XXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXXXX XX XXXXXX XXX XXXXXXXXXXXX XX XXX XXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXXXXXXX XX XXXXXX XXXXX;
                          18. -
                          19. XXXXXXXXX XXXXXXXX XXX XXX XXXXXXXXXXXX’X XXXXXXXXX XXXXXXXX XX XXXXXXXXXXXX XXXXXXXXX XXXXXXXXXX XXXXXXXX, XXXXXXXXX XXX XXXXXXXXXX;
                          20. -
                          21. XXXXXXXXX XXXXXXXX XXX XXX XXXXXXXXXXXX’X XXXXXXXXX XXXXXXXXXXX XXXX XXXXXXXX XXXXXXXXX XXXXXXXXX XXXXXXXXXXX XXXXX XX XXXXXXXXXX XXX XXXXXXXXX XXXXX XX XXX XXXX XX XXXXXXXX XXX XXX XXXXX XX XXXXXXXX XXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXX XXX XXXXXXXXXXX;
                          22. -
                          23. XXXXXXXXXX XXXXX XXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXX XXXXXXXX XXXX XX XXXXXXXXXX XX XX XXXXXXXXX XXXXXX XX XXXX XXXXXXX;
                          24. -
                          25. XXXXXXXX XXX XXXXXXXXX XXXXXXXXXXX XX XXXXXXXXXXX, XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXX XXXXXXXX XXXX XXXX XXXXX XX XX XXXXX, XXX XXXXXXXX XXXX XXXXXXXXXXX XXXXXXXX XX XXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXX XXXXXX.
                          26. +
                          27. identifying and documenting the types of suppliers, e.g. IT services, logistics utilities, financial services, IT infrastructure components, whom the organization will allow to access its information;
                          28. +
                          29. a standardised process and lifecycle for managing supplier relationships;
                          30. +
                          31. defining the types of information access that different types of suppliers will be allowed, and monitoring and controlling the access;
                          32. +
                          33. minimum information security requirements for each type of information and type of access to serve as the basis for individual supplier agreements based on the organization’s business needs and requirements and its risk profile;
                          34. +
                          35. processes and procedures for monitoring adherence to established information security requirements for each type of supplier and type of access, including third party review and product validation;
                          36. +
                          37. accuracy and completeness controls to ensure the integrity of the information or information processing provided by either party;
                          38. +
                          39. types of obligations applicable to suppliers to protect the organization’s information;
                          40. +
                          41. handling incidents and contingencies associated with supplier access including responsibilities of both the organization and suppliers;
                          42. +
                          43. resilience and, if necessary, recovery and contingency arrangements to ensure the availability of the information or information processing provided by either party;
                          44. +
                          45. awareness training for the organization’s personnel involved in acquisitions regarding applicable policies, processes and procedures;
                          46. +
                          47. awareness training for the organization’s personnel interacting with supplier personnel regarding appropriate rules of engagement and behaviour based on the type of supplier and the level of supplier access to the organization’s systems and information;
                          48. +
                          49. conditions under which information security requirements and controls will be documented in an agreement signed by both parties;
                          50. +
                          51. managing the necessary transitions of information, information processing facilities and anything else that needs to be moved, and ensuring that information security is maintained throughout the transition period.
                          -

                          XXXXXXXXXXX XXX XX XXX XX XXXX XX XXXXXXXXX XXXX XXXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX. XXXXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXX XX XXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX. XXX XXXXXXX, XX XXXXX XX X XXXXXXX XXXX XXX XXXXXXXXXXXXXXX XX XXX XXXXXXXXXXX, XXX-XXXXXXXXXX XXXXXXXXXX XXX XX XXXX. XXXXXXX XXXXXXX XX XXXX XXXXXXXXXX XXXXX XXXX XXX XXXXXXXX XXXXXXXXX XXXXXXXX XXXXXXXX XX, XX XXXXXX XX, XXXXXXXXXXX XXXXXX XXXXXXX. XXX XXXXXXXXXXXX XXXXX XX XX XXXXX XXXX XXX XXXXX XX XXXXXXXXXXX XXXXXXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXXXX XXXXXXX XXXX XXX XXXXXXXXXXXX.

                          +

                          Information can be put at risk by suppliers with inadequate information security management. Controls should be identified and applied to administer supplier access to information processing facilities. For example, if there is a special need for confidentiality of the information, non-disclosure agreements can be used. Another example is data protection risks when the supplier agreement involves transfer of, or access to, information across borders. The organization needs to be aware that the legal or contractual responsibility for protecting information remains with the organization.

                          Addressing security within supplier agreements 15.1.2 -

                          XXX XXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXXXXX XX XXXXXXXXXXX XXX XXXXXX XXXX XXXX XXXXXXXX XXXX XXX XXXXXX, XXXXXXX, XXXXX, XXXXXXXXXXX, XX XXXXXXX XX XXXXXXXXXXXXXX XXXXXXXXXX XXX, XXX XXXXXXXXXXXX’X XXXXXXXXXXX.

                          +

                          All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information.

                          -

                          XXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXXX XXX XXXXXXXXXX XX XXXXXX XXXX XXXXX XX XX XXXXXXXXXXXXXXXX XXXXXXX XXX XXXXXXXXXXXX XXX XXX XXXXXXXX XXXXXXXXX XXXX XXXXXXX’ XXXXXXXXXXX XX XXXXXX XXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX.

                          -

                          XXX XXXXXXXXX XXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXXXX XX XXX XXXXXXXXXX XX XXXXX XX XXXXXXX XXX XXXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX:

                          +

                          Supplier agreements should be established and documented to ensure that there is no misunderstanding between the organization and the supplier regarding both parties’ obligations to fulfil relevant information security requirements.

                          +

                          The following terms should be considered for inclusion in the agreements in order to satisfy the identified information security requirements:

                            -
                          1. XXXXXXXXXXX XX XXX XXXXXXXXXXX XX XX XXXXXXXX XX XXXXXXXX XXX XXXXXXX XX XXXXXXXXX XX XXXXXXXXX XXX XXXXXXXXXXX;
                          2. -
                          3. XXXXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXXXXXXXX XXXXXX (XXX 8.2); XX XXXXXXXXX XXXX XXXXXXX XXXXXXX XXX XXXXXXXXXXXX’X XXX XXXXXXXXXXXXXX XXXXXX XXX XXX XXXXXXXXXXXXXX XXXXXX XX XXX XXXXXXXX;
                          4. -
                          5. XXXXX XXX XXXXXXXXXX XXXXXXXXXXXX, XXXXXXXXX XXXX XXXXXXXXXX, XXXXXXXXXXXX XXXXXXXX XXXXXX XXX XXXXXXXXX, XXX X XXXXXXXXXXX XX XXX XX XXXX XX XXXXXXX XXXX XXXX XXX XXX;
                          6. -
                          7. XXXXXXXXXX XX XXXX XXXXXXXXXXX XXXXX XX XXXXXXXXX XX XXXXXX XXX XX XXXXXXXX XXXXXXXXX XXXXXX XXXXXXX, XXXXXXXXXXX XXXXXX, XXXXXXXXXX, XXXXXXXXX XXX XXXXXXXX;
                          8. -
                          9. XXXXX XX XXXXXXXXXX XXX XX XXXXXXXXXXX, XXXXXXXXX XXXXXXXXXXXX XXX XX XXXXXXXXX;
                          10. -
                          11. XXXXXX XXXXXXXX XXXX XX XXXXXXXX XXXXXXXXX XXXXXXXXXX XX XXXXXX XX XXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XX XXXXXXXXXX XX XXXXXXXXXX XXX XXXXXXXXXXXXX, XXX XXXXXXX XX XXX XXXXXXXXXXXXX, XXX XXXXXX XX XX XXXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XX XXXXXXXX XXXXXXXXX;
                          12. -
                          13. XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XX XXX XXXXXXXX XXXXXXXX;
                          14. -
                          15. XXXXXXXX XXXXXXXXXX XXXXXXXXXXXX XXX XXXXXXXXXX (XXXXXXXXXX XXXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXX XXXXXXXX XXXXXXXXXXX);
                          16. -
                          17. XXXXXXXX XXX XXXXXXXXX XXXXXXXXXXXX XXX XXXXXXXX XXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX, X.X. XXX XXXXXXXX XXXXXXXX, XXXXXXXXXXXXX XXXXXXXXXX;
                          18. -
                          19. XXXXXXXX XXXXXXXXXXX XXX XXX-XXXXXXXXXXX, XXXXXXXXX XXX XXXXXXXX XXXX XXXX XX XX XXXXXXXXXXX;
                          20. -
                          21. XXXXXXXX XXXXXXXXX XXXXXXXX, XXXXXXXXX X XXXXXXX XXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXX;
                          22. -
                          23. XXXXXXXXX XXXXXXXXXXXX, XX XXX, XXX XXXXXXXX’X XXXXXXXXX XXXXXXXXX XXXXXXXXXXXXXXXX XXX XXXXXXXXXX XXX XXXXXXXXX XXX XXXXXXXXXXXX XXXXXXXXXX XX XXXXXXXXX XXX XXX XXXX XXXXXXXXX XX XX XXX XXXXXXX XXXX XXXXX XXX XXXXX XX XXXXXXX;
                          24. -
                          25. XXXXX XX XXXXX XXX XXXXXXXX XXXXXXXXX XXX XXXXXXXX XXXXXXX XX XXX XXXXXXXXX;
                          26. -
                          27. XXXXXX XXXXXXXXXX XXX XXXXXXXX XXXXXXXXXX XXXXXXXXX;
                          28. -
                          29. XXXXXXXX’X XXXXXXXXXX XX XXXXXXXXXXXX XXXXXXX XX XXXXXXXXXXX XXXXXX XX XXX XXXXXXXXXXXXX XX XXXXXXXX XXX XXXXXXXXX XX XXXXXX XXXXXXXXXX XX XXXXXXXX XXXXXX XXXXXX XX XXX XXXXXX;
                          30. -
                          31. XXXXXXXX’X XXXXXXXXXXX XX XXXXXX XXXX XXX XXXXXXXXXXXX’X XXXXXXXX XXXXXXXXXXXX.
                          32. +
                          33. description of the information to be provided or accessed and methods of providing or accessing the information;
                          34. +
                          35. classification of information according to the organization’s classification scheme (see 8.2); if necessary also mapping between the organization’s own classification scheme and the classification scheme of the supplier;
                          36. +
                          37. legal and regulatory requirements, including data protection, intellectual property rights and copyright, and a description of how it will be ensured that they are met;
                          38. +
                          39. obligation of each contractual party to implement an agreed set of controls including access control, performance review, monitoring, reporting and auditing;
                          40. +
                          41. rules of acceptable use of information, including unacceptable use if necessary;
                          42. +
                          43. either explicit list of supplier personnel authorized to access or receive the organization’s information or procedures or conditions for authorization, and removal of the authorization, for access to or receipt of the organization’s information by supplier personnel;
                          44. +
                          45. information security policies relevant to the specific contract;
                          46. +
                          47. incident management requirements and procedures (especially notification and collaboration during incident remediation);
                          48. +
                          49. training and awareness requirements for specific procedures and information security requirements, e.g. for incident response, authorization procedures;
                          50. +
                          51. relevant regulations for sub-contracting, including the controls that need to be implemented;
                          52. +
                          53. relevant agreement partners, including a contact person for information security issues;
                          54. +
                          55. screening requirements, if any, for supplier’s personnel including responsibilities for conducting the screening and notification procedures if screening has not been completed or if the results give cause for doubt or concern;
                          56. +
                          57. right to audit the supplier processes and controls related to the agreement;
                          58. +
                          59. defect resolution and conflict resolution processes;
                          60. +
                          61. supplier’s obligation to periodically deliver an independent report on the effectiveness of controls and agreement on timely correction of relevant issues raised in the report;
                          62. +
                          63. supplier’s obligations to comply with the organization’s security requirements.
                          -

                          XXX XXXXXXXXXX XXX XXXX XXXXXXXXXXXX XXX XXXXXXXXX XXXXXXXXXXXXX XXX XXXXX XXX XXXXXXXXX XXXXX XX XXXXXXXXX. XXXXXXXXX, XXXX XXXXXX XX XXXXX XX XXXXXXX XXX XXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXX XXX XXXXXXXXXXXX. XXXXXXXX XXXXXXXXXX XXX XXXX XXXXXXX XXXXX XXXXXXX (X.X. XXX-XXXXXXXXX).

                          -

                          XXX XXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXXX XX XXX XXXXX XXXX XXX XXXXXXXX XXXXXXX XXXXXX XX XXXXXX XXX XXXXXXXX XX XXXXXXXX XXXX XX XX XXXXXXXXXX XX XXX XXXXXXXXX XX XXXXX XXX XXXXX XX XXXXXXXXX XXXXXXXXXXX XXXXXXXX XX XXXXXXXX.

                          +

                          The agreements can vary considerably for different organizations and among the different types of suppliers. Therefore, care should be taken to include all relevant information security risks and requirements. Supplier agreements may also involve other parties (e.g. sub-suppliers).

                          +

                          The procedures for continuing processing in the event that the supplier becomes unable to supply its products or services need to be considered in the agreement to avoid any delay in arranging replacement products or services.

                          Information and communication technology supply chain 15.1.3 -

                          XXXXXXXXXX XXXX XXXXXXXXX XXXXXX XXXXXXX XXXXXXXXXXXX XX XXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXX XXXXXXXXXX XXXX XXXXXXXXXXX XXX XXXXXXXXXXXXXX XXXXXXXXXX XXXXXXXX XXX XXXXXXX XXXXXX XXXXX.

                          +

                          Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain.

                          -

                          XXX XXXXXXXXX XXXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXXXX XX XXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXX XXXXX XXXXXXXX:

                          +

                          The following topics should be considered for inclusion in supplier agreements concerning supply chain security:

                            -
                          1. XXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XX XXXXX XX XXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXXX XX XXXXXXX XXXXXXXXXXX XX XXXXXXXX XX XXX XXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXX XXXXXXXX XXXXXXXXXXXXX;
                          2. -
                          3. XXX XXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXXXX, XXXXXXXXX XXXX XXXXXXXXX XXXXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXX XXXXXXXXXXXX XXXXXXXXXX XXX XXXXXX XXXXX XX XXXXXXXXX XXXXXXXXXXX XXX XXXXX XX XXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXXX XXXXXXXX XX XXX XXXXXXXXXXXX;
                          4. -
                          5. XXX XXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXXXX, XXXXXXXXX XXXX XXXXXXXXX XXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXXXXXXXXX XXX XXXXXX XXXXX XX XXXXX XXXXXXXX XXXXXXX XXXXXXXXXX XXXXXXXXX XXXX XXXXX XXXXXXXXX;
                          6. -
                          7. XXXXXXXXXXXX X XXXXXXXXXX XXXXXXX XXX XXXXXXXXXX XXXXXXX XXX XXXXXXXXXX XXXX XXXXXXXXX XXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXXXX XXX XXXXXXXX XXX XXXXXXXX XX XXXXXX XXXXXXXX XXXXXXXXXXXX;
                          8. -
                          9. XXXXXXXXXXXX X XXXXXXX XXX XXXXXXXXXXX XXXXXXX XX XXXXXXX XXXXXXXXXX XXXX XXX XXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXXXXX XXX XXXXXXXXX XXXXXXX XXXXXXXXX XXXXXXXXX XXX XXXXXXXX XXXX XXXXX XXXXXXX XX XXX XXXXXXXXXXXX XXXXXXXXXX XX XXX XXX XXXX XXXXXXXX XXXXXXXXXX XXXXXXX XX XXXXXXX XX XXXXXXX XXXXXXXXXX XX XXXXX XXXXXXXXX;
                          10. -
                          11. XXXXXXXXX XXXXXXXXX XXXX XXXXXXXX XXXXXXXXXX XXX XXXXX XXXXXX XXX XX XXXXXX XXXXXXXXXX XXX XXXXXX XXXXX;
                          12. -
                          13. XXXXXXXXX XXXXXXXXX XXXX XXX XXXXXXXXX XXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXXXX XXX XXXXXXXXXXX XX XXXXXXXX XXXXXXX XXX XXXXXXXXXX XX XXXXXXXX XXXXXXXX;
                          14. -
                          15. XXXXXXXX XXXXX XXX XXXXXXX XX XXXXXXXXXXX XXXXXXXXX XXX XXXXXX XXXXX XXX XXX XXXXXXXXX XXXXXX XXX XXXXXXXXXXX XXXXX XXX XXXXXXXXXXXX XXX XXXXXXXXX;
                          16. -
                          17. XXXXXXXXXXXX XXXXXXXX XXXXXXXXX XXX XXXXXXXX XXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXXXXX XXXXXXXXX XXX XXXXXXXXXXXX XXX XXXXXXXXXX XXXXXXXX XXXXX. XXXX XXXXXXXX XXXXXXXX XXX XXXXX XX XXXXXXXXXX XX XXXXXX XXXXX XXXXXXXXX XXX XX XXXXXXXXX XX XXXXXX XXXXX XX XXXXXXXX XX XXXXXXXXX XX XXXXXX XXXXXXXXX XXXXX XXXXXXXXXX XXX XX XXXXXXXXXX XXXXXXXXXXXX.
                          18. +
                          19. defining information security requirements to apply to information and communication technology product or service acquisition in addition to the general information security requirements for supplier relationships;
                          20. +
                          21. for information and communication technology services, requiring that suppliers propagate the organization’s security requirements throughout the supply chain if suppliers subcontract for parts of information and communication technology service provided to the organization;
                          22. +
                          23. for information and communication technology products, requiring that suppliers propagate appropriate security practices throughout the supply chain if these products include components purchased from other suppliers;
                          24. +
                          25. implementing a monitoring process and acceptable methods for validating that delivered information and communication technology products and services are adhering to stated security requirements;
                          26. +
                          27. implementing a process for identifying product or service components that are critical for maintaining functionality and therefore require increased attention and scrutiny when built outside of the organization especially if the top tier supplier outsources aspects of product or service components to other suppliers;
                          28. +
                          29. obtaining assurance that critical components and their origin can be traced throughout the supply chain;
                          30. +
                          31. obtaining assurance that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features;
                          32. +
                          33. defining rules for sharing of information regarding the supply chain and any potential issues and compromises among the organization and suppliers;
                          34. +
                          35. implementing specific processes for managing information and communication technology component lifecycle and availability and associated security risks. This includes managing the risks of components no longer being available due to suppliers no longer being in business or suppliers no longer providing these components due to technology advancements.
                          -

                          XXX XXXXXXXX XXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXX XXXXX XXXX XXXXXXXXXX XXXXXXXXX XXX XXXXX XX XXX XX XXXXXXX XXXXXXXXXXX XXXXXXXX, XXXXXXX, XXXXXXX XXXXXXXXXX XXX XXXXXX XXXXXXXXXXX XXXXXXXXX XXX XX XXX XXXXXXX XXXX.

                          -

                          XXXXXXXXXXXXX XXX XXXXXXX XX XXXX XXXX XXXXXXXXX XX XXXXXXXXXX XXX XXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXX XXXXX XXX XXX XXXXXXX XXXX XXXX XX XXXXXXXXX XXXXXX XX XXX XXXXXXXX XXX XXXXXXXX XXXXX XXXXXXXX. XXXXXXXXXXXXX XXX XXXXXXXXX XXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXX XXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XX XXXXXX XXXXX XX XXXXXXXXXX XXXX XXXXX XXXXXXXXX XXX XXXXXXX XXXX XXXXXX XX XXXXXXXXX XX XXXXX XXXXXXXXX XX XXX XXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXX XXXXX.

                          -

                          XXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXX XXXXX XX XXXXXXXXX XXXX XXXXXXXX XXXXX XXXXXXXXX XXXXXXXX.

                          +

                          The specific information and communication technology supply chain risk management practices are built on top of general information security, quality, project management and system engineering practices but do not replace them.

                          +

                          Organizations are advised to work with suppliers to understand the information and communication technology supply chain and any matters that have an important impact on the products and services being provided. Organizations can influence information and communication technology supply chain information security practices by making clear in agreements with their suppliers the matters that should be addressed by other suppliers in the information and communication technology supply chain.

                          +

                          Information and communication technology supply chain as addressed here includes cloud computing services.

                          @@ -2396,56 +2394,56 @@ Supplier service delivery management 15.2 -

                          XX XXXXXXXX XX XXXXXX XXXXX XX XXXXXXXXXXX XXXXXXXX XXX XXXXXXX XXXXXXXX XX XXXX XXXX XXXXXXXX XXXXXXXXXX.

                          +

                          Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

                          Monitoring and review of supplier services 15.2.1 -

                          XXXXXXXXXXXXX XXXXXX XXXXXXXXX XXXXXXX, XXXXXX XXX XXXXX XXXXXXXX XXXXXXX XXXXXXXX.

                          +

                          Organizations should regularly monitor, review and audit supplier service delivery.

                          -

                          XXXXXXXXXX XXX XXXXXX XX XXXXXXXX XXXXXXXX XXXXXX XXXXXX XXXX XXX XXXXXXXXXXX XXXXXXXX XXXXX XXX XXXXXXXXXX XX XXX XXXXXXXXXX XXX XXXXX XXXXXXX XX XXX XXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXX XXXXXXXX XXX XXXXXXX XXXXXXXX.

                          -

                          XXXX XXXXXX XXXXXXX X XXXXXXX XXXXXXXXXX XXXXXXXXXXXX XXXXXXX XXXXXXX XXX XXXXXXXXXXXX XXX XXX XXXXXXXX XX:

                          +

                          Monitoring and review of supplier services should ensure that the information security terms and conditions of the agreements are being adhered to and that information security incidents and problems are managed properly.

                          +

                          This should involve a service management relationship process between the organization and the supplier to:

                            -
                          1. XXXXXXX XXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXX XXXXXXXXX XX XXX XXXXXXXXXX;
                          2. -
                          3. XXXXXX XXXXXXX XXXXXXX XXXXXXXX XX XXX XXXXXXXX XXX XXXXXXX XXXXXXX XXXXXXXX XXXXXXXX XX XXXXXXXX XX XXX XXXXXXXXXX;
                          4. -
                          5. XXXXXXX XXXXXX XX XXXXXXXXX, XX XXXXXXXXXXX XXXX XXXXXX XX XXXXXXXXXXX XXXXXXX’X XXXXXXX, XX XXXXXXXXX, XXX XXXXXX-XX XX XXXXXX XXXXXXXXXX;
                          6. -
                          7. XXXXXXX XXXXXXXXXXX XXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXX XXXXXX XXXX XXXXXXXXXXX XX XXXXXXXX XX XXX XXXXXXXXXX XXX XXX XXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXX;
                          8. -
                          9. XXXXXX XXXXXXXX XXXXX XXXXXX XXX XXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXX, XXXXXXXXXXX XXXXXXXX, XXXXXXXX, XXXXXXX XX XXXXXX XXX XXXXXXXXXXX XXXXXXX XX XXX XXXXXXX XXXXXXXXX;
                          10. -
                          11. XXXXXXX XXX XXXXXX XXX XXXXXXXXXX XXXXXXXX;
                          12. -
                          13. XXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXX XX XXX XXXXXXXX’X XXXXXXXXXXXXX XXXX XXX XXX XXXXXXXXX;
                          14. -
                          15. XXXXXX XXXX XXX XXXXXXXX XXXXXXXXX XXXXXXXXXX XXXXXXX XXXXXXXXXX XXXXXXXX XXXX XXXXXXXX XXXXX XXXXXXXX XX XXXXXX XXXX XXXXXX XXXXXXX XXXXXXXXXX XXXXXX XXX XXXXXXXXXX XXXXXXXXX XXXXX XXXXXXX XXXXXXXX XX XXXXXXXX (XXX Clause 17).
                          16. +
                          17. monitor service performance levels to verify adherence to the agreements;
                          18. +
                          19. review service reports produced by the supplier and arrange regular progress meetings as required by the agreements;
                          20. +
                          21. conduct audits of suppliers, in conjunction with review of independent auditor’s reports, if available, and follow-up on issues identified;
                          22. +
                          23. provide information about information security incidents and review this information as required by the agreements and any supporting guidelines and procedures;
                          24. +
                          25. review supplier audit trails and records of information security events, operational problems, failures, tracing of faults and disruptions related to the service delivered;
                          26. +
                          27. resolve and manage any identified problems;
                          28. +
                          29. review information security aspects of the supplier’s relationships with its own suppliers;
                          30. +
                          31. ensure that the supplier maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster (see Clause 17).
                          -

                          XXX XXXXXXXXXXXXXX XXX XXXXXXXX XXXXXXXX XXXXXXXXXXXXX XXXXXX XX XXXXXXXX XX X XXXXXXXXXX XXXXXXXXXX XX XXXXXXX XXXXXXXXXX XXXX. XX XXXXXXXX, XXX XXXXXXXXXXXX XXXXXX XXXXXX XXXX XXXXXXXXX XXXXXX XXXXXXXXXXXXXXXX XXX XXXXXXXXX XXXXXXXXXX XXX XXXXXXXXX XXX XXXXXXXXXXXX XX XXX XXXXXXXXXX. XXXXXXXXXX XXXXXXXXX XXXXXX XXX XXXXXXXXX XXXXXX XX XXXX XXXXXXXXX XX XXXXXXX XXXX XXX XXXXXXXXXXXX XX XXX XXXXXXXXX, XX XXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX, XXX XXXXX XXX. XXXXXXXXXXX XXXXXX XXXXXX XX XXXXX XXXX XXXXXXXXXXXX XX XXX XXXXXXX XXXXXXXX XXX XXXXXXXX.

                          -

                          XXX XXXXXXXXXXXX XXXXXX XXXXXX XXXXXXXXXX XXXXXXX XXXXXXX XXX XXXXXXXXXX XXXX XXX XXXXXXXX XXXXXXX XXX XXXXXXXXX XX XXXXXXXX XXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXXXX, XXXXXXXXX XX XXXXXXX XX X XXXXXXXX. XXX XXXXXXXXXXXX XXXXXX XXXXXX XXXXXXXXXX XXXX XXXXXXXX XXXXXXXXXX XXXX XX XXXXXX XXXXXXXXXX, XXXXXXXXXXXXXX XX XXXXXXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXXX XXX XXXXXXXX XXXXXXX X XXXXXXX XXXXXXXXX XXXXXXX.

                          +

                          The responsibility for managing supplier relationships should be assigned to a designated individual or service management team. In addition, the organization should ensure that suppliers assign responsibilities for reviewing compliance and enforcing the requirements of the agreements. Sufficient technical skills and resources should be made available to monitor that the requirements of the agreement, in particular the information security requirements, are being met. Appropriate action should be taken when deficiencies in the service delivery are observed.

                          +

                          The organization should retain sufficient overall control and visibility into all security aspects for sensitive or critical information or information processing facilities accessed, processed or managed by a supplier. The organization should retain visibility into security activities such as change management, identification of vulnerabilities and information security incident reporting and response through a defined reporting process.

                          Managing changes to supplier services 15.2.2 -

                          XXXXXXX XX XXX XXXXXXXXX XX XXXXXXXX XX XXXXXXXXX, XXXXXXXXX XXXXXXXXXXX XXX XXXXXXXXX XXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXX, XXXXXXXXXX XXX XXXXXXXX, XXXXXX XX XXXXXXX, XXXXXX XXXXXXX XX XXX XXXXXXXXXXX XX XXXXXXXX XXXXXXXXXXX, XXXXXXX XXX XXXXXXXXX XXXXXXXX XXX XX-XXXXXXXXXX XX XXXXX.

                          +

                          Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

                          -

                          XXX XXXXXXXXX XXXXXXX XXXXXX XX XXXXX XXXX XXXXXXXXXXXXX:

                          +

                          The following aspects should be taken into consideration:

                            -
                          1. XXXXXXX XX XXXXXXXX XXXXXXXXXX;
                          2. -
                          3. XXXXXXX XXXX XX XXX XXXXXXXXXXXX XX XXXXXXXXX:
                              -
                            1. XXXXXXXXXXXX XX XXX XXXXXXX XXXXXXXX XXXXXXX;
                            2. -
                            3. XXXXXXXXXXX XX XXX XXX XXXXXXXXXXXX XXX XXXXXXX;
                            4. -
                            5. XXXXXXXXXXXXX XX XXXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXX XXX XXXXXXXXXX;
                            6. -
                            7. XXX XX XXXXXXX XXXXXXXX XX XXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXX XX XXXXXXX XXXXXXXX;.
                            8. +
                            9. changes to supplier agreements;
                            10. +
                            11. changes made by the organization to implement:
                                +
                              1. enhancements to the current services offered;
                              2. +
                              3. development of any new applications and systems;
                              4. +
                              5. modifications or updates of the organization’s policies and procedures;
                              6. +
                              7. new or changed controls to resolve information security incidents and to improve security;.
                            12. -
                            13. XXXXXXX XX XXXXXXXX XXXXXXXX XX XXXXXXXXX:
                                -
                              1. XXXXXXX XXX XXXXXXXXXXX XX XXXXXXXX;
                              2. -
                              3. XXX XX XXX XXXXXXXXXXXX;
                              4. -
                              5. XXXXXXXX XX XXX XXXXXXXX XX XXXXX XXXXXXXX/XXXXXXXX;
                              6. -
                              7. XXX XXXXXXXXXXX XXXXX XXX XXXXXXXXXXXX;
                              8. -
                              9. XXXXXXX XX XXXXXXXX XXXXXXXX XX XXXXXXX XXXXXXXXXX;
                              10. -
                              11. XXXXXX XX XXXXXXXXX;
                              12. -
                              13. XXX-XXXXXXXXXXX XX XXXXXXX XXXXXXXX.
                              14. +
                              15. changes in supplier services to implement:
                                  +
                                1. changes and enhancement to networks;
                                2. +
                                3. use of new technologies;
                                4. +
                                5. adoption of new products or newer versions/releases;
                                6. +
                                7. new development tools and environments;
                                8. +
                                9. changes to physical location of service facilities;
                                10. +
                                11. change of suppliers;
                                12. +
                                13. sub-contracting to another supplier.
                              @@ -2460,159 +2458,159 @@ Management of information security incidents and improvements 16.1 -

                              XX XXXXXX X XXXXXXXXXX XXX XXXXXXXXX XXXXXXXX XX XXX XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXX, XXXXXXXXX XXXXXXXXXXXXX XX XXXXXXXX XXXXXX XXX XXXXXXXXXX.

                              +

                              Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

                              Responsibilities and procedures 16.1.1 -

                              XXXXXXXXXX XXXXXXXXXXXXXXXX XXX XXXXXXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXX X XXXXX, XXXXXXXXX XXX XXXXXXX XXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXX.

                              +

                              Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents.

                              -

                              XXX XXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXXXXXXXXX XXX XXXXXXXXXX XXXX XXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX:

                              +

                              The following guidelines for management responsibilities and procedures with regard to information security incident management should be considered:

                                -
                              1. XXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXX XXXX XXX XXXXXXXXX XXXXXXXXXX XXX XXXXXXXXX XXX XXXXXXXXXXXX XXXXXXXXXX XXXXXX XXX XXXXXXXXXXXX:
                                  -
                                1. XXXXXXXXXX XXX XXXXXXXX XXXXXXXX XXXXXXXX XXX XXXXXXXXXXX;
                                2. -
                                3. XXXXXXXXXX XXX XXXXXXXXXX, XXXXXXXXX, XXXXXXXXX XXX XXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXX XXX XXXXXXXXX;
                                4. -
                                5. XXXXXXXXXX XXX XXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXXX;
                                6. -
                                7. XXXXXXXXXX XXX XXXXXXXX XX XXXXXXXX XXXXXXXX;
                                8. -
                                9. XXXXXXXXXX XXX XXXXXXXXXX XX XXX XXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXX XXX XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX;
                                10. -
                                11. XXXXXXXXXX XXX XXXXXXXX XXXXXXXXX XXXXX XXX XXXXXXXXXX, XXXXXXXXXX XXXXXXXX XXXX XX XXXXXXXX XXX XXXXXXXXXXXXX XX XXXXXXXX XXX XXXXXXXX XXXXXX XX XXXXXXXXXXXXX;
                                12. +
                                13. management responsibilities should be established to ensure that the following procedures are developed and communicated adequately within the organization:
                                    +
                                  1. procedures for incident response planning and preparation;
                                  2. +
                                  3. procedures for monitoring, detecting, analysing and reporting of information security events and incidents;
                                  4. +
                                  5. procedures for logging incident management activities;
                                  6. +
                                  7. procedures for handling of forensic evidence;
                                  8. +
                                  9. procedures for assessment of and decision on information security events and assessment of information security weaknesses;
                                  10. +
                                  11. procedures for response including those for escalation, controlled recovery from an incident and communication to internal and external people or organizations;
                                14. -
                                15. XXXXXXXXXX XXXXXXXXXXX XXXXXX XXXXXX XXXX:
                                    -
                                  1. XXXXXXXXX XXXXXXXXX XXXXXX XXX XXXXXX XXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXXXXX XXX XXXXXXXXXXXX;
                                  2. -
                                  3. X XXXXX XX XXXXXXX XXX XXXXXXXX XXXXXXXXX’ XXXXXXXXX XXX XXXXXXXXX XX XXXXXXXXXXX;
                                  4. -
                                  5. XXXXXXXXXXX XXXXXXXX XXXX XXXXXXXXXXX, XXXXXXXX XXXXXXXX XXXXXX XX XXXXXX XXXX XXXXXX XXX XXXXXX XXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXX XXXXXXXXXX;
                                  6. +
                                  7. procedures established should ensure that:
                                      +
                                    1. competent personnel handle the issues related to information security incidents within the organization;
                                    2. +
                                    3. a point of contact for security incidents’ detection and reporting is implemented;
                                    4. +
                                    5. appropriate contacts with authorities, external interest groups or forums that handle the issues related to information security incidents are maintained;
                                  8. -
                                  9. XXXXXXXXX XXXXXXXXXX XXXXXX XXXXXXX:
                                      -
                                    1. XXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXX XXXXXXXXX XXXXX XX XXXXXXX XXX XXXXXXXXX XXXXXX XXX XX XXXX XXX XXXXXX XXXXXXXXX XX XXXXXXXX XXX XXXXXXXXX XXXXXXX XX XXXX XX XX XXXXXXXXXXX XXXXXXXX XXXXX;
                                    2. -
                                    3. XXX XXXXXXXXX XX XX XXXXXXXXXX XX XXXX XX XX XXXXXXXXXXX XXXXXXXX XXXXX, X.X. XXXXXX XXX XXXXXXX XXXXXXXXXXX, XXXX XX XXXX XX XXX-XXXXXXXXXX XX XXXXXX, XXXXXXXXX XXXXXXXXXXX, XXXXXXXX XX XXX XXXXXX XXX XXXXXXXXXXX XXXXXXXXX XX XXX XXXXX XX XXXXXXX XXX XXXXXX XXXX XXXXXXXXXXX XXXXXXX;
                                    4. -
                                    5. XXXXXXXXX XX XX XXXXXXXXXXX XXXXXX XXXXXXXXXXXX XXXXXXX XXX XXXXXXX XXXX XXXXXXXXX XXX XXXXXX XXXXXXXX XXXXXXXX;
                                    6. -
                                    7. XXXXXXXX XXXXXXXX XXXXXXXXX XX XXXXXX XXXX XXXXX XXXXXXX XXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXX XXX XXXXXXXX XX XXXXXXX XXXXX XXX XXXXX XXX XXXX XXXXX XXXX XXX XXXXXX.
                                    8. +
                                    9. reporting procedures should include:
                                        +
                                      1. preparing information security event reporting forms to support the reporting action and to help the person reporting to remember all necessary actions in case of an information security event;
                                      2. +
                                      3. the procedure to be undertaken in case of an information security event, e.g. noting all details immediately, such as type of non-compliance or breach, occurring malfunction, messages on the screen and immediately reporting to the point of contact and taking only coordinated actions;
                                      4. +
                                      5. reference to an established formal disciplinary process for dealing with employees who commit security breaches;
                                      6. +
                                      7. suitable feedback processes to ensure that those persons reporting information security events are notified of results after the issue has been dealt with and closed.
                                    -

                                    XXX XXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXX XXXX XXXXXXXXXX, XXX XX XXXXXX XX XXXXXXX XXXX XXXXX XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXXXX’X XXXXXXXXXX XXX XXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX.

                                    +

                                    The objectives for information security incident management should be agreed with management, and it should be ensured that those responsible for information security incident management understand the organization’s priorities for handling information security incidents.

                                    -

                                    XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXXXX XXXXXXXXX XXXXXXXXXXXXXX XXX XXXXXXXX XXXXXXXXXX. XX XXXXXXX XX XXXX XXXXXXXXX XXXXX XX XX XXXXXXXXXX XXXX XX XXXXXXXXXX XXXXXXXX XXX XXXXX XXXXXXXXXXX XXXXX XXXXX XXXXXXXXX XXXX XXXXXXXX XXXXXXXXXXXXX XX XXXXXXXXXXX.

                                    -

                                    XXXXXXXX XXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXXXX XX XXXXXXXX XX XXX/XXX XXXXX.[20]

                                    +

                                    Information security incidents might transcend organizational and national boundaries. To respond to such incidents there is an increasing need to coordinate response and share information about these incidents with external organizations as appropriate.

                                    +

                                    Detailed guidance on information security incident management is provided in ISO/IEC 27035.[20]

                                    Reporting information security events 16.1.2 -

                                    XXXXXXXXXXX XXXXXXXX XXXXXX XXXXXX XX XXXXXXXX XXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXX XX XXXXXXX XX XXXXXXXX.

                                    +

                                    Information security events should be reported through appropriate management channels as quickly as possible.

                                    -

                                    XXX XXXXXXXXX XXX XXXXXXXXXXX XXXXXX XX XXXX XXXXX XX XXXXX XXXXXXXXXXXXXX XX XXXXXX XXXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXX XX XXXXXXXX. XXXX XXXXXX XXXX XX XXXXX XX XXX XXXXXXXXX XXX XXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXX XXX XXX XXXXX XX XXXXXXX XX XXXXX XXX XXXXXX XXXXXX XX XXXXXXXX.

                                    -

                                    XXXXXXXXXX XX XX XXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXX XXXXXXXXX XXXXXXX:

                                    +

                                    All employees and contractors should be made aware of their responsibility to report information security events as quickly as possible. They should also be aware of the procedure for reporting information security events and the point of contact to which the events should be reported.

                                    +

                                    Situations to be considered for information security event reporting include:

                                      -
                                    1. XXXXXXXXXXX XXXXXXXX XXXXXXX;
                                    2. -
                                    3. XXXXXX XX XXXXXXXXXXX XXXXXXXXX, XXXXXXXXXXXXXXX XX XXXXXXXXXXXX XXXXXXXXXXXX;
                                    4. -
                                    5. XXXXX XXXXXX;
                                    6. -
                                    7. XXX-XXXXXXXXXXX XXXX XXXXXXXX XX XXXXXXXXXX;
                                    8. -
                                    9. XXXXXXXX XX XXXXXXXX XXXXXXXX XXXXXXXXXXXX;
                                    10. -
                                    11. XXXXXXXXXXXX XXXXXX XXXXXXX;
                                    12. -
                                    13. XXXXXXXXXXXX XX XXXXXXXX XX XXXXXXXX;
                                    14. -
                                    15. XXXXXX XXXXXXXXXX.
                                    16. +
                                    17. ineffective security control;
                                    18. +
                                    19. breach of information integrity, confidentiality or availability expectations;
                                    20. +
                                    21. human errors;
                                    22. +
                                    23. non-compliances with policies or guidelines;
                                    24. +
                                    25. breaches of physical security arrangements;
                                    26. +
                                    27. uncontrolled system changes;
                                    28. +
                                    29. malfunctions of software or hardware;
                                    30. +
                                    31. access violations.
                                    -

                                    XXXXXXXXXXXX XX XXXXX XXXXXXXXX XXXXXX XXXXXXXXX XXX XX XX XXXXXXXXX XX X XXXXXXXX XXXXXX XX XXXXXX XXXXXXXX XXXXXX XXX XXXXXX XXXXXXXXX XXXXXX XX XXXXXXXX XX XX XXXXXXXXXXX XXXXXXXX XXXXX.

                                    +

                                    Malfunctions or other anomalous system behaviour may be an indicator of a security attack or actual security breach and should therefore always be reported as an information security event.

                                    Reporting information security weaknesses 16.1.3 -

                                    XXXXXXXXX XXX XXXXXXXXXXX XXXXX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XXXXXXX XXX XXXXXXXX XXXXXX XX XXXXXXXX XX XXXX XXX XXXXXX XXX XXXXXXXX XX XXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XX XXXXXXX XX XXXXXXXX.

                                    +

                                    Employees and contractors using the organization’s information systems and services should be required to note and report any observed or suspected information security weaknesses in systems or services.

                                    -

                                    XXX XXXXXXXXX XXX XXXXXXXXXXX XXXXXX XXXXXX XXXXX XXXXXXX XX XXX XXXXX XX XXXXXXX XX XXXXXXX XX XXXXXXXX XX XXXXX XX XXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX. XXX XXXXXXXXX XXXXXXXXX XXXXXX XX XX XXXX, XXXXXXXXXX XXX XXXXXXXXX XX XXXXXXXX.

                                    +

                                    All employees and contractors should report these matters to the point of contact as quickly as possible in order to prevent information security incidents. The reporting mechanism should be as easy, accessible and available as possible.

                                    -

                                    XXXXXXXXX XXX XXXXXXXXXXX XXXXXX XX XXXXXXX XXX XX XXXXXXX XX XXXXX XXXXXXXXX XXXXXXXX XXXXXXXXXX. XXXXXXX XXXXXXXXXX XXXXX XX XXXXXXXXXXX XX X XXXXXXXXX XXXXXX XX XXX XXXXXX XXX XXXXX XXXX XXXXX XXXXXX XX XXX XXXXXXXXXXX XXXXXX XX XXXXXXX XXX XXXXXX XX XXXXX XXXXXXXXX XXX XXX XXXXXXXXXX XXXXXXXXXX XXX XXXXXXX.

                                    +

                                    Employees and contractors should be advised not to attempt to prove suspected security weaknesses. Testing weaknesses might be interpreted as a potential misuse of the system and could also cause damage to the information system or service and result in legal liability for the individual performing the testing.

                                    Assessment of and decision on information security events 16.1.4 -

                                    XXXXXXXXXXX XXXXXXXX XXXXXX XXXXXX XX XXXXXXXX XXX XX XXXXXX XX XXXXXXX XX XXXX XXX XX XX XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXX.

                                    +

                                    Information security events should be assessed and it should be decided if they are to be classified as information security incidents.

                                    -

                                    XXX XXXXX XX XXXXXXX XXXXXX XXXXXX XXXX XXXXXXXXXXX XXXXXXXX XXXXX XXXXX XXX XXXXXX XXXXXXXXXXX XXXXXXXX XXXXX XXX XXXXXXXX XXXXXXXXXXXXXX XXXXX XXX XXXXXX XXXXXXX XXX XXXXX XXXXXX XX XXXXXXXXXX XX XX XXXXXXXXXXX XXXXXXXX XXXXXXXX. XXXXXXXXXXXXXX XXX XXXXXXXXXXXXXX XX XXXXXXXXX XXX XXXX XX XXXXXXXX XXX XXXXXX XXX XXXXXX XX XX XXXXXXXX.

                                    -

                                    XX XXXXX XXXXX XXX XXXXXXXXXXXX XXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXX (XXXXX), XXX XXXXXXXXXX XXX XXXXXXXX XXX XX XXXXXXXXX XX XXX XXXXX XXX XXXXXXXXXXXX XX XXXXXXXXXXXX.

                                    -

                                    XXXXXXX XX XXX XXXXXXXXXX XXX XXXXXXXX XXXXXX XX XXXXXXXX XX XXXXXX XXX XXX XXXXXXX XX XXXXXX XXXXXXXXX XXX XXXXXXXXXXXX.

                                    +

                                    The point of contact should assess each information security event using the agreed information security event and incident classification scale and decide whether the event should be classified as an information security incident. Classification and prioritization of incidents can help to identify the impact and extent of an incident.

                                    +

                                    In cases where the organization has an information security incident response team (ISIRT), the assessment and decision can be forwarded to the ISIRT for confirmation or reassessment.

                                    +

                                    Results of the assessment and decision should be recorded in detail for the purpose of future reference and verification.

                                    Response to information security incidents 16.1.5 -

                                    XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXXXX XX XX XXXXXXXXXX XXXX XXX XXXXXXXXXX XXXXXXXXXX.

                                    +

                                    Information security incidents should be responded to in accordance with the documented procedures.

                                    -

                                    XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXXXXX XX XXXXXXXXX XX XX X XXXXXXXXX XXXXX XX XXXXXXX XXX XXXXX XXXXXXXX XXXXXXX XX XXX XXXXXXXXXXXX XX XXXXXXXX XXXXXXX (XXX 16.1.1).

                                    -

                                    XXX XXXXXXXX XXXXXX XXXXXXX XXX XXXXXXXXX:

                                    +

                                    Information security incidents should be responded to by a nominated point of contact and other relevant persons of the organization or external parties (see 16.1.1).

                                    +

                                    The response should include the following:

                                      -
                                    1. XXXXXXXXXX XXXXXXXX XX XXXX XX XXXXXXXX XXXXX XXX XXXXXXXXXX;
                                    2. -
                                    3. XXXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXXXXXXX, XX XXXXXXXX (XXX 16.1.7);
                                    4. -
                                    5. XXXXXXXXXX, XX XXXXXXXX;
                                    6. -
                                    7. XXXXXXXX XXXX XXX XXXXXXXX XXXXXXXX XXXXXXXXXX XXX XXXXXXXX XXXXXX XXX XXXXX XXXXXXXX;
                                    8. -
                                    9. XXXXXXXXXXXXX XXX XXXXXXXXX XX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXX XX XXX XXXXXXXX XXXXXXX XXXXXXX XX XXXXX XXXXXXXX XXX XXXXXXXX XXXXXX XX XXXXXXXXXXXXX XXXX X XXXX-XX-XXXX;
                                    10. -
                                    11. XXXXXXX XXXX XXXXXXXXXXX XXXXXXXX XXXXXXXX(XX) XXXXX XX XXXXX XX XXXXXXXXXX XX XXX XXXXXXXX;
                                    12. -
                                    13. XXXX XXX XXXXXXXX XXX XXXX XXXXXXXXXXXX XXXXX XXXX, XXXXXXXX XXXXXXX XXX XXXXXXXXX XX.
                                    14. +
                                    15. collecting evidence as soon as possible after the occurrence;
                                    16. +
                                    17. conducting information security forensics analysis, as required (see 16.1.7);
                                    18. +
                                    19. escalation, as required;
                                    20. +
                                    21. ensuring that all involved response activities are properly logged for later analysis;
                                    22. +
                                    23. communicating the existence of the information security incident or any relevant details thereof to other internal and external people or organizations with a need-to-know;
                                    24. +
                                    25. dealing with information security weakness(es) found to cause or contribute to the incident;
                                    26. +
                                    27. once the incident has been successfully dealt with, formally closing and recording it.
                                    -

                                    XXXX-XXXXXXXX XXXXXXXX XXXXXX XXXX XXXXX, XX XXXXXXXXX, XX XXXXXXXX XXX XXXXXX XX XXX XXXXXXXX.

                                    +

                                    Post-incident analysis should take place, as necessary, to identify the source of the incident.

                                    -

                                    XXX XXXXX XXXX XX XXXXXXXX XXXXXXXX XX XX XXXXXX ‘XXXXXX XXXXXXXX XXXXX’ XXX XXXX XXXXXXXX XXX XXXXXXXXX XXXXXXXX.

                                    +

                                    The first goal of incident response is to resume ‘normal security level’ and then initiate the necessary recovery.

                                    Learning from information security incidents 16.1.6 -

                                    XXXXXXXXX XXXXXX XXXX XXXXXXXXX XXX XXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXXXXX XX XXXX XX XXXXXX XXX XXXXXXXXXX XX XXXXXX XX XXXXXX XXXXXXXXX.

                                    +

                                    Knowledge gained from analysing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents.

                                    -

                                    XXXXX XXXXXX XX XXXXXXXXXX XX XXXXX XX XXXXXX XXX XXXXX, XXXXXXX XXX XXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XX XX XXXXXXXXXX XXX XXXXXXXXX. XXX XXXXXXXXXXX XXXXXX XXXX XXX XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXXXXX XX XXXX XX XXXXXXXX XXXXXXXXX XX XXXX XXXXXX XXXXXXXXX.

                                    +

                                    There should be mechanisms in place to enable the types, volumes and costs of information security incidents to be quantified and monitored. The information gained from the evaluation of information security incidents should be used to identify recurring or high impact incidents.

                                    -

                                    XXX XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXX XXXXXXXX XXX XXXX XXX XXXXXXXX XX XXXXXXXXXX XXXXXXXX XX XXXXX XXX XXXXXXXXX, XXXXXX XXX XXXX XX XXXXXX XXXXXXXXXXX, XX XX XX XXXXX XXXX XXXXXXX XX XXX XXXXXXXX XXXXXX XXXXXX XXXXXXX (XXX 5.1.2).

                                    -

                                    XXXX XXX XXXX XX XXXXXXXXXXXXXXX XXXXXXX, XXXXXXXXX XXXX XXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXX XXX XX XXXX XX XXXX XXXXXXXXX XXXXXXXX (XXX 7.2.2) XX XXXXXXXX XX XXXX XXXXX XXXXXX, XXX XX XXXXXXX XX XXXX XXXXXXXXX XXX XXX XX XXXXX XXXX XX XXX XXXXXX.

                                    +

                                    The evaluation of information security incidents may indicate the need for enhanced or additional controls to limit the frequency, damage and cost of future occurrences, or to be taken into account in the security policy review process (see 5.1.2).

                                    +

                                    With due care of confidentiality aspects, anecdotes from actual information security incidents can be used in user awareness training (see 7.2.2) as examples of what could happen, how to respond to such incidents and how to avoid them in the future.

                                    Collection of evidence 16.1.7 -

                                    XXX XXXXXXXXXXXX XXXXXX XXXXXX XXX XXXXX XXXXXXXXXX XXX XXX XXXXXXXXXXXXXX, XXXXXXXXXX, XXXXXXXXXXX XXX XXXXXXXXXXXX XX XXXXXXXXXXX, XXXXX XXX XXXXX XX XXXXXXXX.

                                    +

                                    The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

                                    -

                                    XXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXX XXX XXXXXXXX XXXX XXXXXXX XXXX XXXXXXXX XXX XXX XXXXXXXX XX XXXXXXXXXXXX XXX XXXXX XXXXXX.

                                    -

                                    XX XXXXXXX, XXXXX XXXXXXXXXX XXX XXXXXXXX XXXXXX XXXXXXX XXXXXXXXX XX XXXXXXXXXXXXXX, XXXXXXXXXX, XXXXXXXXXXX XXX XXXXXXXXXXXX XX XXXXXXXX XX XXXXXXXXXX XXXX XXXXXXXXX XXXXX XX XXXXX, XXXXXXX XXX XXXXXX XX XXXXXXX, X.X. XXXXXXX XX XX XXX. XXX XXXXXXXXXX XXXXXX XXXX XXXXXXX XX:

                                    +

                                    Internal procedures should be developed and followed when dealing with evidence for the purposes of disciplinary and legal action.

                                    +

                                    In general, these procedures for evidence should provide processes of identification, collection, acquisition and preservation of evidence in accordance with different types of media, devices and status of devices, e.g. powered on or off. The procedures should take account of:

                                      -
                                    1. XXXXX XX XXXXXXX;
                                    2. -
                                    3. XXXXXX XX XXXXXXXX;
                                    4. -
                                    5. XXXXXX XX XXXXXXXXX;
                                    6. -
                                    7. XXXXX XXX XXXXXXXXXXXXXXXX XX XXXXXXXXX XXXXXXXX;
                                    8. -
                                    9. XXXXXXXXXX XX XXXXXXXXX;
                                    10. -
                                    11. XXXXXXXXXXXXX;
                                    12. -
                                    13. XXXXXXXX.
                                    14. +
                                    15. chain of custody;
                                    16. +
                                    17. safety of evidence;
                                    18. +
                                    19. safety of personnel;
                                    20. +
                                    21. roles and responsibilities of personnel involved;
                                    22. +
                                    23. competency of personnel;
                                    24. +
                                    25. documentation;
                                    26. +
                                    27. briefing.
                                    -

                                    XXXXX XXXXXXXXX, XXXXXXXXXXXXX XX XXXXX XXXXXXXX XXXXX XX XXXXXXXXXXXXX XX XXXXXXXXX XXX XXXXX XXXXXX XX XXXXXX, XX XX XX XXXXXXXXXX XXX XXXXX XX XXX XXXXXXXXX XXXXXXXX.

                                    -

                                    XXXXXXXX XXXXXXXX XXX XXXXXXXXX XXXXXXXXXXXXXX XX XXXXXXXXXXXXXX XXXXXXXXXX. XX XXXX XXXXX, XX XXXXXX XX XXXXXXX XXXX XXX XXXXXXXXXXXX XX XXXXXXXX XX XXXXXXX XXX XXXXXXXX XXXXXXXXXXX XX XXXXXXXX XXXXXXXX. XXX XXXXXXXXXXXX XX XXXXXXXXX XXXXXXXXXXXXX XXXXXX XXXX XX XXXXXXXXXX XX XXXXXXXX XXXXXXX XX XXXXXXXXX XXXXXX XXX XXXXXXXX XXXXXXXXXXXXX.

                                    +

                                    Where available, certification or other relevant means of qualification of personnel and tools should be sought, so as to strengthen the value of the preserved evidence.

                                    +

                                    Forensic evidence may transcend organizational or jurisdictional boundaries. In such cases, it should be ensured that the organization is entitled to collect the required information as forensic evidence. The requirements of different jurisdictions should also be considered to maximize chances of admission across the relevant jurisdictions.

                                    -

                                    XXXXXXXXXXXXXX XX XXX XXXXXXX XXXXXXXXX XXX XXXXXX XXX, XXXXXXXXXXX XXX XXXXXXXXXXXXX XX XXXXXXXXX XXXXXXXX. XXXXXXXXXX XX XXX XXXXXXX XX XXXXXXXXX XXX XXXXXXXX XXXXX XXXX XXX XXXXXXX XXXXXXXXX XXXXXXXX. XXXXXXXXXXX XX XXX XXXXXXX XX XXXXXXXX X XXXX XX XXXX XXXXXX X XXXXXXX XXX. XXXXXXXXXXXX XX XXX XXXXXXX XX XXXXXXXX XXX XXXXXXXXX XXX XXXXXXXXX XXX XXXXXXXX XXXXXXXXX XX XXX XXXXXXXXX XXXXXXXX.

                                    -

                                    XXXX XX XXXXXXXXXXX XXXXXXXX XXXXX XX XXXXX XXXXXXXX, XX XXX XXX XX XXXXXXX XXXXXXX XX XXX XXX XXXXX XXXX XXXXXX XX XXXXX XXXXXX. XXXXXXXXX, XXX XXXXXX XXXXXX XXXX XXXXXXXXX XXXXXXXX XX XXXXXXXXX XXXXXXXXXXXXX XX XXXXXXXXXXXX XXXXXX XXX XXXXXXXXXXX XX XXX XXXXXXXX XX XXXXXXXX. XX XX XXXXXXXXX XX XXXXXXX X XXXXXX XX XXX XXXXXX XXXXX XX XXX XXXXXXXXXXXX XXXXX XXXXXX XXX XXXX XXXXXX XX XXX XXXXXXXX XXXXXXXX.

                                    -

                                    XXX/XXX XXXXX[24] XXXXXXXX XXXXXXXXXX XXX XXXXXXXXXXXXXX, XXXXXXXXXX, XXXXXXXXXXX XXX XXXXXXXXXXXX XX XXXXXXX XXXXXXXX.

                                    +

                                    Identification is the process involving the search for, recognition and documentation of potential evidence. Collection is the process of gathering the physical items that can contain potential evidence. Acquisition is the process of creating a copy of data within a defined set. Preservation is the process to maintain and safeguard the integrity and original condition of the potential evidence.

                                    +

                                    When an information security event is first detected, it may not be obvious whether or not the event will result in court action. Therefore, the danger exists that necessary evidence is destroyed intentionally or accidentally before the seriousness of the incident is realized. It is advisable to involve a lawyer or the police early in any contemplated legal action and take advice on the evidence required.

                                    +

                                    ISO/IEC 27037[24] provides guidelines for identification, collection, acquisition and preservation of digital evidence.

                                    @@ -2624,64 +2622,64 @@ Information security continuity 17.1 -

                                    XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXXX.

                                    +

                                    Objective: Information security continuity should be embedded in the organization’s business continuity management systems.

                                    Planning information security continuity 17.1.1 -

                                    XXX XXXXXXXXXXXX XXXXXX XXXXXXXXX XXX XXXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXX XXX XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XX XXXXXXX XXXXXXXXXX, X.X. XXXXXX X XXXXXX XX XXXXXXXX.

                                    +

                                    The organization should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

                                    -

                                    XX XXXXXXXXXXXX XXXXXX XXXXXXXXX XXXXXXX XXX XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XX XXXXXXXX XXXXXX XXX XXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXXX XX XXXXXX XXX XXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXX. XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXXXXX XX XXXXXXXXXX XXXX XXXXXXXX XXX XXXXXXXX XXXXXXXXXX XXX XXXXXXXX XXXXXXXX.

                                    -

                                    XX XXX XXXXXXX XX XXXXXX XXXXXXXX XXXXXXXXXX XXX XXXXXXXX XXXXXXXX XXXXXXXX, XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXX XXXXXX XXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXXXXX XXX XXXX XX XXXXXXX XXXXXXXXXX, XXXXXXXX XX XXXXXX XXXXXXXXXXX XXXXXXXXXX. XXXXXXXXXXXXX, XX XXXXXXXXXXXX XXXXX XXXXXXX X XXXXXXXX XXXXXX XXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXX XX XXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXXXXXXXXX XX XXXXXXX XXXXXXXXXX.

                                    +

                                    An organization should determine whether the continuity of information security is captured within the business continuity management process or within the disaster recovery management process. Information security requirements should be determined when planning for business continuity and disaster recovery.

                                    +

                                    In the absence of formal business continuity and disaster recovery planning, information security management should assume that information security requirements remain the same in adverse situations, compared to normal operational conditions. Alternatively, an organization could perform a business impact analysis for information security aspects to determine the information security requirements applicable to adverse situations.

                                    -

                                    XX XXXXX XX XXXXXX XXX XXXX XXX XXXXXX XX XX ‘XXXXXXXXXX’ XXXXXXXX XXXXXX XXXXXXXX XXX XXXXXXXXXXX XXXXXXXX, XX XX XXXXXXXXXXX XX XXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXX XXXXXX XXX XXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXXX XX XXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXX XXXXXX XXXXXXXX. XXXX XXXXXXX XXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXXXXX XXX XXXXXXXXXX XXXXXXXXXX XX XXX XXXXXXXX XXXXXXXXXX XXXXXXXXXX XX XXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXX.

                                    -

                                    XXXXXXXXXXX XX XXXXXXXX XXXXXXXXXX XXXXXXXXXX XXX XX XXXXX XX XXX/XXX XXXXX,[14] XXX XXXXX[9] XXX XXX XXXXX.[8]

                                    +

                                    In order to reduce the time and effort of an ‘additional’ business impact analysis for information security, it is recommended to capture information security aspects within the normal business continuity management or disaster recovery management business impact analysis. This implies that the information security continuity requirements are explicitly formulated in the business continuity management or disaster recovery management processes.

                                    +

                                    Information on business continuity management can be found in ISO/IEC 27031,[14] ISO 22313[9] and ISO 22301.[8]

                                    Implementing information security continuity 17.1.2 -

                                    XXX XXXXXXXXXXXX XXXXXX XXXXXXXXX, XXXXXXXX, XXXXXXXXX XXX XXXXXXXX XXXXXXXXX, XXXXXXXXXX XXX XXXXXXXX XX XXXXXX XXX XXXXXXXX XXXXX XX XXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXX XXXXXXXXX.

                                    +

                                    The organization should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

                                    -

                                    XX XXXXXXXXXXXX XXXXXX XXXXXX XXXX:

                                    +

                                    An organization should ensure that:

                                      -
                                    1. XX XXXXXXXX XXXXXXXXXX XXXXXXXXX XX XX XXXXX XX XXXXXXX XXX, XXXXXXXX XXX XXXXXXX XX X XXXXXXXXXX XXXXX XXXXX XXXXXXXXX XXXX XXX XXXXXXXXX XXXXXXXXX, XXXXXXXXXX XXX XXXXXXXXXX;
                                    2. -
                                    3. XXXXXXXX XXXXXXXX XXXXXXXXX XXXX XXX XXXXXXXXX XXXXXXXXXXXXXX, XXXXXXXXX XXX XXXXXXXXXX XX XXXXXX XX XXXXXXXX XXX XXXXXXXX XXXXXXXXXXX XXXXXXXX XXX XXXXXXXXX;
                                    4. -
                                    5. XXXXXXXXXX XXXXX, XXXXXXXX XXX XXXXXXXX XXXXXXXXXX XXX XXXXXXXXX XXX XXXXXXXX, XXXXXXXXX XXX XXX XXXXXXXXXXXX XXXX XXXXXX X XXXXXXXXXX XXXXX XXX XXXX XXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XX X XXXXXXXXXXXXX XXXXX, XXXXX XX XXXXXXXXXX-XXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXXX (XXX 17.1.1).
                                    6. +
                                    7. an adequate management structure is in place to prepare for, mitigate and respond to a disruptive event using personnel with the necessary authority, experience and competence;
                                    8. +
                                    9. incident response personnel with the necessary responsibility, authority and competence to manage an incident and maintain information security are nominated;
                                    10. +
                                    11. documented plans, response and recovery procedures are developed and approved, detailing how the organization will manage a disruptive event and will maintain its information security to a predetermined level, based on management-approved information security continuity objectives (see 17.1.1).
                                    -

                                    XXXXXXXXX XX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXXXXX, XXX XXXXXXXXXXXX XXXXXX XXXXXXXXX, XXXXXXXX, XXXXXXXXX XXX XXXXXXXX:

                                    +

                                    According to the information security continuity requirements, the organization should establish, document, implement and maintain:

                                      -
                                    1. XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXX XXXXXXXX XXXXXXXXXX XX XXXXXXXX XXXXXXXX XXXXXXXXX, XXXXXXXXXX XXX XXXXXXXXXX XXXXXXX XXX XXXXX;
                                    2. -
                                    3. XXXXXXXXX, XXXXXXXXXX XXX XXXXXXXXXXXXXX XXXXXXX XX XXXXXXXX XXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXX XX XXXXXXX XXXXXXXXX;
                                    4. -
                                    5. XXXXXXXXXXXX XXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXX XXXXXX XX XXXXXXXXXX XXXXXX XX XXXXXXX XXXXXXXXX.
                                    6. +
                                    7. information security controls within business continuity or disaster recovery processes, procedures and supporting systems and tools;
                                    8. +
                                    9. processes, procedures and implementation changes to maintain existing information security controls during an adverse situation;
                                    10. +
                                    11. compensating controls for information security controls that cannot be maintained during an adverse situation.
                                    -

                                    XXXXXX XXX XXXXXXX XX XXXXXXXX XXXXXXXXXX XX XXXXXXXX XXXXXXXX, XXXXXXXX XXXXXXXXX XXX XXXXXXXXXX XXX XXXX XXXX XXXXXXX. XXXXXXXXXXX XXXX XX XXXXXXX XXXXXX XXXXX XXXXXXXXX XXX XXXXXXXXXX XX XXXXXX XXXXXXXXX XXXXXXXXXXX XXXXXXX XX XXXXXXX XXXX XXXXXX XX XXXXXXXXX. XXXXXXXXX XX XXXXXXXXXXXX XXXXXX XXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXX XXXX XXXXXXXXXXXX, XXXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XX XXXXXXXX XXXXXXXX XXXXXXXXX XXX XXXXXXXXXX.

                                    -

                                    XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXX XXXX XXXX XXXXXXXXXXX XXXXXX XXXXXXXX XX XXXXXXX XXXXXX XX XXXXXXX XXXXXXXXX. XX XXXXXXXX XXXXXXXX XXX XXX XXXX XX XXXXXXXX XX XXXXXX XXXXXXXXXXX, XXXXX XXXXXXXX XXXXXX XX XXXXXXXXXXX, XXXXXXXXXXX XXX XXXXXXXXXX XX XXXXXXXX XX XXXXXXXXXX XXXXX XX XXXXXXXXXXX XXXXXXXX.

                                    +

                                    Within the context of business continuity or disaster recovery, specific processes and procedures may have been defined. Information that is handled within these processes and procedures or within dedicated information systems to support them should be protected. Therefore an organization should involve information security specialists when establishing, implementing and maintaining business continuity or disaster recovery processes and procedures.

                                    +

                                    Information security controls that have been implemented should continue to operate during an adverse situation. If security controls are not able to continue to secure information, other controls should be established, implemented and maintained to maintain an acceptable level of information security.

                                    Verify, review and evaluate information security continuity 17.1.3 -

                                    XXX XXXXXXXXXXXX XXXXXX XXXXXX XXX XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXX XX XXXXXXX XXXXXXXXX XX XXXXX XX XXXXXX XXXX XXXX XXX XXXXX XXX XXXXXXXXX XXXXXX XXXXXXX XXXXXXXXXX.

                                    -

                                    “XXXXXXXXXXXXXX XXXXXXXX”

                                    -

                                    XXXXXXXXXXXXXX, XXXXXXXXX, XXXXXXXXXX XXX XXXXXXX XXXXXXX, XXXXXXX XX XX XXXXXXXXXXX XX XXXXXXXXXX XXXXXXX, XXX XXXX XX XXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXXXXX. XX XXXX XXXXX, XXX XXXXXXXXXX XX XXXXXXXXX, XXXXXXXXXX XXX XXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXX XX XXXXXXXX XXXXXXX XXXXX XXXXXXX XXXXXXXXXXXX.

                                    -

                                    XXXXXXXXXXXXX XXXXXX XXXXXX XXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXXX XX:

                                    +

                                    The organization should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

                                    +

                                    “Implementation guidance”

                                    +

                                    Organizational, technical, procedural and process changes, whether in an operational or continuity context, can lead to changes in information security continuity requirements. In such cases, the continuity of processes, procedures and controls for information security should be reviewed against these changed requirements.

                                    +

                                    Organizations should verify their information security management continuity by:

                                      -
                                    1. XXXXXXXXXX XXX XXXXXXX XXX XXXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXX, XXXXXXXXXX XXX XXXXXXXX XX XXXXXX XXXX XXXX XXX XXXXXXXXXX XXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXXX;
                                    2. -
                                    3. XXXXXXXXXX XXX XXXXXXX XXX XXXXXXXXX XXX XXXXXXX XX XXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXX, XXXXXXXXXX XXX XXXXXXXX XX XXXXXX XXXX XXXXX XXXXXXXXXXX XX XXXXXXXXXX XXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXXX;
                                    4. -
                                    5. XXXXXXXXX XXX XXXXXXXX XXX XXXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXX XXXX XXXXXXXXXXX XXXXXXX, XXXXXXXXXXX XXXXXXXX XXXXXXXXX, XXXXXXXXXX XXX XXXXXXXX XX XXXXXXXX XXXXXXXXXX XXXXXXXXXX/XXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXX XXX XXXXXXXXX XXXXXX.
                                    6. +
                                    7. exercising and testing the functionality of information security continuity processes, procedures and controls to ensure that they are consistent with the information security continuity objectives;
                                    8. +
                                    9. exercising and testing the knowledge and routine to operate information security continuity processes, procedures and controls to ensure that their performance is consistent with the information security continuity objectives;
                                    10. +
                                    11. reviewing the validity and effectiveness of information security continuity measures when information systems, information security processes, procedures and controls or business continuity management/disaster recovery management processes and solutions change.
                                    -

                                    XXX XXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXX XX XXXXXXXXX XXXX XXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXX XXX XXXXXXXXXXXX XXX XXXXXX XX XXXXXXXXX XXXXXXX XXX XXXXXXX XX XXXXXXX. XX XXXXXXXX, XX XX XXXXXXXXXX XX XXXXXXXXX XXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXX XXXX XXX XXXXXXXXXXXX’X XXXXXXXX XXXXXXXXXX XX XXXXXXXX XXXXXXXX XXXXX.

                                    +

                                    The verification of information security continuity controls is different from general information security testing and verification and should be performed outside the testing of changes. If possible, it is preferable to integrate verification of information security continuity controls with the organization’s business continuity or disaster recovery tests.

                                    @@ -2689,20 +2687,20 @@ Redundancies 17.2 -

                                    XX XXXXXX XXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX.

                                    +

                                    Objective: To ensure availability of information processing facilities.

                                    Availability of information processing facilities 17.2.1 -

                                    XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXXX XXXX XXXXXXXXXX XXXXXXXXXX XX XXXX XXXXXXXXXXXX XXXXXXXXXXXX.

                                    +

                                    Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.

                                    -

                                    XXXXXXXXXXXXX XXXXXX XXXXXXXX XXXXXXXX XXXXXXXXXXXX XXX XXX XXXXXXXXXXXX XX XXXXXXXXXXX XXXXXXX. XXXXX XXX XXXXXXXXXXXX XXXXXX XX XXXXXXXXXX XXXXX XXX XXXXXXXX XXXXXXX XXXXXXXXXXXX, XXXXXXXXX XXXXXXXXXX XX XXXXXXXXXXXXX XXXXXX XX XXXXXXXXXX.

                                    -

                                    XXXXX XXXXXXXXXX, XXXXXXXXX XXXXXXXXXXX XXXXXXX XXXXXX XX XXXXXX XX XXXXXX XXX XXXXXXXX XXXX XXX XXXXXXXXX XX XXXXXXX XXXXXXXXX XXXXX XX XXXXXXXX.

                                    +

                                    Organizations should identify business requirements for the availability of information systems. Where the availability cannot be guaranteed using the existing systems architecture, redundant components or architectures should be considered.

                                    +

                                    Where applicable, redundant information systems should be tested to ensure the failover from one component to another component works as intended.

                                    -

                                    XXX XXXXXXXXXXXXXX XX XXXXXXXXXXXX XXX XXXXXXXXX XXXXX XX XXX XXXXXXXXX XX XXXXXXXXXXXXXXX XX XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXX, XXXXX XXXX XX XX XXXXXXXXXX XXXX XXXXXXXXX XXXXXXXXXXX XXXXXXX.

                                    +

                                    The implementation of redundancies can introduce risks to the integrity or confidentiality of information and information systems, which need to be considered when designing information systems.

                                    @@ -2714,101 +2712,101 @@ Compliance with legal and contractual requirements 18.1 -

                                    XX XXXXX XXXXXXXX XX XXXXX, XXXXXXXXX, XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXXX XXXXXXX XX XXXXXXXXXXX XXXXXXXX XXX XX XXX XXXXXXXX XXXXXXXXXXXX.

                                    +

                                    Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

                                    Identification of applicable legislation and contractual requirements 18.1.1 -

                                    XXX XXXXXXXX XXXXXXXXXXX XXXXXXXXX, XXXXXXXXXX, XXXXXXXXXXX XXXXXXXXXXXX XXX XXX XXXXXXXXXXXX’X XXXXXXXX XX XXXX XXXXX XXXXXXXXXXXX XXXXXX XX XXXXXXXXXX XXXXXXXXXX, XXXXXXXXXX XXX XXXX XX XX XXXX XXX XXXX XXXXXXXXXXX XXXXXX XXX XXX XXXXXXXXXXXX.

                                    +

                                    All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization.

                                    -

                                    XXX XXXXXXXX XXXXXXXX XXX XXXXXXXXXX XXXXXXXXXXXXXXXX XX XXXX XXXXX XXXXXXXXXXXX XXXXXX XXXX XX XXXXXXX XXX XXXXXXXXXX.

                                    -

                                    XXXXXXXX XXXXXX XXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXX XX XXXXX XXXXXXXXXXXX XX XXXXX XX XXXX XXX XXXXXXXXXXXX XXX XXXXX XXXX XX XXXXXXXX. XX XXX XXXXXXXXXXXX XXXXXXXX XXXXXXXX XX XXXXX XXXXXXXXX, XXXXXXXX XXXXXX XXXXXXXX XXXXXXXXXX XX XXX XXXXXXXX XXXXXXXXX.

                                    +

                                    The specific controls and individual responsibilities to meet these requirements should also be defined and documented.

                                    +

                                    Managers should identify all legislation applicable to their organization in order to meet the requirements for their type of business. If the organization conducts business in other countries, managers should consider compliance in all relevant countries.

                                    Intellectual property rights 18.1.2 -

                                    XXXXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXX XXXXXXXXXX XXXX XXXXXXXXXXX, XXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXXXX XXXXXXX XX XXXXXXXXXXXX XXXXXXXX XXXXXX XXX XXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXX.

                                    +

                                    Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.

                                    -

                                    XXX XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXX XX XXXXXXX XXX XXXXXXXX XXXX XXX XX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXX:

                                    +

                                    The following guidelines should be considered to protect any material that may be considered intellectual property:

                                      -
                                    1. XXXXXXXXXX XX XXXXXXXXXXXX XXXXXXXX XXXXXX XXXXXXXXXX XXXXXX XXXXX XXXXXXX XXX XXXXX XXX XX XXXXXXXX XXX XXXXXXXXXXX XXXXXXXX;
                                    2. -
                                    3. XXXXXXXXX XXXXXXXX XXXX XXXXXXX XXXXX XXX XXXXXXXXX XXXXXXX, XX XXXXXX XXXX XXXXXXXXX XX XXX XXXXXXXX;
                                    4. -
                                    5. XXXXXXXXXXX XXXXXXXXX XX XXXXXXXX XX XXXXXXX XXXXXXXXXXXX XXXXXXXX XXXXXX XXX XXXXXX XXXXXX XX XXX XXXXXX XX XXXX XXXXXXXXXXXX XXXXXX XXXXXXX XXXXXXXXX XXXXXXXXX XXXX;
                                    6. -
                                    7. XXXXXXXXXXX XXXXXXXXXXX XXXXX XXXXXXXXX XXX XXXXXXXXXXX XXX XXXXXX XXXX XXXXXXXXXXXX XX XXXXXXX XXXXXXXXXXXX XXXXXXXX XXXXXX;
                                    8. -
                                    9. XXXXXXXXXXX XXXXX XXX XXXXXXXX XX XXXXXXXXX XX XXXXXXXX, XXXXXX XXXXX, XXXXXXX, XXX.;
                                    10. -
                                    11. XXXXXXXXXXXX XXXXXXXX XX XXXXXX XXXX XXX XXXXXXX XXXXXX XX XXXXX XXXXXXXXX XXXXXX XXX XXXXXXX XX XXX XXXXXXXX;
                                    12. -
                                    13. XXXXXXXX XXX XXXXXXX XXXX XXXX XXXXXXXXXX XXXXXXXX XXX XXXXXXXX XXXXXXXX XXX XXXXXXXXX;
                                    14. -
                                    15. XXXXXXXXX X XXXXXX XXX XXXXXXXXXXX XXXXXXXXXXX XXXXXXX XXXXXXXXXX;
                                    16. -
                                    17. XXXXXXXXX X XXXXXX XXX XXXXXXXXX XX XX XXXXXXXXXXXX XXXXXXXX XX XXXXXX;
                                    18. -
                                    19. XXXXXXXXX XXXX XXXXX XXX XXXXXXXXXX XXX XXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXX XXXXXX XXXXXXXX;
                                    20. -
                                    21. XXX XXXXXXXXXXX, XXXXXXXXXX XX XXXXXXX XXXXXX XX XXXXXXXXXX XXXX XXXXXXXXXX XXXXXXXXXX (XXXX, XXXXX) XXXXX XXXX XXXXXXXXX XX XXXXXXXXX XXX;
                                    22. -
                                    23. XXX XXXXXXX XX XXXX XX XX XXXX, XXXXX, XXXXXXXX, XXXXXXX XX XXXXX XXXXXXXXX, XXXXX XXXX XXXXXXXXX XX XXXXXXXXX XXX.
                                    24. +
                                    25. publishing an intellectual property rights compliance policy which defines the legal use of software and information products;
                                    26. +
                                    27. acquiring software only through known and reputable sources, to ensure that copyright is not violated;
                                    28. +
                                    29. maintaining awareness of policies to protect intellectual property rights and giving notice of the intent to take disciplinary action against personnel breaching them;
                                    30. +
                                    31. maintaining appropriate asset registers and identifying all assets with requirements to protect intellectual property rights;
                                    32. +
                                    33. maintaining proof and evidence of ownership of licences, master disks, manuals, etc.;
                                    34. +
                                    35. implementing controls to ensure that any maximum number of users permitted within the licence is not exceeded;
                                    36. +
                                    37. carrying out reviews that only authorized software and licensed products are installed;
                                    38. +
                                    39. providing a policy for maintaining appropriate licence conditions;
                                    40. +
                                    41. providing a policy for disposing of or transferring software to others;
                                    42. +
                                    43. complying with terms and conditions for software and information obtained from public networks;
                                    44. +
                                    45. not duplicating, converting to another format or extracting from commercial recordings (film, audio) other than permitted by copyright law;
                                    46. +
                                    47. not copying in full or in part, books, articles, reports or other documents, other than permitted by copyright law.
                                    -

                                    XXXXXXXXXXXX XXXXXXXX XXXXXX XXXXXXX XXXXXXXX XX XXXXXXXX XXXXXXXXX, XXXXXX XXXXXX, XXXXXXXXXX, XXXXXXX XXX XXXXXX XXXX XXXXXXXX.

                                    -

                                    XXXXXXXXXXX XXXXXXXX XXXXXXXX XXX XXXXXXX XXXXXXXX XXXXX X XXXXXXX XXXXXXXXX XXXX XXXXXXXXX XXXXXXX XXXXX XXX XXXXXXXXXX, XXX XXXXXXX, XXXXXXXX XXX XXX XX XXX XXXXXXXX XX XXXXXXXXX XXXXXXXX XX XXXXXXXX XXXXXXX XX XXX XXXXXXXX XX XXXXXX XXXXXX XXXX. XXX XXXXXXXXXX XXX XXXXXXXXX XX XXXXXXXXXXXX XXXXXXXX XXXXXX XXXXXX XX XXXXXXXXXXXX XX XXXXX XXX XXXXXXXX XXXXXXXXX XX XXX XXXXXXXXXXXX.

                                    -

                                    XXXXXXXXXXX, XXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXXXX XXX XXXXX XXXXXXXXXXXX XX XXX XXXXXXX XX XXXXXXXXXXX XXXXXXXX. XX XXXXXXXXXX, XXXX XXX XXXXXXX XXXX XXXX XXXXXXXX XXXX XX XXXXXXXXX XX XXX XXXXXXXXXXXX XX XXXX XX XXXXXXXX XX XXXXXXXX XX XXX XXXXXXXXX XX XXX XXXXXXXXXXXX, XXX XX XXXX. XXXXXXXXX XXXXXXXXXXXX XXX XXXX XX XXXXX XXXXXX, XXXXX XXX XXXXXXX XXXXX XXX XXXXXXXX XXXXXXXXXXX.

                                    +

                                    Intellectual property rights include software or document copyright, design rights, trademarks, patents and source code licences.

                                    +

                                    Proprietary software products are usually supplied under a licence agreement that specifies licence terms and conditions, for example, limiting the use of the products to specified machines or limiting copying to the creation of backup copies only. The importance and awareness of intellectual property rights should be communicated to staff for software developed by the organization.

                                    +

                                    Legislative, regulatory and contractual requirements may place restrictions on the copying of proprietary material. In particular, they may require that only material that is developed by the organization or that is licensed or provided by the developer to the organization, can be used. Copyright infringement can lead to legal action, which may involve fines and criminal proceedings.

                                    Protection of records 18.1.3 -

                                    XXXXXXX XXXXXX XX XXXXXXXXX XXXX XXXX, XXXXXXXXXXX, XXXXXXXXXXXXX, XXXXXXXXXXXX XXXXXX XXX XXXXXXXXXXXX XXXXXXX, XX XXXXXXXXXX XXXX XXXXXXXXXXX, XXXXXXXXXX, XXXXXXXXXXX XXX XXXXXXXX XXXXXXXXXXXX.

                                    +

                                    Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.

                                    -

                                    XXXX XXXXXXXX XXXX XXXXXXXXXX XX XXXXXXXX XXXXXXXXXXXXXX XXXXXXX, XXXXX XXXXXXXXXXXXX XXXXXXXXXXXXXX XXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXXXXXXXX XXXXXX, XXXXXX XX XXXXXXXXXX. XXXXXXX XXXXXX XX XXXXXXXXXXX XXXX XXXXXX XXXXX, X.X. XXXXXXXXXX XXXXXXX, XXXXXXXX XXXXXXX, XXXXXXXXXXX XXXX, XXXXX XXXX XXX XXXXXXXXXXX XXXXXXXXXX, XXXX XXXX XXXXXXX XX XXXXXXXXX XXXXXXX XXX XXXX XX XXXXXXXXX XXXXXXX XXXXX, X.X. XXXXX, XXXXXXXXXX, XXXXXXXX, XXXXXXX. XXX XXXXXXX XXXXXXXXXXXXX XXXX XXX XXXXXXXX XXXXXXXXXX XXXX XXXXXXXXX XXXXXXXX XX XXXXXXX XXXXXXXXXX (XXX Clause 10), XXXXXX XXXX XX XXXXXX XX XXXXXX XXXXXXXXXX XX XXX XXXXXXX XXX XXX XXXXXX XX XXXX XXX XXXXXXX XXX XXXXXXXX.

                                    -

                                    XXXXXXXXXXXXX XXXXXX XX XXXXX XX XXX XXXXXXXXXXX XX XXXXXXXXXXXXX XX XXXXX XXXX XXX XXXXXXX XX XXXXXXX. XXXXXXX XXX XXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXXXXXX XXXX XXXXXXXXXXXX’X XXXXXXXXXXXXXXX.

                                    -

                                    XXXXX XXXXXXXXXX XXXXXXX XXXXX XXX XXXXXX, XXXXXXXXXX XX XXXXXX XXX XXXXXXX XX XXXXXX XXXX (XXXX XXXXX XXX XXXXXX XXXXXXXXXXX) XXXXXXXXXX XXX XXXXXXXXX XXXXXX XXXXXX XX XXXXXXXXXXX XX XXXXXXXXX XXXXXXX XXXX XXX XX XXXXXX XXXXXXXXXX XXXXXX.

                                    -

                                    XXXX XXXXXXX XXXXXXX XXXXXX XX XXXXXX XXXX XXXX XXXXXXXX XXXX XXX XX XXXXXXXXX XX XX XXXXXXXXXX XXXXXXXXX XXX XXXXXX, XXXXXXXXX XX XXX XXXXXXXXXXXX XX XX XXXXXXXXX.

                                    -

                                    XXX XXXXXX XX XXXXXXX XXX XXXXXXXX XXXXXX XXXXXX XXXXXXXXXXXXXX XX XXXXXXX XXX XX XXXXX XXXXXXXXX XXXXXX XX XXXXXXX XX XXXXXXXX XX XXXXXXXX XXXXXXXXXXX XX XXXXXXXXXXX, XX XXXXXXXXXX. XXXX XXXXXX XXXXXX XXXXXX XXXXXXXXXXX XXXXXXXXXXX XX XXXXXXX XXXXX XXXX XXXXXX XX XXXX XXX XXX XXXXXX XX XXX XXXXXXXXXXXX.

                                    -

                                    XX XXXX XXXXX XXXXXX XXXXXXXXXXXX XXXXXXXXXX, XXX XXXXXXXXX XXXXX XXXXXX XX XXXXX XXXXXX XX XXXXXXXXXXXX:

                                    +

                                    When deciding upon protection of specific organizational records, their corresponding classification based on the organization’s classification scheme, should be considered. Records should be categorised into record types, e.g. accounting records, database records, transaction logs, audit logs and operational procedures, each with details of retention periods and type of allowable storage media, e.g. paper, microfiche, magnetic, optical. Any related cryptographic keys and programs associated with encrypted archives or digital signatures (see Clause 10), should also be stored to enable decryption of the records for the length of time the records are retained.

                                    +

                                    Consideration should be given to the possibility of deterioration of media used for storage of records. Storage and handling procedures should be implemented in accordance with manufacturer’s recommendations.

                                    +

                                    Where electronic storage media are chosen, procedures to ensure the ability to access data (both media and format readability) throughout the retention period should be established to safeguard against loss due to future technology change.

                                    +

                                    Data storage systems should be chosen such that required data can be retrieved in an acceptable timeframe and format, depending on the requirements to be fulfilled.

                                    +

                                    The system of storage and handling should ensure identification of records and of their retention period as defined by national or regional legislation or regulations, if applicable. This system should permit appropriate destruction of records after that period if they are not needed by the organization.

                                    +

                                    To meet these record safeguarding objectives, the following steps should be taken within an organization:

                                      -
                                    1. XXXXXXXXXX XXXXXX XX XXXXXX XX XXX XXXXXXXXX, XXXXXXX, XXXXXXXX XXX XXXXXXXX XX XXXXXXX XXX XXXXXXXXXXX;
                                    2. -
                                    3. X XXXXXXXXX XXXXXXXX XXXXXX XX XXXXX XX XXXXXXXXXXX XXXXXXX XXX XXX XXXXXX XX XXXX XXX XXXXX XXXX XXXXXX XX XXXXXXXX;
                                    4. -
                                    5. XX XXXXXXXXX XX XXXXXXX XX XXX XXXXXXXXXXX XXXXXX XX XXXXXXXXXX.
                                    6. +
                                    7. guidelines should be issued on the retention, storage, handling and disposal of records and information;
                                    8. +
                                    9. a retention schedule should be drawn up identifying records and the period of time for which they should be retained;
                                    10. +
                                    11. an inventory of sources of key information should be maintained.
                                    -

                                    XXXX XXXXXXX XXX XXXX XX XX XXXXXXXX XXXXXXXX XX XXXX XXXXXXXXX, XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXXXX, XX XXXX XX XX XXXXXXX XXXXXXXXX XXXXXXXX XXXXXXXXXX. XXXXXXXX XXXXXXX XXXXXXX XXXX XXX XX XXXXXXXX XX XXXXXXXX XXXX XX XXXXXXXXXXXX XXXXXXXX XXXXXX XXXXXXXXX XX XXXXXXXXXX XXXXX, XX XXXXXX XXXXXXX XXXXXXX XXXXXXXXX XXXXX XX XXXXXXXX XXXXXX XX XX XXXXXXX XXX XXXXXXXXX XXXXXX XX XX XXXXXXXXXXXX XX XXXXXXXXXXXX, XXXXXXXX XXXXXXX XXX XXXXXXXX. XXXXXXXX XXX XX XXXXXXXXXX XXX XXX XXX XXXX XXXXXX XXX XXXX XXXXXXX XXX XXXXXXXXXXX XXXXXXXXX.

                                    -

                                    XXXXXXX XXXXXXXXXXX XXXXX XXXXXXXX XXXXXXXXXXXXXX XXXXXXX XXX XX XXXXX XX XXX XXXXX-X.[5]

                                    +

                                    Some records may need to be securely retained to meet statutory, regulatory or contractual requirements, as well as to support essential business activities. Examples include records that may be required as evidence that an organization operates within statutory or regulatory rules, to ensure defence against potential civil or criminal action or to confirm the financial status of an organization to shareholders, external parties and auditors. National law or regulation may set the time period and data content for information retention.

                                    +

                                    Further information about managing organizational records can be found in ISO 15489-1.[5]

                                    Privacy and protection of personally identifiable information 18.1.4 -

                                    XXXXXXX XXX XXXXXXXXXX XX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXX XX XXXXXXXX XX XXXXXXXX XXXXXXXXXXX XXX XXXXXXXXXX XXXXX XXXXXXXXXX.

                                    +

                                    Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable.

                                    -

                                    XX XXXXXXXXXXXX’X XXXX XXXXXX XXX XXXXXXX XXX XXXXXXXXXX XX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXX XXX XXXXXXXXXXX. XXXX XXXXXX XXXXXX XX XXXXXXXXXXXX XX XXX XXXXXXX XXXXXXXX XX XXX XXXXXXXXXX XX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX.

                                    -

                                    XXXXXXXXXX XXXX XXXX XXXXXX XXX XXX XXXXXXXX XXXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXX XX XXX XXXXXXX XX XXXXXX XXX XXX XXXXXXXXXX XX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXXXXX XXX XXXXXXX. XXXXX XXXX XX XXXX XXXXXXXX XX XXX XXXXXXXXXXX XX X XXXXXX XXXXXXXXXXX, XXXX XX X XXXXXXX XXXXXXX, XXX XXXXXX XXXXXXX XXXXXXXX XX XXXXXXXX, XXXXX XXX XXXXXXX XXXXXXXXX XX XXXXX XXXXXXXXXX XXXXXXXXXXXXXXXX XXX XXX XXXXXXXX XXXXXXXXXX XXXX XXXXXX XX XXXXXXXX. XXXXXXXXXXXXXX XXX XXXXXXXX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XXX XXXXXXXX XXXXXXXXX XX XXX XXXXXXX XXXXXXXXXX XXXXXX XX XXXXX XXXX XX XXXXXXXXXX XXXX XXXXXXXX XXXXXXXXXXX XXX XXXXXXXXXXX. XXXXXXXXXXX XXXXXXXXX XXX XXXXXXXXXXXXXX XXXXXXXX XX XXXXXXX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XXXXXX XX XXXXXXXXXXX.

                                    +

                                    An organization’s data policy for privacy and protection of personally identifiable information should be developed and implemented. This policy should be communicated to all persons involved in the processing of personally identifiable information.

                                    +

                                    Compliance with this policy and all relevant legislation and regulations concerning the protection of the privacy of people and the protection of personally identifiable information requires appropriate management structure and control. Often this is best achieved by the appointment of a person responsible, such as a privacy officer, who should provide guidance to managers, users and service providers on their individual responsibilities and the specific procedures that should be followed. Responsibility for handling personally identifiable information and ensuring awareness of the privacy principles should be dealt with in accordance with relevant legislation and regulations. Appropriate technical and organizational measures to protect personally identifiable information should be implemented.

                                    -

                                    XXX/XXX XXXXX[25] XXXXXXXX X XXXX-XXXXX XXXXXXXXX XXX XXX XXXXXXXXXX XX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XXXXXX XXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXXX. X XXXXXX XX XXXXXXXXX XXXX XXXXXXXXXX XXXXXXXXXXX XXXXXXX XXXXXXXX XX XXX XXXXXXXXXX, XXXXXXXXXX XXX XXXXXXXXXXXX XX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX (XXXXXXXXX XXXXXXXXXXX XX XXXXXX XXXXXXXXXXX XXX XXX XX XXXXXXXXXX XXXX XXXX XXXXXXXXXXX). XXXXXXXXX XX XXX XXXXXXXXXX XXXXXXXX XXXXXXXXXXX, XXXX XXXXXXXX XXX XXXXXX XXXXXX XX XXXXX XXXXXXXXXX, XXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX, XXX XXX XXXX XXXXXXXX XXX XXXXXXX XX XXXXXXXX XXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XX XXXXX XXXXXXXXX.

                                    +

                                    ISO/IEC 29100[25] provides a high-level framework for the protection of personally identifiable information within information and communication technology systems. A number of countries have introduced legislation placing controls on the collection, processing and transmission of personally identifiable information (generally information on living individuals who can be identified from that information). Depending on the respective national legislation, such controls may impose duties on those collecting, processing and disseminating personally identifiable information, and may also restrict the ability to transfer personally identifiable information to other countries.

                                    Regulation of cryptographic controls 18.1.5 -

                                    XXXXXXXXXXXXX XXXXXXXX XXXXXX XX XXXX XX XXXXXXXXXX XXXX XXX XXXXXXXX XXXXXXXXXX, XXXXXXXXXXX XXX XXXXXXXXXXX.

                                    +

                                    Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations.

                                    -

                                    XXX XXXXXXXXX XXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXXXXX XXXX XXX XXXXXXXX XXXXXXXXXX, XXXX XXX XXXXXXXXXXX:

                                    +

                                    The following items should be considered for compliance with the relevant agreements, laws and regulations:

                                      -
                                    1. XXXXXXXXXXXX XX XXXXXX XX XXXXXX XX XXXXXXXX XXXXXXXX XXX XXXXXXXX XXX XXXXXXXXXX XXXXXXXXXXXXX XXXXXXXXX;
                                    2. -
                                    3. XXXXXXXXXXXX XX XXXXXX XX XXXXXX XX XXXXXXXX XXXXXXXX XXX XXXXXXXX XXXXX XX XXXXXXXX XX XXXX XXXXXXXXXXXXX XXXXXXXXX XXXXX XX XX;
                                    4. -
                                    5. XXXXXXXXXXXX XX XXX XXXXX XX XXXXXXXXXX;
                                    6. -
                                    7. XXXXXXXXX XX XXXXXXXXXXXXX XXXXXXX XX XXXXXX XX XXX XXXXXXXXX’ XXXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXX XX XXXXXXXX XX XXXXXXXX XX XXXXXXX XXXXXXXXXXXXXXX XX XXXXXXX.
                                    8. +
                                    9. restrictions on import or export of computer hardware and software for performing cryptographic functions;
                                    10. +
                                    11. restrictions on import or export of computer hardware and software which is designed to have cryptographic functions added to it;
                                    12. +
                                    13. restrictions on the usage of encryption;
                                    14. +
                                    15. mandatory or discretionary methods of access by the countries’ authorities to information encrypted by hardware or software to provide confidentiality of content.
                                    -

                                    XXXXX XXXXXX XXXXXX XX XXXXXX XX XXXXXX XXXXXXXXXX XXXX XXXXXXXX XXXXXXXXXXX XXX XXXXXXXXXXX. XXXXXX XXXXXXXXX XXXXXXXXXXX XX XXXXXXXXXXXXX XXXXXXXX XXX XXXXX XXXXXX XXXXXXXXXXXXXX XXXXXXX, XXXXX XXXXXX XXXXXX XXXX XX XXXXX.

                                    +

                                    Legal advice should be sought to ensure compliance with relevant legislation and regulations. Before encrypted information or cryptographic controls are moved across jurisdictional borders, legal advice should also be taken.

                                    @@ -2816,149 +2814,149 @@ Information security reviews 18.2 -

                                    XX XXXXXX XXXX XXXXXXXXXXX XXXXXXXX XX XXXXXXXXXXX XXX XXXXXXXX XX XXXXXXXXXX XXXX XXX XXXXXXXXXXXXXX XXXXXXXX XXX XXXXXXXXXX.

                                    +

                                    Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

                                    Independent review of information security 18.2.1 -

                                    XXX XXXXXXXXXXXX’X XXXXXXXX XX XXXXXXXX XXXXXXXXXXX XXXXXXXX XXX XXX XXXXXXXXXXXXXX (X.X. XXXXXXX XXXXXXXXXX, XXXXXXXX, XXXXXXXX, XXXXXXXXX XXX XXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX) XXXXXX XX XXXXXXXX XXXXXXXXXXXXX XX XXXXXXX XXXXXXXXX XX XXXX XXXXXXXXXXX XXXXXXX XXXXX.

                                    +

                                    The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur.

                                    -

                                    XXXXXXXXXX XXXXXX XXXXXXXX XXX XXXXXXXXXXX XXXXXX. XXXX XX XXXXXXXXXXX XXXXXX XX XXXXXXXXX XX XXXXXX XXX XXXXXXXXXX XXXXXXXXXXX, XXXXXXXX XXX XXXXXXXXXXXXX XX XXX XXXXXXXXXXXX’X XXXXXXXX XX XXXXXXXX XXXXXXXXXXX XXXXXXXX. XXX XXXXXX XXXXXX XXXXXXX XXXXXXXXX XXXXXXXXXXXXX XXX XXXXXXXXXXX XXX XXX XXXX XXX XXXXXXX XX XXX XXXXXXXX XX XXXXXXXX, XXXXXXXXX XXX XXXXXX XXX XXXXXXX XXXXXXXXXX.

                                    -

                                    XXXX X XXXXXX XXXXXX XX XXXXXXX XXX XX XXXXXXXXXXX XXXXXXXXXXX XX XXX XXXX XXXXX XXXXXX, X.X. XXX XXXXXXXX XXXXX XXXXXXXX, XX XXXXXXXXXXX XXXXXXX XX XX XXXXXXXX XXXXX XXXXXXXXXXXX XXXXXXXXXXXX XX XXXX XXXXXXX. XXXXXXXXXXX XXXXXXXX XXX XXXXX XXXXXXX XXXXXX XXXX XXX XXXXXXXXXXX XXXXXX XXX XXXXXXXXXX.

                                    -

                                    XXX XXXXXXX XX XXX XXXXXXXXXXX XXXXXX XXXXXX XX XXXXXXXX XXX XXXXXXXX XX XXX XXXXXXXXXX XXX XXXXXXXXX XXX XXXXXX. XXXXX XXXXXXX XXXXXX XX XXXXXXXXXX.

                                    -

                                    XX XXX XXXXXXXXXXX XXXXXX XXXXXXXXXX XXXX XXX XXXXXXXXXXXX’X XXXXXXXX XXX XXXXXXXXXXXXXX XX XXXXXXXX XXXXXXXXXXX XXXXXXXX XX XXXXXXXXXX, X.X. XXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXXXX XXX XXX XXX XX XXX XXXXXXXXX XXXX XXX XXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXX XX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXX (XXX 5.1.1), XXXXXXXXXX XXXXXX XXXXXXXX XXXXXXXXXX XXXXXXX.

                                    +

                                    Management should initiate the independent review. Such an independent review is necessary to ensure the continuing suitability, adequacy and effectiveness of the organization’s approach to managing information security. The review should include assessing opportunities for improvement and the need for changes to the approach to security, including the policy and control objectives.

                                    +

                                    Such a review should be carried out by individuals independent of the area under review, e.g. the internal audit function, an independent manager or an external party organization specializing in such reviews. Individuals carrying out these reviews should have the appropriate skills and experience.

                                    +

                                    The results of the independent review should be recorded and reported to the management who initiated the review. These records should be maintained.

                                    +

                                    If the independent review identifies that the organization’s approach and implementation to managing information security is inadequate, e.g. documented objectives and requirements are not met or not compliant with the direction for information security stated in the information security policies (see 5.1.1), management should consider corrective actions.

                                    -

                                    XXX/XXX XXXXX[12], “XXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXX XXXXXXXX” XXX XXX/XXX XX XXXXX[13], “XXXXXXXXXX XXX XXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXX” XXXX XXXXXXX XXXXXXXX XXX XXXXXXXX XXX XXX XXXXXXXXXXX XXXXXX.

                                    +

                                    ISO/IEC 27007[12], “Guidelines for information security management systems auditing” and ISO/IEC TR 27008[13], “Guidelines for auditors on information security controls” also provide guidance for carrying out the independent review.

                                    Compliance with security policies and standards 18.2.2 -

                                    XXXXXXXX XXXXXX XXXXXXXXX XXXXXX XXX XXXXXXXXXX XX XXXXXXXXXXX XXXXXXXXXX XXX XXXXXXXXXX XXXXXX XXXXX XXXX XX XXXXXXXXXXXXXX XXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXX, XXXXXXXXX XXX XXX XXXXX XXXXXXXX XXXXXXXXXXXX.

                                    +

                                    Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

                                    -

                                    XXXXXXXX XXXXXX XXXXXXXX XXX XX XXXXXX XXXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXXXX XXXXXXX XX XXXXXXXX, XXXXXXXXX XXX XXXXX XXXXXXXXXX XXXXXXXXXXX XXX XXX. XXXXXXXXX XXXXXXXXXXX XXX XXXXXXXXX XXXXX XXXXXX XX XXXXXXXXXX XXX XXXXXXXXX XXXXXXX XXXXXX.

                                    -

                                    XX XXX XXX-XXXXXXXXXX XX XXXXX XX X XXXXXX XX XXX XXXXXX, XXXXXXXX XXXXXX:

                                    +

                                    Managers should identify how to review that information security requirements defined in policies, standards and other applicable regulations are met. Automatic measurement and reporting tools should be considered for efficient regular review.

                                    +

                                    If any non-compliance is found as a result of the review, managers should:

                                      -
                                    1. XXXXXXXX XXX XXXXXX XX XXX XXX-XXXXXXXXXX;
                                    2. -
                                    3. XXXXXXXX XXX XXXX XXX XXXXXXX XX XXXXXXX XXXXXXXXXX;
                                    4. -
                                    5. XXXXXXXXX XXXXXXXXXXX XXXXXXXXXX XXXXXX;
                                    6. -
                                    7. XXXXXX XXX XXXXXXXXXX XXXXXX XXXXX XX XXXXXX XXX XXXXXXXXXXXXX XXX XXXXXXXX XXX XXXXXXXXXXXX XX XXXXXXXXXX.
                                    8. +
                                    9. identify the causes of the non-compliance;
                                    10. +
                                    11. evaluate the need for actions to achieve compliance;
                                    12. +
                                    13. implement appropriate corrective action;
                                    14. +
                                    15. review the corrective action taken to verify its effectiveness and identify any deficiencies or weaknesses.
                                    -

                                    XXXXXXX XX XXXXXXX XXX XXXXXXXXXX XXXXXXX XXXXXXX XXX XX XXXXXXXX XXXXXX XX XXXXXXXX XXX XXXXX XXXXXXX XXXXXX XX XXXXXXXXXX. XXXXXXXX XXXXXX XXXXXX XXX XXXXXXX XX XXX XXXXXXX XXXXXXXX XXX XXXXXXXXXXX XXXXXXX (XXX 18.2.1) XXXX XX XXXXXXXXXXX XXXXXX XXXXX XXXXX XX XXX XXXX XX XXXXX XXXXXXXXXXXXXX.

                                    +

                                    Results of reviews and corrective actions carried out by managers should be recorded and these records should be maintained. Managers should report the results to the persons carrying out independent reviews (see 18.2.1) when an independent review takes place in the area of their responsibility.

                                    -

                                    XXXXXXXXXXX XXXXXXXXXX XX XXXXXX XXX XX XXXXXXX XX 12.4.

                                    +

                                    Operational monitoring of system use is covered in 12.4.

                                    Technical compliance review 18.2.3 -

                                    XXXXXXXXXXX XXXXXXX XXXXXX XX XXXXXXXXX XXXXXXXX XXX XXXXXXXXXX XXXX XXX XXXXXXXXXXXX’X XXXXXXXXXXX XXXXXXXX XXXXXXXX XXX XXXXXXXXX.

                                    +

                                    Information systems should be regularly reviewed for compliance with the organization’s information security policies and standards.

                                    -

                                    XXXXXXXXX XXXXXXXXXX XXXXXX XX XXXXXXXX XXXXXXXXXX XXXX XXX XXXXXXXXXX XX XXXXXXXXX XXXXX, XXXXX XXXXXXXX XXXXXXXXX XXXXXXX XXX XXXXXXXXXX XXXXXXXXXXXXXX XX X XXXXXXXXX XXXXXXXXXX. XXXXXXXXXXXXX, XXXXXX XXXXXXX (XXXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXX, XX XXXXXXXXX) XX XX XXXXXXXXXXX XXXXXX XXXXXXXX XXXXX XX XXXXXXXXX.

                                    -

                                    XX XXXXXXXXXXX XXXXX XX XXXXXXXXXXXXX XXXXXXXXXXX XXX XXXX, XXXXXXX XXXXXX XX XXXXXXXXX XX XXXX XXXXXXXXXX XXXXX XXXX XX X XXXXXXXXXX XX XXX XXXXXXXX XX XXX XXXXXX. XXXX XXXXX XXXXXX XX XXXXXXX, XXXXXXXXXX XXX XXXXXXXXXX.

                                    -

                                    XXX XXXXXXXXX XXXXXXXXXX XXXXXX XXXXXX XXXX XX XXXXXXX XXX XX XXXXXXXXX, XXXXXXXXXX XXXXXXX XX XXXXX XXX XXXXXXXXXXX XX XXXX XXXXXXX.

                                    +

                                    Technical compliance should be reviewed preferably with the assistance of automated tools, which generate technical reports for subsequent interpretation by a technical specialist. Alternatively, manual reviews (supported by appropriate software tools, if necessary) by an experienced system engineer could be performed.

                                    +

                                    If penetration tests or vulnerability assessments are used, caution should be exercised as such activities could lead to a compromise of the security of the system. Such tests should be planned, documented and repeatable.

                                    +

                                    Any technical compliance review should only be carried out by competent, authorized persons or under the supervision of such persons.

                                    -

                                    XXXXXXXXX XXXXXXXXXX XXXXXXX XXXXXXX XXX XXXXXXXXXXX XX XXXXXXXXXXX XXXXXXX XX XXXXXX XXXX XXXXXXXX XXX XXXXXXXX XXXXXXXX XXXX XXXX XXXXXXXXX XXXXXXXXXXX. XXXX XXXX XX XXXXXXXXXX XXXXXX XXXXXXXX XXXXXXXXXX XXXXXXXXX XXXXXXXXX.

                                    -

                                    XXXXXXXXXX XXXXXXX XXXX XXXXX, XXX XXXXXXX, XXXXXXXXXXX XXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXXX, XXXXX XXXXX XX XXXXXXX XXX XX XXXXXXXXXXX XXXXXXX XXXXXXXXXXXX XXXXXXXXXX XXX XXXX XXXXXXX. XXXX XXX XX XXXXXX XX XXXXXXXXX XXXXXXXXXXXXXXX XX XXX XXXXXX XXX XXX XXXXXXXXXX XXX XXXXXXXXX XXX XXXXXXXX XXX XX XXXXXXXXXX XXXXXXXXXXXX XXXXXX XXX XX XXXXX XXXXXXXXXXXXXXX.

                                    -

                                    XXXXXXXXXXX XXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXXX XXXXXXX X XXXXXXXX XX X XXXXXX XX X XXXXXXXX XXXXX XX X XXXXXXXX XXXX. XXX XXXXXXXX XX XXXXXXX XX XXXXX XXXXXXXX XX XXX XXXXXX XXXXXXXX XXXXXX XXXXXX XXX XXXXXXXXXXX XXXXXXX(X). XXXXXXXXXXX XXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXXX XXX XXX X XXXXXXXXXX XXX XXXX XXXXXXXXXX.

                                    -

                                    XXX/XXX XX XXXXX[13] XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXXX XXXXXXXXX XXXXXXXXXX XXXXXXX.

                                    +

                                    Technical compliance reviews involve the examination of operational systems to ensure that hardware and software controls have been correctly implemented. This type of compliance review requires specialist technical expertise.

                                    +

                                    Compliance reviews also cover, for example, penetration testing and vulnerability assessments, which might be carried out by independent experts specifically contracted for this purpose. This can be useful in detecting vulnerabilities in the system and for inspecting how effective the controls are in preventing unauthorized access due to these vulnerabilities.

                                    +

                                    Penetration testing and vulnerability assessments provide a snapshot of a system in a specific state at a specific time. The snapshot is limited to those portions of the system actually tested during the penetration attempt(s). Penetration testing and vulnerability assessments are not a substitute for risk assessment.

                                    +

                                    ISO/IEC TR 27008[13] provides specific guidance regarding technical compliance reviews.

                                    - ISO/IEC Directives, Part 2[X] XXX/XXX XXXXXXXXXX, XXXX X + ISO/IEC Directives, Part 2[1] ISO/IEC Directives, Part 2 - ISO/IEC 11770-1, Information technology Security techniques — Key management — Part 1: Framework[X] XXX/XXX XXXXX-X, XXXXXXXXXXX XXXXXXXXXX XXXXXXXX XXXXXXXXXX — XXX XXXXXXXXXX — XXXX X: XXXXXXXXX + ISO/IEC 11770-1, Information technology Security techniques — Key management — Part 1: Framework[2] ISO/IEC 11770-1, Information technology Security techniques — Key management — Part 1: Framework - ISO/IEC 11770-2, Information technology — Security techniques — Key management — Part 2: Mechanisms using symmetric techniques[X] XXX/XXX XXXXX-X, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXX XXXXXXXXXX — XXXX X: XXXXXXXXXX XXXXX XXXXXXXXX XXXXXXXXXX + ISO/IEC 11770-2, Information technology — Security techniques — Key management — Part 2: Mechanisms using symmetric techniques[3] ISO/IEC 11770-2, Information technology — Security techniques — Key management — Part 2: Mechanisms using symmetric techniques - ISO/IEC 11770-3, Information technology — Security techniques — Key management — Part 3: Mechanisms using asymmetric techniques[X] XXX/XXX XXXXX-X, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXX XXXXXXXXXX — XXXX X: XXXXXXXXXX XXXXX XXXXXXXXXX XXXXXXXXXX + ISO/IEC 11770-3, Information technology — Security techniques — Key management — Part 3: Mechanisms using asymmetric techniques[4] ISO/IEC 11770-3, Information technology — Security techniques — Key management — Part 3: Mechanisms using asymmetric techniques - ISO 15489-1, Information and documentation — Records management — Part 1: General[X] XXX XXXXX-X, XXXXXXXXXXX XXX XXXXXXXXXXXXX — XXXXXXX XXXXXXXXXX — XXXX X: XXXXXXX + ISO 15489-1, Information and documentation — Records management — Part 1: General[5] ISO 15489-1, Information and documentation — Records management — Part 1: General - ISO/IEC 20000-1, Information technology — Service management — Part 
1: Service management system requirements[X] XXX/XXX XXXXX-X, XXXXXXXXXXX XXXXXXXXXX — XXXXXXX XXXXXXXXXX — XXXX X: XXXXXXX XXXXXXXXXX XXXXXX XXXXXXXXXXXX + ISO/IEC 20000-1, Information technology — Service management — Part 1: Service management system requirements[6] ISO/IEC 20000-1, Information technology — Service management — Part 1: Service management system requirements - ISO/IEC 20000-2,1Information technology — Service management — Part 2: Guidance on the application of service management systems[X] XXX/XXX XXXXX-X,1XXXXXXXXXXX XXXXXXXXXX — XXXXXXX XXXXXXXXXX — XXXX X: XXXXXXXX XX XXX XXXXXXXXXXX XX XXXXXXX XXXXXXXXXX XXXXXXX + ISO/IEC 20000-2,1Information technology — Service management — Part 2: Guidance on the application of service management systems[7] ISO/IEC 20000-2,1Information technology — Service management — Part 2: Guidance on the application of service management systems - ISO 22301, Societal security — Business continuity management systems — Requirements[X] XXX XXXXX, XXXXXXXX XXXXXXXX — XXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXXX — XXXXXXXXXXXX + ISO 22301, Societal security — Business continuity management systems — Requirements[8] ISO 22301, Societal security — Business continuity management systems — Requirements - ISO 22313, Societal security — Business continuity management systems — Guidance[X] XXX XXXXX, XXXXXXXX XXXXXXXX — XXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXXX — XXXXXXXX + ISO 22313, Societal security — Business continuity management systems — Guidance[9] ISO 22313, Societal security — Business continuity management systems — Guidance - ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements[XX] XXX/XXX XXXXX, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXX — XXXXXXXXXXXX + ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements[10] ISO/IEC 27001, Information technology — 
Security techniques — Information security management systems — Requirements - ISO/IEC 27005, Information technology — Security techniques — Information security risk management[XX] XXX/XXX XXXXX, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXXXXXX XXXXXXXX XXXX XXXXXXXXXX + ISO/IEC 27005, Information technology — Security techniques — Information security risk management[11] ISO/IEC 27005, Information technology — Security techniques — Information security risk management - ISO/IEC 27007, Information technology — Security techniques — Guidelines for information security management systems auditing[XX] XXX/XXX XXXXX, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXXXXX XXX XXXXXXXXXXX XXXXXXXX XXXXXXXXXX XXXXXXX XXXXXXXX + ISO/IEC 27007, Information technology — Security techniques — Guidelines for information security management systems auditing[12] ISO/IEC 27007, Information technology — Security techniques — Guidelines for information security management systems auditing - ISO/IEC TR 27008, Information technology — Security techniques — Guidelines for auditors on information security controls[XX] XXX/XXX XX XXXXX, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXXXXX XXX XXXXXXXX XX XXXXXXXXXXX XXXXXXXX XXXXXXXX + ISO/IEC TR 27008, Information technology — Security techniques — Guidelines for auditors on information security controls[13] ISO/IEC TR 27008, Information technology — Security techniques — Guidelines for auditors on information security controls - ISO/IEC 27031, Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity[XX] XXX/XXX XXXXX, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXXXXX XXX XXXXXXXXXXX XXX XXXXXXXXXXXXX XXXXXXXXXX XXXXXXXXX XXX XXXXXXXX XXXXXXXXXX + ISO/IEC 27031, Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity[14] ISO/IEC 27031, Information 
technology — Security techniques — Guidelines for information and communication technology readiness for business continuity - ISO/IEC 27033-1, Information technology — Security techniques — Network security — Part 1: Overview and concepts[XX] XXX/XXX XXXXX-X, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXX XXXXXXXX — XXXX X: XXXXXXXX XXX XXXXXXXX + ISO/IEC 27033-1, Information technology — Security techniques — Network security — Part 1: Overview and concepts[15] ISO/IEC 27033-1, Information technology — Security techniques — Network security — Part 1: Overview and concepts - ISO/IEC 27033-2, Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security[XX] XXX/XXX XXXXX-X, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXX XXXXXXXX — XXXX X: XXXXXXXXXX XXX XXX XXXXXX XXX XXXXXXXXXXXXXX XX XXXXXXX XXXXXXXX + ISO/IEC 27033-2, Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security[16] ISO/IEC 27033-2, Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security - ISO/IEC 27033-3, Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — Threats, design techniques and control issues[XX] XXX/XXX XXXXX-X, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXX XXXXXXXX — XXXX X: XXXXXXXXX XXXXXXXXXX XXXXXXXXX — XXXXXXX, XXXXXX XXXXXXXXXX XXX XXXXXXX XXXXXX + ISO/IEC 27033-3, Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — Threats, design techniques and control issues[17] ISO/IEC 27033-3, Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — Threats, design techniques and control issues - ISO/IEC 27033-4, Information technology — Security techniques — Network security 
— Part 4: Securing communications between networks using security gateways[XX] XXX/XXX XXXXX-X, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXX XXXXXXXX — XXXX X: XXXXXXXX XXXXXXXXXXXXXX XXXXXXX XXXXXXXX XXXXX XXXXXXXX XXXXXXXX + ISO/IEC 27033-4, Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways[18] ISO/IEC 27033-4, Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways - ISO/IEC 27033-5, Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Network (VPNs)[XX] XXX/XXX XXXXX-X, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXX XXXXXXXX — XXXX X: XXXXXXXX XXXXXXXXXXXXXX XXXXXX XXXXXXXX XXXXX XXXXXXX XXXXXXX XXXXXXX (XXXX) + ISO/IEC 27033-5, Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Network (VPNs)[19] ISO/IEC 27033-5, Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Network (VPNs) - ISO/IEC 27035, Information technology — Security techniques — Information security incident management[XX] XXX/XXX XXXXX, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXXXX + ISO/IEC 27035, Information technology — Security techniques — Information security incident management[20] ISO/IEC 27035, Information technology — Security techniques — Information security incident management - ISO/IEC 27036-1, Information technology — Security techniques — Information security for supplier relationships — Part 1: Overview and concepts[XX] XXX/XXX XXXXX-X, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXXXXXX XXXXXXXX XXX XXXXXXXX XXXXXXXXXXXXX — XXXX X: XXXXXXXX XXX XXXXXXXX + ISO/IEC 27036-1, Information technology — 
Security techniques — Information security for supplier relationships — Part 1: Overview and concepts[21] ISO/IEC 27036-1, Information technology — Security techniques — Information security for supplier relationships — Part 1: Overview and concepts - ISO/IEC 27036-2, Information technology — Security techniques — Information security for supplier relationships — Part 2: Common requirements[XX] XXX/XXX XXXXX-X, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXXXXXX XXXXXXXX XXX XXXXXXXX XXXXXXXXXXXXX — XXXX X: XXXXXX XXXXXXXXXXXX + ISO/IEC 27036-2, Information technology — Security techniques — Information security for supplier relationships — Part 2: Common requirements[22] ISO/IEC 27036-2, Information technology — Security techniques — Information security for supplier relationships — Part 2: Common requirements - ISO/IEC 27036-3, Information technology — Security techniques — Information security for supplier relationships — Part 3: Guidelines for ICT supply chain security[XX] XXX/XXX XXXXX-X, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXXXXXX XXXXXXXX XXX XXXXXXXX XXXXXXXXXXXXX — XXXX X: XXXXXXXXXX XXX XXX XXXXXX XXXXX XXXXXXXX + ISO/IEC 27036-3, Information technology — Security techniques — Information security for supplier relationships — Part 3: Guidelines for ICT supply chain security[23] ISO/IEC 27036-3, Information technology — Security techniques — Information security for supplier relationships — Part 3: Guidelines for ICT supply chain security - ISO/IEC 27037, Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence[XX] XXX/XXX XXXXX, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXXXXX XXX XXXXXXXXXXXXXX, XXXXXXXXXX, XXXXXXXXXXX XXX XXXXXXXXXXXX XX XXXXXXX XXXXXXXX + ISO/IEC 27037, Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence[24] ISO/IEC 27037, Information 
technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence - ISO/IEC 29100, Information technology — Security techniques — Privacy framework[XX] XXX/XXX XXXXX, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXX XXXXXXXXX + ISO/IEC 29100, Information technology — Security techniques — Privacy framework[25] ISO/IEC 29100, Information technology — Security techniques — Privacy framework - ISO/IEC 29101, Information technology — Security techniques — Privacy architecture framework[XX] XXX/XXX XXXXX, XXXXXXXXXXX XXXXXXXXXX — XXXXXXXX XXXXXXXXXX — XXXXXXX XXXXXXXXXXXX XXXXXXXXX + ISO/IEC 29101, Information technology — Security techniques — Privacy architecture framework[26] ISO/IEC 29101, Information technology — Security techniques — Privacy architecture framework - ISO 31000, Risk management — Principles and guidelines[XX] XXX XXXXX, XXXX XXXXXXXXXX — XXXXXXXXXX XXX XXXXXXXXXX + ISO 31000, Risk management — Principles and guidelines[27] ISO 31000, Risk management — Principles and guidelines - 1) ISO/IEC 20000-2:2005 has been cancelled and replaced by ISO/IEC 20000-2:2012, Information technology — Service management — Part 2: Guidance on the application of service management systems.1) XXX/XXX XXXXX-X:XXXX XXX XXXX XXXXXXXXX XXX XXXXXXXX XX XXX/XXX XXXXX-X:XXXX, XXXXXXXXXXX XXXXXXXXXX — XXXXXXX XXXXXXXXXX — XXXX X: XXXXXXXX XX XXX XXXXXXXXXXX XX XXXXXXX XXXXXXXXXX XXXXXXX. + 1) ISO/IEC 20000-2:2005 has been cancelled and replaced by ISO/IEC 20000-2:2012, Information technology — Service management — Part 2: Guidance on the application of service management systems.1) ISO/IEC 20000-2:2005 has been cancelled and replaced by ISO/IEC 20000-2:2012, Information technology — Service management — Part 2: Guidance on the application of service management systems. diff --git a/working/JSON-mapping/acquire-JSON.xpl b/working/JSON-mapping/acquire-JSON.xpl new file mode 100644 index 0000000000..c6026136df 
--- /dev/null +++ b/working/JSON-mapping/acquire-JSON.xpl @@ -0,0 +1,165 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/working/JSON-mapping/analysis.xsl b/working/JSON-mapping/analysis.xsl new file mode 100644 index 0000000000..ed57e3dc35 --- /dev/null +++ b/working/JSON-mapping/analysis.xsl @@ -0,0 +1,33 @@ + + + + + + + + + + + +

                                    Source file

                                    +
                                    + +
                                    +

                                    + +

                                    +

                                    Counting

                                    +

                                    +
                                    +
                                    + + +
                                    + +
                                    \ No newline at end of file diff --git a/working/JSON-mapping/docker-ee-opencontrol-moderate-ato-oscal-ENRICHED-FedRAMP.xml b/working/JSON-mapping/docker-ee-opencontrol-moderate-ato-oscal-ENRICHED-FedRAMP.xml new file mode 100644 index 0000000000..bf31481eb2 --- /dev/null +++ b/working/JSON-mapping/docker-ee-opencontrol-moderate-ato-oscal-ENRICHED-FedRAMP.xml @@ -0,0 +1,7849 @@ + + Moderate SSP for Docker Enterprise Edition Deployment ATO +

                                    Moderate SSP for Docker Enterprise Edition Deployment ATO

                                    + securitylead@agency.gov + + NIST SP800-53 rev 4 + + + + Access Control Policy for [Agency_Here] +

                                    +

                                    + + ACCESS CONTROL POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + ACCOUNT MANAGEMENT +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DISABLE INACTIVE ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS ENFORCEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION OF DUTIES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LEAST PRIVILEGE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHORIZE ACCESS TO SECURITY FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDITING USE OF PRIVILEGED FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + UNSUCCESSFUL LOGON ATTEMPTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM USE NOTIFICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONCURRENT SESSION CONTROL +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION LOCK +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PATTERN-HIDING DISPLAYS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION TERMINATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOTE ACCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIVILEGED COMMANDS / ACCESS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHENTICATION AND ENCRYPTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + WIRELESS ACCESS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FULL DEVICE / CONTAINER-BASED ENCRYPTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR MOBILE DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PORTABLE STORAGE DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LIMITS ON AUTHORIZED USE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SHARING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PUBLICLY ACCESSIBLE CONTENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Awareness Training Policy for [Agency_Here] +

                                    +

                                    + + ROLE-BASED SECURITY TRAINING +

                                    [Agency's control implementation here] +

                                    + none + + + SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY AWARENESS TRAINING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSIDER THREAT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY TRAINING RECORDS +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Audit and Accountability Policy for [Agency_Here] +

                                    +

                                    + + AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + complete + + + AUDIT EVENTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + complete +
                                    + + REVIEWS AND UPDATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT STORAGE CAPACITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT REVIEW, ANALYSIS, AND REPORTING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROCESS INTEGRATION +

                                    [Agency's control implementation here] +

                                    +
                                    + + CORRELATE AUDIT REPOSITORIES +

                                    [Agency's control implementation here] +

                                    +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC PROCESSING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TIME STAMPS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS BY SUBSET OF PRIVILEGED USERS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT RECORD RETENTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT GENERATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Assessment and Authorization Policy for [Agency_Here] +

                                    +

                                    + + SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ASSESSMENTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDEPENDENT ASSESSORS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM INTERCONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PLAN OF ACTION AND MILESTONES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY AUTHORIZATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINUOUS MONITORING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDEPENDENT ASSESSMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PENETRATION TESTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTERNAL SYSTEM CONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Configuration Management Policy for [Agency_Here] +

                                    +

                                    + + CONFIGURATION MANAGEMENT POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + BASELINE CONFIGURATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REVIEWS AND UPDATES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RETENTION OF PREVIOUS CONFIGURATIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURATION CHANGE CONTROL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURATION SETTINGS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM COMPONENT INVENTORY +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Contingency Planning Policy for [Agency_Here] +

                                    +

                                    + + CONTINGENCY PLANNING POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + CONTINGENCY PLAN +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATE WITH RELATED PLANS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFY CRITICAL ASSETS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINGENCY TRAINING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINGENCY PLAN TESTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATE WITH RELATED PLANS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE STORAGE SITE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION FROM PRIMARY SITE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESSIBILITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE PROCESSING SITE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION FROM PRIMARY SITE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESSIBILITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIORITY OF SERVICE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TELECOMMUNICATIONS SERVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIORITY OF SERVICE PROVISIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM BACKUP +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TESTING FOR RELIABILITY / INTEGRITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM RECOVERY AND RECONSTITUTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TRANSACTION RECOVERY +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Docker Security Scanning (DSS) +

                                    +

                                    + + UPDATE TOOL CAPABILITY +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning (DSS) component of Docker +Trusted Registry (DTR) that is included with the Docker Enterprise +Edition Advanced tier can be used to scan Docker images for +vulnerabilities against known vulnerability databases. Scans can be +triggered either manually or when Docker images are pushed to DTR.' +

                                    + service provider hybrid + complete + + + UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning component of Docker Trusted +Registry (DTR) that is included with the Docker Enterprise Edition +Advanced tier compiles a bill of materials (BOM) for each Docker image +that it scans. DSS is also synchronized to an aggregate listing of +known vulnerabilities that is compiled from both the MITRE and NVD CVE +databases. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Image_Scanning' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning component of Docker Trusted +Registry (DTR) that is included with the Docker Enterprise Edition +Advanced tier identifies vulnerabilities in a Docker image and marks +them against predefined criticality levels; critical major and minor.' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED ACCESS +

                                    'Only the appropriate users that the organization has provided Docker +Trusted Registry access to are able to view and interpret +vulnerability scan results.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'For each Docker image pushed to Docker Trusted Registry at a given +time, Docker Security Scaninng retains a list of vulnerabilities +detected. The DTR API can be queried to retrieve the vulnerability +scan results over a period of time for a given Docker image such that +the results can be compared per the requirements of this control.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Security Scanning maintains a historical bill-of-materials +(BOM) for all Docker images that are scanned. Results of previous +vulnerability scans can be reviewed and audited per the requirements +of this control.' +

                                    + service provider hybrid + complete +
                                    + + + DSS Documentation +

                                    + https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/ + + + + Docker Trusted Registry (DTR) +

                                    +

                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation for managing users and teams can +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-teams/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT +

                                    'One can control which users and teams can create and manipulate +Docker Trusted Registry resources. By default, no one can make changes +to the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + Docker EE system + complete +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + shared + complete +
                                    + + +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + service provider hybrid + complete +
                                    + + SEPARATION OF DUTIES +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Docker Trusted Registry resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + service provider hybrid + complete +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS +

                                    'One can control which users and teams can create and manipulate +Docker Trusted Registry resources and prevent non-privileged users +from executing privileged functions per the requirements of this +control. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation for the configuration of this +functionality can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/' +

                                    + Docker EE system + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    'To help the organization meet the requirements of this control, a +review of actions allowed by unauthenticated users can be performed +within Docker Trusted Registry.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS +

                                    'To help the organization meet the requirements of this control, +Docker Trusted Registry can be configured to allow/prohibit remote +access.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Docker Trusted Registry logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2. This is included at both the +HTTPS application layer for access to the DTR user interface and for +command-line based connections to the registry. In addition to this, +all communication to DTR is enforced by way of two-way mutual TLS +authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Docker Trusted Registry replicas is routed through +managed network access control points.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Built-in firewall technology in Docker Trusted Registry's underlying +operating system can be used to force the disconnection of remote +connections to the host. In addition, UCP slave nodes running Docker +Trusted Registry replicas can be paused or drained, which subsequently +stops sessions to the DTR replica.' +

                                    + service provider hybrid + configured by customer + complete +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Docker Trusted Registry.' +

                                    + service provider hybrid + complete +
                                    + + LIMITS ON AUTHORIZED USE +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Docker Trusted Registry.' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION SHARING +

                                    'To help the organization meet the requirements of this control, one +can validate the assigned roles and access levels within Docker +Trusted Registry to control information sharing.' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT EVENTS +

                                    'All of the event types indicated by this control are logged by a +combination of the backend ucp-controller service within Universal +Control Plane and the backend services that make up Docker Trusted +Registry. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/#dtr-internal-components +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/#ucp-internal-components' +

                                    + service provider corporate + Docker EE system + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Docker Trusted Registry generates all of the audit record information +indicated by this control. A sample audit event has been provided +below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to interpolate the information +defined by this control from the logged audit records. Additional +information can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to interpolate the information +defined by this control from the logged audit records. Additional +information can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to alert individuals in +the event of log processing failures. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to warn the organization +when the allocated log storage is full. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to warn the organization +when audit log failures occur. Additional information can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +organization can subsequently centrally review and analyze all of the +Docker EE audit records. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to facilitate the audit +reduction and report generation requirements of this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'The underlying operating system chosen to support Docker Trusted +Registry should be certified to ensure that logs are not altered +during generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared +
                                    + + AUTOMATIC PROCESSING +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to parse information by +organization-defined audit fields. Additional information can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS +

                                    'Docker Trusted Registry uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock compares itself with +an authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock synchronizes itself to +an authoritative time source as defined by part (a) of this control +any time the time difference exceeds that of the organization-defined +time period. This can be accomplished by utilizing the Network Time +Protocol (NTP). Refer to the operating system's instructions for doing +so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    'By default, Docker Trusted Registry is configured to use the +underlying logging capabilities of Docker Enterprise Edition. As such, +on the underlying Linux operating system, only root and sudo users and +users that have been added to the ''docker'' group have the ability to +access the logs generated by UCP backend service containers. In +addition, only UCP Administrator users can change the logging endpoint +of the system should it be decided that logs be sent to a remote +logging stack. In this case, the organization is responsible for +configuring the remote logging stack per the provisions of this +control.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +back up audit records per the schedule defined by this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +meet the encryption mechanisms required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + AUDIT RECORD RETENTION +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Docker Trusted +Registry resides as an Application on a Universal Control Plane +cluster, and as such, can be configured to send logs to a remote +logging stack. This logging stack can subsequently be configured to +retain logs for the duration required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider corporate + Docker EE system + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION +

                                    'All of the event types indicated by AU-2 a. are logged by a +combination of the backend services within Universal Control Plane and +Docker Trusted Registry. The underlying Linux operating system +supporting DTR can be configured to audit Docker-specific events with +the auditd daemon. Refer to the specific Linux distribution in use for +instructions on configuring this service. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/' +

                                    +

                                    'Using auditd on the Linux operating system supporting DTR, the +organization can configure audit rules to select which Docker-specific +events are to be audited. Refer to the specific Linux distribution in +use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and as such, can be configured to send logs to +a remote logging stack. This logging stack can subsequently be used to +compile audit records in to a system-wide audit trail that is +time-correlated per the requirements of this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and as such, can be configured to send logs to +a remote logging stack. This logging stack can subsequently be used to +meet the requirements of this control. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + +

                                    'Role-based access control can be configured within Docker Trusted +Registry to meet the requirements of this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Docker Content Trust is a capability provided by Docker Enterprise +Edition that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. All Docker Trusted +Registry Docker images are officially signed and verified by Docker, +Inc. + +When installing Docker Trusted Registry, you should enable Docker +Content Trust and subsequently pull the the signed DTR image tag. +Additional information can be found at teh following resources: + +- https://docs.docker.com/engine/security/trust/content_trust/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/user/manage-images/sign-images/manage-trusted-repositories/' +

                                    + service provide hybrid + shared + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +incorporate the use of an external configuration management system to +meet the requirements of this control. Docker Trusted Registry''s +configuration can also be backed up and stored an appropriate location +per the requirements of this control. Additional documenation can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/' +

                                    + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION +

                                    'The organization can define a list of allowed base Docker images and +make them available via Docker Trusted Registry. The organization can +also prevent users from being able to pull Docker images from +untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +define a list of allowed base Docker images and make them available +via Docker Trusted Registry. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +configure its systems to ensure that only approved Docker images are +stored in Docker Trusted Registry. This can be accomplished by using +Docker Content Trust to sign Docker images which can subsequently be +stored in Docker Trusted Registry.' +

                                    + service provider hybrid + shared + complete +
                                    + + USER-INSTALLED SOFTWARE +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +define a list of allowed base Docker images and make them available +via Docker Trusted Registry. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + +

                                    'The organization can define a list of allowed base Docker images and +make them available via Docker Trusted Registry to meet the +requirements of this contorl. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + TRANSACTION RECOVERY +

                                    'Docker Trusted Registry maintains its cluster state via an internal +key-value store. This, and other DTR transactions can be backed up and +recovered. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#DTR_Backup' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Docker Trusted +Registry requires individual users to be authenticated in order to +gain access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    'Docker Trusted Registry replicas reside on Universal Control Plane +worker nodes. In order for UCP worker nodes to join a Universal +Control Plane cluster, they must be identified and authenticated via a +worker token. Additional Docker Trusted Registry replicas can only be +added after a UCP administrator user has authenticated in to the UCP +cluster and when mutual TLS authentication between the UCP worker and +manager nodes has been established. Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/#step-7-join-replicas-to-the-cluster' +

                                    + Docker EE system + complete +
                                    + + PKI-BASED AUTHENTICATION +

                                    'Docker Trusted Registry includes a Docker volume which holds the root +key material for the DTR root CA that issues certificats. In addition +Universal Control Plane contains two, built-in root certificate +authorities. One CA is used for signing client bundles generated by +users. The other CA is used for TLS communication between UCP cluster +nodes. Should you choose to use certificates signed by an external CA, +in order to successfully authenticate in to the system, those +certificates must include a root CA public certificate, a service +certificate and any intermediate CA public certificates (in addition +to SANs for all addresses used to reach the UCP controller), and a +private key for the server. When adding DTR replicas, the UCP nodes on +which they're installed are authenticated to the cluster via the +appropriate built-in CA.' +

                                    +

                                    'Access to Docker Trusted Registry is only granted when a user has a +valid certificate bundle. This is enforced with the public/private key +pair included with the user's certificate bundle in Universal Control +Plane.' +

                                    +

                                    'Only after a client bundle has been generated or an existing public +key has been added for a particular user is that user able to execute +commands against Docker Trusted Registry. This bundle maps the +authenticated identity to that of the user's profile in Universal +Control Plane.' +

                                    +

                                    'When a client bundle has been generated or an existing public key has +been added for a particular Universal Control Plane user which +subsequently grants that user access to Docker Trusted Registry, it is +attached to that user''s Universal Control Plane profile. Bundles/keys +can be revoked by an Administrator or the user themselves. The +cluster''s internal certificates can also be revoked and updated. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/use-your-own-tls-certificates/' +

                                    + Docker EE system + complete +
                                    + + AUTHENTICATOR FEEDBACK +

                                    'Docker Trusted Registry obscures all feedback of authentication +information during the authentication process. This includes both +authentication via the web UI and the CLI.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION +

                                    'All access to Docker Trusted Registry is protected with Transport +Layer Security (TLS) 1.2 with the AES-GCM cipher. This includes both +SSH access to the individual UCP nodes and CLI-/web-based access to +the UCP management functions with mutual TLS and HTTPS respectively.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) +

                                    'Users managed by Docker Trusted Registry can be grouped per the +requirements of the organization and as defined by this control. This +can include groupings for non-organizational users.' +

                                    + Docker EE system + complete +
                                    + + UPDATE TOOL CAPABILITY +

                                    'The Docker Security Scanning tool allows for the scanning of Docker +images in Docker Trusted Registry against the Common Vulnerabilities +and Exposures (CVE) dictionary.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The Docker Security Scanning tool allows for the scanning of Docker +images in Docker Trusted Registry against the Common Vulnerabilities +and Exposures (CVE).' dictionary. +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Content Trust gives you the ability to verify both the +integrity and the publisher of all the data received from a Docker +Trusted Registry over any channel. It allows operations with a remote +DTR instance to enforce client-side signing and verification of image +tags. It provides for the ability to use digital signatures for data +sent to and receive from remote DTR instances. These signatures allow +client-side verification of the integrity and publisher of specific +image tags. Docker Trusted Registry includes an integrated imaging +signing service.' +

                                    + service provider hybrid + complete +
                                    + + APPLICATION PARTITIONING +

                                    'Docker Trusted Registry is made up of a number of backend services +that provide for both user functionality (including user interface +services) and system management functionality. Each of these services +operates independently of one another. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Docker_Trusted_Registry' +

                                    + Docker EE system + complete +
                                    + + SESSION AUTHENTICITY +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the DTR +user interface and for command-line based connections to the registry. +In addition to this, all communication to DTR is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the DTR +user interface and for command-line based connections to the registry. +In addition to this, all communication to DTR is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING +

                                    'All error messages generated via the configured logging mechanism of +Docker Trusted Registry are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + + Docker Trusted Registry Documentation +

                                    + https://docs.docker.com/datacenter/dtr/2.3/guides/ + + + + Docker Enterprise Edition Engine +

                                    +

                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition can be configured to aggregate +container and daemon events via a number of logging drivers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/view_container_logs/ +- https://docs.docker.com/engine/admin/logging/overview/ +- https://docs.docker.com/engine/admin/logging/log_tags/' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    'Docker Enterprise Edition can be configured to control the flow of +information that originates from applications running in containers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured to control the flow of +information that originates from applications running in containers +per organization-defined security policy filters. Supporting +documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks + +There are also third-party behavioral activity monitoring tools (e.g. +Sysdig Falco <http://www.sysdig.org/falco/>) that can be used +alongside Docker Enterprise Edition to satisfy this control''s +requirements.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured to separate the flow of +information that originates from applications running in containers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks' +

                                    + service provider hybrid + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    'To help the organization meet the requirements of this control, one +can restrict membership to the 'docker' group on underlying Linux +hosts or the local "Administrators" group (and any other groups +defined within 'daemon.json') on underlying Windows Server 2016 hosts +to only authorized users.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS +

                                    'To help the organization meet the requirements of this control, +Docker Enterprise Edition can be configured to allow/prohibit remote +access to the Engine.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Docker Enterprise Edition logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2. In addition to this, all +communication to Docker Enterprise Edition is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Docker Enterprise Edition is routed through managed +network access control points.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Built-in firewall technology in Docker Enterprise Edition's +underlying operating system can be used to force the disconnection of +remote connections to the host. In addition, Docker Enterprise Edition +provides the option to pause or drain a node in the cluster, which +subsequently stops and/or removes sessions to the node. Individual +services and/or applications running on Docker Enterprise Edition can +also be stopped and/or removed.' +

                                    + service provider hybrid + configured by customer + complete +
                                    + + AUDIT EVENTS +

                                    'Both Universal Control Plane and Docker Trusted Registry backend +service containers, all of which reside on Docker Enterprise Edition, +log all of the event types indicated by this control (as explained by +their component narratives). These and other application containers +that reside on Docker Enterprise Edition can be configured to log data +via an appropriate Docker logging driver. Instructions for configuring +logging drivers can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Both Universal Control Plane and Docker Trusted Registry are +pre-configured to take advantage of Docker Enterprise Edition''s +built-in logging mechanisms. A sample audit event recorded by Docker +Enterprise Edition has been provided below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"} + +Additional documentation can be referenced at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to interpolate the information defined +by this control from the logged audit records. Additional +documentation can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to interpolate the information defined +by this control from the logged audit records. Additional +documentation can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can be used to interpolate the information defined by this +control and also be configured to alert on any audit processing +failures. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be configured to warn the organization when the +allocated log storage is full. Additional information can be found at +the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The +logging stack can subsequently be configured to warn the organization +when audit log failures occur. Additional information can be found at +the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The +organization can subsequently centrally review and analyze all of the +Docker EE audit records. Additional information can be found at the +following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to facilitate the audit reduction and +report generation requirements of this control. Additional information +can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    +

                                    'The underlying operating system chosen to support Docker Enterprise +Edition should be certified to ensure that logs are not altered during +generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared + complete +
                                    + + AUTOMATIC PROCESSING +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be configured to parse information by +organization-defined audit fields. Additional information can be found +at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS +

                                    'Docker Enterprise Edition uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Docker Enterprise Edition +runs should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    'The underlying operating system on which Docker Enterprise Edition runs should +be configured such that its system clock compares itself with an +authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Docker Enterprise Edition +runs should be configured such that its system clock synchronizes +itself to an authoritative time source as defined by part (a) of this +control any time the time difference exceeds that of the +organization-defined time period. This can be accomplished by +utilizing the Network Time Protocol (NTP). Refer to the operating +system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    'On the underlying Linux operating system supporting Docker Enterprise +Edition, only root and sudo users and users that have been added to +the "docker" group have the ability to access the logs generated by +UCP backend service containers. Should the organization decide to +configure Docker Enterprise Edition to use a logging driver other than +the default json-file driver, the organization is subsequently +responsible for configuring the chosen logging stack per the +provisions of this control. In addition, for Linux operating systems +supporting Docker Enterprise Edition that use the systemd daemon, it +is imperative that the Journal is secured per the requirements of this +control. The same applies for Linux operating systems supporting +Docker Enterprise Edition that instead use upstart. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured to use a logging driver +that can subsequently meet the backup requirements of this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured to use a logging driver +that can subsequently meet the encryption mechanisms required by this +control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition includes functionality known as Docker +Content Trust which allows one to cryptographically sign Docker +images. It enforces client-side signing and verification of image tags +and provides the ability to use digital signatures for data sent to +and received from Docker Trusted Registry. This ultimately provides +one with the ability to verify both the integrity and the publisher of +all data received from DTR over any channel. With Docker Content +Trust, an organization can enforce signature verification of all +content and prohibit unsigned and unapproved content from being +manipulated; thus supproting the non-repudiation requirements of this +control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/security/trust/content_trust/' +

                                    + Docker EE system + complete +
                                    + + AUDIT RECORD RETENTION +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Docker Enterprise +Edition can be configured to use a logging driver that stores data in +a location for the duration specified by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION +

                                    'Both Universal Control Plane and Docker Trusted Registry backend +service containers, all of which reside on Docker Enterprise Edition, +log all of the event types indicated by this AU-2 a. These and other +application containers that reside on Docker Enterprise Edition can be +configured to log data via an appropriate Docker logging driver. The +underlying Linux operating system supporting Docker Enterprise Edition +can be configured to audit Docker-specific events with the auditd +daemon. Refer to the specific Linux distribution in use for +instructions on configuring this service. Additional information can +be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    +

                                    'Using auditd on the Linux operating system supporting CS Docker +Engine, the organization can configure audit rules to select which +Docker-specific events are to be audited. Refer to the specific Linux +distribution in use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. This +logging stack can subsequently be used to compile audit records in to +a system-wide audit trail that is time-correlated per the requirements +of this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. This +logging stack can subsequently be used to meet the requirements of +this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONFIGURATION MANAGEMENT POLICY AND PROCEDURES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configuration management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + BASELINE CONFIGURATION +

                                    'The CIS Docker Benchmark can be used as a baseline for securing Docker +Enterprise Edition and for helping the organization meet the +configuration management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + REVIEWS AND UPDATES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. CIS regularly +updates their benchmark to reflect the latest updates in the stable +release of Docker Engine. Various configuration management tools such +as Inspec (http://inspec.io/) can be used to audit Docker Enterprise +Edition system configuration to ensure that the secure baseline +configurations have been applied in an automated fashion. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + RETENTION OF PREVIOUS CONFIGURATIONS +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. CIS regularly +updates their benchmark to reflect the latest updates in the stable +release of Docker Engine. Various configuration management tools such +as Inspec (http://inspec.io/) can be used to audit Docker Enterprise +Edition system configuration to ensure that the secure baseline +configurations have been applied in an automated fashion and can be +rolled back as required by this control. Additional information can be +found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + CONFIGURATION CHANGE CONTROL +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Additional information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Various configuration management tools such as Inspec +(http://inspec.io/) can be used to audit Docker Enterprise Edition +system configuration to ensure that the secure baseline configurations +have been applied in an automated fashion. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Various configuration management tools such as Inspec +(http://inspec.io/) can be used to audit Docker Enterprise Edition +system configuration to ensure that the secure baseline configurations +have been applied in an automated fashion. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +cryptography management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +system change requirements of this control. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Before installing Docker Enterprise Edition, ensure that your +supporting Linux operating system''s packager manager supports package +signature verification and that it is enabled. It is also required +that you import the Docker public key for EE packages so as to +retrieve the validated and signed package from Docker, Inc. Refer to +your Linux OS documentation for instructions on completing the above +steps. + +In addition, Docker Content Trust is a capability provided by Docker +Engine that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. When enabling Docker +Content Trust in Docker Enterprise Edition you can enforce the use of +signed Docker images. Additional information can be found at the +following resources: + +- https://docs.docker.com/engine/security/trust/content_trust/' +

                                    + service provide hybrid + shared + complete +
                                    + + +

                                    'The organization can incorporate the use of an external configuration +management system to meet the requirements of this control.' +

                                    + service provider hybrid + complete +
                                    + + LEAST FUNCTIONALITY +

                                    'To help the organization meet the requirements of this control, the +latest CIS Docker Benchmark can be used as a secure configuration +baseline. Additional information can be found at the following +resources: + +- https://www.cisecurity.org/benchmark/docker/' +

                                    + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION +

                                    'In order to restrict which Docker images can be used to deploy +applications to Docker Enterprise Edition, the organization can define +a list of allowed base Docker images and make them available via +Docker Trusted Registry. The organization can also prevent users from +being able to pull Docker images from untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements and in order to restrict +which Docker images can be used to deploy applications to Docker EE +Engine, the organization must define a list of allowed base Docker +images and make them available via Docker Trusted Registry. The +organization must also prevent users from being able to pull Docker +images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + CONFIGURATION MANAGEMENT PLAN +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configuration management plan requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    'In order for other Docker EE engine nodes to be able to join a +cluster managed by Universal Control Plane, they must be identified +and authenticated via either a manager or worker token. Use of the +token includes trust on first use mutual TLS.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Docker Content Trust gives you the ability to verify both the +integrity and the publisher of all the data received from a Docker +Trusted Registry over any channel. It allows operations with a remote +DTR instance to enforce client-side signing and verification of image +tags. It provides for the ability to use digital signatures for data +sent to and receive from remote DTR instances. These signatures allow +client-side verification of the integrity and publisher of specific +image tags.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition is designed to run application containers +whose content can be completely isolated/segregated from other +application containers within the same node/cluster. This is +accomplished by way of Linux kernel primitives and various security +profiles that can be applied to the underlying host OS. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/security/security/ +- https://docs.docker.com/engine/userguide/networking/overlay-security-model/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Engine_and_Node_Security' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's documentation to ensure it is configured in FIPS mode.' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's documentation to ensure it is configured in FIPS mode.' +

                                    + service provider hybrid + complete +
                                    + + SESSION AUTHENTICITY +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to and between Docker Enterprise +Editions is enforced by way of two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF INFORMATION AT REST +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to/from and between Docker +Enterprise Edition nodes is enforced by way of two-way mutual TLS +authentication. All Swarm Mode manager nodes in a Docker Enterprise +Edition cluster store state metadata and user secrets encrypted at +rest using the AES GCM cipher.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to and between Docker Enterprise +Editions is enforced by way of two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + AUTOMATIC UPDATES +

                                    'Docker Enterprise Edition packages for supported underlying operating +systems can only be obtained from Docker, Inc. The Docker EE +repositories from which Docker EE packages are obtained are protected +with official GPG keys. Each Docker package is also validated with a +signature definition.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING +

                                    'All error messages generated via the logging mechanisms of the Docker +Enterprise Edition engine are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + MEMORY PROTECTION +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's security documentation for information regarding the +protection of memory from unauthorized code execution.' +

                                    + service provider hybrid + complete +
                                    + + + Docker Enterprise Edition Engine Installation Documentation +

                                    + https://docs.docker.com/engine/installation/ + + + + Docker Engine Release Notes +

                                    + https://docs.docker.com/release-notes/ + + + + Configuring and Running Docker on Various Distributions +

                                    + https://docs.docker.com/engine/admin/ + + + + Docker Engine Security +

                                    + https://docs.docker.com/engine/security/security/ + + + + Securing Docker Datacenter and Security Best Practices +

                                    + https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices + + + + Identification and Authentication Policy for [Agency_Here] +

                                    +

                                    + + IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LOCAL ACCESS TO PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOTE ACCESS - SEPARATE DEVICE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF PIV CREDENTIALS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFIER MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHENTICATOR MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PASSWORD-BASED AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PKI-BASED AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + HARDWARE TOKEN-BASED AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF THIRD-PARTY CREDENTIALS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF FICAM-APPROVED PRODUCTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF FICAM-ISSUED PROFILES +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Incident Response for [Agency_Here] +

                                    +

                                    + + INCIDENT RESPONSE POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + INCIDENT RESPONSE TRAINING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE TESTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATION WITH RELATED PLANS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT HANDLING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED INCIDENT HANDLING PROCESSES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT MONITORING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT REPORTING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED REPORTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE ASSISTANCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE PLAN +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SPILLAGE RESPONSE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESPONSIBLE PERSONNEL +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TRAINING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + POST-SPILL OPERATIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXPOSURE TO UNAUTHORIZED PERSONNEL +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System Maintenance Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM MAINTENANCE POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + CONTROLLED MAINTENANCE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MAINTENANCE TOOLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSPECT TOOLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSPECT MEDIA +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NONLOCAL MAINTENANCE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DOCUMENT NONLOCAL MAINTENANCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MAINTENANCE PERSONNEL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TIMELY MAINTENANCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Media Protection Policy for [Agency_Here] +

                                    +

                                    + + MEDIA PROTECTION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + MEDIA ACCESS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA MARKING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA STORAGE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA TRANSPORT +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA SANITIZATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA USE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROHIBIT USE WITHOUT OWNER +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Physical and Environmental Protection Policy for [Agency_Here] +

                                    +

                                    + + PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + PHYSICAL ACCESS AUTHORIZATIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PHYSICAL ACCESS CONTROL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR TRANSMISSION MEDIUM +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR OUTPUT DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MONITORING PHYSICAL ACCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTRUSION ALARMS / SURVEILLANCE EQUIPMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + VISITOR ACCESS RECORDS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + POWER EQUIPMENT AND CABLING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY SHUTOFF +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY POWER +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY LIGHTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FIRE PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC FIRE SUPPRESSION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TEMPERATURE AND HUMIDITY CONTROLS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + WATER DAMAGE PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DELIVERY AND REMOVAL +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE WORK SITE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Planning Policy for [Agency_Here] +

                                    +

                                    + + SECURITY PLANNING POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + INFORMATION SECURITY ARCHITECTURE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Personnel Security Policy for [Agency_Here] +

                                    +

                                    + + PERSONNEL SECURITY POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + POSITION RISK DESIGNATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL SCREENING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL TERMINATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL TRANSFER +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS AGREEMENTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + THIRD-PARTY PERSONNEL SECURITY +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL SANCTIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Risk Assessment Policy for [Agency_Here] +

                                    +

                                    + + RISK ASSESSMENT POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    + none + + + VULNERABILITY SCANNING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System and Services Acquisition Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + ALLOCATION OF RESOURCES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM DEVELOPMENT LIFE CYCLE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACQUISITION PROCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FUNCTIONAL PROPERTIES OF SECURITY CONTROLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF APPROVED PIV PRODUCTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM DOCUMENTATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ENGINEERING PRINCIPLES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXTERNAL INFORMATION SYSTEM SERVICES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DEVELOPER CONFIGURATION MANAGEMENT +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +
                                    + + DEVELOPER SECURITY TESTING AND EVALUATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +
                                    + + +

                                    [Agency's control implementation here] +

                                    +
                                    + + +

                                    [Agency's control implementation here] +

                                    +
                                    + + +

                                    [Agency's control implementation here] +

                                    +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System and Communications Protection Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + APPLICATION PARTITIONING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION IN SHARED RESOURCES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DENIAL OF SERVICE PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESOURCE AVAILABILITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + BOUNDARY PROTECTION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS POINTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXTERNAL TELECOMMUNICATIONS SERVICES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DENY BY DEFAULT / ALLOW BY EXCEPTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PREVENT SPLIT TUNNELING FOR REMOTE DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TRANSMISSION CONFIDENTIALITY AND INTEGRITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK DISCONNECT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COLLABORATIVE COMPUTING DEVICES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PUBLIC KEY INFRASTRUCTURE CERTIFICATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MOBILE CODE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + VOICE OVER INTERNET PROTOCOL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION AUTHENTICITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROTECTION OF INFORMATION AT REST +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROCESS ISOLATION +

                                    [Agency's control implementation here] +

                                    + complete +
                                    +
                                    + + System and Information Integrity Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    + none + + + FLAW REMEDIATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED FLAW REMEDIATION STATUS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MALICIOUS CODE PROTECTION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CENTRAL MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC UPDATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM MONITORING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED TOOLS FOR REAL-TIME ANALYSIS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM-GENERATED ALERTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ALERTS, ADVISORIES, AND DIRECTIVES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY FUNCTION VERIFICATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTEGRITY CHECKS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTEGRATION OF DETECTION AND RESPONSE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SPAM PROTECTION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CENTRAL MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC UPDATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION INPUT VALIDATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ERROR HANDLING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION HANDLING AND RETENTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEMORY PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Universal Control Plane (UCP) +

                                    +

                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation for managing users and teams can +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-teams/' +

                                    + service provider hybrid + complete + + + +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, Universal Control Plane can be configured to send system +account log data to a remote logging service such as an Elasticsearch, +Logstash and Kibana (ELK) stack. Supporting documentation can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-node-messages/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-configurations/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-task-state/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT +

                                    'One can control which users and teams can create and manipulate +Universal Control Plane resources. By default, no one can make changes +to the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/deploy-view-only-service/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/grant-permissions/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-nodes-between-teams/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-volumes-between-teams/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/manage-access-with-collections/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/access-control-node/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + shared + complete +
                                    + + SEPARATION OF DUTIES +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + LEAST PRIVILEGE +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources and employ principles of +least privilege. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + AUTHORIZE ACCESS TO SECURITY FUNCTIONS +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources and explicitly authorize +access as necessary. By default, no one can make changes to the +cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources, including Docker +networking components. By default, no one can make changes to the +cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED ACCOUNTS +

                                    'To assist the organization in meeting the requirements of this +control, one can restrict privileged accounts within Universal Control +Plane to custom-defined roles. By default, no one can make changes to +the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, one can review all implemented grants, accounts and roles +within Universal Control Plane and reassign/revoke privileges as +necessary. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Universal Control Plane users can be assigned to one of a number of +different permission levels. The permission level assigned to a +specific user determines that user''s ability to execute certain +Docker functions within UCP. Only users mapped to either the "Full +Control" or "Admin" roles can execute Docker commands without any +restrictions. Users mapped to either the "View Only" or "No Access" +roles cannot execute any Docker commands. Users assigned to the +"Restricted Control" role can only run Docker commands under their own +purview and cannot see other users UCP resources nor run commands that +required privileged access to the host. Furthermore, custom roles can +be created for fine-grained access to specific UCP resources and +functionality. Additional documentation regarding the various +permission levels within UCP can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS +

                                    'One can control which users and teams can create and manipulate +Universal Control Plane resources and prevent non-privileged users +from executing privileged functions per the requirements of this +control. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation for the configuration of this +functionality can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Universal Control Plane includes a logout capability that allows a +user to terminate his/her current session.' +

                                    + Docker EE system + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    'To help the organization meet the requirements of this control, a +review of actions allowed by unauthenticated users can be performed +within Universal Control Plane.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane can be configured to allow/prohibit remote +access.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Universal Control Plane logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2. This is included at both the +HTTPS application layer for access to the UCP user interface and for +command-line based connections to the cluster. In addition to this, +all communication to UCP is enforced by way of two-way mutual TLS +authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Universal Control Plane managers and worker nodes is +routed through managed network access control points.' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED COMMANDS / ACCESS +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane can be configured to authorize certain +privileged functions via remote access.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Built-in firewall technology in Universal Control Plane's underlying +operating system can be used to force the disconnection of remote +connections to the host. In addition, UCP provides the option to pause +or drain a node in the cluster, which subsequently stops and/or +removes sessions to the node. Individual services and/or applications +running on a UCP cluster can also be stopped and/or removed.' +

                                    + service provider hybrid + configured by customer + complete + partial +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Universal Control +Plane.' +

                                    + service provider hybrid + complete +
                                    + + LIMITS ON AUTHORIZED USE +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Universal Control +Plane.' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION SHARING +

                                    'To help the organization meet the requirements of this control, one +can validate the assigned roles and access levels within Universal +Control Plane to control information sharing.' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT EVENTS +

                                    'All of the event types indicated by this control are logged by the +backend ucp-controller service within Universal Control Plane. In +addition, each container created on a Universal Control Plane cluster +logs event data. Supporting documentation for configuring UCP logging +can be referenced at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Universal Control Plane generates all of the audit record information +indicated by this control. A sample audit event has been provided +below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +interpolate the information defined by this control from the logged +audit records. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +interpolate the information defined by this control from the logged +audit records. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +alert individuals in the event of log processing failures. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider system specific + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +warn the organization when the allocated log storage is full. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +warn the organization when audit log failures occur. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The organization can subsequently centrally review and +analyze all of the Docker EE audit records. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +facilitate the audit reduction and report generation requirements of +this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'The underlying operating system chosen to support Universal Control +Plane should be certified to ensure that logs are not altered during +generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared + complete +
                                    + + AUTOMATIC PROCESSING +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +parse information by organization-defined audit fields. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS +

                                    'Universal Control Plane uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock compares itself with +an authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock synchronizes itself to +an authoritative time source as defined by part (a) of this control +any time the time difference exceeds that of the organization-defined +time period. This can be accomplished by utilizing the Network Time +Protocol (NTP). Refer to the operating system's instructions for doing +so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    'By default, Universal Control Plane is configured to use the +underlying logging capabilities of Docker Enterprise Edition. As such, +on the underlying Linux operating system, only root and sudo users and +users that have been added to the 'docker' group have the ability to +access the logs generated by UCP backend service containers. In +addition, only UCP Administrator users can change the logging endpoint +of the system should it be decided that logs be sent to a remote +logging stack. In this case, the organization is responsible for +configuring the remote logging stack per the provisions of this +control.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +back up audit records per the schedule defined by this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +meet the encryption mechanisms required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + AUDIT RECORD RETENTION +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Universal Control +Plane can be configured to send logs to a remote logging stack. This +logging stack can subsequently be configured retain logs for the +duration required by this control. Additional information can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION +

                                    'All of the event types indicated by AU-2 a. are logged by the backend +ucp-controller service within Universal Control Plane. In addition, +each container created on a Universal Control Plane cluster logs event +data. The underlying Linux operating system supporting UCP can be +configured to audit Docker-specific events with the auditd daemon. +Refer to the specific Linux distribution in use for instructions on +configuring this service. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'Using auditd on the Linux operating system supporting UCP, the +organization can configure audit rules to select which Docker-specific +events are to be audited. Refer to the specific Linux distribution in +use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. This logging stack can subsequently be used to compile +audit records in to a system-wide audit trail that is time-correlated +per the requirements of this control. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. This logging stack can subsequently be used to meet the +requirements of this control. Additional information can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + +

                                    'Role-based access control can be configured within Universal Control +Plane to meet the requirements of this control. Additional information +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Docker Content Trust is a capability provided by Docker Enterprise +Edition that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. All Universal Control +Plane Docker images are officially signed and verified by Docker, Inc. + +When configuring Universal Control Plane, you should enforce +applications to only use Docker images signed by trusted UCP users +within your organization. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provide hybrid + shared + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +incorporate the use of an external configuration management system to +meet the requirements of this control. Universal Control Plane''s +configuration can also be managed, backed up and stored in another +location per the requirements of this control. Additional documentation +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/ucp-configuration-file/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/' +

                                    + service provider hybrid + complete +
                                    + + PERIODIC REVIEW +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane includes a robust access control model to +disable any functionality as mandated by this control.' +

                                    + service provider corporate + Docker EE system + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION +

                                    'In order to restrict which Docker images can be used to deploy +applications to Universal Control Plane, the organization can define a +list of allowed base Docker images and make them available via Docker +Trusted Registry. The organization can also prevent users from being +able to pull Docker images from untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements and in order to restrict +which Docker images can be used to deploy applications to Universal +Control Plane, the organization must define a list of allowed base +Docker images and make them available via Docker Trusted Registry. The +organization must also prevent users from being able to pull Docker +images from untrusted sources.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +configure its systems to ensure that only approved Docker images +stored in Docker Trusted Registry can be run on Universal Control +Plane. This can be accomplished by using Docker Content Trust to sign +Docker images, and configure UCP to enforce only signed images from +specific Teams at runtime. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provider hybrid + shared + complete +
                                    + + TRANSACTION RECOVERY +

                                    'Universal Control Plane maintains its cluster state via an internal +key-value store. This, and other UCP transactions can be backed up and +recovered. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#UCP_Backup' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Universal Control +Plane requires individual users to be authenticated in order to gain +access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    'In order for nodes to join a Universal Control Plane cluster, they +must be identified and authenticated via either a manager or worker +token. Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/scale-your-cluster/' +

                                    + Docker EE system + complete +
                                    + + PKI-BASED AUTHENTICATION +

                                    'Universal Control Plane contains two, built-in root certificate +authorities. One CA is used for signing client bundles generated by +users. The other CA is used for TLS communication between UCP cluster +nodes. Should you choose to use certificates signed by an external CA, +in order to successfully authenticate in to the system, those +certificates must include a root CA public certificate, a service +certificate and any intermediate CA public certificates (in addition +to SANs for all addresses used to reach the UCP controller), and a +private key for the server.' +

                                    +

                                    'Access to a Universal Control Plane cluster is only granted when a +user has a valid certificate bundle. This is enforced with the +public/private key pair included with the user's certificate bundle.' +

                                    +

                                    'Only after a client bundle has been generated or an existing public +key has been added for a particular user is that user able to execute +commands against the Universal Control Plane cluster. This bundle maps +the authenticated identity to that of the user.' +

                                    +

                                    'When a client bundle has been generated or an existing public key has +been added for a particular Universal Control Plane user, it is +attached to that user''s profile. Bundles/keys can be revoked by an +Administrator or the user themselves. The cluster''s internal +certificates can also be revoked and updated. Additional information +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/' +

                                    + Docker EE system + complete +
                                    + + AUTHENTICATOR FEEDBACK +

                                    'Universal Control Plane obscures all feedback of authentication +information during the authentication process. This includes both +authentication via the web UI and the CLI.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION +

                                    'All access to Universal Control Plane is protected with Transport +Layer Security (TLS) 1.2 with the AES GCM cipher. This includes both +SSH access to the individual UCP nodes and CLI-/web-based access to +the UCP management functions with mutual TLS and HTTPS respectively.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) +

                                    'Users managed by Universal Control Plane can be grouped per the +requirements of the organization and as defined by this control. This +can include groupings for non-organizational users.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, Docker Content Trust gives +you the ability to verify both the integrity and the publisher of all +the data received from a Docker Trusted Registry over any channel. It +allows operations with a remote DTR instance to enforce client-side +signing and verification of image tags. It provides for the ability to +use digital signatures for data sent to and receive from remote DTR +instances. These signatures allow client-side verification of the +integrity and publisher of specific image tags. Universal Control +Plane can be configured to only run trusted and signed images. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provider hybrid + complete +
                                    + + APPLICATION PARTITIONING +

                                    'Universal Control Plane is made up of a number of backend services +that provide for both user functionality (including user interface +services) and system management functionality. Each of these services +operates independently of one another. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Universal_Control_Plane' +

                                    + Docker EE system + complete +
                                    + + SESSION AUTHENTICITY +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the UCP +user interface and for command-line based connections to the cluster. +In addition to this, all communication to UCP is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the UCP +user interface and for command-line based connections to the cluster. +In addition to this, all communication to UCP is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING +

                                    'All error messages generated via the configured logging mechanism of +Universal Control Plane are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + + UCP Documentation +

                                    + https://docs.docker.com/datacenter/ucp/2.2/guides/ + + + + Authentication and Authorization Service (eNZi) +

                                    +

                                    + + ACCESS CONTROL POLICY AND PROCEDURES +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams are allowed to create +and manipulate Docker Enterprise Edition resources. By default, no one +can make changes to the cluster. Permissions can be granted and +managed to enforce fine-grained access control. Supporting +documentation can found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/' +

                                    + service provider hybrid + complete +
                                    + + ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, an external identity management system (such as Microsoft''s +Active Directory or an LDAP endpoint) can be configured as mandated by +this control and can be integrated with Docker Enterprise Edition. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, an external identity management system (such as Microsoft''s +Active Directory or an LDAP endpoint) can be configured as mandated by +this control and can be integrated with Docker Enterprise Edition. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS +

                                    'Using Docker Enterprise Edition''s LDAP integration capabilities, one +can disable and/or remove temporary and emergency accounts in a +connected directory service (such as Active Directory) after an +organization-defined time period. When a user is removed from LDAP, +that user becomes inactive after the LDAP synchronization runs. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + DISABLE INACTIVE ACCOUNTS +

                                    'Using Docker Enterprise Edition''s LDAP integration capabilities, one +can automatically disable inactive accounts in a connected directory +service (such as Active Directory). When a user is removed from LDAP, +that user becomes inactive after the LDAP synchronization runs. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED AUDIT ACTIONS +

                                    'Docker Enterprise Edition logs various authentication and +authorization events to standard log files. One can configure Docker +Enterprise Edition to direct these event logs to a remote logging +service such as an Elasticsearch, Logstash and Kibana (ELK) stack and +subsequently alert on specific event types. When integrating Docker +Enterprise Edition with LDAP, one can refer the the directory +service''s logging mechanisms for auditing the events defined by this +control. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition can be configured to enforce automated +session termination of users after an organization-defined time period +of inactivity. By default, the initial lifetime of a user''s session +is set to 72 hours and the renewal session for a user''s session is +set to 24 hours. These values can both be changed in the "Auth" +section of the "Admin Settings" in Universal Control Plane.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition supports various levels of user +permissions and role-based access control enforcements. Administrator +users have permissions to: manage other Docker Enterprise Edition +users, manage Docker Trusted Registry repositories and settings, and +manage the Universal Control Plane and underlying Docker Swarm Mode +cluster. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, users and/or groups synchronized to Docker Enterprise Edition +via LDAP can be configured at the directory service.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Users and/or groups synchronized to Docker Enterprise Edition via +LDAP can be configured at the directory service to ensure shared/group +account credentials are terminated when members leave the group.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Information system accounts synchronized to Docker Enterprise Edition +via LDAP can be configured at the directory service to meet this +requirement as necessary.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, when Docker Enterprise Edition is configured for LDAP +integration, one can refer to the directory service''s existing +monitoring tools.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, users and/or groups synchronized to Docker Enterprise Edition +via LDAP can be managed at the directory service and disabled if +posing a significant risk.' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT +

                                    'One can control which users and teams can create and manipulate +Docker Enterprise Edition resources. By default, no one can make +changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. The eNZi component facilitates +authorizations as dictated by the system''s administrators. Supporting +documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/' +

                                    + Docker EE system + complete +
                                    + + AUDITING USE OF PRIVILEGED FUNCTIONS +

                                    'Docker Enterprise Edition logs privileged user events to standard log +files. One can configure Docker Enterprise Edition to direct these +event logs to a remote logging service such as an Elasticsearch, +Logstash and Kibana (ELK) stack and subsequently alert on specific +event types. When integrating Docker Enterprise Edition with LDAP, one +can refer the the directory service''s logging mechanisms for auditing +the events defined by this control. Supporting documentation regarding +logging and monitoring can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + complete +
                                    + + UNSUCCESSFUL LOGON ATTEMPTS +

                                    'When Docker Enterprise Edition is integrated to a directory service +via LDAP, one can reference the functionality of the directory service +to configure the enforcement of a limit to the number of conesecutive +invalid logon attempts by a user during a specified time period.' +

                                    +

                                    'When Docker Enterprise Edition is integrated to a directory service +via LDAP, one can reference the functionality of the directory service +to configure he ability to automatically lock/disable an account for a +specified period of time after a consecutive invalid logon attempt +limit is reached.' +

                                    + service provider hybrid + complete +
                                    + + SYSTEM USE NOTIFICATION +

                                    'The feature required to satisfy the requirements of this control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    +

                                    'The feature required to satisfy the requirements of this control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    +

                                    'The feature required to satisfy control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    + Docker EE system + planned +
                                    + + CONCURRENT SESSION CONTROL +

                                    'Docker Enterprise Edition can be configured to limit the number of +concurrent sessions for each account. These options can be found +within the Universal Control Plane Admin Settings under the +"Authentication & Authorization" section. ' +

                                    + Docker EE system + complete +
                                    + + SESSION LOCK +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours).' +

                                    + Docker EE system + complete +
                                    + + PATTERN-HIDING DISPLAYS +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours). Upon the expiration of the configured session thresholds, a +user will be locked out of his/her session per the requirements of +this controls.' +

                                    + Docker EE system + complete +
                                    + + SESSION TERMINATION +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours). Upon the expiration of the configured session thresholds, a +user will be locked out of his/her session.' +

                                    + Docker EE system + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Docker Enterprise Edition logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Docker Enterprise Edition generates all of the audit record +information indicated by this control. A sample audit event has been +provided below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) +

                                    'Docker Enterprise Edition can be configured to identify and +authenticate users via it''s integrated support for LDAP. Users and +groups managed within the organization''s LDAP directory service (e.g. +Active Directory) can be synchronized to UCP and DTR on a regular +interval. When a user is removed from the LDAP-backed directory, that +user becomes inactive within UCP and DTR. In addition, UCP and DTR +teams can be mapped to groups synchronized via LDAP. When a user is +added/removed to/from the LDAP group, that same user is automatically +added/removed to/from the UCP and DTR team. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Docker Enterprise +Edition requires individual users to be authenticated in order to gain +access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT +

                                    'Docker Enterprise Edition integrates with LDAP for authenticating +users to an external directory service. You should configure your +external directory service for ensuring that you are protected against +replay attacks.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Docker Enterprise Edition integrates with LDAP for authenticating +users to an external directory service. You should configure your +external directory service for ensuring that you are protected against +replay attacks.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFIER MANAGEMENT +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to uniquely identify each individual according to +the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + AUTHENTICATOR MANAGEMENT +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to establish initial authenticator content according +to the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to enforce strength requirements for authenticators +according to the requirements of this control. Refer to your directory +service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to distribute, redistribute, and revoke +authenticators according to the requirements of this control. Refer to +your directory service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to change default authenticator content according to +the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to set minimum and maximum lifetime restrictions and +reuse conditions for authenticators according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to refresh authenticators at a regular cadence +according to the requirements of this control. Refer to your directory +service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to protect authenticator content from unauthorized +disclosure or modification according to the requirements of this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to implement specific security safeguards to protect +authentications according to the requirements of this control. Refer +to your directory service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to change authenticators for group or role accounts +when membership to those groups or roles changes according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + PASSWORD-BASED AUTHENTICATION +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce minimum password +complexity requirements. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the requirement to +change at least one character when changing passwords according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to store and transmit +cryptographically protected passwords according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the required minimum and +maximum lifetime restrictions according to the requirements of this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the required number of +generations before password reuse according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the requirement to +change initial/temporary passwords upon first login according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + PKI-BASED AUTHENTICATION +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system validates the certificates per the +requirements of this control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system enforces authorized access to the +corresponding private key per the requirements of this control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system maps the authenticated identity to the +account of the individual or group per the requirements of this +control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, it is up to the underlying operating system +hosting Docker Enterprise Edition to ensure that it implements a local +cache of revocation data per the requirements of this control.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP can be +configured with automation to ensure that password authenticators meet +strength requirements as defined by this control. Refer to your +directory service's documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to protect authenticators as required by this +control. Refer to your directory service's documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + ACCEPTANCE OF THIRD-PARTY CREDENTIALS +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to meet the FICAM requirements as +indicated by this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + USE OF FICAM-APPROVED PRODUCTS +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to meet the FICAM requirements as indicated by this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + USE OF FICAM-ISSUED PROFILES +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to meet the FICAM requirements as indicated by this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition invalidates session identifiers upon user +logout per the requirements of this control.' +

                                    + Docker EE system + complete +
                                    + + + UCP Documentation +

                                    + https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management + + + + + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined account and/or account type + organization-defined account and/or account type + + + organization-defined number + organization-defined number + + + AC-10 + "customer-defined account and/or account type; FedRAMP requirement: +three sessions for privileged access and two sessions for +non-privileged access" + + + + organization-defined time period + organization-defined time period + + + AC-11(a) + "FedRAMP requirement: fifteen minutes" + + + + organization-defined conditions or trigger events requiring session disconnect + organization-defined conditions or trigger events requiring session disconnect + + + AC-12 + "customer-defined conditions or trigger events" + + + + AC-12(1)(a) + "customer-defined information resources" + + + + organization-defined user actions + organization-defined user actions + + + AC-14(a) + "customer-defined user actions" + + + + AC-14(a) + "customer-defined user actions" + + + + AC-14(a) + "customer-defined user actions" + + + + organization-defined number + organization-defined number + + + organization-defined needs + organization-defined needs + + + AC-17(3) + "customer-defined" + + + + AC-17(3) + "customer-defined" + + + + AC-17(3) + "customer-defined" + + + + AC-17(4)(a) + "customer-defined needs" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + organization-defined mobile devices + organization-defined mobile 
devices + + + organization-defined information system account types + organization-defined information system account types + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined procedures or conditions + organization-defined procedures or conditions + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period for each type of account + organization-defined time period for each type of account + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + AC-2(11)-1 + "customer-defined circumstances or usage conditions" + + + + AC-2(11)-2 + "customer-defined accounts" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-2(13) + "one hour" + + + + AC-2(2)-1 + Selection (removes or disables) + + + AC-2(2)-2 + "FedRAMP requirement: no more than 30 days for temporary and emergency +account types" + + + + AC-2(3) + "FedRAMP requirement: thirty-five (35) days for user accounts" + + + + AC-2(4) + "organization and/or service provider system owner" + + + + AC-2(5) + "inactivity is anticipated to exceed fifteen (15) minutes" + + + + AC-2(7)(c) + "FedRAMP assignment: disables/revokes access within an +organization-specified timeframe" + + + + AC-2(9) + "FedRAMP assignment: organization-defined need with justificatino +statement that 
explains why such accounts are necessary" + + + + organization-defined information sharing circumstances where user discretion is required + organization-defined information sharing circumstances where user discretion is required + + + organization-defined automated mechanisms or manual processes + organization-defined automated mechanisms or manual processes + + + AC-21(a) + "customer-defined information sharing circumstances" + + + + AC-21(a) + "customer-defined information sharing circumstances" + + + + AC-21(b) + "customer-defined automated mechanisms or manual processes" + + + + AC-21(b) + "customer-defined automated mechanisms or manual processes" + + + + organization-defined frequency + organization-defined frequency + + + organization-defined information flow control policies + organization-defined information flow control policies + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, 
guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + organization-defined duties of individuals + organization-defined duties of individuals + + + AC-5(a) + "customer-defined duties of individuals" + + + + AC-5(a) + "customer-defined duties of individuals" + + + + organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information + organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information + + + organization-defined security functions or security-relevant information + organization-defined security functions or security-relevant information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + AC-6(1) + "FedRAMP assignment: all functions not publiclly accessible and all +security-relevant information not publicly available" + + + + AC-6(2) + "FedRAMP requirement: all security functions" + + + + AC-6(3)-1 + "privileged commands used to change/configure network devices" + + + + AC-6(3)-2 + "customer-defined operational needs" + + + + AC-6(5) + "customer-defined personnel or roles" + + + + AC-6(7)(a)-1 + "at least annually" + + + + AC-6(7)(a)-2 + "all users" + + + + AC-6(8) + "FedRAMP assignment: any software except software explicitly +documented" + + + + organization-defined number + organization-defined number + + + organization-defined time period + organization-defined time period + + + organization-defined time period + organization-defined time period + + + organization-defined delay algorithm + organization-defined delay algorithm + + + AC-7(a)-1 + "FedRAMP requirement: not 
more than three" + + + + AC-7(a)-2 + "FedRAMP requirement: fifteen minutes" + + + + AC-7(b)-1 + "FedRAMP requirement: locks the account/node for three hours" + + + + AC-7(b)-2 + "customer-defined additional actions" + + + + organization-defined system use notification message or banner + organization-defined system use notification message or banner + + + organization-defined conditions + organization-defined conditions + + + AC-8(a) + "customer-defined system use notification banner" + + + + AC-8(c)(1) + "customer-defined conditions" + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + AU-10 + "actions including the addition, modification, deletion, approval, +sending, or receiving of data" + + + + organization-defined time period consistent with records retention policy + organization-defined time period consistent with records retention policy + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + organization-defined information system components + organization-defined information system components + + + organization-defined personnel or roles + organization-defined personnel or roles + + + AU-12(1)-1 + "all network, data storage, and computing devices" + + + + AU-12(1)-1 + "all network, data storage, and computing devices" + + 
+ + AU-12(1)-1 + "all network, data storage, and computing devices" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + organization-defined auditable events + organization-defined auditable events + + + organization-defined audited events (the subset of the auditable events defined in AU-2 a.) 
along with the frequency of (or situation requiring) auditing for each identified event + organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event + + + organization-defined frequency + organization-defined frequency + + + AU-2(a) + "FedRAMP requirement: successful and unsuccessful account logon +events, account management events, object access, policy change, +privileged functions, process tracking, and system events. For Web +applications: all administrator activity, authentication checks, +authorization checks, data deletions, data access, data changes, and +permission changes" + + + + AU-2(a) + "FedRAMP requirement: successful and unsuccessful account logon +events, account management events, object access, policy change, +privileged functions, process tracking, and system events. For Web +applications: all administrator activity, authentication checks, +authorization checks, data deletions, data access, data changes, and +permission changes" + + + + AU-2(d) + "FedRAMP requirement: organization-defined subset of the auditable +events defined in AU-2-a. to be audited continually for each +identified event" + + + + AU-2(d) + "FedRAMP requirement: organization-defined subset of the auditable +events defined in AU-2-a. 
to be audited continually for each +identified event" + + + + organization-defined additional, more detailed information + organization-defined additional, more detailed information + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + organization-defined audit record storage requirements + organization-defined audit record storage requirements + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) + organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-1 + "appropriate service team 
personnel, customer-defined personnel" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + organization-defined frequency + organization-defined frequency + + + organization-defined inappropriate or unusual activity + organization-defined inappropriate or unusual activity + + + organization-defined 
personnel or roles + organization-defined personnel or roles + + + organization-defined audit fields within audit records + organization-defined audit fields within audit records + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + organization-defined granularity of time measurement + organization-defined granularity of time measurement + + + organization-defined frequency + organization-defined frequency + + + organization-defined authoritative time source + organization-defined authoritative time source + + + organization-defined time period + organization-defined time period + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(b) + "millisecond precision" + + + + organization-defined subset of privileged users + organization-defined subset of privileged users + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + 
organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined individuals or roles + organization-defined individuals or roles + + + organization-defined level of independence + organization-defined level of independence + + + organization-defined frequency + organization-defined frequency + + + organization-defined information systems + organization-defined information systems + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined metrics + organization-defined metrics + + + organization-defined frequencies + organization-defined frequencies + + + organization-defined frequencies + organization-defined frequencies + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined level of independence + organization-defined level of independence + + + organization-defined frequency + organization-defined frequency + + + organization-defined information systems or system components + organization-defined information systems or system components + + + organization-defined information system components or classes of components + organization-defined information system components or classes of components + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + CM-1(a) + "customer-defined personnel or roles" + + + + CM-1(b)(1) + "FedRAMP requirement: at least every 3 years" + + + + CM-1(b)(2) + "FedRAMP requirement: at least annually or whenever a significant +change occurs" + + + + organization-defined policies + organization-defined policies + + + organization-defined methods + organization-defined 
methods + + + organization-defined frequency + organization-defined frequency + + + CM-11(1) + "organization-defined personnel or roles" + + + + CM-11(a) + "customer-defined policies" + + + + CM-11(b) + "customer-defined methods" + + + + CM-11(c) + "FedRAMP requirement: continuously (via CM-7(5))" + + + + organization-defined frequency + organization-defined frequency + + + Assignment organization-defined circumstances + Assignment organization-defined circumstances + + + organization-defined previous versions of baseline configurations of the information system + organization-defined previous versions of baseline configurations of the information system + + + organization-defined information systems, system components, or devices + organization-defined information systems, system components, or devices + + + organization-defined configurations + organization-defined configurations + + + organization-defined security safeguards + organization-defined security safeguards + + + CM-2(1)(a) + "FedRAMP requirement: at least annually or when a significant change +occurs" + + + + CM-2(1)(b) + "FedRAMP requirement: to include when directed by the JAB" + + + + CM-2(3) + "the previously approved baseline configuration of IS components" + + + + organization-defined time period + organization-defined time period + + + organization-defined configuration change control element (e.g., committee, board) + organization-defined configuration change control element (e.g., committee, board) + + + organization-defined frequency + organization-defined frequency + + + organization-defined configuration change conditions + organization-defined configuration change conditions + + + CM-3(1)(b) + "customer-defined authorized approvers" + + + + CM-3(1)(c) + "organization-defined time period" + + + + CM-3(1)(f) + "organization-defined configuration management approval authorities" + + + + CM-3(6) + "all security safeguards that rely on cryptography" + + + + CM-3(e) + "customer-defined time 
period" + + + + CM-3(g)-1 + "FedRAMP requirement: CAB" + + + + CM-3(g)-2 + "customer-defined" + + + + CM-3(g)-3 + "customer-defined" + + + + CM-3(g)-4 + "customer-defined" + + + + CM-5(2)-1 + "every 30 days" + + + + CM-5(2)-2 + "organization-defined circumstance" + + + + CM-5(3) + "customer-defined software" + + + + CM-5(3) + "customer-defined software" + + + + CM-5(3) + "customer-defined software" + + + + organization-defined security configuration checklists + organization-defined security configuration checklists + + + organization-defined information system components + organization-defined information system components + + + organization-defined operational requirements + organization-defined operational requirements + + + CM-6(1) + "customer-defined information system components" + + + + CM-6(1) + "customer-defined information system components" + + + + CM-6(1) + "customer-defined information system components" + + + + organization-defined prohibited or restricted functions, ports, protocols, and/or services + organization-defined prohibited or restricted functions, ports, protocols, and/or services + + + organization-defined frequency + organization-defined frequency + + + organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure + organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure + + + organization-defined policies regarding software program usage and restrictions + organization-defined policies regarding software program usage and restrictions + + + CM-7(1)(b) + "customer-defined functions, ports, protocols, and services within the +information system deemed to be unnecessary and/or nonsecure" + + + + CM-7(2) + "customer-defined policies regarding software program usage or +restrictions" + + + + CM-7(2) + "customer-defined policies regarding software program usage or +restrictions" + + + + 
CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + CM-7(b) + "FedRAMP assignment: the service provider shall use the Center for +Internet Security Guidelines (Level 1) to establish list of prohibited +or restricted functions, ports, protocols, and/or services or +establishes its own list of prohibited or restricted functions, ports, +protocols, and/or services if USGCB is not available" + + + + organization-defined information deemed necessary to achieve effective information system component accountability + organization-defined information deemed necessary to achieve effective information system component accountability + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + + + organization-defined frequency + organization-defined frequency + + + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + + + organization-defined time period + organization-defined time period + + + organization-defined time period + organization-defined time period + + + organization-defined 
frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined tests + organization-defined tests + + + organization-defined information system operations + organization-defined information system operations + + + organization-defined time period consistent with recovery time and recovery point objectives + organization-defined time period consistent with recovery time and recovery point objectives + + + organization-defined information system operations + organization-defined information system operations + + + organization-defined time period + organization-defined time period + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined strength of mechanism requirements + organization-defined strength of mechanism requirements + + + organization-defined specific and/or types of devices + organization-defined specific and/or types of devices + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined time period of inactivity + 
organization-defined time period of inactivity + + + IA-4(4) + "FedRAMP requirement: contractors, foreign nationals" + + + + IA-4(a) + "customer-defined personnel or roles" + + + + IA-4(d) + "FedRAMP requirement: at least two years" + + + + IA-4(e) + "FedRAMP requirement: thirty-five (35) days" + + + + organization-defined time period by authenticator type + organization-defined time period by authenticator type + + + organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type + organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type + + + organization-defined number + organization-defined number + + + organization-defined numbers for lifetime minimum, lifetime maximum + organization-defined numbers for lifetime minimum, lifetime maximum + + + organization-defined number + organization-defined number + + + organization-defined token quality requirements + organization-defined token quality requirements + + + organization-defined types of and/or specific authenticators + organization-defined types of and/or specific authenticators + + + organization-defined registration authority + organization-defined registration authority + + + organization-defined personnel or roles + organization-defined personnel or roles + + + IA-5(1)(a) + "FedRAMP requirement: case-sensitive, minimum of fourteen (14) +characters, and at least one (1) each of upper-case letters, +lower-case letters, numbers, and special characters" + + + + IA-5(1)(b) + "FedRAMP requirement: at least fifty percent (50%)" + + + + IA-5(1)(d) + "FedRAMP requirement: one day minimum, sixty day maximum" + + + + IA-5(1)(e) + "FedRAMP requirement: twenty four" + + + + IA-5(4) + "complexity as identified in IA-05 (1) Control 
Enhancement Part A" + + + + IA-5(g) + "FedRAMP requirement: 60 days for passwords" + + + + organization-defined information systems + organization-defined information systems + + + IA-8(3) + "N/A" + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined tests + organization-defined tests + + + organization-defined time period + organization-defined time period + + + organization-defined authorities + organization-defined authorities + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + + + organization-defined frequency + organization-defined frequency + + + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined actions + organization-defined actions + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined procedures + organization-defined procedures + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined personnel or roles + 
organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined maintenance-related information + organization-defined maintenance-related information + + + organization-defined information system components + organization-defined information system components + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined types of digital and/or non-digital media + organization-defined types of digital and/or non-digital media + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined controlled areas + organization-defined controlled areas + + + organization-defined types of digital and/or non-digital media + organization-defined types of digital and/or non-digital media + + + organization-defined controlled areas + organization-defined controlled areas + + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined information system media + organization-defined information system media + + + organization-defined sanitization techniques and procedures + organization-defined sanitization techniques and procedures + + + organization-defined types of information system media + organization-defined types of information system media + + + 
organization-defined information systems or system components + organization-defined information systems or system components + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined location by information system or system component + organization-defined location by information system or system component + + + organization-defined acceptable levels + organization-defined acceptable levels + + + organization-defined frequency + organization-defined frequency + + + organization-defined types of information system components + organization-defined types of information system components + + + organization-defined security controls + organization-defined security controls + + + organization-defined frequency + organization-defined frequency + + + organization-defined entry/exit points to the facility where the information system resides + organization-defined entry/exit points to the facility where the information system resides + + + organization-defined physical access control systems/devices + organization-defined physical access control systems/devices + + + organization-defined entry/exit points + organization-defined entry/exit points + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined circumstances requiring visitor escorts and monitoring + organization-defined circumstances requiring visitor escorts and monitoring + + + organization-defined physical access devices + organization-defined physical access devices + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined information system distribution and 
transmission lines + organization-defined information system distribution and transmission lines + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined frequency + organization-defined frequency + + + organization-defined events or potential indications of events + organization-defined events or potential indications of events + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + + + organization-defined time period + organization-defined time period + + + organization-defined information security topics + organization-defined information security topics + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined transfer or reassignment actions + organization-defined transfer or reassignment actions + + + organization-defined time period following the formal transfer action + organization-defined time period following the formal transfer 
action + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency and/or randomly in accordance with organization-defined process + organization-defined frequency and/or randomly in accordance with organization-defined process + + + organization-defined response times + organization-defined response times + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-identified information system components + organization-identified information system components + + + organization-defined vulnerability scanning activities + organization-defined vulnerability scanning activities + + + RA-5(2) + "FedRAMP requirement: prior to a new scan" + + + + RA-5(5)-1 + "FedRAMP requirement: operating systems, databases, web applications" + + + + RA-5(5)-2 + "FedRAMP requirement: all scans" + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined 
configuration items under configuration management + organization-defined configuration items under configuration management + + + organization-defined personnel + organization-defined personnel + + + organization-defined depth and coverage + organization-defined depth and coverage + + + organization-defined system development life cycle + organization-defined system development life cycle + + + organization-defined design/implementation information + organization-defined design/implementation information + + + organization-defined level of detail + organization-defined level of detail + + + organization-defined actions + organization-defined actions + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined security controls + organization-defined security controls + + + organization-defined processes, methods, and techniques + organization-defined processes, methods, and techniques + + + organization-defined external information system services + organization-defined external information system services + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined requirements for key generation, distribution, storage, access, and destruction + organization-defined requirements for key generation, distribution, storage, access, and destruction + + + SC-12(2) + "FedRAMP requirement: NIST FIPTS compliance" + + + + organization-defined cryptographic uses and type of cryptography required for each use + organization-defined cryptographic uses and type of cryptography required for each use + + + SC-13 + "FedRAMP requirement: FIPS-validated or NSA-approved cryptography" + + + + organization-defined exceptions where remote activation is to be allowed + 
organization-defined exceptions where remote activation is to be allowed + + + organization-defined certificate policy + organization-defined certificate policy + + + organization-defined information at rest + organization-defined information at rest + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-2 + "CSP servers" + + + + SC-28(1)-2 + "CSP servers" + + + + SC-28(1)-2 + "CSP servers" + + + + SC-28-1 + "confidentiality and integrity" + + + + SC-28-2 + "customer data" + + + + organization-defined types of denial of service attacks or references to sources for such information + organization-defined types of denial of service attacks or references to sources for such information + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined resources + organization-defined resources + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined frequency + organization-defined frequency + + + SC-7(20 + "organization-defined information system components" + + + + organization-defined alternative physical safeguards + organization-defined alternative physical safeguards + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined information inputs + organization-defined information inputs + + + organization-defined personnel or roles + organization-defined personnel or roles + + + SI-11(b) + "authorized service personnel and CSP users" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + organization-defined security safeguards + organization-defined security safeguards + + + SI-16 + "Windows protections, including 
No Execute, Address Space Layout +Randomization, and Data Execution Prevention" + + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined action + organization-defined action + + + organization-defined monitoring objectives + organization-defined monitoring objectives + + + organization-defined techniques and methods + organization-defined techniques and methods + + + organization-defined information system monitoring information + organization-defined information system monitoring information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined compromise indicators + organization-defined compromise indicators + + + organization-defined external organizations + organization-defined external organizations + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined elements within the organization + organization-defined elements within the organization + + + organization-defined external organizations + organization-defined external organizations + + + organization-defined security functions + organization-defined security functions + + + organization-defined system transitional states + organization-defined system transitional states + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined alternative action(s) + organization-defined alternative action(s) + + + organization-defined software, firmware, and information + 
organization-defined software, firmware, and information + + + organization-defined software, firmware, and information + organization-defined software, firmware, and information + + + organization-defined transitional states or security-relevant events + organization-defined transitional states or security-relevant events + + + organization-defined frequency + organization-defined frequency + + + organization-defined security-relevant changes to the information system + organization-defined security-relevant changes to the information system + + + diff --git a/working/JSON-mapping/docker-ee-opencontrol-moderate-ato-oscal-ENRICHED-SP800-53.xml b/working/JSON-mapping/docker-ee-opencontrol-moderate-ato-oscal-ENRICHED-SP800-53.xml new file mode 100644 index 0000000000..a667d03435 --- /dev/null +++ b/working/JSON-mapping/docker-ee-opencontrol-moderate-ato-oscal-ENRICHED-SP800-53.xml @@ -0,0 +1,8148 @@ + + Moderate SSP for Docker Enterprise Edition Deployment ATO +

                                    Moderate SSP for Docker Enterprise Edition Deployment ATO

                                    + securitylead@agency.gov + + NIST SP800-53 rev 4 + + + + Access Control Policy for [Agency_Here] +

                                    +

                                    + + ACCESS CONTROL POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCOUNT MANAGEMENT +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DISABLE INACTIVE ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INACTIVITY LOGOUT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ROLE-BASED SCHEMES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESTRICTIONS ON USE OF SHARED / GROUP ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS ENFORCEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION OF DUTIES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LEAST PRIVILEGE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHORIZE ACCESS TO SECURITY FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDITING USE OF PRIVILEGED FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + UNSUCCESSFUL LOGON ATTEMPTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM USE NOTIFICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONCURRENT SESSION CONTROL +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION LOCK +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PATTERN-HIDING DISPLAYS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION TERMINATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOTE ACCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIVILEGED COMMANDS / ACCESS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHENTICATION AND ENCRYPTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + WIRELESS ACCESS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FULL DEVICE / CONTAINER-BASED ENCRYPTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR MOBILE DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PORTABLE STORAGE DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LIMITS ON AUTHORIZED USE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SHARING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PUBLICLY ACCESSIBLE CONTENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Awareness Training Policy for [Agency_Here] +

                                    +

                                    + + ROLE-BASED SECURITY TRAINING +

                                    [Agency's control implementation here] +

                                    + none + + + SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY AWARENESS TRAINING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSIDER THREAT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY TRAINING RECORDS +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Audit and Accountability Policy for [Agency_Here] +

                                    +

                                    + + AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + complete + + + AUDIT EVENTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + complete +
                                    + + REVIEWS AND UPDATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT STORAGE CAPACITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT REVIEW, ANALYSIS, AND REPORTING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROCESS INTEGRATION +

                                    [Agency's control implementation here] +

                                    +
                                    + + CORRELATE AUDIT REPOSITORIES +

                                    [Agency's control implementation here] +

                                    +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC PROCESSING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TIME STAMPS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS BY SUBSET OF PRIVILEGED USERS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT RECORD RETENTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT GENERATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Assessment and Authorization Policy for [Agency_Here] +

                                    +

                                    + + SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + EXTERNAL ORGANIZATIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ASSESSMENTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SPECIALIZED ASSESSMENTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDEPENDENT ASSESSORS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SPECIALIZED ASSESSMENTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXTERNAL ORGANIZATIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM INTERCONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PLAN OF ACTION AND MILESTONES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY AUTHORIZATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINUOUS MONITORING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDEPENDENT ASSESSMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDEPENDENT PENETRATION AGENT OR TEAM +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PENETRATION TESTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTERNAL SYSTEM CONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Configuration Management Policy for [Agency_Here] +

                                    +

                                    + + CONFIGURATION MANAGEMENT POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + BASELINE CONFIGURATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REVIEWS AND UPDATES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATION SUPPORT FOR ACCURACY / CURRENCY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RETENTION OF PREVIOUS CONFIGURATIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURATION CHANGE CONTROL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURATION SETTINGS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM COMPONENT INVENTORY +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Contingency Planning Policy for [Agency_Here] +

                                    +

                                    + + CONTINGENCY PLANNING POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + CONTINGENCY PLAN +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATE WITH RELATED PLANS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CAPACITY PLANNING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFY CRITICAL ASSETS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINGENCY TRAINING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINGENCY PLAN TESTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATE WITH RELATED PLANS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE STORAGE SITE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION FROM PRIMARY SITE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESSIBILITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE PROCESSING SITE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION FROM PRIMARY SITE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESSIBILITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIORITY OF SERVICE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TELECOMMUNICATIONS SERVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIORITY OF SERVICE PROVISIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM BACKUP +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TESTING FOR RELIABILITY / INTEGRITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATE STORAGE FOR CRITICAL INFORMATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM RECOVERY AND RECONSTITUTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TRANSACTION RECOVERY +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Docker Security Scanning (DSS) +

                                    +

                                    + + UPDATE TOOL CAPABILITY +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning (DSS) component of Docker +Trusted Registry (DTR) that is included with the Docker Enterprise +Edition Advanced tier can be used to scan Docker images for +vulnerabilities against known vulnerability databases. Scans can be +triggered either manually or when Docker images are pushed to DTR.' +

                                    + service provider hybrid + complete + + + UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning component of Docker Trusted +Registry (DTR) that is included with the Docker Enterprise Edition +Advanced tier compiles a bill of materials (BOM) for each Docker image +that it scans. DSS is also synchronized to an aggregate listing of +known vulnerabilities that is compiled from both the MITRE and NVD CVE +databases. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Image_Scanning' +

                                    + service provider hybrid + complete +
                                    + + BREADTH / DEPTH OF COVERAGE +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning component of Docker Trusted +Registry (DTR) that is included with the Docker Enterprise Edition +Advanced tier identifies vulnerabilities in a Docker image and marks +them against predefined criticality levels; critical major and minor.' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED ACCESS +

                                    'Only the appropriate users that the organization has provided Docker +Trusted Registry access to are able to view and interpret +vulnerability scan results.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED TREND ANALYSES +

                                    'For each Docker image pushed to Docker Trusted Registry at a given +time, Docker Security Scaninng retains a list of vulnerabilities +detected. The DTR API can be queried to retrieve the vulnerability +scan results over a period of time for a given Docker image such that +the results can be compared per the requirements of this control.' +

                                    + service provider hybrid + complete +
                                    + + REVIEW HISTORIC AUDIT LOGS +

                                    'Docker Security Scanning maintains a historical bill-of-materials +(BOM) for all Docker images that are scanned. Results of previous +vulnerability scans can be reviewed and audited per the requirements +of this control.' +

                                    + service provider hybrid + complete +
                                    + + DSS Documentation +

                                    + https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/ + + + + Docker Trusted Registry (DTR) +

                                    +

                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation for managing users and teams can +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-teams/' +

                                    + service provider hybrid + complete +
                                    + + ROLE-BASED SCHEMES +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/' +

                                    + service provider hybrid + complete +
                                    + + ACCOUNT MONITORING / ATYPICAL USAGE +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT +

                                    'One can control which users and teams can create and manipulate +Docker Trusted Registry resources. By default, no one can make changes +to the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + Docker EE system + complete +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + Docker EE system + complete +
                                    + + SECURITY POLICY FILTERS +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + shared + complete +
                                    + + PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + service provider hybrid + complete +
                                    + + SEPARATION OF DUTIES +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Docker Trusted Registry resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + service provider hybrid + complete +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS +

                                    'One can control which users and teams can create and manipulate +Docker Trusted Registry resources and prevent non-privileged users +from executing privileged functions per the requirements of this +control. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation for the configuration of this +functionality can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/' +

                                    + Docker EE system + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    'To help the organization meet the requirements of this control, a +review of actions allowed by unauthenticated users can be performed +within Docker Trusted Registry.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS +

                                    'To help the organization meet the requirements of this control, +Docker Trusted Registry can be configured to allow/prohibit remote +access.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Docker Trusted Registry logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2. This is included at both the +HTTPS application layer for access to the DTR user interface and for +command-line based connections to the registry. In addition to this, +all communication to DTR is enforced by way of two-way mutual TLS +authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Docker Trusted Registry replicas is routed through +managed network access control points.' +

                                    + service provider hybrid + complete +
                                    + + DISCONNECT / DISABLE ACCESS +

                                    'Built-in firewall technology in Docker Trusted Registry's underlying +operating system can be used to force the disconnection of remote +connections to the host. In addition, UCP slave nodes running Docker +Trusted Registry replicas can be paused or drained, which subsequently +stops sessions to the DTR replica.' +

                                    + service provider hybrid + configured by customer + complete +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Docker Trusted Registry.' +

                                    + service provider hybrid + complete +
                                    + + LIMITS ON AUTHORIZED USE +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Docker Trusted Registry.' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION SHARING +

                                    'To help the organization meet the requirements of this control, one +can validate the assigned roles and access levels within Docker +Trusted Registry to control information sharing.' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT EVENTS +

                                    'All of the event types indicated by this control are logged by a +combination of the backend ucp-controller service within Universal +Control Plane and the backend services that make up Docker Trusted +Registry. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/#dtr-internal-components +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/#ucp-internal-components' +

                                    + service provider corporate + Docker EE system + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Docker Trusted Registry generates all of the audit record information +indicated by this control. A sample audit event has been provided +below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to interpolate the information +defined by this control from the logged audit records. Additional +information can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to interpolate the information +defined by this control from the logged audit records. Additional +information can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to alert individuals in +the event of log processing failures. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT STORAGE CAPACITY +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to warn the organization +when the allocated log storage is full. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + REAL-TIME ALERTS +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to warn the organization +when audit log failures occur. Additional information can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRAL REVIEW AND ANALYSIS +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +organization can subsequently centrally review and analyze all of the +Docker EE audit records. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to facilitate the audit +reduction and report generation requirements of this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'The underlying operating system chosen to support Docker Trusted +Registry should be certified to ensure that logs are not altered +during generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared +
                                    + + AUTOMATIC PROCESSING +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to parse information by +organization-defined audit fields. Additional information can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS +

                                    'Docker Trusted Registry uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock compares itself with +an authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock synchronizes itself to +an authoritative time source as defined by part (a) of this control +any time the time difference exceeds that of the organization-defined +time period. This can be accomplished by utilizing the Network Time +Protocol (NTP). Refer to the operating system's instructions for doing +so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    'By default, Docker Trusted Registry is configured to use the +underlying logging capabilities of Docker Enterprise Edition. As such, +on the underlying Linux operating system, only root and sudo users and +users that have been added to the ''docker'' group have the ability to +access the logs generated by UCP backend service containers. In +addition, only UCP Administrator users can change the logging endpoint +of the system should it be decided that logs be sent to a remote +logging stack. In this case, the organization is responsible for +configuring the remote logging stack per the provisions of this +control.' +

                                    + service provider hybrid + complete +
                                    + + AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +back up audit records per the schedule defined by this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +meet the encryption mechanisms required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + AUDIT RECORD RETENTION +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Docker Trusted +Registry resides as an Application on a Universal Control Plane +cluster, and as such, can be configured to send logs to a remote +logging stack. This logging stack can subsequently be configured to +retain logs for the duration required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider corporate + Docker EE system + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION +

                                    'All of the event types indicated by AU-2 a. are logged by a +combination of the backend services within Universal Control Plane and +Docker Trusted Registry. The underlying Linux operating system +supporting DTR can be configured to audit Docker-specific events with +the auditd daemon. Refer to the specific Linux distribution in use for +instructions on configuring this service. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/' +

                                    +

                                    'Using auditd on the Linux operating system supporting DTR, the +organization can configure audit rules to select which Docker-specific +events are to be audited. Refer to the specific Linux distribution in +use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and as such, can be configured to send logs to +a remote logging stack. This logging stack can subsequently be used to +compile audit records in to a system-wide audit trail that is +time-correlated per the requirements of this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CHANGES BY AUTHORIZED INDIVIDUALS +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and as such, can be configured to send logs to +a remote logging stack. This logging stack can subsequently be used to +meet the requirements of this control. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUTOMATED ACCESS ENFORCEMENT / AUDITING +

                                    'Role-based access control can be configured within Docker Trusted +Registry to meet the requirements of this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + Docker EE system + complete +
                                    + + SIGNED COMPONENTS +

                                    'Docker Content Trust is a capability provided by Docker Enterprise +Edition that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. All Docker Trusted +Registry Docker images are officially signed and verified by Docker, +Inc. + +When installing Docker Trusted Registry, you should enable Docker +Content Trust and subsequently pull the the signed DTR image tag. +Additional information can be found at teh following resources: + +- https://docs.docker.com/engine/security/trust/content_trust/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/user/manage-images/sign-images/manage-trusted-repositories/' +

                                    + service provide hybrid + shared + complete +
                                    + + AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +incorporate the use of an external configuration management system to +meet the requirements of this control. Docker Trusted Registry''s +configuration can also be backed up and stored an appropriate location +per the requirements of this control. Additional documenation can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/' +

                                    + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION +

                                    'The organization can define a list of allowed base Docker images and +make them available via Docker Trusted Registry. The organization can +also prevent users from being able to pull Docker images from +untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + AUTHORIZED SOFTWARE / WHITELISTING +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +define a list of allowed base Docker images and make them available +via Docker Trusted Registry. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +configure its systems to ensure that only approved Docker images are +stored in Docker Trusted Registry. This can be accomplished by using +Docker Content Trust to sign Docker images which can subsequently be +stored in Docker Trusted Registry.' +

                                    + service provider hybrid + shared + complete +
                                    + + USER-INSTALLED SOFTWARE +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +define a list of allowed base Docker images and make them available +via Docker Trusted Registry. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + ALERTS FOR UNAUTHORIZED INSTALLATIONS +

                                    'The organization can define a list of allowed base Docker images and +make them available via Docker Trusted Registry to meet the +requirements of this contorl. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + TRANSACTION RECOVERY +

                                    'Docker Trusted Registry maintains its cluster state via an internal +key-value store. This, and other DTR transactions can be backed up and +recovered. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#DTR_Backup' +

                                    + Docker EE system + complete +
                                    + + GROUP AUTHENTICATION +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Docker Trusted +Registry requires individual users to be authenticated in order to +gain access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    'Docker Trusted Registry replicas reside on Universal Control Plane +worker nodes. In order for UCP worker nodes to join a Universal +Control Plane cluster, they must be identified and authenticated via a +worker token. Additional Docker Trusted Registry replicas can only be +added after a UCP administrator user has authenticated in to the UCP +cluster and when mutual TLS authentication between the UCP worker and +manager nodes has been established. Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/#step-7-join-replicas-to-the-cluster' +

                                    + Docker EE system + complete +
                                    + + PKI-BASED AUTHENTICATION +

                                    'Docker Trusted Registry includes a Docker volume which holds the root +key material for the DTR root CA that issues certificats. In addition +Universal Control Plane contains two, built-in root certificate +authorities. One CA is used for signing client bundles generated by +users. The other CA is used for TLS communication between UCP cluster +nodes. Should you choose to use certificates signed by an external CA, +in order to successfully authenticate in to the system, those +certificates must include a root CA public certificate, a service +certificate and any intermediate CA public certificates (in addition +to SANs for all addresses used to reach the UCP controller), and a +private key for the server. When adding DTR replicas, the UCP nodes on +which they're installed are authenticated to the cluster via the +appropriate built-in CA.' +

                                    +

                                    'Access to Docker Trusted Registry is only granted when a user has a +valid certificate bundle. This is enforced with the public/private key +pair included with the user's certificate bundle in Universal Control +Plane.' +

                                    +

                                    'Only after a client bundle has been generated or an existing public +key has been added for a particular user is that user able to execute +commands against Docker Trusted Registry. This bundle maps the +authenticated identity to that of the user's profile in Universal +Control Plane.' +

                                    +

                                    'When a client bundle has been generated or an existing public key has +been added for a particular Universal Control Plane user which +subsequently grants that user access to Docker Trusted Registry, it is +attached to that user''s Universal Control Plane profile. Bundles/keys +can be revoked by an Administrator or the user themselves. The +cluster''s internal certificates can also be revoked and updated. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/use-your-own-tls-certificates/' +

                                    + Docker EE system + complete +
                                    + + AUTHENTICATOR FEEDBACK +

                                    'Docker Trusted Registry obscures all feedback of authentication +information during the authentication process. This includes both +authentication via the web UI and the CLI.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION +

                                    'All access to Docker Trusted Registry is protected with Transport +Layer Security (TLS) 1.2 with the AES-GCM cipher. This includes both +SSH access to the individual UCP nodes and CLI-/web-based access to +the UCP management functions with mutual TLS and HTTPS respectively.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) +

                                    'Users managed by Docker Trusted Registry can be grouped per the +requirements of the organization and as defined by this control. This +can include groupings for non-organizational users.' +

                                    + Docker EE system + complete +
                                    + + UPDATE TOOL CAPABILITY +

                                    'The Docker Security Scanning tool allows for the scanning of Docker +images in Docker Trusted Registry against the Common Vulnerabilities +and Exposures (CVE) dictionary.' +

                                    + service provider hybrid + complete +
                                    + + BREADTH / DEPTH OF COVERAGE +

                                    'The Docker Security Scanning tool allows for the scanning of Docker +images in Docker Trusted Registry against the Common Vulnerabilities +and Exposures (CVE).' dictionary. +

                                    + service provider hybrid + complete +
                                    + + SOFTWARE / FIRMWARE INTEGRITY VERIFICATION +

                                    'Docker Content Trust gives you the ability to verify both the +integrity and the publisher of all the data received from a Docker +Trusted Registry over any channel. It allows operations with a remote +DTR instance to enforce client-side signing and verification of image +tags. It provides for the ability to use digital signatures for data +sent to and receive from remote DTR instances. These signatures allow +client-side verification of the integrity and publisher of specific +image tags. Docker Trusted Registry includes an integrated imaging +signing service.' +

                                    + service provider hybrid + complete +
                                    + + APPLICATION PARTITIONING +

                                    'Docker Trusted Registry is made up of a number of backend services +that provide for both user functionality (including user interface +services) and system management functionality. Each of these services +operates independently of one another. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Docker_Trusted_Registry' +

                                    + Docker EE system + complete +
                                    + + SESSION AUTHENTICITY +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the DTR +user interface and for command-line based connections to the registry. +In addition to this, all communication to DTR is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the DTR +user interface and for command-line based connections to the registry. +In addition to this, all communication to DTR is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING +

                                    'All error messages generated via the configured logging mechanism of +Docker Trusted Registry are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + Docker Trusted Registry Documentation +

                                    + https://docs.docker.com/datacenter/dtr/2.3/guides/ + + + + Docker Enterprise Edition Engine +

                                    +

                                    + + ACCOUNT MONITORING / ATYPICAL USAGE +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition can be configured to aggregate +container and daemon events via a number of logging drivers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/view_container_logs/ +- https://docs.docker.com/engine/admin/logging/overview/ +- https://docs.docker.com/engine/admin/logging/log_tags/' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    'Docker Enterprise Edition can be configured to control the flow of +information that originates from applications running in containers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks' +

                                    + service provider hybrid + complete +
                                    + + SECURITY POLICY FILTERS +

                                    'Docker Enterprise Edition can be configured to control the flow of +information that originates from applications running in containers +per organization-defined security policy filters. Supporting +documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks + +There are also third-party behavioral activity monitoring tools (e.g. +Sysdig Falco <http://www.sysdig.org/falco/>) that can be used +alongside Docker Enterprise Edition to satisfy this control''s +requirements.' +

                                    + service provider hybrid + complete +
                                    + + PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS +

                                    'Docker Enterprise Edition can be configured to separate the flow of +information that originates from applications running in containers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks' +

                                    + service provider hybrid + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    'To help the organization meet the requirements of this control, one +can restrict membership to the 'docker' group on underlying Linux +hosts or the local "Administrators" group (and any other groups +defined within 'daemon.json') on underlying Windows Server 2016 hosts +to only authorized users.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS +

                                    'To help the organization meet the requirements of this control, +Docker Enterprise Edition can be configured to allow/prohibit remote +access to the Engine.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Docker Enterprise Edition logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2. In addition to this, all +communication to Docker Enterprise Edition is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Docker Enterprise Edition is routed through managed +network access control points.' +

                                    + service provider hybrid + complete +
                                    + + DISCONNECT / DISABLE ACCESS +

                                    'Built-in firewall technology in Docker Enterprise Edition's +underlying operating system can be used to force the disconnection of +remote connections to the host. In addition, Docker Enterprise Edition +provides the option to pause or drain a node in the cluster, which +subsequently stops and/or removes sessions to the node. Individual +services and/or applications running on Docker Enterprise Edition can +also be stopped and/or removed.' +

                                    + service provider hybrid + configured by customer + complete +
                                    + + AUDIT EVENTS +

                                    'Both Universal Control Plane and Docker Trusted Registry backend +service containers, all of which reside on Docker Enterprise Edition, +log all of the event types indicated by this control (as explained by +their component narratives). These and other application containers +that reside on Docker Enterprise Edition can be configured to log data +via an appropriate Docker logging driver. Instructions for configuring +logging drivers can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Both Universal Control Plane and Docker Trusted Registry are +pre-configured to take advantage of Docker Enterprise Edition''s +built-in logging mechanisms. A sample audit event recorded by Docker +Enterprise Edition has been provided below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"} + +Additional documentation can be referenced at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to interpolate the information defined +by this control from the logged audit records. Additional +documentation can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to interpolate the information defined +by this control from the logged audit records. Additional +documentation can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can be used to interpolate the information defined by this +control and also be configured to alert on any audit processing +failures. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT STORAGE CAPACITY +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be configured to warn the organization when the +allocated log storage is full. Additional information can be found at +the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + REAL-TIME ALERTS +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The +logging stack can subsequently be configured to warn the organization +when audit log failures occur. Additional information can be found at +the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRAL REVIEW AND ANALYSIS +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The +organization can subsequently centrally review and analyze all of the +Docker EE audit records. Additional information can be found at the +following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to facilitate the audit reduction and +report generation requirements of this control. Additional information +can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    +

                                    'The underlying operating system chosen to support Docker Enterprise +Edition should be certified to ensure that logs are not altered during +generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared + complete +
                                    + + AUTOMATIC PROCESSING +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be configured to parse information by +organization-defined audit fields. Additional information can be found +at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS +

                                    'Docker Enterprise Edition uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Docker Enterprise Edition +runs should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    'The underlying operating system on which Docker Enterprise Edition runs should +be configured such that its system clock compares itself with an +authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Docker Enterprise Edition +runs should be configured such that its system clock synchronizes +itself to an authoritative time source as defined by part (a) of this +control any time the time difference exceeds that of the +organization-defined time period. This can be accomplished by +utilizing the Network Time Protocol (NTP). Refer to the operating +system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    'On the underlying Linux operating system supporting Docker Enterprise +Edition, only root and sudo users and users that have been added to +the "docker" group have the ability to access the logs generated by +UCP backend service containers. Should the organization decide to +configure Docker Enterprise Edition to use a logging driver other than +the default json-file driver, the organization is subsequently +responsible for configuring the chosen logging stack per the +provisions of this control. In addition, for Linux operating systems +supporting Docker Enterprise Edition that use the systemd daemon, it +is imperative that the Journal is secured per the requirements of this +control. The same applies for Linux operating systems supporting +Docker Enterprise Edition that instead use upstart. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS +

                                    'Docker Enterprise Edition can be configured to use a logging driver +that can subsequently meet the backup requirements of this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'Docker Enterprise Edition can be configured to use a logging driver +that can subsequently meet the encryption mechanisms required by this +control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + NON-REPUDIATION +

                                    'Docker Enterprise Edition includes functionality known as Docker +Content Trust which allows one to cryptographically sign Docker +images. It enforces client-side signing and verification of image tags +and provides the ability to use digital signatures for data sent to +and received from Docker Trusted Registry. This ultimately provides +one with the ability to verify both the integrity and the publisher of +all data received from DTR over any channel. With Docker Content +Trust, an organization can enforce signature verification of all +content and prohibit unsigned and unapproved content from being +manipulated; thus supproting the non-repudiation requirements of this +control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/security/trust/content_trust/' +

                                    + Docker EE system + complete +
                                    + + AUDIT RECORD RETENTION +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Docker Enterprise +Edition can be configured to use a logging driver that stores data in +a location for the duration specified by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION +

                                    'Both Universal Control Plane and Docker Trusted Registry backend +service containers, all of which reside on Docker Enterprise Edition, +log all of the event types indicated by this AU-2 a. These and other +application containers that reside on Docker Enterprise Edition can be +configured to log data via an appropriate Docker logging driver. The +underlying Linux operating system supporting Docker Enterprise Edition +can be configured to audit Docker-specific events with the auditd +daemon. Refer to the specific Linux distribution in use for +instructions on configuring this service. Additional information can +be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    +

                                    'Using auditd on the Linux operating system supporting CS Docker +Engine, the organization can configure audit rules to select which +Docker-specific events are to be audited. Refer to the specific Linux +distribution in use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. This +logging stack can subsequently be used to compile audit records in to +a system-wide audit trail that is time-correlated per the requirements +of this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + CHANGES BY AUTHORIZED INDIVIDUALS +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. This +logging stack can subsequently be used to meet the requirements of +this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONFIGURATION MANAGEMENT POLICY AND PROCEDURES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configuration management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + BASELINE CONFIGURATION +

                                    'The CIS Docker Benchmark can be used as a baseline for securing Docker +Enterprise Edition and for helping the organization meet the +configuration management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + REVIEWS AND UPDATES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + AUTOMATION SUPPORT FOR ACCURACY / CURRENCY +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. CIS regularly +updates their benchmark to reflect the latest updates in the stable +release of Docker Engine. Various configuration management tools such +as Inspec (http://inspec.io/) can be used to audit Docker Enterprise +Edition system configuration to ensure that the secure baseline +configurations have been applied in an automated fashion. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + RETENTION OF PREVIOUS CONFIGURATIONS +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. CIS regularly +updates their benchmark to reflect the latest updates in the stable +release of Docker Engine. Various configuration management tools such +as Inspec (http://inspec.io/) can be used to audit Docker Enterprise +Edition system configuration to ensure that the secure baseline +configurations have been applied in an automated fashion and can be +rolled back as required by this control. Additional information can be +found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + CONFIGURATION CHANGE CONTROL +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Additional information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Various configuration management tools such as Inspec +(http://inspec.io/) can be used to audit Docker Enterprise Edition +system configuration to ensure that the secure baseline configurations +have been applied in an automated fashion. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + TEST / VALIDATE / DOCUMENT CHANGES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Various configuration management tools such as Inspec +(http://inspec.io/) can be used to audit Docker Enterprise Edition +system configuration to ensure that the secure baseline configurations +have been applied in an automated fashion. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHY MANAGEMENT +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +cryptography management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + REVIEW SYSTEM CHANGES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +system change requirements of this control. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + Docker EE system + complete +
                                    + + SIGNED COMPONENTS +

                                    'Before installing Docker Enterprise Edition, ensure that your +supporting Linux operating system''s packager manager supports package +signature verification and that it is enabled. It is also required +that you import the Docker public key for EE packages so as to +retrieve the validated and signed package from Docker, Inc. Refer to +your Linux OS documentation for instructions on completing the above +steps. + +In addition, Docker Content Trust is a capability provided by Docker +Engine that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. When enabling Docker +Content Trust in Docker Enterprise Edition you can enforce the use of +signed Docker images. Additional information can be found at the +following resources: + +- https://docs.docker.com/engine/security/trust/content_trust/' +

                                    + service provide hybrid + shared + complete +
                                    + + AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION +

                                    'The organization can incorporate the use of an external configuration +management system to meet the requirements of this control.' +

                                    + service provider hybrid + complete +
                                    + + LEAST FUNCTIONALITY +

                                    'To help the organization meet the requirements of this control, the +latest CIS Docker Benchmark can be used as a secure configuration +baseline. Additional information can be found at the following +resources: + +- https://www.cisecurity.org/benchmark/docker/' +

                                    + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION +

                                    'In order to restrict which Docker images can be used to deploy +applications to Docker Enterprise Edition, the organization can define +a list of allowed base Docker images and make them available via +Docker Trusted Registry. The organization can also prevent users from +being able to pull Docker images from untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + AUTHORIZED SOFTWARE / WHITELISTING +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements and in order to restrict +which Docker images can be used to deploy applications to Docker EE +Engine, the organization must define a list of allowed base Docker +images and make them available via Docker Trusted Registry. The +organization must also prevent users from being able to pull Docker +images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + CONFIGURATION MANAGEMENT PLAN +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configuration management plan requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    'In order for other Docker EE engine nodes to be able to join a +cluster managed by Universal Control Plane, they must be identified +and authenticated via either a manager or worker token. Use of the +token includes trust on first use mutual TLS.' +

                                    + Docker EE system + complete +
                                    + + SOFTWARE / FIRMWARE INTEGRITY VERIFICATION +

                                    'Docker Content Trust gives you the ability to verify both the +integrity and the publisher of all the data received from a Docker +Trusted Registry over any channel. It allows operations with a remote +DTR instance to enforce client-side signing and verification of image +tags. It provides for the ability to use digital signatures for data +sent to and receive from remote DTR instances. These signatures allow +client-side verification of the integrity and publisher of specific +image tags.' +

                                    + service provider hybrid + complete +
                                    + + DYNAMIC ISOLATION / SEGREGATION +

                                    'Docker Enterprise Edition is designed to run application containers +whose content can be completely isolated/segregated from other +application containers within the same node/cluster. This is +accomplished by way of Linux kernel primitives and various security +profiles that can be applied to the underlying host OS. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/security/security/ +- https://docs.docker.com/engine/userguide/networking/overlay-security-model/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Engine_and_Node_Security' +

                                    + Docker EE system + complete +
                                    + + SYMMETRIC KEYS +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's documentation to ensure it is configured in FIPS mode.' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's documentation to ensure it is configured in FIPS mode.' +

                                    + service provider hybrid + complete +
                                    + + SESSION AUTHENTICITY +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to and between Docker Enterprise +Editions is enforced by way of two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF INFORMATION AT REST +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to/from and between Docker +Enterprise Edition nodes is enforced by way of two-way mutual TLS +authentication. All Swarm Mode manager nodes in a Docker Enterprise +Edition cluster store state metadata and user secrets encrypted at +rest using the AES GCM cipher.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to and between Docker Enterprise +Editions is enforced by way of two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + AUTOMATIC UPDATES +

                                    'Docker Enterprise Edition packages for supported underlying operating +systems can only be obtained from Docker, Inc. The Docker EE +repositories from which Docker EE packages are obtained are protected +with official GPG keys. Each Docker package is also validated with a +signature definition.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING +

                                    'All error messages generated via the logging mechanisms of the Docker +Enterprise Edition engine are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + MEMORY PROTECTION +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's security documentation for information regarding the +protection of memory from unauthorized code execution.' +

                                    + service provider hybrid + complete +
                                    + + Docker Enterprise Edition Engine Installation Documentation +

                                    + https://docs.docker.com/engine/installation/ + + + Docker Engine Release Notes +

                                    + https://docs.docker.com/release-notes/ + + + Configuring and Running Docker on Various Distributions +

                                    + https://docs.docker.com/engine/admin/ + + + Docker Engine Security +

                                    + https://docs.docker.com/engine/security/security/ + + + Securing Docker Datacenter and Security Best Practices +

                                    + https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices + + + + Identification and Authentication Policy for [Agency_Here] +

                                    +

                                    + + IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + GROUP AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LOCAL ACCESS TO PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOTE ACCESS - SEPARATE DEVICE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF PIV CREDENTIALS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFIER MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFY USER STATUS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHENTICATOR MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PASSWORD-BASED AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PKI-BASED AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROTECTION OF AUTHENTICATORS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + HARDWARE TOKEN-BASED AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF THIRD-PARTY CREDENTIALS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF FICAM-APPROVED PRODUCTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF FICAM-ISSUED PROFILES +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Incident Response for [Agency_Here] +

                                    +

                                    + + INCIDENT RESPONSE POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + INCIDENT RESPONSE TRAINING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE TESTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATION WITH RELATED PLANS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT HANDLING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED INCIDENT HANDLING PROCESSES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT MONITORING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT REPORTING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED REPORTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE ASSISTANCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATION WITH EXTERNAL PROVIDERS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE PLAN +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SPILLAGE RESPONSE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESPONSIBLE PERSONNEL +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TRAINING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + POST-SPILL OPERATIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXPOSURE TO UNAUTHORIZED PERSONNEL +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System Maintenance Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM MAINTENANCE POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + CONTROLLED MAINTENANCE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MAINTENANCE TOOLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSPECT TOOLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSPECT MEDIA +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PREVENT UNAUTHORIZED REMOVAL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NONLOCAL MAINTENANCE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DOCUMENT NONLOCAL MAINTENANCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MAINTENANCE PERSONNEL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDIVIDUALS WITHOUT APPROPRIATE ACCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TIMELY MAINTENANCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Media Protection Policy for [Agency_Here] +

                                    +

                                    + + MEDIA PROTECTION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + MEDIA ACCESS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA MARKING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA STORAGE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA TRANSPORT +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA SANITIZATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EQUIPMENT TESTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA USE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROHIBIT USE WITHOUT OWNER +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Physical and Environmental Protection Policy for [Agency_Here] +

                                    +

                                    + + PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + PHYSICAL ACCESS AUTHORIZATIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PHYSICAL ACCESS CONTROL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR TRANSMISSION MEDIUM +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR OUTPUT DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MONITORING PHYSICAL ACCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTRUSION ALARMS / SURVEILLANCE EQUIPMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + VISITOR ACCESS RECORDS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + POWER EQUIPMENT AND CABLING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY SHUTOFF +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY POWER +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY LIGHTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FIRE PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SUPPRESSION DEVICES / SYSTEMS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC FIRE SUPPRESSION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TEMPERATURE AND HUMIDITY CONTROLS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MONITORING WITH ALARMS / NOTIFICATIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + WATER DAMAGE PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DELIVERY AND REMOVAL +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE WORK SITE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Planning Policy for [Agency_Here] +

                                    +

                                    + + SECURITY PLANNING POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + INFORMATION SECURITY ARCHITECTURE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Personnel Security Policy for [Agency_Here] +

                                    +

                                    + + PERSONNEL SECURITY POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + POSITION RISK DESIGNATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL SCREENING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION WITH SPECIAL PROTECTION MEASURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL TERMINATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL TRANSFER +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS AGREEMENTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + THIRD-PARTY PERSONNEL SECURITY +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL SANCTIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Risk Assessment Policy for [Agency_Here] +

                                    +

                                    + + RISK ASSESSMENT POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    + none + + + VULNERABILITY SCANNING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System and Services Acquisition Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + ALLOCATION OF RESOURCES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM DEVELOPMENT LIFE CYCLE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACQUISITION PROCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FUNCTIONAL PROPERTIES OF SECURITY CONTROLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINUOUS MONITORING PLAN +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF APPROVED PIV PRODUCTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM DOCUMENTATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ENGINEERING PRINCIPLES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXTERNAL INFORMATION SYSTEM SERVICES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROCESSING, STORAGE, AND SERVICE LOCATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DEVELOPER CONFIGURATION MANAGEMENT +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SOFTWARE / FIRMWARE INTEGRITY VERIFICATION +

                                    [Agency's control implementation here] +

                                    +
                                    + + DEVELOPER SECURITY TESTING AND EVALUATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +
                                    + + STATIC CODE ANALYSIS +

                                    [Agency's control implementation here] +

                                    +
                                    + + THREAT AND VULNERABILITY ANALYSES +

                                    [Agency's control implementation here] +

                                    +
                                    + + DYNAMIC CODE ANALYSIS +

                                    [Agency's control implementation here] +

                                    +
                                    + + ALTERNATIVE SOURCES FOR CONTINUED SUPPORT +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System and Communications Protection Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + APPLICATION PARTITIONING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION IN SHARED RESOURCES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DENIAL OF SERVICE PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESOURCE AVAILABILITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + BOUNDARY PROTECTION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS POINTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXTERNAL TELECOMMUNICATIONS SERVICES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DENY BY DEFAULT / ALLOW BY EXCEPTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PREVENT SPLIT TUNNELING FOR REMOTE DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + HOST-BASED PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FAIL SECURE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TRANSMISSION CONFIDENTIALITY AND INTEGRITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK DISCONNECT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYMMETRIC KEYS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ASYMMETRIC KEYS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COLLABORATIVE COMPUTING DEVICES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PUBLIC KEY INFRASTRUCTURE CERTIFICATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MOBILE CODE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + VOICE OVER INTERNET PROTOCOL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION AUTHENTICITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROTECTION OF INFORMATION AT REST +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROCESS ISOLATION +

                                    [Agency's control implementation here] +

                                    + complete +
                                    +
                                    + + System and Information Integrity Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    + none + + + FLAW REMEDIATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED FLAW REMEDIATION STATUS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MALICIOUS CODE PROTECTION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CENTRAL MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC UPDATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NONSIGNATURE-BASED DETECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM MONITORING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM-WIDE INTRUSION DETECTION SYSTEM +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED TOOLS FOR REAL-TIME ANALYSIS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM-GENERATED ALERTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + WIRELESS INTRUSION DETECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CORRELATE MONITORING INFORMATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + HOST-BASED DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ALERTS, ADVISORIES, AND DIRECTIVES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY FUNCTION VERIFICATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTEGRITY CHECKS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTEGRATION OF DETECTION AND RESPONSE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SPAM PROTECTION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CENTRAL MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC UPDATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION INPUT VALIDATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ERROR HANDLING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION HANDLING AND RETENTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEMORY PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Universal Control Plane (UCP) +

                                    +

                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation for managing users and teams can +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-teams/' +

                                    + service provider hybrid + complete + + + ROLE-BASED SCHEMES +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/' +

                                    + service provider hybrid + complete +
                                    + + ACCOUNT MONITORING / ATYPICAL USAGE +

                                    'To assist the organization in meeting the requirements of this +control, Universal Control Plane can be configured to send system +account log data to a remote logging service such as an Elasticsearch, +Logstash and Kibana (ELK) stack. Supporting documentation can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-node-messages/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-configurations/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-task-state/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT +

                                    'One can control which users and teams can create and manipulate +Universal Control Plane resources. By default, no one can make changes +to the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/deploy-view-only-service/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/grant-permissions/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-nodes-between-teams/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-volumes-between-teams/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/manage-access-with-collections/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/access-control-node/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + complete +
                                    + + SECURITY POLICY FILTERS +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + shared + complete +
                                    + + PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + shared + complete +
                                    + + SEPARATION OF DUTIES +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + LEAST PRIVILEGE +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources and employ principles of +least privilege. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + AUTHORIZE ACCESS TO SECURITY FUNCTIONS +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources and explicitly authorize +access as necessary. By default, no one can make changes to the +cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + NETWORK ACCESS TO PRIVILEGED COMMANDS +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources, including Docker +networking components. By default, no one can make changes to the +cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED ACCOUNTS +

                                    'To assist the organization in meeting the requirements of this +control, one can restrict privileged accounts within Universal Control +Plane to custom-defined roles. By default, no one can make changes to +the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + REVIEW OF USER PRIVILEGES +

                                    'To assist the organization in meeting the requirements of this +control, one can review all implemented grants, accounts and roles +within Universal Control Plane and reassign/revoke privileges as +necessary. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGE LEVELS FOR CODE EXECUTION +

                                    'Universal Control Plane users can be assigned to one of a number of +different permission levels. The permission level assigned to a +specific user determines that user''s ability to execute certain +Docker functions within UCP. Only users mapped to either the "Full +Control" or "Admin" roles can execute Docker commands without any +restrictions. Users mapped to either the "View Only" or "No Access" +roles cannot execute any Docker commands. Users assigned to the +"Restricted Control" role can only run Docker commands under their own +purview and cannot see other users UCP resources nor run commands that +required privileged access to the host. Furthermore, custom roles can +be created for fine-grained access to specific UCP resources and +functionality. Additional documentation regarding the various +permission levels within UCP can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS +

                                    'One can control which users and teams can create and manipulate +Universal Control Plane resources and prevent non-privileged users +from executing privileged functions per the requirements of this +control. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation for the configuration of this +functionality can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/' +

                                    + Docker EE system + complete +
                                    + + USER-INITIATED LOGOUTS / MESSAGE DISPLAYS +

                                    'Universal Control Plane includes a logout capability that allows a +user to terminate his/her current session.' +

                                    + Docker EE system + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    'To help the organization meet the requirements of this control, a +review of actions allowed by unauthenticated users can be performed +within Universal Control Plane.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane can be configured to allow/prohibit remote +access.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Universal Control Plane logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2. This is included at both the +HTTPS application layer for access to the UCP user interface and for +command-line based connections to the cluster. In addition to this, +all communication to UCP is enforced by way of two-way mutual TLS +authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Universal Control Plane managers and worker nodes is +routed through managed network access control points.' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED COMMANDS / ACCESS +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane can be configured to authorize certain +privileged functions via remote access.' +

                                    + service provider hybrid + complete +
                                    + + DISCONNECT / DISABLE ACCESS +

                                    'Built-in firewall technology in Universal Control Plane's underlying +operating system can be used to force the disconnection of remote +connections to the host. In addition, UCP provides the option to pause +or drain a node in the cluster, which subsequently stops and/or +removes sessions to the node. Individual services and/or applications +running on a UCP cluster can also be stopped and/or removed.' +

                                    + service provider hybrid + configured by customer + complete + partial +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Universal Control +Plane.' +

                                    + service provider hybrid + complete +
                                    + + LIMITS ON AUTHORIZED USE +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Universal Control +Plane.' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION SHARING +

                                    'To help the organization meet the requirements of this control, one +can validate the assigned roles and access levels within Universal +Control Plane to control information sharing.' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT EVENTS +

                                    'All of the event types indicated by this control are logged by the +backend ucp-controller service within Universal Control Plane. In +addition, each container created on a Universal Control Plane cluster +logs event data. Supporting documentation for configuring UCP logging +can be referenced at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Universal Control Plane generates all of the audit record information +indicated by this control. A sample audit event has been provided +below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +interpolate the information defined by this control from the logged +audit records. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +interpolate the information defined by this control from the logged +audit records. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +alert individuals in the event of log processing failures. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider system specific + complete +
                                    + + AUDIT STORAGE CAPACITY +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +warn the organization when the allocated log storage is full. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + REAL-TIME ALERTS +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +warn the organization when audit log failures occur. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRAL REVIEW AND ANALYSIS +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The organization can subsequently centrally review and +analyze all of the Docker EE audit records. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +facilitate the audit reduction and report generation requirements of +this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'The underlying operating system chosen to support Universal Control +Plane should be certified to ensure that logs are not altered during +generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared + complete +
                                    + + AUTOMATIC PROCESSING +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +parse information by organization-defined audit fields. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS +

                                    'Universal Control Plane uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock compares itself with +an authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock synchronizes itself to +an authoritative time source as defined by part (a) of this control +any time the time difference exceeds that of the organization-defined +time period. This can be accomplished by utilizing the Network Time +Protocol (NTP). Refer to the operating system's instructions for doing +so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    'By default, Universal Control Plane is configured to use the +underlying logging capabilities of Docker Enterprise Edition. As such, +on the underlying Linux operating system, only root and sudo users and +users that have been added to the 'docker' group have the ability to +access the logs generated by UCP backend service containers. In +addition, only UCP Administrator users can change the logging endpoint +of the system should it be decided that logs be sent to a remote +logging stack. In this case, the organization is responsible for +configuring the remote logging stack per the provisions of this +control.' +

                                    + service provider hybrid + complete +
                                    + + AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +back up audit records per the schedule defined by this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +meet the encryption mechanisms required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + AUDIT RECORD RETENTION +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Universal Control +Plane can be configured to send logs to a remote logging stack. This +logging stack can subsequently be configured retain logs for the +duration required by this control. Additional information can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION +

                                    'All of the event types indicated by AU-2 a. are logged by the backend +ucp-controller service within Universal Control Plane. In addition, +each container created on a Universal Control Plane cluster logs event +data. The underlying Linux operating system supporting UCP can be +configured to audit Docker-specific events with the auditd daemon. +Refer to the specific Linux distribution in use for instructions on +configuring this service. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'Using auditd on the Linux operating system supporting UCP, the +organization can configure audit rules to select which Docker-specific +events are to be audited. Refer to the specific Linux distribution in +use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. This logging stack can subsequently be used to compile +audit records in to a system-wide audit trail that is time-correlated +per the requirements of this control. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CHANGES BY AUTHORIZED INDIVIDUALS +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. This logging stack can subsequently be used to meet the +requirements of this control. Additional information can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUTOMATED ACCESS ENFORCEMENT / AUDITING +

                                    'Role-based access control can be configured within Universal Control +Plane to meet the requirements of this control. Additional information +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + SIGNED COMPONENTS +

                                    'Docker Content Trust is a capability provided by Docker Enterprise +Edition that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. All Universal Control +Plane Docker images are officially signed and verified by Docker, Inc. + +When configuring Universal Control Plane, you should enforce +applications to only use Docker images signed by trusted UCP users +within your organization. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provide hybrid + shared + complete +
                                    + + AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +incorporate the use of an external configuration management system to +meet the requirements of this control. Universal Control Plane''s +configuration can also be managed, backed up and stored in another +location per the requirements of this control. Additional documentation +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/ucp-configuration-file/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/' +

                                    + service provider hybrid + complete +
                                    + + PERIODIC REVIEW +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane includes a robust access control model to +disable any functionality as mandated by this control.' +

                                    + service provider corporate + Docker EE system + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION +

                                    'In order to restrict which Docker images can be used to deploy +applications to Universal Control Plane, the organization can define a +list of allowed base Docker images and make them available via Docker +Trusted Registry. The organization can also prevent users from being +able to pull Docker images from untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + AUTHORIZED SOFTWARE / WHITELISTING +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements and in order to restrict +which Docker images can be used to deploy applications to Universal +Control Plane, the organization must define a list of allowed base +Docker images and make them available via Docker Trusted Registry. The +organization must also prevent users from being able to pull Docker +images from untrusted sources.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +configure its systems to ensure that only approved Docker images +stored in Docker Trusted Registry can be run on Universal Control +Plane. This can be accomplished by using Docker Content Trust to sign +Docker images, and configure UCP to enforce only signed images from +specific Teams at runtime. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provider hybrid + shared + complete +
                                    + + TRANSACTION RECOVERY +

                                    'Universal Control Plane maintains its cluster state via an internal +key-value store. This, and other UCP transactions can be backed up and +recovered. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#UCP_Backup' +

                                    + Docker EE system + complete +
                                    + + GROUP AUTHENTICATION +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Universal Control +Plane requires individual users to be authenticated in order to gain +access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    'In order for nodes to join a Universal Control Plane cluster, they +must be identified and authenticated via either a manager or worker +token. Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/scale-your-cluster/' +

                                    + Docker EE system + complete +
                                    + + PKI-BASED AUTHENTICATION +

                                    'Universal Control Plane contains two, built-in root certificate +authorities. One CA is used for signing client bundles generated by +users. The other CA is used for TLS communication between UCP cluster +nodes. Should you choose to use certificates signed by an external CA, +in order to successfully authenticate in to the system, those +certificates must include a root CA public certificate, a service +certificate and any intermediate CA public certificates (in addition +to SANs for all addresses used to reach the UCP controller), and a +private key for the server.' +

                                    +

                                    'Access to a Universal Control Plane cluster is only granted when a +user has a valid certificate bundle. This is enforced with the +public/private key pair included with the user's certificate bundle.' +

                                    +

                                    'Only after a client bundle has been generated or an existing public +key has been added for a particular user is that user able to execute +commands against the Universal Control Plane cluster. This bundle maps +the authenticated identity to that of the user.' +

                                    +

                                    'When a client bundle has been generated or an existing public key has +been added for a particular Universal Control Plane user, it is +attached to that user''s profile. Bundles/keys can be revoked by an +Administrator or the user themselves. The cluster''s internal +certificates can also be revoked and updated. Additional information +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/' +

                                    + Docker EE system + complete +
                                    + + AUTHENTICATOR FEEDBACK +

                                    'Universal Control Plane obscures all feedback of authentication +information during the authentication process. This includes both +authentication via the web UI and the CLI.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION +

                                    'All access to Universal Control Plane is protected with Transport +Layer Security (TLS) 1.2 with the AES GCM cipher. This includes both +SSH access to the individual UCP nodes and CLI-/web-based access to +the UCP management functions with mutual TLS and HTTPS respectively.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) +

                                    'Users managed by Universal Control Plane can be grouped per the +requirements of the organization and as defined by this control. This +can include groupings for non-organizational users.' +

                                    + Docker EE system + complete +
                                    + + SOFTWARE / FIRMWARE INTEGRITY VERIFICATION +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, Docker Content Trust gives +you the ability to verify both the integrity and the publisher of all +the data received from a Docker Trusted Registry over any channel. It +allows operations with a remote DTR instance to enforce client-side +signing and verification of image tags. It provides for the ability to +use digital signatures for data sent to and receive from remote DTR +instances. These signatures allow client-side verification of the +integrity and publisher of specific image tags. Universal Control +Plane can be configured to only run trusted and signed images. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provider hybrid + complete +
                                    + + APPLICATION PARTITIONING +

                                    'Universal Control Plane is made up of a number of backend services +that provide for both user functionality (including user interface +services) and system management functionality. Each of these services +operates independently of one another. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Universal_Control_Plane' +

                                    + Docker EE system + complete +
                                    + + SESSION AUTHENTICITY +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the UCP +user interface and for command-line based connections to the cluster. +In addition to this, all communication to UCP is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the UCP +user interface and for command-line based connections to the cluster. +In addition to this, all communication to UCP is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING +

                                    'All error messages generated via the configured logging mechanism of +Universal Control Plane are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + UCP Documentation +

                                    + https://docs.docker.com/datacenter/ucp/2.2/guides/ + + + + Authentication and Authorization Service (eNZi) +

                                    +

                                    + + ACCESS CONTROL POLICY AND PROCEDURES +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams are allowed to create +and manipulate Docker Enterprise Edition resources. By default, no one +can make changes to the cluster. Permissions can be granted and +managed to enforce fine-grained access control. Supporting +documentation can found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/' +

                                    + service provider hybrid + complete +
                                    + + ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, an external identity management system (such as Microsoft''s +Active Directory or an LDAP endpoint) can be configured as mandated by +this control and can be integrated with Docker Enterprise Edition. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, an external identity management system (such as Microsoft''s +Active Directory or an LDAP endpoint) can be configured as mandated by +this control and can be integrated with Docker Enterprise Edition. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS +

                                    'Using Docker Enterprise Edition''s LDAP integration capabilities, one +can disable and/or remove temporary and emergency accounts in a +connected directory service (such as Active Directory) after an +organization-defined time period. When a user is removed from LDAP, +that user becomes inactive after the LDAP synchronization runs. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + DISABLE INACTIVE ACCOUNTS +

                                    'Using Docker Enterprise Edition''s LDAP integration capabilities, one +can automatically disable inactive accounts in a connected directory +service (such as Active Directory). When a user is removed from LDAP, +that user becomes inactive after the LDAP synchronization runs. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED AUDIT ACTIONS +

                                    'Docker Enterprise Edition logs various authentication and +authorization events to standard log files. One can configure Docker +Enterprise Edition to direct these event logs to a remote logging +service such as an Elasticsearch, Logstash and Kibana (ELK) stack and +subsequently alert on specific event types. When integrating Docker +Enterprise Edition with LDAP, one can refer the the directory +service''s logging mechanisms for auditing the events defined by this +control. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices' +

                                    + service provider hybrid + complete +
                                    + + INACTIVITY LOGOUT +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition can be configured to enforce automated +session termination of users after an organization-defined time period +of inactivity. By default, the initial lifetime of a user''s session +is set to 72 hours and the renewal session for a user''s session is +set to 24 hours. These values can both be changed in the "Auth" +section of the "Admin Settings" in Universal Control Plane.' +

                                    + service provider hybrid + complete +
                                    + + ROLE-BASED SCHEMES +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition supports various levels of user +permissions and role-based access control enforcements. Administrator +users have permissions to: manage other Docker Enterprise Edition +users, manage Docker Trusted Registry repositories and settings, and +manage the Universal Control Plane and underlying Docker Swarm Mode +cluster. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + service provider hybrid + complete +
                                    + + RESTRICTIONS ON USE OF SHARED / GROUP ACCOUNTS +

                                    'To assist the organization in meeting the requirements of this +control, users and/or groups synchronized to Docker Enterprise Edition +via LDAP can be configured at the directory service.' +

                                    + service provider hybrid + complete +
                                    + + SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION +

                                    'Users and/or groups synchronized to Docker Enterprise Edition via +LDAP can be configured at the directory service to ensure shared/group +account credentials are terminated when members leave the group.' +

                                    + service provider hybrid + complete +
                                    + + USAGE CONDITIONS +

                                    'Information system accounts synchronized to Docker Enterprise Edition +via LDAP can be configured at the directory service to meet this +requirement as necessary.' +

                                    + service provider hybrid + complete +
                                    + + ACCOUNT MONITORING / ATYPICAL USAGE +

                                    'To assist the organization in meeting the requirements of this +control, when Docker Enterprise Edition is configured for LDAP +integration, one can refer to the directory service''s existing +monitoring tools.' +

                                    + service provider hybrid + complete +
                                    + + DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS +

                                    'To assist the organization in meeting the requirements of this +control, users and/or groups synchronized to Docker Enterprise Edition +via LDAP can be managed at the directory service and disabled if +posing a significant risk.' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT +

                                    'One can control which users and teams can create and manipulate +Docker Enterprise Edition resources. By default, no one can make +changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. The eNZi component facilitates +authorizations as dictated by the system''s administrators. Supporting +documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/' +

                                    + Docker EE system + complete +
                                    + + AUDITING USE OF PRIVILEGED FUNCTIONS +

                                    'Docker Enterprise Edition logs privileged user events to standard log +files. One can configure Docker Enterprise Edition to direct these +event logs to a remote logging service such as an Elasticsearch, +Logstash and Kibana (ELK) stack and subsequently alert on specific +event types. When integrating Docker Enterprise Edition with LDAP, one +can refer the the directory service''s logging mechanisms for auditing +the events defined by this control. Supporting documentation regarding +logging and monitoring can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + complete +
                                    + + UNSUCCESSFUL LOGON ATTEMPTS +

                                    'When Docker Enterprise Edition is integrated to a directory service +via LDAP, one can reference the functionality of the directory service +to configure the enforcement of a limit to the number of conesecutive +invalid logon attempts by a user during a specified time period.' +

                                    +

                                    'When Docker Enterprise Edition is integrated to a directory service +via LDAP, one can reference the functionality of the directory service +to configure he ability to automatically lock/disable an account for a +specified period of time after a consecutive invalid logon attempt +limit is reached.' +

                                    + service provider hybrid + complete +
                                    + + SYSTEM USE NOTIFICATION +

                                    'The feature required to satisfy the requirements of this control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    +

                                    'The feature required to satisfy the requirements of this control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    +

                                    'The feature required to satisfy control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    + Docker EE system + planned +
                                    + + CONCURRENT SESSION CONTROL +

                                    'Docker Enterprise Edition can be configured to limit the number of +concurrent sessions for each account. These options can be found +within the Universal Control Plane Admin Settings under the +"Authentication & Authorization" section. ' +

                                    + Docker EE system + complete +
                                    + + SESSION LOCK +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours).' +

                                    + Docker EE system + complete +
                                    + + PATTERN-HIDING DISPLAYS +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours). Upon the expiration of the configured session thresholds, a +user will be locked out of his/her session per the requirements of +this controls.' +

                                    + Docker EE system + complete +
                                    + + SESSION TERMINATION +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours). Upon the expiration of the configured session thresholds, a +user will be locked out of his/her session.' +

                                    + Docker EE system + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Docker Enterprise Edition logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Docker Enterprise Edition generates all of the audit record +information indicated by this control. A sample audit event has been +provided below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) +

                                    'Docker Enterprise Edition can be configured to identify and +authenticate users via it''s integrated support for LDAP. Users and +groups managed within the organization''s LDAP directory service (e.g. +Active Directory) can be synchronized to UCP and DTR on a regular +interval. When a user is removed from the LDAP-backed directory, that +user becomes inactive within UCP and DTR. In addition, UCP and DTR +teams can be mapped to groups synchronized via LDAP. When a user is +added/removed to/from the LDAP group, that same user is automatically +added/removed to/from the UCP and DTR team. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + Docker EE system + shared + complete +
                                    + + GROUP AUTHENTICATION +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Docker Enterprise +Edition requires individual users to be authenticated in order to gain +access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT +

                                    'Docker Enterprise Edition integrates with LDAP for authenticating +users to an external directory service. You should configure your +external directory service for ensuring that you are protected against +replay attacks.' +

                                    + Docker EE system + complete +
                                    + + NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT +

                                    'Docker Enterprise Edition integrates with LDAP for authenticating +users to an external directory service. You should configure your +external directory service for ensuring that you are protected against +replay attacks.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFIER MANAGEMENT +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + IDENTIFY USER STATUS +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to uniquely identify each individual according to +the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + AUTHENTICATOR MANAGEMENT +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to establish initial authenticator content according +to the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to enforce strength requirements for authenticators +according to the requirements of this control. Refer to your directory +service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to distribute, redistribute, and revoke +authenticators according to the requirements of this control. Refer to +your directory service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to change default authenticator content according to +the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to set minimum and maximum lifetime restrictions and +reuse conditions for authenticators according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to refresh authenticators at a regular cadence +according to the requirements of this control. Refer to your directory +service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to protect authenticator content from unauthorized +disclosure or modification according to the requirements of this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to implement specific security safeguards to protect +authentications according to the requirements of this control. Refer +to your directory service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to change authenticators for group or role accounts +when membership to those groups or roles changes according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + PASSWORD-BASED AUTHENTICATION +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce minimum password +complexity requirements. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the requirement to +change at least one character when changing passwords according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to store and transmit +cryptographically protected passwords according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the required minimum and +maximum lifetime restrictions according to the requirements of this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the required number of +generations before password reuse according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the requirement to +change initial/temporary passwords upon first login according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + PKI-BASED AUTHENTICATION +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system validates the certificates per the +requirements of this control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system enforces authorized access to the +corresponding private key per the requirements of this control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system maps the authenticated identity to the +account of the individual or group per the requirements of this +control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, it is up to the underlying operating system +hosting Docker Enterprise Edition to ensure that it implements a local +cache of revocation data per the requirements of this control.' +

                                    + Docker EE system + complete +
                                    + + AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP can be +configured with automation to ensure that password authenticators meet +strength requirements as defined by this control. Refer to your +directory service's documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUTHENTICATORS +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to protect authenticators as required by this +control. Refer to your directory service's documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + ACCEPTANCE OF THIRD-PARTY CREDENTIALS +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to meet the FICAM requirements as +indicated by this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + USE OF FICAM-APPROVED PRODUCTS +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to meet the FICAM requirements as indicated by this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + USE OF FICAM-ISSUED PROFILES +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to meet the FICAM requirements as indicated by this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + INVALIDATE SESSION IDENTIFIERS AT LOGOUT +

                                    'Docker Enterprise Edition invalidates session identifiers upon user +logout per the requirements of this control.' +

                                    + Docker EE system + complete +
                                    + + UCP Documentation +

                                    + https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management + + + + + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined account and/or account type + organization-defined account and/or account type + + + organization-defined number + organization-defined number + + + AC-10 + "customer-defined account and/or account type; FedRAMP requirement: +three sessions for privileged access and two sessions for +non-privileged access" + + + + organization-defined time period + organization-defined time period + + + AC-11(a) + "FedRAMP requirement: fifteen minutes" + + + + organization-defined conditions or trigger events requiring session disconnect + organization-defined conditions or trigger events requiring session disconnect + + + AC-12 + "customer-defined conditions or trigger events" + + + + organization-defined information resources + organization-defined information resources + + + AC-12(1)(a) + "customer-defined information resources" + + + + organization-defined user actions + organization-defined user actions + + + AC-14(a) + "customer-defined user actions" + + + + AC-14(a) + "customer-defined user actions" + + + + AC-14(a) + "customer-defined user actions" + + + + organization-defined number + organization-defined number + + + organization-defined needs + organization-defined needs + + + organization-defined time period + organization-defined time period + + + AC-17(3) + "customer-defined" + + + + AC-17(3) + "customer-defined" + + + + AC-17(3) + "customer-defined" + + + + AC-17(4)(a) + "customer-defined needs" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + AC-17(9) + "FedRAMP requirement: no greater than 
fifteen minutes" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + organization-defined mobile devices + organization-defined mobile devices + + + organization-defined information system account types + organization-defined information system account types + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined procedures or conditions + organization-defined procedures or conditions + + + organization-defined frequency + organization-defined frequency + + + organization-defined circumstances and/or usage conditions + organization-defined circumstances and/or usage conditions + + + organization-defined information system accounts + organization-defined information system accounts + + + organization-defined atypical usage + organization-defined atypical usage + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined time period for each type of account + organization-defined time period for each type of account + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time-period of expected inactivity or description of when to log out + organization-defined time-period of expected inactivity or description of when to log out + + + organization-defined actions + organization-defined actions + + + organization-defined conditions for establishing shared/group accounts + organization-defined conditions for establishing shared/group accounts + + + AC-2(11)-1 + "customer-defined circumstances or usage conditions" + + + + AC-2(11)-2 + "customer-defined accounts" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + 
+ AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-2(13) + "one hour" + + + + AC-2(2)-1 + Selection (removes or disables) + + + AC-2(2)-2 + "FedRAMP requirement: no more than 30 days for temporary and emergency +account types" + + + + AC-2(3) + "FedRAMP requirement: thirty-five (35) days for user accounts" + + + + AC-2(4) + "organization and/or service provider system owner" + + + + AC-2(5) + "inactivity is anticipated to exceed fifteen (15) minutes" + + + + AC-2(7)(c) + "FedRAMP assignment: disables/revokes access within an +organization-specified timeframe" + + + + AC-2(9) + "FedRAMP assignment: organization-defined need with justificatino +statement that explains why such accounts are necessary" + + + + organization-defined information sharing circumstances where user discretion is required + organization-defined information sharing circumstances where user discretion is required + + + organization-defined automated mechanisms or manual processes + organization-defined automated mechanisms or manual processes + + + AC-21(a) + "customer-defined information sharing circumstances" + + + + AC-21(a) + "customer-defined information sharing circumstances" + + + + AC-21(b) + "customer-defined automated mechanisms or manual processes" + + + + AC-21(b) + "customer-defined automated mechanisms or manual processes" + + + + organization-defined frequency + organization-defined frequency + + + organization-defined information flow control policies + organization-defined information flow control policies + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4 + "customer-defined 
information flow control policies" + + + + AC-4 + "customer-defined information flow control policies" + + + + organization-defined mechanisms and/or techniques + organization-defined mechanisms and/or techniques + + + organization-defined required separations by types of information + organization-defined required separations by types of information + + + organization-defined security policy filters + organization-defined security policy filters + + + organization-defined information flows + organization-defined information flows + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + organization-defined duties of individuals + organization-defined duties of individuals + + + AC-5(a) + "customer-defined duties of 
individuals" + + + + AC-5(a) + "customer-defined duties of individuals" + + + + organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information + organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information + + + organization-defined security functions or security-relevant information + organization-defined security functions or security-relevant information + + + organization-defined privileged commands + organization-defined privileged commands + + + organization-defined compelling operational needs + organization-defined compelling operational needs + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined roles or classes of users + organization-defined roles or classes of users + + + organization-defined software + organization-defined software + + + AC-6(1) + "FedRAMP assignment: all functions not publiclly accessible and all +security-relevant information not publicly available" + + + + AC-6(2) + "FedRAMP requirement: all security functions" + + + + AC-6(3)-1 + "privileged commands used to change/configure network devices" + + + + AC-6(3)-2 + "customer-defined operational needs" + + + + AC-6(5) + "customer-defined personnel or roles" + + + + AC-6(7)(a)-1 + "at least annually" + + + + AC-6(7)(a)-2 + "all users" + + + + AC-6(8) + "FedRAMP assignment: any software except software explicitly +documented" + + + + organization-defined number + organization-defined number + + + organization-defined time period + organization-defined time period + + + organization-defined time period + organization-defined time period + + + organization-defined delay algorithm + organization-defined delay algorithm + + + AC-7(a)-1 + "FedRAMP requirement: not more than three" + + + + AC-7(a)-2 + "FedRAMP requirement: fifteen minutes" + + + + 
AC-7(b)-1 + "FedRAMP requirement: locks the account/node for three hours" + + + + AC-7(b)-2 + "customer-defined additional actions" + + + + organization-defined system use notification message or banner + organization-defined system use notification message or banner + + + organization-defined conditions + organization-defined conditions + + + AC-8(a) + "customer-defined system use notification banner" + + + + AC-8(c)(1) + "customer-defined conditions" + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined actions to be covered by non-repudiation + organization-defined actions to be covered by non-repudiation + + + AU-10 + "actions including the addition, modification, deletion, approval, +sending, or receiving of data" + + + + organization-defined time period consistent with records retention policy + organization-defined time period consistent with records retention policy + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + organization-defined information system components + organization-defined information system components + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined information system components + organization-defined information system 
components + + + organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail + organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail + + + organization-defined individuals or roles + organization-defined individuals or roles + + + organization-defined information system components + organization-defined information system components + + + organization-defined selectable event criteria + organization-defined selectable event criteria + + + organization-defined time thresholds + organization-defined time thresholds + + + AU-12(1)-1 + "all network, data storage, and computing devices" + + + + AU-12(1)-1 + "all network, data storage, and computing devices" + + + + AU-12(1)-1 + "all network, data storage, and computing devices" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + AU-12(3)-4 + "risk-based assessment, 
organization-defined time thresholds" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + organization-defined auditable events + organization-defined auditable events + + + organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event + organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event + + + organization-defined frequency + organization-defined frequency + + + AU-2(a) + "FedRAMP requirement: successful and unsuccessful account logon +events, account management events, object access, policy change, +privileged functions, process tracking, and system events. For Web +applications: all administrator activity, authentication checks, +authorization checks, data deletions, data access, data changes, and +permission changes" + + + + AU-2(a) + "FedRAMP requirement: successful and unsuccessful account logon +events, account management events, object access, policy change, +privileged functions, process tracking, and system events. For Web +applications: all administrator activity, authentication checks, +authorization checks, data deletions, data access, data changes, and +permission changes" + + + + AU-2(d) + "FedRAMP requirement: organization-defined subset of the auditable +events defined in AU-2-a. 
to be audited continually for each +identified event" + + + + AU-2(d) + "FedRAMP requirement: organization-defined subset of the auditable +events defined in AU-2-a. to be audited continually for each +identified event" + + + + organization-defined additional, more detailed information + organization-defined additional, more detailed information + + + organization-defined information system components + organization-defined information system components + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + organization-defined audit record storage requirements + organization-defined audit record storage requirements + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit 
records) + organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) + + + organization-defined personnel, roles, and/or locations + organization-defined personnel, roles, and/or locations + + + organization-defined time period + organization-defined time period + + + organization-defined percentage + organization-defined percentage + + + organization-defined real-time period + organization-defined real-time period + + + organization-defined personnel, roles, and/or locations + organization-defined personnel, roles, and/or locations + + + organization-defined audit failure events requiring real-time alerts + organization-defined audit failure events requiring real-time alerts + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by 
organization audit policy" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + organization-defined frequency + organization-defined frequency + + + organization-defined inappropriate or unusual activity + organization-defined inappropriate or unusual activity + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined audit fields within audit records + organization-defined audit fields within audit records + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + organization-defined granularity of time measurement + organization-defined granularity of time measurement + + + organization-defined frequency + organization-defined frequency + + + organization-defined authoritative time source + organization-defined authoritative time source + + + organization-defined time period + organization-defined time period + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: 
authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(b) + "millisecond precision" + + + + organization-defined frequency + organization-defined frequency + + + organization-defined subset of privileged users + organization-defined subset of privileged users + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined individuals or roles + organization-defined individuals or roles + + + organization-defined level of independence + organization-defined level of independence + + + organization-defined frequency + organization-defined frequency + + + organization-defined other forms of security assessment + organization-defined other forms of security assessment + + + organization-defined information system + organization-defined information system + + + organization-defined external organization + organization-defined external organization + + + organization-defined requirements + organization-defined requirements + + + organization-defined frequency + organization-defined frequency + + + organization-defined unclassified, non-national security system + organization-defined unclassified, non-national security system + + + Assignment; organization-defined boundary protection device + Assignment; 
organization-defined boundary protection device + + + organization-defined information systems + organization-defined information systems + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined metrics + organization-defined metrics + + + organization-defined frequencies + organization-defined frequencies + + + organization-defined frequencies + organization-defined frequencies + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined level of independence + organization-defined level of independence + + + organization-defined frequency + organization-defined frequency + + + organization-defined information systems or system components + organization-defined information systems or system components + + + organization-defined information system components or classes of components + organization-defined information system components or classes of components + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + CM-1(a) + "customer-defined personnel or roles" + + + + CM-1(b)(1) + "FedRAMP requirement: at least every 3 years" + + + + CM-1(b)(2) + "FedRAMP requirement: at least annually or whenever a significant +change occurs" + + + + organization-defined policies + organization-defined policies + + + organization-defined methods + organization-defined methods + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + CM-11(1) + "organization-defined personnel or roles" + + + + CM-11(a) + "customer-defined policies" + + + + CM-11(b) + "customer-defined 
methods" + + + + CM-11(c) + "FedRAMP requirement: continuously (via CM-7(5))" + + + + organization-defined frequency + organization-defined frequency + + + Assignment organization-defined circumstances + Assignment organization-defined circumstances + + + organization-defined previous versions of baseline configurations of the information system + organization-defined previous versions of baseline configurations of the information system + + + organization-defined information systems, system components, or devices + organization-defined information systems, system components, or devices + + + organization-defined configurations + organization-defined configurations + + + organization-defined security safeguards + organization-defined security safeguards + + + CM-2(1)(a) + "FedRAMP requirement: at least annually or when a significant change +occurs" + + + + CM-2(1)(b) + "FedRAMP requirement: to include when directed by the JAB" + + + + CM-2(3) + "the previously approved baseline configuration of IS components" + + + + organization-defined time period + organization-defined time period + + + organization-defined configuration change control element (e.g., committee, board) + organization-defined configuration change control element (e.g., committee, board) + + + organization-defined frequency + organization-defined frequency + + + organization-defined configuration change conditions + organization-defined configuration change conditions + + + organized-defined approval authorities + organized-defined approval authorities + + + organization-defined time period + organization-defined time period + + + organization-defined personnel + organization-defined personnel + + + organization-defined security safeguards + organization-defined security safeguards + + + CM-3(1)(b) + "customer-defined authorized approvers" + + + + CM-3(1)(c) + "organization-defined time period" + + + + CM-3(1)(f) + "organization-defined configuration management approval authorities" + + + + CM-3(6) 
+ "all security safeguards that rely on cryptography" + + + + CM-3(e) + "customer-defined time period" + + + + CM-3(g)-1 + "FedRAMP requirement: CAB" + + + + CM-3(g)-2 + "customer-defined" + + + + CM-3(g)-3 + "customer-defined" + + + + CM-3(g)-4 + "customer-defined" + + + + organization-defined frequency + organization-defined frequency + + + organization-defined circumstances + organization-defined circumstances + + + organization-defined software and firmware components + organization-defined software and firmware components + + + CM-5(2)-1 + "every 30 days" + + + + CM-5(2)-2 + "organization-defined circumstance" + + + + CM-5(3) + "customer-defined software" + + + + CM-5(3) + "customer-defined software" + + + + CM-5(3) + "customer-defined software" + + + + organization-defined security configuration checklists + organization-defined security configuration checklists + + + organization-defined information system components + organization-defined information system components + + + organization-defined operational requirements + organization-defined operational requirements + + + organization-defined information system components + organization-defined information system components + + + CM-6(1) + "customer-defined information system components" + + + + CM-6(1) + "customer-defined information system components" + + + + CM-6(1) + "customer-defined information system components" + + + + organization-defined prohibited or restricted functions, ports, protocols, and/or services + organization-defined prohibited or restricted functions, ports, protocols, and/or services + + + organization-defined frequency + organization-defined frequency + + + organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure + organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure + + + organization-defined policies regarding software 
program usage and restrictions + organization-defined policies regarding software program usage and restrictions + + + organization-defined software programs authorized to execute on the information system + organization-defined software programs authorized to execute on the information system + + + organization-defined frequency + organization-defined frequency + + + CM-7(1)(b) + "customer-defined functions, ports, protocols, and services within the +information system deemed to be unnecessary and/or nonsecure" + + + + CM-7(2) + "customer-defined policies regarding software program usage or +restrictions" + + + + CM-7(2) + "customer-defined policies regarding software program usage or +restrictions" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + CM-7(b) + "FedRAMP assignment: the service provider shall use the Center for +Internet Security Guidelines (Level 1) to establish list of prohibited +or restricted functions, ports, protocols, and/or services or +establishes its own list of prohibited or restricted functions, ports, +protocols, and/or services if USGCB is not available" + + + + organization-defined information deemed necessary to achieve effective information system component accountability + organization-defined information deemed necessary to achieve effective information system component accountability + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or 
roles + + + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + + + organization-defined frequency + organization-defined frequency + + + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + + + organization-defined time period + organization-defined time period + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined tests + organization-defined tests + + + organization-defined information system operations + organization-defined information system operations + + + organization-defined time period consistent with recovery time and recovery point objectives + organization-defined time period consistent with recovery time and recovery point objectives + + + organization-defined information system operations + organization-defined information system operations + + + organization-defined time period + organization-defined time period + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency + 
organization-defined frequency + + + organization-defined critical information system software and other security-related information + organization-defined critical information system software and other security-related information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined strength of mechanism requirements + organization-defined strength of mechanism requirements + + + organization-defined specific and/or types of devices + organization-defined specific and/or types of devices + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined time period of inactivity + organization-defined time period of inactivity + + + organization-defined characteristic identifying individual status + organization-defined characteristic identifying individual status + + + IA-4(4) + "FedRAMP requirement: contractors, foreign nationals" + + + + IA-4(a) + "customer-defined personnel or roles" + + + + IA-4(d) + "FedRAMP requirement: at least two years" + + + + IA-4(e) + "FedRAMP requirement: thirty-five (35) days" + + + + organization-defined time period by authenticator type + organization-defined time period by authenticator type + + + organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type + organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type + + + organization-defined number + organization-defined number + + + organization-defined numbers for lifetime 
minimum, lifetime maximum + organization-defined numbers for lifetime minimum, lifetime maximum + + + organization-defined number + organization-defined number + + + organization-defined token quality requirements + organization-defined token quality requirements + + + organization-defined types of and/or specific authenticators + organization-defined types of and/or specific authenticators + + + organization-defined registration authority + organization-defined registration authority + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined requirements + organization-defined requirements + + + IA-5(1)(a) + "FedRAMP requirement: case-sensitive, minimum of fourteen (14) +characters, and at least one (1) each of upper-case letters, +lower-case letters, numbers, and special characters" + + + + IA-5(1)(b) + "FedRAMP requirement: at least fifty percent (50%)" + + + + IA-5(1)(d) + "FedRAMP requirement: one day minimum, sixty day maximum" + + + + IA-5(1)(e) + "FedRAMP requirement: twenty four" + + + + IA-5(4) + "complexity as identified in IA-05 (1) Control Enhancement Part A" + + + + IA-5(g) + "FedRAMP requirement: 60 days for passwords" + + + + organization-defined information systems + organization-defined information systems + + + IA-8(3) + "N/A" + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined tests + organization-defined tests + + + organization-defined time period + organization-defined time period + + + organization-defined authorities + organization-defined authorities + + + 
organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + + + organization-defined frequency + organization-defined frequency + + + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined actions + organization-defined actions + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined procedures + organization-defined procedures + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined maintenance-related information + organization-defined maintenance-related information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined information system components + organization-defined information system components + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + 
organization-defined frequency + + + organization-defined types of digital and/or non-digital media + organization-defined types of digital and/or non-digital media + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined controlled areas + organization-defined controlled areas + + + organization-defined types of digital and/or non-digital media + organization-defined types of digital and/or non-digital media + + + organization-defined controlled areas + organization-defined controlled areas + + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined information system media + organization-defined information system media + + + organization-defined sanitization techniques and procedures + organization-defined sanitization techniques and procedures + + + organization-defined frequency + organization-defined frequency + + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined information systems or system components + organization-defined information systems or system components + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined location by information system or system component + organization-defined location by information system or system component + + + organization-defined emergency responders + organization-defined emergency responders + + + 
organization-defined acceptable levels + organization-defined acceptable levels + + + organization-defined frequency + organization-defined frequency + + + organization-defined types of information system components + organization-defined types of information system components + + + organization-defined security controls + organization-defined security controls + + + organization-defined frequency + organization-defined frequency + + + organization-defined entry/exit points to the facility where the information system resides + organization-defined entry/exit points to the facility where the information system resides + + + organization-defined physical access control systems/devices + organization-defined physical access control systems/devices + + + organization-defined entry/exit points + organization-defined entry/exit points + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined circumstances requiring visitor escorts and monitoring + organization-defined circumstances requiring visitor escorts and monitoring + + + organization-defined physical access devices + organization-defined physical access devices + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined information system distribution and transmission lines + organization-defined information system distribution and transmission lines + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined frequency + organization-defined frequency + + + organization-defined events or potential indications of events + organization-defined events or potential indications of events + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined 
personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + + + organization-defined additional personnel screening criteria + organization-defined additional personnel screening criteria + + + organization-defined time period + organization-defined time period + + + organization-defined information security topics + organization-defined information security topics + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined transfer or reassignment actions + organization-defined transfer or reassignment actions + + + organization-defined time period following the formal transfer action + organization-defined time period following the formal transfer action + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + 
organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency and/or randomly in accordance with organization-defined process + organization-defined frequency and/or randomly in accordance with organization-defined process + + + organization-defined response times + organization-defined response times + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-identified information system components + organization-identified information system components + + + organization-defined vulnerability scanning activities + organization-defined vulnerability scanning activities + + + RA-5(2) + "FedRAMP requirement: prior to a new scan" + + + + RA-5(5)-1 + "FedRAMP requirement: operating systems, databases, web applications" + + + + RA-5(5)-2 + "FedRAMP requirement: all scans" + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined configuration items under configuration management + organization-defined configuration items under configuration management + + + organization-defined personnel + organization-defined personnel + + + organization-defined depth and coverage + organization-defined depth and coverage + + + organization-defined support from external providers + organization-defined support from external providers + + + organization-defined system development life cycle + organization-defined system 
development life cycle + + + organization-defined design/implementation information + organization-defined design/implementation information + + + organization-defined level of detail + organization-defined level of detail + + + organization-defined level of detail + organization-defined level of detail + + + organization-defined actions + organization-defined actions + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined security controls + organization-defined security controls + + + organization-defined processes, methods, and techniques + organization-defined processes, methods, and techniques + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined external information system services + organization-defined external information system services + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined external service providers + organization-defined external service providers + + + organization-defined locations + organization-defined locations + + + organization-defined requirements or conditions + organization-defined requirements or conditions + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined requirements for key generation, distribution, storage, access, and destruction + organization-defined requirements for key generation, distribution, storage, access, and destruction + + + SC-12(2) + "FedRAMP requirement: NIST FIPTS compliance" + + + + organization-defined cryptographic uses and type of cryptography required for each use + organization-defined cryptographic uses and type of cryptography required for each 
use + + + SC-13 + "FedRAMP requirement: FIPS-validated or NSA-approved cryptography" + + + + organization-defined exceptions where remote activation is to be allowed + organization-defined exceptions where remote activation is to be allowed + + + organization-defined certificate policy + organization-defined certificate policy + + + organization-defined information at rest + organization-defined information at rest + + + organization-defined information + organization-defined information + + + organization-defined information system components + organization-defined information system components + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-2 + "CSP servers" + + + + SC-28(1)-2 + "CSP servers" + + + + SC-28(1)-2 + "CSP servers" + + + + SC-28-1 + "confidentiality and integrity" + + + + SC-28-2 + "customer data" + + + + organization-defined types of denial of service attacks or references to sources for such information + organization-defined types of denial of service attacks or references to sources for such information + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined resources + organization-defined resources + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined host-based boundary protection mechanisms + organization-defined host-based boundary protection mechanisms + + + organization-defined information system components + organization-defined information system components + + + organization-defined information security tools, mechanisms, and support components + organization-defined information security tools, mechanisms, and support components + + + organization-defined information system components + organization-defined information system components + + + organization-defined frequency + organization-defined frequency + + + organization-defined 
internal communications traffic + organization-defined internal communications traffic + + + organization-defined external networks + organization-defined external networks + + + SC-7(20 + "organization-defined information system components" + + + + organization-defined alternative physical safeguards + organization-defined alternative physical safeguards + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined information inputs + organization-defined information inputs + + + organization-defined personnel or roles + organization-defined personnel or roles + + + SI-11(b) + "authorized service personnel and CSP users" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + organization-defined security safeguards + organization-defined security safeguards + + + SI-16 + "Windows protections, including No Execute, Address Space Layout +Randomization, and Data Execution Prevention" + + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined benchmarks + organization-defined benchmarks + + + organization-defined frequency + organization-defined frequency + + + organization-defined action + organization-defined action + + + organization-defined monitoring objectives + organization-defined monitoring objectives + + + organization-defined techniques and methods + organization-defined techniques and methods + + + organization-defined information system monitoring information + organization-defined information system monitoring information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined 
frequency + + + organization-defined host-based monitoring mechanisms + organization-defined host-based monitoring mechanisms + + + organization-defined information system components + organization-defined information system components + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined compromise indicators + organization-defined compromise indicators + + + organization-defined external organizations + organization-defined external organizations + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined elements within the organization + organization-defined elements within the organization + + + organization-defined external organizations + organization-defined external organizations + + + organization-defined security functions + organization-defined security functions + + + organization-defined system transitional states + organization-defined system transitional states + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined alternative action(s) + organization-defined alternative action(s) + + + organization-defined software, firmware, and information + organization-defined software, firmware, and information + + + organization-defined software, firmware, and information + organization-defined software, firmware, and information + + + organization-defined transitional states or security-relevant events + organization-defined transitional states or security-relevant events + + + organization-defined frequency + organization-defined frequency + + + organization-defined security-relevant changes to the information system + organization-defined security-relevant changes to the information system + + + 
diff --git a/working/JSON-mapping/docker-ee-opencontrol-moderate-ato-oscal-LINKED.xml b/working/JSON-mapping/docker-ee-opencontrol-moderate-ato-oscal-LINKED.xml
new file mode 100644
index 0000000000..0c5664b331
--- /dev/null
+++ b/working/JSON-mapping/docker-ee-opencontrol-moderate-ato-oscal-LINKED.xml
@@ -0,0 +1,6649 @@
+
+ Moderate SSP for Docker Enterprise Edition Deployment ATO
+

                                    Moderate SSP for Docker Enterprise Edition Deployment ATO

                                    + securitylead@agency.gov + + SP800-53 MODERATE BASELINE IMPACT + + + + Access Control Policy for [Agency_Here] +

                                    +

                                    + + ACCESS CONTROL POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCOUNT MANAGEMENT +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DISABLE INACTIVE ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS ENFORCEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION OF DUTIES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LEAST PRIVILEGE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHORIZE ACCESS TO SECURITY FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDITING USE OF PRIVILEGED FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + UNSUCCESSFUL LOGON ATTEMPTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM USE NOTIFICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION LOCK +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PATTERN-HIDING DISPLAYS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION TERMINATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOTE ACCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIVILEGED COMMANDS / ACCESS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHENTICATION AND ENCRYPTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + WIRELESS ACCESS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FULL DEVICE / CONTAINER-BASED ENCRYPTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR MOBILE DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PORTABLE STORAGE DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LIMITS ON AUTHORIZED USE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SHARING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PUBLICLY ACCESSIBLE CONTENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Awareness Training Policy for [Agency_Here] +

                                    +

                                    + + ROLE-BASED SECURITY TRAINING +

                                    [Agency's control implementation here] +

                                    + none + + + SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY AWARENESS TRAINING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSIDER THREAT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY TRAINING RECORDS +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Audit and Accountability Policy for [Agency_Here] +

                                    +

                                    + + AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + complete + + + AUDIT EVENTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + complete +
                                    + + REVIEWS AND UPDATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT STORAGE CAPACITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT REVIEW, ANALYSIS, AND REPORTING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROCESS INTEGRATION +

                                    [Agency's control implementation here] +

                                    +
                                    + + CORRELATE AUDIT REPOSITORIES +

                                    [Agency's control implementation here] +

                                    +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC PROCESSING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TIME STAMPS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS BY SUBSET OF PRIVILEGED USERS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT RECORD RETENTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT GENERATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Assessment and Authorization Policy for [Agency_Here] +

                                    +

                                    + + SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ASSESSMENTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDEPENDENT ASSESSORS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM INTERCONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PLAN OF ACTION AND MILESTONES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY AUTHORIZATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINUOUS MONITORING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDEPENDENT ASSESSMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTERNAL SYSTEM CONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Configuration Management Policy for [Agency_Here] +

                                    +

                                    + + CONFIGURATION MANAGEMENT POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + BASELINE CONFIGURATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REVIEWS AND UPDATES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RETENTION OF PREVIOUS CONFIGURATIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURATION CHANGE CONTROL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURATION SETTINGS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM COMPONENT INVENTORY +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Contingency Planning Policy for [Agency_Here] +

                                    +

                                    + + CONTINGENCY PLANNING POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + CONTINGENCY PLAN +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATE WITH RELATED PLANS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFY CRITICAL ASSETS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINGENCY TRAINING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINGENCY PLAN TESTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATE WITH RELATED PLANS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE STORAGE SITE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION FROM PRIMARY SITE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESSIBILITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE PROCESSING SITE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION FROM PRIMARY SITE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESSIBILITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIORITY OF SERVICE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TELECOMMUNICATIONS SERVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIORITY OF SERVICE PROVISIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM BACKUP +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TESTING FOR RELIABILITY / INTEGRITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM RECOVERY AND RECONSTITUTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TRANSACTION RECOVERY +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Docker Security Scanning (DSS) +

                                    +

                                    + + UPDATE TOOL CAPABILITY +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning (DSS) component of Docker +Trusted Registry (DTR) that is included with the Docker Enterprise +Edition Advanced tier can be used to scan Docker images for +vulnerabilities against known vulnerability databases. Scans can be +triggered either manually or when Docker images are pushed to DTR.' +

                                    + service provider hybrid + complete + + + UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning component of Docker Trusted +Registry (DTR) that is included with the Docker Enterprise Edition +Advanced tier compiles a bill of materials (BOM) for each Docker image +that it scans. DSS is also synchronized to an aggregate listing of +known vulnerabilities that is compiled from both the MITRE and NVD CVE +databases. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Image_Scanning' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning component of Docker Trusted +Registry (DTR) that is included with the Docker Enterprise Edition +Advanced tier identifies vulnerabilities in a Docker image and marks +them against predefined criticality levels; critical major and minor.' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED ACCESS +

                                    'Only the appropriate users that the organization has provided Docker +Trusted Registry access to are able to view and interpret +vulnerability scan results.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'For each Docker image pushed to Docker Trusted Registry at a given +time, Docker Security Scaninng retains a list of vulnerabilities +detected. The DTR API can be queried to retrieve the vulnerability +scan results over a period of time for a given Docker image such that +the results can be compared per the requirements of this control.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Security Scanning maintains a historical bill-of-materials +(BOM) for all Docker images that are scanned. Results of previous +vulnerability scans can be reviewed and audited per the requirements +of this control.' +

                                    + service provider hybrid + complete +
                                    + + + DSS Documentation +

                                    + https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/ + + + + Docker Trusted Registry (DTR) +

                                    +

                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation for managing users and teams can +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-teams/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT +

                                    'One can control which users and teams can create and manipulate +Docker Trusted Registry resources. By default, no one can make changes +to the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + Docker EE system + complete +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + shared + complete +
                                    + + +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + service provider hybrid + complete +
                                    + + SEPARATION OF DUTIES +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Docker Trusted Registry resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + service provider hybrid + complete +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS +

                                    'One can control which users and teams can create and manipulate +Docker Trusted Registry resources and prevent non-privileged users +from executing privileged functions per the requirements of this +control. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation for the configuration of this +functionality can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/' +

                                    + Docker EE system + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    'To help the organization meet the requirements of this control, a +review of actions allowed by unauthenticated users can be performed +within Docker Trusted Registry.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS +

                                    'To help the organization meet the requirements of this control, +Docker Trusted Registry can be configured to allow/prohibit remote +access.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Docker Trusted Registry logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2. This is included at both the +HTTPS application layer for access to the DTR user interface and for +command-line based connections to the registry. In addition to this, +all communication to DTR is enforced by way of two-way mutual TLS +authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Docker Trusted Registry replicas is routed through +managed network access control points.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Built-in firewall technology in Docker Trusted Registry's underlying +operating system can be used to force the disconnection of remote +connections to the host. In addition, UCP slave nodes running Docker +Trusted Registry replicas can be paused or drained, which subsequently +stops sessions to the DTR replica.' +

                                    + service provider hybrid + configured by customer + complete +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Docker Trusted Registry.' +

                                    + service provider hybrid + complete +
                                    + + LIMITS ON AUTHORIZED USE +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Docker Trusted Registry.' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION SHARING +

                                    'To help the organization meet the requirements of this control, one +can validate the assigned roles and access levels within Docker +Trusted Registry to control information sharing.' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT EVENTS +

                                    'All of the event types indicated by this control are logged by a +combination of the backend ucp-controller service within Universal +Control Plane and the backend services that make up Docker Trusted +Registry. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/#dtr-internal-components +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/#ucp-internal-components' +

                                    + service provider corporate + Docker EE system + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Docker Trusted Registry generates all of the audit record information +indicated by this control. A sample audit event has been provided +below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to interpolate the information +defined by this control from the logged audit records. Additional +information can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to interpolate the information +defined by this control from the logged audit records. Additional +information can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to alert individuals in +the event of log processing failures. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to warn the organization +when the allocated log storage is full. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to warn the organization +when audit log failures occur. Additional information can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +organization can subsequently centrally review and analyze all of the +Docker EE audit records. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to facilitate the audit +reduction and report generation requirements of this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'The underlying operating system chosen to support Docker Trusted +Registry should be certified to ensure that logs are not altered +during generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared +
                                    + + AUTOMATIC PROCESSING +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to parse information by +organization-defined audit fields. Additional information can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS +

                                    'Docker Trusted Registry uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock compares itself with +an authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock synchronizes itself to +an authoritative time source as defined by part (a) of this control +any time the time difference exceeds that of the organization-defined +time period. This can be accomplished by utilizing the Network Time +Protocol (NTP). Refer to the operating system's instructions for doing +so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    'By default, Docker Trusted Registry is configured to use the +underlying logging capabilities of Docker Enterprise Edition. As such, +on the underlying Linux operating system, only root and sudo users and +users that have been added to the ''docker'' group have the ability to +access the logs generated by UCP backend service containers. In +addition, only UCP Administrator users can change the logging endpoint +of the system should it be decided that logs be sent to a remote +logging stack. In this case, the organization is responsible for +configuring the remote logging stack per the provisions of this +control.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +back up audit records per the schedule defined by this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +meet the encryption mechanisms required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + AUDIT RECORD RETENTION +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Docker Trusted +Registry resides as an Application on a Universal Control Plane +cluster, and as such, can be configured to send logs to a remote +logging stack. This logging stack can subsequently be configured to +retain logs for the duration required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider corporate + Docker EE system + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION +

                                    'All of the event types indicated by AU-2 a. are logged by a +combination of the backend services within Universal Control Plane and +Docker Trusted Registry. The underlying Linux operating system +supporting DTR can be configured to audit Docker-specific events with +the auditd daemon. Refer to the specific Linux distribution in use for +instructions on configuring this service. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/' +

                                    +

                                    'Using auditd on the Linux operating system supporting DTR, the +organization can configure audit rules to select which Docker-specific +events are to be audited. Refer to the specific Linux distribution in +use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and as such, can be configured to send logs to +a remote logging stack. This logging stack can subsequently be used to +compile audit records in to a system-wide audit trail that is +time-correlated per the requirements of this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and as such, can be configured to send logs to +a remote logging stack. This logging stack can subsequently be used to +meet the requirements of this control. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + +

                                    'Role-based access control can be configured within Docker Trusted +Registry to meet the requirements of this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Docker Content Trust is a capability provided by Docker Enterprise +Edition that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. All Docker Trusted +Registry Docker images are officially signed and verified by Docker, +Inc. + +When installing Docker Trusted Registry, you should enable Docker +Content Trust and subsequently pull the the signed DTR image tag. +Additional information can be found at teh following resources: + +- https://docs.docker.com/engine/security/trust/content_trust/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/user/manage-images/sign-images/manage-trusted-repositories/' +

                                    + service provide hybrid + shared + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +incorporate the use of an external configuration management system to +meet the requirements of this control. Docker Trusted Registry''s +configuration can also be backed up and stored an appropriate location +per the requirements of this control. Additional documenation can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/' +

                                    + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION +

                                    'The organization can define a list of allowed base Docker images and +make them available via Docker Trusted Registry. The organization can +also prevent users from being able to pull Docker images from +untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +define a list of allowed base Docker images and make them available +via Docker Trusted Registry. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +configure its systems to ensure that only approved Docker images are +stored in Docker Trusted Registry. This can be accomplished by using +Docker Content Trust to sign Docker images which can subsequently be +stored in Docker Trusted Registry.' +

                                    + service provider hybrid + shared + complete +
                                    + + USER-INSTALLED SOFTWARE +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +define a list of allowed base Docker images and make them available +via Docker Trusted Registry. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + +

                                    'The organization can define a list of allowed base Docker images and +make them available via Docker Trusted Registry to meet the +requirements of this contorl. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + TRANSACTION RECOVERY +

                                    'Docker Trusted Registry maintains its cluster state via an internal +key-value store. This, and other DTR transactions can be backed up and +recovered. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#DTR_Backup' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Docker Trusted +Registry requires individual users to be authenticated in order to +gain access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    'Docker Trusted Registry replicas reside on Universal Control Plane +worker nodes. In order for UCP worker nodes to join a Universal +Control Plane cluster, they must be identified and authenticated via a +worker token. Additional Docker Trusted Registry replicas can only be +added after a UCP administrator user has authenticated in to the UCP +cluster and when mutual TLS authentication between the UCP worker and +manager nodes has been established. Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/#step-7-join-replicas-to-the-cluster' +

                                    + Docker EE system + complete +
                                    + + PKI-BASED AUTHENTICATION +

                                    'Docker Trusted Registry includes a Docker volume which holds the root +key material for the DTR root CA that issues certificats. In addition +Universal Control Plane contains two, built-in root certificate +authorities. One CA is used for signing client bundles generated by +users. The other CA is used for TLS communication between UCP cluster +nodes. Should you choose to use certificates signed by an external CA, +in order to successfully authenticate in to the system, those +certificates must include a root CA public certificate, a service +certificate and any intermediate CA public certificates (in addition +to SANs for all addresses used to reach the UCP controller), and a +private key for the server. When adding DTR replicas, the UCP nodes on +which they're installed are authenticated to the cluster via the +appropriate built-in CA.' +

                                    +

                                    'Access to Docker Trusted Registry is only granted when a user has a +valid certificate bundle. This is enforced with the public/private key +pair included with the user's certificate bundle in Universal Control +Plane.' +

                                    +

                                    'Only after a client bundle has been generated or an existing public +key has been added for a particular user is that user able to execute +commands against Docker Trusted Registry. This bundle maps the +authenticated identity to that of the user's profile in Universal +Control Plane.' +

                                    +

                                    'When a client bundle has been generated or an existing public key has +been added for a particular Universal Control Plane user which +subsequently grants that user access to Docker Trusted Registry, it is +attached to that user''s Universal Control Plane profile. Bundles/keys +can be revoked by an Administrator or the user themselves. The +cluster''s internal certificates can also be revoked and updated. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/use-your-own-tls-certificates/' +

                                    + Docker EE system + complete +
                                    + + AUTHENTICATOR FEEDBACK +

                                    'Docker Trusted Registry obscures all feedback of authentication +information during the authentication process. This includes both +authentication via the web UI and the CLI.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION +

                                    'All access to Docker Trusted Registry is protected with Transport +Layer Security (TLS) 1.2 with the AES-GCM cipher. This includes both +SSH access to the individual UCP nodes and CLI-/web-based access to +the UCP management functions with mutual TLS and HTTPS respectively.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) +

                                    'Users managed by Docker Trusted Registry can be grouped per the +requirements of the organization and as defined by this control. This +can include groupings for non-organizational users.' +

                                    + Docker EE system + complete +
                                    + + UPDATE TOOL CAPABILITY +

                                    'The Docker Security Scanning tool allows for the scanning of Docker +images in Docker Trusted Registry against the Common Vulnerabilities +and Exposures (CVE) dictionary.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The Docker Security Scanning tool allows for the scanning of Docker +images in Docker Trusted Registry against the Common Vulnerabilities +and Exposures (CVE).' dictionary. +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Content Trust gives you the ability to verify both the +integrity and the publisher of all the data received from a Docker +Trusted Registry over any channel. It allows operations with a remote +DTR instance to enforce client-side signing and verification of image +tags. It provides for the ability to use digital signatures for data +sent to and receive from remote DTR instances. These signatures allow +client-side verification of the integrity and publisher of specific +image tags. Docker Trusted Registry includes an integrated imaging +signing service.' +

                                    + service provider hybrid + complete +
                                    + + APPLICATION PARTITIONING +

                                    'Docker Trusted Registry is made up of a number of backend services +that provide for both user functionality (including user interface +services) and system management functionality. Each of these services +operates independently of one another. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Docker_Trusted_Registry' +

                                    + Docker EE system + complete +
                                    + + SESSION AUTHENTICITY +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the DTR +user interface and for command-line based connections to the registry. +In addition to this, all communication to DTR is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the DTR +user interface and for command-line based connections to the registry. +In addition to this, all communication to DTR is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING +

                                    'All error messages generated via the configured logging mechanism of +Docker Trusted Registry are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + + Docker Trusted Registry Documentation +

                                    + https://docs.docker.com/datacenter/dtr/2.3/guides/ + + + + Docker Enterprise Edition Engine +

                                    +

                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition can be configured to aggregate +container and daemon events via a number of logging drivers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/view_container_logs/ +- https://docs.docker.com/engine/admin/logging/overview/ +- https://docs.docker.com/engine/admin/logging/log_tags/' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    'Docker Enterprise Edition can be configured to control the flow of +information that originates from applications running in containers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured to control the flow of +information that originates from applications running in containers +per organization-defined security policy filters. Supporting +documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks + +There are also third-party behavioral activity monitoring tools (e.g. +Sysdig Falco <http://www.sysdig.org/falco/>) that can be used +alongside Docker Enterprise Edition to satisfy this control''s +requirements.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured to separate the flow of +information that originates from applications running in containers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks' +

                                    + service provider hybrid + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    'To help the organization meet the requirements of this control, one +can restrict membership to the 'docker' group on underlying Linux +hosts or the local "Administrators" group (and any other groups +defined within 'daemon.json') on underlying Windows Server 2016 hosts +to only authorized users.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS +

                                    'To help the organization meet the requirements of this control, +Docker Enterprise Edition can be configured to allow/prohibit remote +access to the Engine.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Docker Enterprise Edition logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2. In addition to this, all +communication to Docker Enterprise Edition is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Docker Enterprise Edition is routed through managed +network access control points.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Built-in firewall technology in Docker Enterprise Edition's +underlying operating system can be used to force the disconnection of +remote connections to the host. In addition, Docker Enterprise Edition +provides the option to pause or drain a node in the cluster, which +subsequently stops and/or removes sessions to the node. Individual +services and/or applications running on Docker Enterprise Edition can +also be stopped and/or removed.' +

                                    + service provider hybrid + configured by customer + complete +
                                    + + AUDIT EVENTS +

                                    'Both Universal Control Plane and Docker Trusted Registry backend +service containers, all of which reside on Docker Enterprise Edition, +log all of the event types indicated by this control (as explained by +their component narratives). These and other application containers +that reside on Docker Enterprise Edition can be configured to log data +via an appropriate Docker logging driver. Instructions for configuring +logging drivers can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Both Universal Control Plane and Docker Trusted Registry are +pre-configured to take advantage of Docker Enterprise Edition''s +built-in logging mechanisms. A sample audit event recorded by Docker +Enterprise Edition has been provided below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"} + +Additional documentation can be referenced at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to interpolate the information defined +by this control from the logged audit records. Additional +documentation can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to interpolate the information defined +by this control from the logged audit records. Additional +documentation can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can be used to interpolate the information defined by this +control and also be configured to alert on any audit processing +failures. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be configured to warn the organization when the +allocated log storage is full. Additional information can be found at +the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The +logging stack can subsequently be configured to warn the organization +when audit log failures occur. Additional information can be found at +the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The +organization can subsequently centrally review and analyze all of the +Docker EE audit records. Additional information can be found at the +following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to facilitate the audit reduction and +report generation requirements of this control. Additional information +can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    +

                                    'The underlying operating system chosen to support Docker Enterprise +Edition should be certified to ensure that logs are not altered during +generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared + complete +
                                    + + AUTOMATIC PROCESSING +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be configured to parse information by +organization-defined audit fields. Additional information can be found +at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS +

                                    'Docker Enterprise Edition uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Docker Enterprise Edition +runs should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    'The underlying operating system on which Docker Enterprise Edition runs should +be configured such that its system clock compares itself with an +authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Docker Enterprise Edition +runs should be configured such that its system clock synchronizes +itself to an authoritative time source as defined by part (a) of this +control any time the time difference exceeds that of the +organization-defined time period. This can be accomplished by +utilizing the Network Time Protocol (NTP). Refer to the operating +system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    'On the underlying Linux operating system supporting Docker Enterprise +Edition, only root and sudo users and users that have been added to +the "docker" group have the ability to access the logs generated by +UCP backend service containers. Should the organization decide to +configure Docker Enterprise Edition to use a logging driver other than +the default json-file driver, the organization is subsequently +responsible for configuring the chosen logging stack per the +provisions of this control. In addition, for Linux operating systems +supporting Docker Enterprise Edition that use the systemd daemon, it +is imperative that the Journal is secured per the requirements of this +control. The same applies for Linux operating systems supporting +Docker Enterprise Edition that instead use upstart. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured to use a logging driver +that can subsequently meet the backup requirements of this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured to use a logging driver +that can subsequently meet the encryption mechanisms required by this +control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition includes functionality known as Docker +Content Trust which allows one to cryptographically sign Docker +images. It enforces client-side signing and verification of image tags +and provides the ability to use digital signatures for data sent to +and received from Docker Trusted Registry. This ultimately provides +one with the ability to verify both the integrity and the publisher of +all data received from DTR over any channel. With Docker Content +Trust, an organization can enforce signature verification of all +content and prohibit unsigned and unapproved content from being +manipulated; thus supproting the non-repudiation requirements of this +control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/security/trust/content_trust/' +

                                    + Docker EE system + complete +
                                    + + AUDIT RECORD RETENTION +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Docker Enterprise +Edition can be configured to use a logging driver that stores data in +a location for the duration specified by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION +

                                    'Both Universal Control Plane and Docker Trusted Registry backend +service containers, all of which reside on Docker Enterprise Edition, +log all of the event types indicated by this AU-2 a. These and other +application containers that reside on Docker Enterprise Edition can be +configured to log data via an appropriate Docker logging driver. The +underlying Linux operating system supporting Docker Enterprise Edition +can be configured to audit Docker-specific events with the auditd +daemon. Refer to the specific Linux distribution in use for +instructions on configuring this service. Additional information can +be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    +

                                    'Using auditd on the Linux operating system supporting CS Docker +Engine, the organization can configure audit rules to select which +Docker-specific events are to be audited. Refer to the specific Linux +distribution in use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. This +logging stack can subsequently be used to compile audit records in to +a system-wide audit trail that is time-correlated per the requirements +of this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. This +logging stack can subsequently be used to meet the requirements of +this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONFIGURATION MANAGEMENT POLICY AND PROCEDURES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configuration management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + BASELINE CONFIGURATION +

                                    'The CIS Docker Benchmark can be used as a baseline for securing Docker +Enterprise Edition and for helping the organization meet the +configuration management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + REVIEWS AND UPDATES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. CIS regularly +updates their benchmark to reflect the latest updates in the stable +release of Docker Engine. Various configuration management tools such +as Inspec (http://inspec.io/) can be used to audit Docker Enterprise +Edition system configuration to ensure that the secure baseline +configurations have been applied in an automated fashion. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + RETENTION OF PREVIOUS CONFIGURATIONS +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. CIS regularly +updates their benchmark to reflect the latest updates in the stable +release of Docker Engine. Various configuration management tools such +as Inspec (http://inspec.io/) can be used to audit Docker Enterprise +Edition system configuration to ensure that the secure baseline +configurations have been applied in an automated fashion and can be +rolled back as required by this control. Additional information can be +found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + CONFIGURATION CHANGE CONTROL +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Additional information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Various configuration management tools such as Inspec +(http://inspec.io/) can be used to audit Docker Enterprise Edition +system configuration to ensure that the secure baseline configurations +have been applied in an automated fashion. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + TEST / VALIDATE / DOCUMENT CHANGES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Various configuration management tools such as Inspec +(http://inspec.io/) can be used to audit Docker Enterprise Edition +system configuration to ensure that the secure baseline configurations +have been applied in an automated fashion. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +cryptography management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +system change requirements of this control. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Before installing Docker Enterprise Edition, ensure that your +supporting Linux operating system''s packager manager supports package +signature verification and that it is enabled. It is also required +that you import the Docker public key for EE packages so as to +retrieve the validated and signed package from Docker, Inc. Refer to +your Linux OS documentation for instructions on completing the above +steps. + +In addition, Docker Content Trust is a capability provided by Docker +Engine that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. When enabling Docker +Content Trust in Docker Enterprise Edition you can enforce the use of +signed Docker images. Additional information can be found at the +following resources: + +- https://docs.docker.com/engine/security/trust/content_trust/' +

                                    + service provide hybrid + shared + complete +
                                    + + +

                                    'The organization can incorporate the use of an external configuration +management system to meet the requirements of this control.' +

                                    + service provider hybrid + complete +
                                    + + LEAST FUNCTIONALITY +

                                    'To help the organization meet the requirements of this control, the +latest CIS Docker Benchmark can be used as a secure configuration +baseline. Additional information can be found at the following +resources: + +- https://www.cisecurity.org/benchmark/docker/' +

                                    + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION +

                                    'In order to restrict which Docker images can be used to deploy +applications to Docker Enterprise Edition, the organization can define +a list of allowed base Docker images and make them available via +Docker Trusted Registry. The organization can also prevent users from +being able to pull Docker images from untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements and in order to restrict +which Docker images can be used to deploy applications to Docker EE +Engine, the organization must define a list of allowed base Docker +images and make them available via Docker Trusted Registry. The +organization must also prevent users from being able to pull Docker +images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + CONFIGURATION MANAGEMENT PLAN +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configuration management plan requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    'In order for other Docker EE engine nodes to be able to join a +cluster managed by Universal Control Plane, they must be identified +and authenticated via either a manager or worker token. Use of the +token includes trust on first use mutual TLS.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Docker Content Trust gives you the ability to verify both the +integrity and the publisher of all the data received from a Docker +Trusted Registry over any channel. It allows operations with a remote +DTR instance to enforce client-side signing and verification of image +tags. It provides for the ability to use digital signatures for data +sent to and receive from remote DTR instances. These signatures allow +client-side verification of the integrity and publisher of specific +image tags.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition is designed to run application containers +whose content can be completely isolated/segregated from other +application containers within the same node/cluster. This is +accomplished by way of Linux kernel primitives and various security +profiles that can be applied to the underlying host OS. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/security/security/ +- https://docs.docker.com/engine/userguide/networking/overlay-security-model/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Engine_and_Node_Security' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's documentation to ensure it is configured in FIPS mode.' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's documentation to ensure it is configured in FIPS mode.' +

                                    + service provider hybrid + complete +
                                    + + SESSION AUTHENTICITY +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to and between Docker Enterprise +Editions is enforced by way of two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF INFORMATION AT REST +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to/from and between Docker +Enterprise Edition nodes is enforced by way of two-way mutual TLS +authentication. All Swarm Mode manager nodes in a Docker Enterprise +Edition cluster store state metadata and user secrets encrypted at +rest using the AES GCM cipher.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to and between Docker Enterprise +Editions is enforced by way of two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + AUTOMATIC UPDATES +

                                    'Docker Enterprise Edition packages for supported underlying operating +systems can only be obtained from Docker, Inc. The Docker EE +repositories from which Docker EE packages are obtained are protected +with official GPG keys. Each Docker package is also validated with a +signature definition.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING +

                                    'All error messages generated via the logging mechanisms of the Docker +Enterprise Edition engine are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + MEMORY PROTECTION +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's security documentation for information regarding the +protection of memory from unauthorized code execution.' +

                                    + service provider hybrid + complete +
                                    + + + Docker Enterprise Edition Engine Installation Documentation +

                                    + https://docs.docker.com/engine/installation/ + + + + Docker Engine Release Notes +

                                    + https://docs.docker.com/release-notes/ + + + + Configuring and Running Docker on Various Distributions +

                                    + https://docs.docker.com/engine/admin/ + + + + Docker Engine Security +

                                    + https://docs.docker.com/engine/security/security/ + + + + Securing Docker Datacenter and Security Best Practices +

                                    + https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices + + + + Identification and Authentication Policy for [Agency_Here] +

                                    +

                                    + + IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LOCAL ACCESS TO PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOTE ACCESS - SEPARATE DEVICE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF PIV CREDENTIALS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFIER MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHENTICATOR MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PASSWORD-BASED AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PKI-BASED AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + HARDWARE TOKEN-BASED AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF THIRD-PARTY CREDENTIALS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF FICAM-APPROVED PRODUCTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF FICAM-ISSUED PROFILES +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Incident Response for [Agency_Here] +

                                    +

                                    + + INCIDENT RESPONSE POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + INCIDENT RESPONSE TRAINING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE TESTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATION WITH RELATED PLANS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT HANDLING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED INCIDENT HANDLING PROCESSES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT MONITORING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT REPORTING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED REPORTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE ASSISTANCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE PLAN +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System Maintenance Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM MAINTENANCE POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + CONTROLLED MAINTENANCE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MAINTENANCE TOOLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSPECT TOOLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSPECT MEDIA +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NONLOCAL MAINTENANCE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DOCUMENT NONLOCAL MAINTENANCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MAINTENANCE PERSONNEL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TIMELY MAINTENANCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Media Protection Policy for [Agency_Here] +

                                    +

                                    + + MEDIA PROTECTION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + MEDIA ACCESS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA MARKING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA STORAGE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA TRANSPORT +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA SANITIZATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA USE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROHIBIT USE WITHOUT OWNER +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Physical and Environmental Protection Policy for [Agency_Here] +

                                    +

                                    + + PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + PHYSICAL ACCESS AUTHORIZATIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PHYSICAL ACCESS CONTROL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR TRANSMISSION MEDIUM +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR OUTPUT DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MONITORING PHYSICAL ACCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTRUSION ALARMS / SURVEILLANCE EQUIPMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + VISITOR ACCESS RECORDS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + POWER EQUIPMENT AND CABLING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY SHUTOFF +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY POWER +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY LIGHTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FIRE PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC FIRE SUPPRESSION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TEMPERATURE AND HUMIDITY CONTROLS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + WATER DAMAGE PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DELIVERY AND REMOVAL +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE WORK SITE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Planning Policy for [Agency_Here] +

                                    +

                                    + + SECURITY PLANNING POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + INFORMATION SECURITY ARCHITECTURE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Personnel Security Policy for [Agency_Here] +

                                    +

                                    + + PERSONNEL SECURITY POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + POSITION RISK DESIGNATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL SCREENING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL TERMINATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL TRANSFER +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS AGREEMENTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + THIRD-PARTY PERSONNEL SECURITY +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL SANCTIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Risk Assessment Policy for [Agency_Here] +

                                    +

                                    + + RISK ASSESSMENT POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    + none + + + VULNERABILITY SCANNING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System and Services Acquisition Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + ALLOCATION OF RESOURCES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM DEVELOPMENT LIFE CYCLE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACQUISITION PROCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FUNCTIONAL PROPERTIES OF SECURITY CONTROLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF APPROVED PIV PRODUCTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM DOCUMENTATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ENGINEERING PRINCIPLES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXTERNAL INFORMATION SYSTEM SERVICES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DEVELOPER CONFIGURATION MANAGEMENT +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +
                                    + + DEVELOPER SECURITY TESTING AND EVALUATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +
                                    + + +

                                    [Agency's control implementation here] +

                                    +
                                    + + +

                                    [Agency's control implementation here] +

                                    +
                                    + + +

                                    [Agency's control implementation here] +

                                    +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System and Communications Protection Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + APPLICATION PARTITIONING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION IN SHARED RESOURCES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DENIAL OF SERVICE PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + BOUNDARY PROTECTION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS POINTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXTERNAL TELECOMMUNICATIONS SERVICES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DENY BY DEFAULT / ALLOW BY EXCEPTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PREVENT SPLIT TUNNELING FOR REMOTE DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TRANSMISSION CONFIDENTIALITY AND INTEGRITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK DISCONNECT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COLLABORATIVE COMPUTING DEVICES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PUBLIC KEY INFRASTRUCTURE CERTIFICATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MOBILE CODE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + VOICE OVER INTERNET PROTOCOL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION AUTHENTICITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROTECTION OF INFORMATION AT REST +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROCESS ISOLATION +

                                    [Agency's control implementation here] +

                                    + complete +
                                    +
                                    + + System and Information Integrity Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    + none + + + FLAW REMEDIATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED FLAW REMEDIATION STATUS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MALICIOUS CODE PROTECTION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CENTRAL MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC UPDATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM MONITORING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED TOOLS FOR REAL-TIME ANALYSIS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM-GENERATED ALERTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ALERTS, ADVISORIES, AND DIRECTIVES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTEGRITY CHECKS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTEGRATION OF DETECTION AND RESPONSE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SPAM PROTECTION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CENTRAL MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC UPDATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION INPUT VALIDATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ERROR HANDLING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION HANDLING AND RETENTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEMORY PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Universal Control Plane (UCP) +

                                    +

                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation for managing users and teams can +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-teams/' +

                                    + service provider hybrid + complete + + + +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, Universal Control Plane can be configured to send system +account log data to a remote logging service such as an Elasticsearch, +Logstash and Kibana (ELK) stack. Supporting documentation can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-node-messages/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-configurations/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-task-state/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT +

                                    'One can control which users and teams can create and manipulate +Universal Control Plane resources. By default, no one can make changes +to the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/deploy-view-only-service/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/grant-permissions/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-nodes-between-teams/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-volumes-between-teams/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/manage-access-with-collections/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/access-control-node/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + shared + complete +
                                    + + SEPARATION OF DUTIES +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + LEAST PRIVILEGE +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources and employ principles of +least privilege. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + AUTHORIZE ACCESS TO SECURITY FUNCTIONS +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources and explicitly authorize +access as necessary. By default, no one can make changes to the +cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources, including Docker +networking components. By default, no one can make changes to the +cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED ACCOUNTS +

                                    'To assist the organization in meeting the requirements of this +control, one can restrict privileged accounts within Universal Control +Plane to custom-defined roles. By default, no one can make changes to +the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, one can review all implemented grants, accounts and roles +within Universal Control Plane and reassign/revoke privileges as +necessary. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Universal Control Plane users can be assigned to one of a number of +different permission levels. The permission level assigned to a +specific user determines that user''s ability to execute certain +Docker functions within UCP. Only users mapped to either the "Full +Control" or "Admin" roles can execute Docker commands without any +restrictions. Users mapped to either the "View Only" or "No Access" +roles cannot execute any Docker commands. Users assigned to the +"Restricted Control" role can only run Docker commands under their own +purview and cannot see other users UCP resources nor run commands that +required privileged access to the host. Furthermore, custom roles can +be created for fine-grained access to specific UCP resources and +functionality. Additional documentation regarding the various +permission levels within UCP can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS +

                                    'One can control which users and teams can create and manipulate +Universal Control Plane resources and prevent non-privileged users +from executing privileged functions per the requirements of this +control. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation for the configuration of this +functionality can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Universal Control Plane includes a logout capability that allows a +user to terminate his/her current session.' +

                                    + Docker EE system + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    'To help the organization meet the requirements of this control, a +review of actions allowed by unauthenticated users can be performed +within Universal Control Plane.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane can be configured to allow/prohibit remote +access.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Universal Control Plane logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2. This is included at both the +HTTPS application layer for access to the UCP user interface and for +command-line based connections to the cluster. In addition to this, +all communication to UCP is enforced by way of two-way mutual TLS +authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Universal Control Plane managers and worker nodes is +routed through managed network access control points.' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED COMMANDS / ACCESS +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane can be configured to authorize certain +privileged functions via remote access.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Built-in firewall technology in Universal Control Plane's underlying +operating system can be used to force the disconnection of remote +connections to the host. In addition, UCP provides the option to pause +or drain a node in the cluster, which subsequently stops and/or +removes sessions to the node. Individual services and/or applications +running on a UCP cluster can also be stopped and/or removed.' +

                                    + service provider hybrid + configured by customer + complete + partial +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Universal Control +Plane.' +

                                    + service provider hybrid + complete +
                                    + + LIMITS ON AUTHORIZED USE +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Universal Control +Plane.' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION SHARING +

                                    'To help the organization meet the requirements of this control, one +can validate the assigned roles and access levels within Universal +Control Plane to control information sharing.' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT EVENTS +

                                    'All of the event types indicated by this control are logged by the +backend ucp-controller service within Universal Control Plane. In +addition, each container created on a Universal Control Plane cluster +logs event data. Supporting documentation for configuring UCP logging +can be referenced at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Universal Control Plane generates all of the audit record information +indicated by this control. A sample audit event has been provided +below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +interpolate the information defined by this control from the logged +audit records. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +interpolate the information defined by this control from the logged +audit records. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +alert individuals in the event of log processing failures. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider system specific + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +warn the organization when the allocated log storage is full. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +warn the organization when audit log failures occur. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The organization can subsequently centrally review and +analyze all of the Docker EE audit records. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +facilitate the audit reduction and report generation requirements of +this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'The underlying operating system chosen to support Universal Control +Plane should be certified to ensure that logs are not altered during +generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared + complete +
                                    + + AUTOMATIC PROCESSING +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +parse information by organization-defined audit fields. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS +

                                    'Universal Control Plane uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock compares itself with +an authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock synchronizes itself to +an authoritative time source as defined by part (a) of this control +any time the time difference exceeds that of the organization-defined +time period. This can be accomplished by utilizing the Network Time +Protocol (NTP). Refer to the operating system's instructions for doing +so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    'By default, Universal Control Plane is configured to use the +underlying logging capabilities of Docker Enterprise Edition. As such, +on the underlying Linux operating system, only root and sudo users and +users that have been added to the 'docker' group have the ability to +access the logs generated by UCP backend service containers. In +addition, only UCP Administrator users can change the logging endpoint +of the system should it be decided that logs be sent to a remote +logging stack. In this case, the organization is responsible for +configuring the remote logging stack per the provisions of this +control.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +back up audit records per the schedule defined by this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +meet the encryption mechanisms required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + AUDIT RECORD RETENTION +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Universal Control +Plane can be configured to send logs to a remote logging stack. This +logging stack can subsequently be configured retain logs for the +duration required by this control. Additional information can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION +

                                    'All of the event types indicated by AU-2 a. are logged by the backend +ucp-controller service within Universal Control Plane. In addition, +each container created on a Universal Control Plane cluster logs event +data. The underlying Linux operating system supporting UCP can be +configured to audit Docker-specific events with the auditd daemon. +Refer to the specific Linux distribution in use for instructions on +configuring this service. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'Using auditd on the Linux operating system supporting UCP, the +organization can configure audit rules to select which Docker-specific +events are to be audited. Refer to the specific Linux distribution in +use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. This logging stack can subsequently be used to compile +audit records in to a system-wide audit trail that is time-correlated +per the requirements of this control. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. This logging stack can subsequently be used to meet the +requirements of this control. Additional information can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + +

                                    'Role-based access control can be configured within Universal Control +Plane to meet the requirements of this control. Additional information +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Docker Content Trust is a capability provided by Docker Enterprise +Edition that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. All Universal Control +Plane Docker images are officially signed and verified by Docker, Inc. + +When configuring Universal Control Plane, you should enforce +applications to only use Docker images signed by trusted UCP users +within your organization. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provide hybrid + shared + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +incorporate the use of an external configuration management system to +meet the requirements of this control. Universal Control Plane''s +configuration can also be managed, backed up and stored in another +location per the requirements of this control. Additional documentation +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/ucp-configuration-file/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/' +

                                    + service provider hybrid + complete +
                                    + + PERIODIC REVIEW +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane includes a robust access control model to +disable any functionality as mandated by this control.' +

                                    + service provider corporate + Docker EE system + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION +

                                    'In order to restrict which Docker images can be used to deploy +applications to Universal Control Plane, the organization can define a +list of allowed base Docker images and make them available via Docker +Trusted Registry. The organization can also prevent users from being +able to pull Docker images from untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements and in order to restrict +which Docker images can be used to deploy applications to Universal +Control Plane, the organization must define a list of allowed base +Docker images and make them available via Docker Trusted Registry. The +organization must also prevent users from being able to pull Docker +images from untrusted sources.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +configure its systems to ensure that only approved Docker images +stored in Docker Trusted Registry can be run on Universal Control +Plane. This can be accomplished by using Docker Content Trust to sign +Docker images, and configure UCP to enforce only signed images from +specific Teams at runtime. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provider hybrid + shared + complete +
                                    + + TRANSACTION RECOVERY +

                                    'Universal Control Plane maintains its cluster state via an internal +key-value store. This, and other UCP transactions can be backed up and +recovered. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#UCP_Backup' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Universal Control +Plane requires individual users to be authenticated in order to gain +access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    'In order for nodes to join a Universal Control Plane cluster, they +must be identified and authenticated via either a manager or worker +token. Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/scale-your-cluster/' +

                                    + Docker EE system + complete +
                                    + + PKI-BASED AUTHENTICATION +

                                    'Universal Control Plane contains two, built-in root certificate +authorities. One CA is used for signing client bundles generated by +users. The other CA is used for TLS communication between UCP cluster +nodes. Should you choose to use certificates signed by an external CA, +in order to successfully authenticate in to the system, those +certificates must include a root CA public certificate, a service +certificate and any intermediate CA public certificates (in addition +to SANs for all addresses used to reach the UCP controller), and a +private key for the server.' +

                                    +

                                    'Access to a Universal Control Plane cluster is only granted when a +user has a valid certificate bundle. This is enforced with the +public/private key pair included with the user's certificate bundle.' +

                                    +

                                    'Only after a client bundle has been generated or an existing public +key has been added for a particular user is that user able to execute +commands against the Universal Control Plane cluster. This bundle maps +the authenticated identity to that of the user.' +

                                    +

                                    'When a client bundle has been generated or an existing public key has +been added for a particular Universal Control Plane user, it is +attached to that user''s profile. Bundles/keys can be revoked by an +Administrator or the user themselves. The cluster''s internal +certificates can also be revoked and updated. Additional information +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/' +

                                    + Docker EE system + complete +
                                    + + AUTHENTICATOR FEEDBACK +

                                    'Universal Control Plane obscures all feedback of authentication +information during the authentication process. This includes both +authentication via the web UI and the CLI.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION +

                                    'All access to Universal Control Plane is protected with Transport +Layer Security (TLS) 1.2 with the AES GCM cipher. This includes both +SSH access to the individual UCP nodes and CLI-/web-based access to +the UCP management functions with mutual TLS and HTTPS respectively.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) +

                                    'Users managed by Universal Control Plane can be grouped per the +requirements of the organization and as defined by this control. This +can include groupings for non-organizational users.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, Docker Content Trust gives +you the ability to verify both the integrity and the publisher of all +the data received from a Docker Trusted Registry over any channel. It +allows operations with a remote DTR instance to enforce client-side +signing and verification of image tags. It provides for the ability to +use digital signatures for data sent to and receive from remote DTR +instances. These signatures allow client-side verification of the +integrity and publisher of specific image tags. Universal Control +Plane can be configured to only run trusted and signed images. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provider hybrid + complete +
                                    + + APPLICATION PARTITIONING +

                                    'Universal Control Plane is made up of a number of backend services +that provide for both user functionality (including user interface +services) and system management functionality. Each of these services +operates independently of one another. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Universal_Control_Plane' +

                                    + Docker EE system + complete +
                                    + + SESSION AUTHENTICITY +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the UCP +user interface and for command-line based connections to the cluster. +In addition to this, all communication to UCP is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the UCP +user interface and for command-line based connections to the cluster. +In addition to this, all communication to UCP is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING +

                                    'All error messages generated via the configured logging mechanism of +Universal Control Plane are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + + UCP Documentation +

                                    + https://docs.docker.com/datacenter/ucp/2.2/guides/ + + + + Authentication and Authorization Service (eNZi) +

                                    +

                                    + + ACCESS CONTROL POLICY AND PROCEDURES +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams are allowed to create +and manipulate Docker Enterprise Edition resources. By default, no one +can make changes to the cluster. Permissions can be granted and +managed to enforce fine-grained access control. Supporting +documentation can found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/' +

                                    + service provider hybrid + complete +
                                    + + ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, an external identity management system (such as Microsoft''s +Active Directory or an LDAP endpoint) can be configured as mandated by +this control and can be integrated with Docker Enterprise Edition. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, an external identity management system (such as Microsoft''s +Active Directory or an LDAP endpoint) can be configured as mandated by +this control and can be integrated with Docker Enterprise Edition. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS +

                                    'Using Docker Enterprise Edition''s LDAP integration capabilities, one +can disable and/or remove temporary and emergency accounts in a +connected directory service (such as Active Directory) after an +organization-defined time period. When a user is removed from LDAP, +that user becomes inactive after the LDAP synchronization runs. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + DISABLE INACTIVE ACCOUNTS +

                                    'Using Docker Enterprise Edition''s LDAP integration capabilities, one +can automatically disable inactive accounts in a connected directory +service (such as Active Directory). When a user is removed from LDAP, +that user becomes inactive after the LDAP synchronization runs. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED AUDIT ACTIONS +

                                    'Docker Enterprise Edition logs various authentication and +authorization events to standard log files. One can configure Docker +Enterprise Edition to direct these event logs to a remote logging +service such as an Elasticsearch, Logstash and Kibana (ELK) stack and +subsequently alert on specific event types. When integrating Docker +Enterprise Edition with LDAP, one can refer the the directory +service''s logging mechanisms for auditing the events defined by this +control. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition can be configured to enforce automated +session termination of users after an organization-defined time period +of inactivity. By default, the initial lifetime of a user''s session +is set to 72 hours and the renewal session for a user''s session is +set to 24 hours. These values can both be changed in the "Auth" +section of the "Admin Settings" in Universal Control Plane.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition supports various levels of user +permissions and role-based access control enforcements. Administrator +users have permissions to: manage other Docker Enterprise Edition +users, manage Docker Trusted Registry repositories and settings, and +manage the Universal Control Plane and underlying Docker Swarm Mode +cluster. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, users and/or groups synchronized to Docker Enterprise Edition +via LDAP can be configured at the directory service.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Users and/or groups synchronized to Docker Enterprise Edition via +LDAP can be configured at the directory service to ensure shared/group +account credentials are terminated when members leave the group.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Information system accounts synchronized to Docker Enterprise Edition +via LDAP can be configured at the directory service to meet this +requirement as necessary.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, when Docker Enterprise Edition is configured for LDAP +integration, one can refer to the directory service''s existing +monitoring tools.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, users and/or groups synchronized to Docker Enterprise Edition +via LDAP can be managed at the directory service and disabled if +posing a significant risk.' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT +

                                    'One can control which users and teams can create and manipulate +Docker Enterprise Edition resources. By default, no one can make +changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. The eNZi component facilitates +authorizations as dictated by the system''s administrators. Supporting +documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/' +

                                    + Docker EE system + complete +
                                    + + AUDITING USE OF PRIVILEGED FUNCTIONS +

                                    'Docker Enterprise Edition logs privileged user events to standard log +files. One can configure Docker Enterprise Edition to direct these +event logs to a remote logging service such as an Elasticsearch, +Logstash and Kibana (ELK) stack and subsequently alert on specific +event types. When integrating Docker Enterprise Edition with LDAP, one +can refer the the directory service''s logging mechanisms for auditing +the events defined by this control. Supporting documentation regarding +logging and monitoring can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + complete +
                                    + + UNSUCCESSFUL LOGON ATTEMPTS +

                                    'When Docker Enterprise Edition is integrated to a directory service +via LDAP, one can reference the functionality of the directory service +to configure the enforcement of a limit to the number of conesecutive +invalid logon attempts by a user during a specified time period.' +

                                    +

                                    'When Docker Enterprise Edition is integrated to a directory service +via LDAP, one can reference the functionality of the directory service +to configure he ability to automatically lock/disable an account for a +specified period of time after a consecutive invalid logon attempt +limit is reached.' +

                                    + service provider hybrid + complete +
                                    + + SYSTEM USE NOTIFICATION +

                                    'The feature required to satisfy the requirements of this control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    +

                                    'The feature required to satisfy the requirements of this control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    +

                                    'The feature required to satisfy control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    + Docker EE system + planned +
                                    + + +

                                    'Docker Enterprise Edition can be configured to limit the number of +concurrent sessions for each account. These options can be found +within the Universal Control Plane Admin Settings under the +"Authentication & Authorization" section. ' +

                                    + Docker EE system + complete +
                                    + + SESSION LOCK +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours).' +

                                    + Docker EE system + complete +
                                    + + PATTERN-HIDING DISPLAYS +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours). Upon the expiration of the configured session thresholds, a +user will be locked out of his/her session per the requirements of +this controls.' +

                                    + Docker EE system + complete +
                                    + + SESSION TERMINATION +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours). Upon the expiration of the configured session thresholds, a +user will be locked out of his/her session.' +

                                    + Docker EE system + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Docker Enterprise Edition logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Docker Enterprise Edition generates all of the audit record +information indicated by this control. A sample audit event has been +provided below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) +

                                    'Docker Enterprise Edition can be configured to identify and +authenticate users via it''s integrated support for LDAP. Users and +groups managed within the organization''s LDAP directory service (e.g. +Active Directory) can be synchronized to UCP and DTR on a regular +interval. When a user is removed from the LDAP-backed directory, that +user becomes inactive within UCP and DTR. In addition, UCP and DTR +teams can be mapped to groups synchronized via LDAP. When a user is +added/removed to/from the LDAP group, that same user is automatically +added/removed to/from the UCP and DTR team. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Docker Enterprise +Edition requires individual users to be authenticated in order to gain +access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT +

                                    'Docker Enterprise Edition integrates with LDAP for authenticating +users to an external directory service. You should configure your +external directory service for ensuring that you are protected against +replay attacks.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Docker Enterprise Edition integrates with LDAP for authenticating +users to an external directory service. You should configure your +external directory service for ensuring that you are protected against +replay attacks.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFIER MANAGEMENT +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to uniquely identify each individual according to +the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + AUTHENTICATOR MANAGEMENT +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to establish initial authenticator content according +to the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to enforce strength requirements for authenticators +according to the requirements of this control. Refer to your directory +service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to distribute, redistribute, and revoke +authenticators according to the requirements of this control. Refer to +your directory service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to change default authenticator content according to +the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to set minimum and maximum lifetime restrictions and +reuse conditions for authenticators according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to refresh authenticators at a regular cadence +according to the requirements of this control. Refer to your directory +service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to protect authenticator content from unauthorized +disclosure or modification according to the requirements of this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to implement specific security safeguards to protect +authentications according to the requirements of this control. Refer +to your directory service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to change authenticators for group or role accounts +when membership to those groups or roles changes according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + PASSWORD-BASED AUTHENTICATION +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce minimum password +complexity requirements. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the requirement to +change at least one character when changing passwords according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to store and transmit +cryptographically protected passwords according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the required minimum and +maximum lifetime restrictions according to the requirements of this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the required number of +generations before password reuse according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the requirement to +change initial/temporary passwords upon first login according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + PKI-BASED AUTHENTICATION +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system validates the certificates per the +requirements of this control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system enforces authorized access to the +corresponding private key per the requirements of this control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system maps the authenticated identity to the +account of the individual or group per the requirements of this +control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, it is up to the underlying operating system +hosting Docker Enterprise Edition to ensure that it implements a local +cache of revocation data per the requirements of this control.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP can be +configured with automation to ensure that password authenticators meet +strength requirements as defined by this control. Refer to your +directory service's documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to protect authenticators as required by this +control. Refer to your directory service's documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + ACCEPTANCE OF THIRD-PARTY CREDENTIALS +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to meet the FICAM requirements as +indicated by this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + USE OF FICAM-APPROVED PRODUCTS +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to meet the FICAM requirements as indicated by this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + USE OF FICAM-ISSUED PROFILES +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to meet the FICAM requirements as indicated by this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition invalidates session identifiers upon user +logout per the requirements of this control.' +

                                    + Docker EE system + complete +
                                    + + + UCP Documentation +

                                    + https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management + + + + + + + + RA-5(2) + "FedRAMP requirement: prior to a new scan" + + + + RA-5(5)-1 + "FedRAMP requirement: operating systems, databases, web applications" + + + + RA-5(5)-2 + "FedRAMP requirement: all scans" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-5(a) + "customer-defined duties of individuals" + + + + AC-14(a) + "customer-defined user actions" + + + + AC-17(3) + "customer-defined" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + AC-21(a) + "customer-defined information sharing circumstances" + + + + AC-21(b) + "customer-defined automated mechanisms or manual processes" + + + + AU-2(a) + "FedRAMP requirement: successful and unsuccessful account logon +events, account management events, object access, policy change, +privileged functions, process tracking, and system events. For Web +applications: all administrator activity, authentication checks, +authorization checks, data deletions, data access, data changes, and +permission changes" + + + + AU-2(d) + "FedRAMP requirement: organization-defined subset of the auditable +events defined in AU-2-a. 
to be audited continually for each +identified event" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(1)-1 + "all network, data storage, and computing devices" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-3 + "changes to the 
thread environment, organization-defined threat +situations" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + CM-5(3) + "customer-defined software" + + + + CM-6(1) + "customer-defined information system components" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + CM-11(a) + "customer-defined policies" + + + + CM-11(b) + "customer-defined methods" + + + + CM-11(c) + "FedRAMP requirement: continuously (via CM-7(5))" + + + + CM-11(1) + "organization-defined personnel or roles" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-2 + "CSP servers" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-14(a) + "customer-defined user actions" + + + + AC-17(3) + "customer-defined" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-5(a) + "customer-defined personnel or roles" + + + 
+ AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-10 + "actions including the addition, modification, deletion, approval, +sending, or receiving of data" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(1)-1 + "all network, data storage, and computing devices" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + CM-1(a) + "customer-defined personnel or roles" + + + + CM-1(b)(1) + "FedRAMP requirement: at least every 3 years" + + + + CM-1(b)(2) + "FedRAMP requirement: at least annually or whenever a significant +change occurs" + + + + CM-2(1)(a) + "FedRAMP 
requirement: at least annually or when a significant change +occurs" + + + + CM-2(1)(b) + "FedRAMP requirement: to include when directed by the JAB" + + + + CM-2(3) + "the previously approved baseline configuration of IS components" + + + + CM-3(e) + "customer-defined time period" + + + + CM-3(g)-1 + "FedRAMP requirement: CAB" + + + + CM-3(g)-2 + "customer-defined" + + + + CM-3(g)-3 + "customer-defined" + + + + CM-3(g)-4 + "customer-defined" + + + + CM-3(1)(b) + "customer-defined authorized approvers" + + + + CM-3(1)(c) + "organization-defined time period" + + + + CM-3(1)(f) + "organization-defined configuration management approval authorities" + + + + CM-3(6) + "all security safeguards that rely on cryptography" + + + + CM-5(2)-1 + "every 30 days" + + + + CM-5(2)-2 + "organization-defined circumstance" + + + + CM-5(3) + "customer-defined software" + + + + CM-6(1) + "customer-defined information system components" + + + + CM-7(b) + "FedRAMP assignment: the service provider shall use the Center for +Internet Security Guidelines (Level 1) to establish list of prohibited +or restricted functions, ports, protocols, and/or services or +establishes its own list of prohibited or restricted functions, ports, +protocols, and/or services if USGCB is not available" + + + + CM-7(2) + "customer-defined policies regarding software program usage or +restrictions" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + SC-7(20 + "organization-defined information system components" + + + + SC-12(2) + "FedRAMP requirement: NIST FIPTS compliance" + + + + SC-13 + "FedRAMP requirement: FIPS-validated or NSA-approved cryptography" + + + + SC-28-1 + "confidentiality and integrity" + + + + SC-28-2 + "customer data" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-2 + "CSP servers" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + SI-16 + "Windows protections, including No Execute, Address Space Layout 
+Randomization, and Data Execution Prevention" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-5(a) + "customer-defined duties of individuals" + + + + AC-6(1) + "FedRAMP assignment: all functions not publiclly accessible and all +security-relevant information not publicly available" + + + + AC-6(2) + "FedRAMP requirement: all security functions" + + + + AC-6(3)-1 + "privileged commands used to change/configure network devices" + + + + AC-6(3)-2 + "customer-defined operational needs" + + + + AC-6(5) + "customer-defined personnel or roles" + + + + AC-6(7)(a)-1 + "at least annually" + + + + AC-6(7)(a)-2 + "all users" + + + + AC-6(8) + "FedRAMP assignment: any software except software explicitly +documented" + + + + AC-12(1)(a) + "customer-defined information resources" + + + + AC-14(a) + "customer-defined user actions" + + + + AC-17(3) + "customer-defined" + + + + AC-17(4)(a) + "customer-defined needs" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + AC-21(a) + "customer-defined information sharing circumstances" + + + + AC-21(b) + "customer-defined automated mechanisms or manual processes" + + + + AU-2(a) + "FedRAMP requirement: successful and unsuccessful account logon +events, account management events, object access, policy change, +privileged functions, process tracking, and system events. 
For Web +applications: all administrator activity, authentication checks, +authorization checks, data deletions, data access, data changes, and +permission changes" + + + + AU-2(d) + "FedRAMP requirement: organization-defined subset of the auditable +events defined in AU-2-a. to be audited continually for each +identified event" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(1)-1 + "all network, data storage, and computing 
devices" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + CM-5(3) + "customer-defined software" + + + + CM-6(1) + "customer-defined information system components" + + + + CM-7(1)(b) + "customer-defined functions, ports, protocols, and services within the +information system deemed to be unnecessary and/or nonsecure" + + + + CM-7(2) + "customer-defined policies regarding software program usage or +restrictions" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-2 + "CSP servers" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + AC-2(2)-1 + Selection (removes or disables) + + + AC-2(2)-2 + "FedRAMP requirement: no more than 30 days for temporary and emergency +account types" + + + + AC-2(3) + "FedRAMP requirement: thirty-five (35) days for user accounts" + + + + AC-2(4) + "organization and/or service provider system owner" + + + + AC-2(5) + "inactivity is anticipated to exceed fifteen (15) minutes" + + + + AC-2(7)(c) + "FedRAMP assignment: disables/revokes access within an +organization-specified timeframe" + + + + AC-2(9) + "FedRAMP assignment: organization-defined need with justificatino +statement that explains why such accounts are necessary" + + + + AC-2(11)-1 + "customer-defined circumstances or usage conditions" + + + + AC-2(11)-2 + "customer-defined accounts" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-2(13) + "one hour" + + + + AC-7(a)-1 + "FedRAMP 
requirement: not more than three" + + + + AC-7(a)-2 + "FedRAMP requirement: fifteen minutes" + + + + AC-7(b)-1 + "FedRAMP requirement: locks the account/node for three hours" + + + + AC-7(b)-2 + "customer-defined additional actions" + + + + AC-8(a) + "customer-defined system use notification banner" + + + + AC-8(c)(1) + "customer-defined conditions" + + + + AC-10 + "customer-defined account and/or account type; FedRAMP requirement: +three sessions for privileged access and two sessions for +non-privileged access" + + + + AC-11(a) + "FedRAMP requirement: fifteen minutes" + + + + AC-12 + "customer-defined conditions or trigger events" + + + + IA-4(a) + "customer-defined personnel or roles" + + + + IA-4(d) + "FedRAMP requirement: at least two years" + + + + IA-4(e) + "FedRAMP requirement: thirty-five (35) days" + + + + IA-4(4) + "FedRAMP requirement: contractors, foreign nationals" + + + + IA-5(g) + "FedRAMP requirement: 60 days for passwords" + + + + IA-5(1)(a) + "FedRAMP requirement: case-sensitive, minimum of fourteen (14) +characters, and at least one (1) each of upper-case letters, +lower-case letters, numbers, and special characters" + + + + IA-5(1)(b) + "FedRAMP requirement: at least fifty percent (50%)" + + + + IA-5(1)(d) + "FedRAMP requirement: one day minimum, sixty day maximum" + + + + IA-5(1)(e) + "FedRAMP requirement: twenty four" + + + + IA-5(4) + "complexity as identified in IA-05 (1) Control Enhancement Part A" + + + + IA-8(3) + "N/A" + + + + diff --git a/working/JSON-mapping/docker-ee-opencontrol-moderate-ato-oscal.json b/working/JSON-mapping/docker-ee-opencontrol-moderate-ato-oscal.json new file mode 100644 index 0000000000..5b26b158d5 --- /dev/null +++ b/working/JSON-mapping/docker-ee-opencontrol-moderate-ato-oscal.json 
@@ -0,0 +1,10267 @@
+{
+ "name": "Moderate SSP for Docker Enterprise Edition Deployment ATO",
+ "description": "Moderate SSP for Docker Enterprise Edition Deployment ATO",
+ "maintainers": [
+ "securitylead@agency.gov"
+ ],
+ "profiles": null,
+ "components": [
+ {
+ "name": "Access Control Policy for [Agency_Here]",
+ "description": "",
+ "responsibleRoles": null,
+ "satisfies": [
+ {
+ "controlId": "AC-1",
+ "subcontrolId": "",
+ "narratives": [
+ {
+ "value": "[Agency's control implementation here]\n",
+ "references": null
+ },
+ {
+ "value": "[Agency's control implementation here]\n",
+ "references": null
+ }
+ ],
+ "origins": null,
+ "statuses": [
+ "none"
+ ],
+ "references": null
+ },
+ {
+ "controlId": "AC-2",
+ "subcontrolId": "",
+ "narratives": [
+ {
+ "value": "[Agency's control implementation here]\n",
+ "references": null
+ },
+ {
+ "value": "[Agency's control implementation here]\n",
+ "references": null
+ },
+ {
+ "value": "[Agency's control implementation here]\n",
+ "references": null
+ },
+ {
+ "value": "[Agency's control implementation here]\n",
+ "references": null
+ },
+ {
+ "value": "[Agency's control implementation here]\n",
+ "references": null
+ },
+ {
+ "value": "[Agency's control implementation here]\n",
+ "references": null
+ },
+ {
+ "value": "[Agency's control implementation here]\n",
+ "references": null
+ },
+ {
+ "value": "[Agency's control implementation here]\n",
+ "references": null
+ },
+ {
+ "value": "[Agency's control implementation here]\n",
+ "references": null
+ },
+ {
+ "value": "[Agency's control implementation here]\n",
+ "references": null
+ },
+ {
+ "value": "[Agency's control implementation here]\n",
+ "references": null
+ }
+ ],
+ "origins": null,
+ "statuses": [
+ "none"
+ ],
+ "references": null
+ },
+ {
+ "controlId": "AC-2 (1)",
+ "subcontrolId": "",
+ "narratives": [
+ {
+ "value": "[Agency's control implementation here]\n",
+ "references": null
+ }
+ ],
+ "origins": null,
+ "statuses": [
+ "none"
+ ],
+
"references": null + }, + { + "controlId": "AC-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-2 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-2 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-2 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-2 (10)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + 
"controlId": "AC-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-6 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-6 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-6 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-6 (10)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control 
implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-10", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-11", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-11 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-12", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-14", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-17", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-17 (4)", + "subcontrolId": "", + "narratives": [ 
+ { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-18 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-18", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-19 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-19", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-20", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-20 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-20 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-21", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + 
"none" + ], + "references": null + }, + { + "controlId": "AC-22", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Security Awareness Training Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "AT-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AT-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AT-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AT-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AT-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Audit and Accountability Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "AU-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { 
+ "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-3 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": null, + "references": null + }, + { + "controlId": "AU-6 (3)", + 
"subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": null, + "references": null + }, + { + "controlId": "AU-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-9", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-9 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-9 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-11", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": 
null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-12", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Security Assessment and Authorization Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "CA-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-2 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": 
"CA-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-3 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-3 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + 
"references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-9", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Configuration Management Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "CM-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + 
"references": null + }, + { + "controlId": "CM-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CM-2 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CM-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CM-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CM-2 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CM-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation 
here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CM-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CM-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Contingency Planning Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "CP-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's 
control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-2 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-2 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-4 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + 
"references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-6 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-7 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-7 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": 
"[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-9", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-9 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-9 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-10", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-10 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Docker Security Scanning (DSS)", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "RA-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the orgnization in meeting the requirements of this\ncontrol, the Docker Security Scanning (DSS) 
component of Docker\nTrusted Registry (DTR) that is included with the Docker Enterprise\nEdition Advanced tier can be used to scan Docker images for\nvulnerabilities against known vulnerability databases. Scans can be\ntriggered either manually or when Docker images are pushed to DTR.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "RA-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the orgnization in meeting the requirements of this\ncontrol, the Docker Security Scanning component of Docker Trusted\nRegistry (DTR) that is included with the Docker Enterprise Edition\nAdvanced tier compiles a bill of materials (BOM) for each Docker image\nthat it scans. DSS is also synchronized to an aggregate listing of\nknown vulnerabilities that is compiled from both the MITRE and NVD CVE\ndatabases. Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Image_Scanning'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "RA-5 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the orgnization in meeting the requirements of this\ncontrol, the Docker Security Scanning component of Docker Trusted\nRegistry (DTR) that is included with the Docker Enterprise Edition\nAdvanced tier identifies vulnerabilities in a Docker image and marks\nthem against predefined criticality levels; critical major and minor.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "RA-5 (5)", + 
"subcontrolId": "", + "narratives": [ + { + "value": "'Only the appropriate users that the organization has provided Docker\nTrusted Registry access to are able to view and interpret\nvulnerability scan results.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "RA-5 (6)", + "subcontrolId": "", + "narratives": [ + { + "value": "'For each Docker image pushed to Docker Trusted Registry at a given\ntime, Docker Security Scaninng retains a list of vulnerabilities\ndetected. The DTR API can be queried to retrieve the vulnerability\nscan results over a period of time for a given Docker image such that\nthe results can be compared per the requirements of this control.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "RA-5 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Security Scanning maintains a historical bill-of-materials\n(BOM) for all Docker images that are scanned. 
Results of previous\nvulnerability scans can be reviewed and audited per the requirements\nof this control.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + } + ], + "references": [ + { + "id": "", + "name": "DSS Documentation", + "description": "", + "url": "https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/" + } + ] + }, + { + "name": "Docker Trusted Registry (DTR)", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "AC-2 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, supporting documentation for managing users and teams can\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-users/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-teams/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, supporting documentation can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (12)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, supporting documentation can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/\n- 
https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'One can control which users and teams can create and manipulate\nDocker Trusted Registry resources. By default, no one can make changes\nto the cluster. Permissions can be granted and managed to enforce\nfine-grained access control. Supporting documentation can be found at\nthe following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4", + "subcontrolId": "", + "narratives": [ + { + "value": "'Supporting documentation to configure Docker Trusted Registry to meet\nthe requirements of this control can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Supporting documentation to configure Docker Trusted Registry to meet\nthe requirements of this control can be found at the 
following\nresources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations'\n", + "references": null + } + ], + "origins": [ + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4 (21)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Supporting documentation to configure Docker Trusted Registry to meet\nthe requirements of this control can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-5", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can control which users and teams can create and\nmanipulate Docker Trusted Registry resources. By default, no one can\nmake changes to the cluster. Permissions can be granted and managed to\nenforce fine-grained access control. 
Supporting documentation can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (10)", + "subcontrolId": "", + "narratives": [ + { + "value": "'One can control which users and teams can create and manipulate\nDocker Trusted Registry resources and prevent non-privileged users\nfrom executing privileged functions per the requirements of this\ncontrol. By default, no one can make changes to the cluster.\nPermissions can be granted and managed to enforce fine-grained access\ncontrol. Supporting documentation for the configuration of this\nfunctionality can be found at the following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-14", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, a\nreview of actions allowed by unauthenticated users can be performed\nwithin Docker Trusted Registry.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control,\nDocker Trusted Registry can be configured to allow/prohibit remote\naccess.'\n", + 
"references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry logs and controls all local and remote\naccess events. In addition, auditing can be configured on the\nunderlying operating system to meet this control.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Docker Trusted Registry are protected\nwith Transport Layer Security (TLS) 1.2. This is included at both the\nHTTPS application layer for access to the DTR user interface and for\ncommand-line based connections to the registry. In addition to this,\nall communication to DTR is enforced by way of two-way mutual TLS\nauthentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'A combination of managed load balancers, firewalls and access control\nlists, and virtual networking resources can be used to ensure traffic\ndestined for Docker Trusted Registry replicas is routed through\nmanaged network access control points.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Built-in firewall technology in Docker Trusted Registry's underlying\noperating system can be used to force the disconnection of remote\nconnections to the host. 
In addition, UCP slave nodes running Docker\nTrusted Registry replicas can be paused or drained, which subsequently\nstops sessions to the DTR replica.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "configured by customer" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-20", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, one\ncan control which external systems can access Docker Trusted Registry.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-20 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, one\ncan control which external systems can access Docker Trusted Registry.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-21", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, one\ncan validate the assigned roles and access levels within Docker\nTrusted Registry to control information sharing.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-2", + "subcontrolId": "", + "narratives": [ + { + "value": "'All of the event types indicated by this control are logged by a\ncombination of the backend ucp-controller service within Universal\nControl Plane and the backend services that make up Docker Trusted\nRegistry. 
Additional documentation can be found at the following\nresource:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/#dtr-internal-components\n- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/#ucp-internal-components'\n", + "references": null + } + ], + "origins": [ + "service provider corporate", + "Docker EE system", + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry generates all of the audit record information\nindicated by this control. A sample audit event has been provided\nbelow:\n\n{\"level\":\"info\",\"license_key\":\"123456789123456789123456789\",\"msg\":\"eNZi:Password\nbased auth\nsuceeded\",\"remote_addr\":\"192.168.33.1:55905\",\"time\":\"2016-11-09T22:41:01Z\",\"type\":\"auth\nok\",\"username\":\"dockeruser\"}'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack, which in turn, sends the Docker Trusted Registry\nbackend container audit records to the remote logging stack. The\nlogging stack can subsequently be used to interpolate the information\ndefined by this control from the logged audit records. 
Additional\ninformation can be found at the following resource:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack, which in turn, sends the Docker Trusted Registry\nbackend container audit records to the remote logging stack. The\nlogging stack can subsequently be used to interpolate the information\ndefined by this control from the logged audit records. Additional\ninformation can be found at the following resource:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack, which in turn, sends the Docker Trusted Registry\nbackend container audit records to the remote logging stack. The\nlogging stack can subsequently be configured to alert individuals in\nthe event of log processing failures. 
Additional information can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack, which in turn, sends the Docker Trusted Registry\nbackend container audit records to the remote logging stack. The\nlogging stack can subsequently be configured to warn the organization\nwhen the allocated log storage is full. Additional information can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack, which in turn, sends the Docker Trusted Registry\nbackend container audit records to the remote logging stack. The\nlogging stack can subsequently be configured to warn the organization\nwhen audit log failures occur. 
Additional information can be found at\nthe following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-6 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack, which in turn, sends the Docker Trusted Registry\nbackend container audit records to the remote logging stack. The\norganization can subsequently centrally review and analyze all of the\nDocker EE audit records. Additional information can be found at the\nfollowing resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-7", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack, which in turn, sends the Docker Trusted Registry\nbackend container audit records to the remote logging stack. 
The\nlogging stack can subsequently be used to facilitate the audit\nreduction and report generation requirements of this control.\nAdditional information can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + }, + { + "value": "'The underlying operating system chosen to support Docker Trusted\nRegistry should be certified to ensure that logs are not altered\nduring generation and transmission to a remote logging stack.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": null, + "references": null + }, + { + "controlId": "AU-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack, which in turn, sends the Docker Trusted Registry\nbackend container audit records to the remote logging stack. The\nlogging stack can subsequently be configured to parse information by\norganization-defined audit fields. Additional information can be found\nat the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-8", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry uses the system clock of the underlying\noperating system on which it runs. This behavior cannot be modified.'\n", + "references": null + }, + { + "value": "'The underlying operating system on which Docker Trusted Registry runs\nshould be configured such that its system clock uses Coordinated\nUniversal Time (UTC) as indicated by this control. 
Refer to the\noperating system's instructions for doing so.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The underlying operating system on which Docker Trusted Registry runs\nshould be configured such that its system clock compares itself with\nan authoritative time source as indicated by this control. This can be\naccomplished by utilizing the Network Time Protocol (NTP). Refer to\nthe operating system's instructions for doing so.'\n", + "references": null + }, + { + "value": "'The underlying operating system on which Docker Trusted Registry runs\nshould be configured such that its system clock synchronizes itself to\nan authoritative time source as defined by part (a) of this control\nany time the time difference exceeds that of the organization-defined\ntime period. This can be accomplished by utilizing the Network Time\nProtocol (NTP). Refer to the operating system's instructions for doing\nso.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9", + "subcontrolId": "", + "narratives": [ + { + "value": "'By default, Docker Trusted Registry is configured to use the\nunderlying logging capabilities of Docker Enterprise Edition. As such,\non the underlying Linux operating system, only root and sudo users and\nusers that have been added to the ''docker'' group have the ability to\naccess the logs generated by UCP backend service containers. In\naddition, only UCP Administrator users can change the logging endpoint\nof the system should it be decided that logs be sent to a remote\nlogging stack. 
In this case, the organization is responsible for\nconfiguring the remote logging stack per the provisions of this\ncontrol.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry resides as an Application on a Universal\nControl Plane cluster, and can be configured to send logs to a remote\nlogging stack. The logging stack can subsequently be configured to\nback up audit records per the schedule defined by this control.\nAdditional information can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry resides as an Application on a Universal\nControl Plane cluster, and can be configured to send logs to a remote\nlogging stack. The logging stack can subsequently be configured to\nmeet the encryption mechanisms required by this control. Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-11", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization will be responsible for meeting the requirements of\nthis control. To assist with these requirements, Docker Trusted\nRegistry resides as an Application on a Universal Control Plane\ncluster, and as such, can be configured to send logs to a remote\nlogging stack. 
This logging stack can subsequently be configured to\nretain logs for the duration required by this control. Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider corporate", + "Docker EE system", + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12", + "subcontrolId": "", + "narratives": [ + { + "value": "'All of the event types indicated by AU-2 a. are logged by a\ncombination of the backend services within Universal Control Plane and\nDocker Trusted Registry. The underlying Linux operating system\nsupporting DTR can be configured to audit Docker-specific events with\nthe auditd daemon. Refer to the specific Linux distribution in use for\ninstructions on configuring this service. Additional information can\nbe found at the following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/'\n", + "references": null + }, + { + "value": "'Using auditd on the Linux operating system supporting DTR, the\norganization can configure audit rules to select which Docker-specific\nevents are to be audited. Refer to the specific Linux distribution in\nuse for instructions on configuring this service.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry resides as an Application on a Universal\nControl Plane cluster, and as such, can be configured to send logs to\na remote logging stack. This logging stack can subsequently be used to\ncompile audit records in to a system-wide audit trail that is\ntime-correlated per the requirements of this control. 
Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry resides as an Application on a Universal\nControl Plane cluster, and as such, can be configured to send logs to\na remote logging stack. This logging stack can subsequently be used to\nmeet the requirements of this control. Additional information can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Role-based access control can be configured within Docker Trusted\nRegistry to meet the requirements of this control. Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-5 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Content Trust is a capability provided by Docker Enterprise\nEdition that enforces client-side signing and verification of Docker\nimage tags. 
It provides the ability to use digital signatures for data\nsent to and received from Docker Trusted Registry and the public\nDocker Store. These signatures allow client-side verification of the\nintegrity and publisher of specific image tags. All Docker Trusted\nRegistry Docker images are officially signed and verified by Docker,\nInc.\n\nWhen installing Docker Trusted Registry, you should enable Docker\nContent Trust and subsequently pull the the signed DTR image tag.\nAdditional information can be found at teh following resources:\n\n- https://docs.docker.com/engine/security/trust/content_trust/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/user/manage-images/sign-images/manage-trusted-repositories/'\n", + "references": null + } + ], + "origins": [ + "service provide hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements, the organization can\nincorporate the use of an external configuration management system to\nmeet the requirements of this control. Docker Trusted Registry''s\nconfiguration can also be backed up and stored an appropriate location\nper the requirements of this control. Additional documenation can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-7 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization can define a list of allowed base Docker images and\nmake them available via Docker Trusted Registry. 
The organization can\nalso prevent users from being able to pull Docker images from\nuntrusted sources.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-7 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements, the organization can\ndefine a list of allowed base Docker images and make them available\nvia Docker Trusted Registry. The organization can also prevent users\nfrom being able to pull Docker images from untrusted sources.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements, the organization can\nconfigure its systems to ensure that only approved Docker images are\nstored in Docker Trusted Registry. This can be accomplished by using\nDocker Content Trust to sign Docker images which can subsequently be\nstored in Docker Trusted Registry.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-11", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements, the organization can\ndefine a list of allowed base Docker images and make them available\nvia Docker Trusted Registry. 
The organization can also prevent users\nfrom being able to pull Docker images from untrusted sources.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-11 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization can define a list of allowed base Docker images and\nmake them available via Docker Trusted Registry to meet the\nrequirements of this contorl. The organization can also prevent users\nfrom being able to pull Docker images from untrusted sources.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CP-10 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry maintains its cluster state via an internal\nkey-value store. This, and other DTR transactions can be backed up and\nrecovered. Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#DTR_Backup'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-2 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, Docker Trusted\nRegistry requires individual users to be authenticated in order to\ngain access to the system. 
Any permissions granted to the team(s) that\nwhich the user is a member are subsequently applied.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry replicas reside on Universal Control Plane\nworker nodes. In order for UCP worker nodes to join a Universal\nControl Plane cluster, they must be identified and authenticated via a\nworker token. Additional Docker Trusted Registry replicas can only be\nadded after a UCP administrator user has authenticated in to the UCP\ncluster and when mutual TLS authentication between the UCP worker and\nmanager nodes has been established. Additional information can be found at the following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/#step-7-join-replicas-to-the-cluster'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry includes a Docker volume which holds the root\nkey material for the DTR root CA that issues certificats. In addition\nUniversal Control Plane contains two, built-in root certificate\nauthorities. One CA is used for signing client bundles generated by\nusers. The other CA is used for TLS communication between UCP cluster\nnodes. Should you choose to use certificates signed by an external CA,\nin order to successfully authenticate in to the system, those\ncertificates must include a root CA public certificate, a service\ncertificate and any intermediate CA public certificates (in addition\nto SANs for all addresses used to reach the UCP controller), and a\nprivate key for the server. 
When adding DTR replicas, the UCP nodes on\nwhich they're installed are authenticated to the cluster via the\nappropriate built-in CA.'\n", + "references": null + }, + { + "value": "'Access to Docker Trusted Registry is only granted when a user has a\nvalid certificate bundle. This is enforced with the public/private key\npair included with the user's certificate bundle in Universal Control\nPlane.'\n", + "references": null + }, + { + "value": "'Only after a client bundle has been generated or an existing public\nkey has been added for a particular user is that user able to execute\ncommands against Docker Trusted Registry. This bundle maps the\nauthenticated identity to that of the user's profile in Universal\nControl Plane.'\n", + "references": null + }, + { + "value": "'When a client bundle has been generated or an existing public key has\nbeen added for a particular Universal Control Plane user which\nsubsequently grants that user access to Docker Trusted Registry, it is\nattached to that user''s Universal Control Plane profile. Bundles/keys\ncan be revoked by an Administrator or the user themselves. The\ncluster''s internal certificates can also be revoked and updated.\nAdditional information can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/use-your-own-tls-certificates/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-6", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry obscures all feedback of authentication\ninformation during the authentication process. 
This includes both\nauthentication via the web UI and the CLI.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-7", + "subcontrolId": "", + "narratives": [ + { + "value": "'All access to Docker Trusted Registry is protected with Transport\nLayer Security (TLS) 1.2 with the AES-GCM cipher. This includes both\nSSH access to the individual UCP nodes and CLI-/web-based access to\nthe UCP management functions with mutual TLS and HTTPS respectively.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-8", + "subcontrolId": "", + "narratives": [ + { + "value": "'Users managed by Docker Trusted Registry can be grouped per the\nrequirements of the organization and as defined by this control. This\ncan include groupings for non-organizational users.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "RA-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The Docker Security Scanning tool allows for the scanning of Docker\nimages in Docker Trusted Registry against the Common Vulnerabilities\nand Exposures (CVE) dictionary.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "RA-5 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The Docker Security Scanning tool allows for the scanning of Docker\nimages in Docker Trusted Registry against the Common Vulnerabilities\nand Exposures (CVE).' 
dictionary.\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SA-10 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Content Trust gives you the ability to verify both the\nintegrity and the publisher of all the data received from a Docker\nTrusted Registry over any channel. It allows operations with a remote\nDTR instance to enforce client-side signing and verification of image\ntags. It provides for the ability to use digital signatures for data\nsent to and receive from remote DTR instances. These signatures allow\nclient-side verification of the integrity and publisher of specific\nimage tags. Docker Trusted Registry includes an integrated imaging\nsigning service.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-2", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry is made up of a number of backend services\nthat provide for both user functionality (including user interface\nservices) and system management functionality. Each of these services\noperates independently of one another. Additional information can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Docker_Trusted_Registry'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-23", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Docker Trusted Registry are protected\nwith Transport Layer Security (TLS) 1.2 with the AES GCM cipher. 
This\nis included at both the HTTPS application layer for access to the DTR\nuser interface and for command-line based connections to the registry.\nIn addition to this, all communication to DTR is enforced by way of\ntwo-way mutual TLS authentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-28 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Docker Trusted Registry are protected\nwith Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This\nis included at both the HTTPS application layer for access to the DTR\nuser interface and for command-line based connections to the registry.\nIn addition to this, all communication to DTR is enforced by way of\ntwo-way mutual TLS authentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SI-11", + "subcontrolId": "", + "narratives": [ + { + "value": "'All error messages generated via the configured logging mechanism of\nDocker Trusted Registry are displayed such that they meet the\nrequirements of this control. 
Only users that are authorized the\nappropriate level of access can view these error messages.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + } + ], + "references": [ + { + "id": "", + "name": "Docker Trusted Registry Documentation", + "description": "", + "url": "https://docs.docker.com/datacenter/dtr/2.3/guides/" + } + ] + }, + { + "name": "Docker Enterprise Edition Engine", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "AC-2 (12)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, Docker Enterprise Edition can be configured to aggregate\ncontainer and daemon events via a number of logging drivers.\nSupporting documentation can be found at the following resources:\n\n- https://docs.docker.com/engine/admin/logging/view_container_logs/\n- https://docs.docker.com/engine/admin/logging/overview/\n- https://docs.docker.com/engine/admin/logging/log_tags/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured to control the flow of\ninformation that originates from applications running in containers.\nSupporting documentation can be found at the following resources:\n\n- https://docs.docker.com/engine/userguide/networking/\n- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured to control the flow 
of\ninformation that originates from applications running in containers\nper organization-defined security policy filters. Supporting\ndocumentation can be found at the following resources:\n\n- https://docs.docker.com/engine/userguide/networking/\n- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks\n\nThere are also third-party behavioral activity monitoring tools (e.g.\nSysdig Falco \u003chttp://www.sysdig.org/falco/\u003e) that can be used\nalongside Docker Enterprise Edition to satisfy this control''s\nrequirements.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4 (21)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured to separate the flow of\ninformation that originates from applications running in containers.\nSupporting documentation can be found at the following resources:\n\n- https://docs.docker.com/engine/userguide/networking/\n- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-14", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, one\ncan restrict membership to the 'docker' group on underlying Linux\nhosts or the local \"Administrators\" group (and any other groups\ndefined within 'daemon.json') on underlying Windows Server 2016 hosts\nto only authorized users.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help 
the organization meet the requirements of this control,\nDocker Enterprise Edition can be configured to allow/prohibit remote\naccess to the Engine.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition logs and controls all local and remote\naccess events. In addition, auditing can be configured on the\nunderlying operating system to meet this control.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Docker Enterprise Edition are protected\nwith Transport Layer Security (TLS) 1.2. In addition to this, all\ncommunication to Docker Enterprise Edition is enforced by way of\ntwo-way mutual TLS authentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'A combination of managed load balancers, firewalls and access control\nlists, and virtual networking resources can be used to ensure traffic\ndestined for Docker Enterprise Edition is routed through managed\nnetwork access control points.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Built-in firewall technology in Docker Enterprise Edition's\nunderlying operating system can be used to force the disconnection of\nremote connections to the host. 
In addition, Docker Enterprise Edition\nprovides the option to pause or drain a node in the cluster, which\nsubsequently stops and/or removes sessions to the node. Individual\nservices and/or applications running on Docker Enterprise Edition can\nalso be stopped and/or removed.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "configured by customer" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-2", + "subcontrolId": "", + "narratives": [ + { + "value": "'Both Universal Control Plane and Docker Trusted Registry backend\nservice containers, all of which reside on Docker Enterprise Edition,\nlog all of the event types indicated by this control (as explained by\ntheir component narratives). These and other application containers\nthat reside on Docker Enterprise Edition can be configured to log data\nvia an appropriate Docker logging driver. Instructions for configuring\nlogging drivers can be found at the following resource:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'Both Universal Control Plane and Docker Trusted Registry are\npre-configured to take advantage of Docker Enterprise Edition''s\nbuilt-in logging mechanisms. 
A sample audit event recorded by Docker\nEnterprise Edition has been provided below:\n\n{\"level\":\"info\",\"license_key\":\"123456789123456789123456789\",\"msg\":\"eNZi:Password\nbased auth\nsuceeded\",\"remote_addr\":\"192.168.33.1:55905\",\"time\":\"2016-11-09T22:41:01Z\",\"type\":\"auth\nok\",\"username\":\"dockeruser\"}\n\nAdditional documentation can be referenced at the following resource:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. The logging\nstack can subsequently be used to interpolate the information defined\nby this control from the logged audit records. Additional\ndocumentation can be found at the following resource:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. The logging\nstack can subsequently be used to interpolate the information defined\nby this control from the logged audit records. 
Additional\ndocumentation can be found at the following resource:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. The logging\nstack can be used to interpolate the information defined by this\ncontrol and also be configured to alert on any audit processing\nfailures. Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. The logging\nstack can subsequently be configured to warn the organization when the\nallocated log storage is full. Additional information can be found at\nthe following resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. The\nlogging stack can subsequently be configured to warn the organization\nwhen audit log failures occur. 
Additional information can be found at\nthe following resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-6 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. The\norganization can subsequently centrally review and analyze all of the\nDocker EE audit records. Additional information can be found at the\nfollowing resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-7", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. The logging\nstack can subsequently be used to facilitate the audit reduction and\nreport generation requirements of this control. Additional information\ncan be found at the following resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + }, + { + "value": "'The underlying operating system chosen to support Docker Enterprise\nEdition should be certified to ensure that logs are not altered during\ngeneration and transmission to a remote logging stack.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. 
The logging\nstack can subsequently be configured to parse information by\norganization-defined audit fields. Additional information can be found\nat the following resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-8", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition uses the system clock of the underlying\noperating system on which it runs. This behavior cannot be modified.'\n", + "references": null + }, + { + "value": "'The underlying operating system on which Docker Enterprise Edition\nruns should be configured such that its system clock uses Coordinated\nUniversal Time (UTC) as indicated by this control. Refer to the\noperating system's instructions for doing so.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The underlying operating system on which Docker Enterprise Edition runs should\nbe configured such that its system clock compares itself with an\nauthoritative time source as indicated by this control. This can be\naccomplished by utilizing the Network Time Protocol (NTP). Refer to\nthe operating system's instructions for doing so.'\n", + "references": null + }, + { + "value": "'The underlying operating system on which Docker Enterprise Edition\nruns should be configured such that its system clock synchronizes\nitself to an authoritative time source as defined by part (a) of this\ncontrol any time the time difference exceeds that of the\norganization-defined time period. This can be accomplished by\nutilizing the Network Time Protocol (NTP). 
Refer to the operating\nsystem's instructions for doing so.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9", + "subcontrolId": "", + "narratives": [ + { + "value": "'On the underlying Linux operating system supporting Docker Enterprise\nEdition, only root and sudo users and users that have been added to\nthe \"docker\" group have the ability to access the logs generated by\nUCP backend service containers. Should the organization decide to\nconfigure Docker Enterprise Edition to use a logging driver other than\nthe default json-file driver, the organization is subsequently\nresponsible for configuring the chosen logging stack per the\nprovisions of this control. In addition, for Linux operating systems\nsupporting Docker Enterprise Edition that use the systemd daemon, it\nis imperative that the Journal is secured per the requirements of this\ncontrol. The same applies for Linux operating systems supporting\nDocker Enterprise Edition that instead use upstart. 
Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured to use a logging driver\nthat can subsequently meet the backup requirements of this control.\nAdditional information can be found at the following resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured to use a logging driver\nthat can subsequently meet the encryption mechanisms required by this\ncontrol. Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-10", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition includes functionality known as Docker\nContent Trust which allows one to cryptographically sign Docker\nimages. It enforces client-side signing and verification of image tags\nand provides the ability to use digital signatures for data sent to\nand received from Docker Trusted Registry. This ultimately provides\none with the ability to verify both the integrity and the publisher of\nall data received from DTR over any channel. 
With Docker Content\nTrust, an organization can enforce signature verification of all\ncontent and prohibit unsigned and unapproved content from being\nmanipulated; thus supproting the non-repudiation requirements of this\ncontrol. Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/engine/security/trust/content_trust/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-11", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization will be responsible for meeting the requirements of\nthis control. To assist with these requirements, Docker Enterprise\nEdition can be configured to use a logging driver that stores data in\na location for the duration specified by this control. Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12", + "subcontrolId": "", + "narratives": [ + { + "value": "'Both Universal Control Plane and Docker Trusted Registry backend\nservice containers, all of which reside on Docker Enterprise Edition,\nlog all of the event types indicated by this AU-2 a. These and other\napplication containers that reside on Docker Enterprise Edition can be\nconfigured to log data via an appropriate Docker logging driver. The\nunderlying Linux operating system supporting Docker Enterprise Edition\ncan be configured to audit Docker-specific events with the auditd\ndaemon. Refer to the specific Linux distribution in use for\ninstructions on configuring this service. 
Additional information can\nbe found at the following resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + }, + { + "value": "'Using auditd on the Linux operating system supporting CS Docker\nEngine, the organization can configure audit rules to select which\nDocker-specific events are to be audited. Refer to the specific Linux\ndistribution in use for instructions on configuring this service.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. This\nlogging stack can subsequently be used to compile audit records in to\na system-wide audit trail that is time-correlated per the requirements\nof this control. Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. This\nlogging stack can subsequently be used to meet the requirements of\nthis control. 
Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-1", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nconfiguration management requirements of this control. Additional\ninformation can be found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-2", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing Docker\nEnterprise Edition and for helping the organization meet the\nconfiguration management requirements of this control. 
Additional\ninformation can be found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-2 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nconfigurmation management requirements of this control. Additional\ninformation can be found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nconfigurmation management requirements of this control. CIS regularly\nupdates their benchmark to reflect the latest updates in the stable\nrelease of Docker Engine. Various configuration management tools such\nas Inspec (http://inspec.io/) can be used to audit Docker Enterprise\nEdition system configuration to ensure that the secure baseline\nconfigurations have been applied in an automated fashion. 
Additional\ninformation can be found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nconfigurmation management requirements of this control. CIS regularly\nupdates their benchmark to reflect the latest updates in the stable\nrelease of Docker Engine. Various configuration management tools such\nas Inspec (http://inspec.io/) can be used to audit Docker Enterprise\nEdition system configuration to ensure that the secure baseline\nconfigurations have been applied in an automated fashion and can be\nrolled back as required by this control. 
Additional information can be\nfound at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nconfigurmation management change control requirements of this control.\nAdditional information can be found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-3 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nconfigurmation management change control requirements of this control.\nVarious configuration management tools such as Inspec\n(http://inspec.io/) can be used to audit Docker Enterprise Edition\nsystem configuration to ensure that the secure baseline configurations\nhave been applied in an automated fashion. 
Additional information can\nbe found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-3 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nconfigurmation management change control requirements of this control.\nVarious configuration management tools such as Inspec\n(http://inspec.io/) can be used to audit Docker Enterprise Edition\nsystem configuration to ensure that the secure baseline configurations\nhave been applied in an automated fashion. Additional information can\nbe found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-3 (6)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\ncryptography management requirements of this control. 
Additional\ninformation can be found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nsystem change requirements of this control. Additional information can\nbe found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-5 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Before installing Docker Enterprise Edition, ensure that your\nsupporting Linux operating system''s packager manager supports package\nsignature verification and that it is enabled. It is also required\nthat you import the Docker public key for EE packages so as to\nretrieve the validated and signed package from Docker, Inc. Refer to\nyour Linux OS documentation for instructions on completing the above\nsteps.\n\nIn addition, Docker Content Trust is a capability provided by Docker\nEngine that enforces client-side signing and verification of Docker\nimage tags. 
It provides the ability to use digital signatures for data\nsent to and received from Docker Trusted Registry and the public\nDocker Store. These signatures allow client-side verification of the\nintegrity and publisher of specific image tags. When enabling Docker\nContent Trust in Docker Enterprise Edition you can enforce the use of\nsigned Docker images. Additional information can be found at the\nfollowing resources:\n\n- https://docs.docker.com/engine/security/trust/content_trust/'\n", + "references": null + } + ], + "origins": [ + "service provide hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization can incorporate the use of an external configuration\nmanagement system to meet the requirements of this control.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-7", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, the\nlatest CIS Docker Benchmark can be used as a secure configuration\nbaseline. Additional information can be found at the following\nresources:\n\n- https://www.cisecurity.org/benchmark/docker/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-7 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'In order to restrict which Docker images can be used to deploy\napplications to Docker Enterprise Edition, the organization can define\na list of allowed base Docker images and make them available via\nDocker Trusted Registry. 
The organization can also prevent users from\nbeing able to pull Docker images from untrusted sources.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-7 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements and in order to restrict\nwhich Docker images can be used to deploy applications to Docker EE\nEngine, the organization must define a list of allowed base Docker\nimages and make them available via Docker Trusted Registry. The\norganization must also prevent users from being able to pull Docker\nimages from untrusted sources.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-9", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nconfiguration management plan requirements of this control. Additional\ninformation can be found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'In order for other Docker EE engine nodes to be able to join a\ncluster managed by Universal Control Plane, they must be identified\nand authenticated via either a manager or worker token. 
Use of the\ntoken includes trust on first use mutual TLS.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SA-10 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Content Trust gives you the ability to verify both the\nintegrity and the publisher of all the data received from a Docker\nTrusted Registry over any channel. It allows operations with a remote\nDTR instance to enforce client-side signing and verification of image\ntags. It provides for the ability to use digital signatures for data\nsent to and receive from remote DTR instances. These signatures allow\nclient-side verification of the integrity and publisher of specific\nimage tags.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-7 (20)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition is designed to run application containers\nwhose content can be completely isolated/segregated from other\napplication containers within the same node/cluster. This is\naccomplished by way of Linux kernel primitives and various security\nprofiles that can be applied to the underlying host OS. 
Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/engine/security/security/\n- https://docs.docker.com/engine/userguide/networking/overlay-security-model/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Engine_and_Node_Security'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-12 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be installed on the following operating\nsystems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04\nLTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to\nmeet the requirements of this control, reference the chosen operating\nsystem's documentation to ensure it is configured in FIPS mode.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-13", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be installed on the following operating\nsystems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04\nLTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to\nmeet the requirements of this control, reference the chosen operating\nsystem's documentation to ensure it is configured in FIPS mode.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-23", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Docker Enterprise Edition are protected\nwith Transport Layer Security (TLS) 1.2 with the AES GCM cipher. 
In\naddition to this, all communication to and between Docker Enterprise\nEditions is enforced by way of two-way mutual TLS authentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-28", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Docker Enterprise Edition are protected\nwith Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In\naddition to this, all communication to/from and between Docker\nEnterprise Edition nodes is enforced by way of two-way mutual TLS\nauthentication. All Swarm Mode manager nodes in a Docker Enterprise\nEdition cluster store state metadata and user secrets encrypted at\nrest using the AES GCM cipher.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-28 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Docker Enterprise Edition are protected\nwith Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In\naddition to this, all communication to and between Docker Enterprise\nEditions is enforced by way of two-way mutual TLS authentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SI-3 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition packages for supported underlying operating\nsystems can only be obtained from Docker, Inc. The Docker EE\nrepositories from which Docker EE packages are obtained are protected\nwith official GPG keys. 
Each Docker package is also validated with a\nsignature definition.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SI-11", + "subcontrolId": "", + "narratives": [ + { + "value": "'All error messages generated via the logging mechanisms of the Docker\nEnterprise Edition engine are displayed such that they meet the\nrequirements of this control. Only users that are authorized the\nappropriate level of access can view these error messages.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SI-16", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be installed on the following operating\nsystems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04\nLTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to\nmeet the requirements of this control, reference the chosen operating\nsystem's security documentation for information regarding the\nprotection of memory from unauthorized code execution.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + } + ], + "references": [ + { + "id": "", + "name": "Docker Enterprise Edition Engine Installation Documentation", + "description": "", + "url": "https://docs.docker.com/engine/installation/" + }, + { + "id": "", + "name": "Docker Engine Release Notes", + "description": "", + "url": "https://docs.docker.com/release-notes/" + }, + { + "id": "", + "name": "Configuring and Running Docker on Various Distributions", + "description": "", + "url": "https://docs.docker.com/engine/admin/" + }, + { + "id": "", + "name": "Docker Engine Security", + "description": "", + "url": "https://docs.docker.com/engine/security/security/" + }, + { + "id": "", + "name": "Securing Docker Datacenter and 
Security Best Practices", + "description": "", + "url": "https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices" + } + ] + }, + { + "name": "Identification and Authentication Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "IA-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-2 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-2 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-2 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, 
+ "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-2 (11)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-2 (12)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-4 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-5 (3)", + "subcontrolId": "", + "narratives": [ + 
{ + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-5 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-5 (6)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-5 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-5 (11)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-8 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + 
"none" + ], + "references": null + }, + { + "controlId": "IA-8 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-8 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Incident Response for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "IR-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-3 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + 
"value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-4 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-7 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's 
control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-9", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-9 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-9 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-9 (3)", + "subcontrolId": "", + "narratives": [ + { + 
"value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-9 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "System Maintenance Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "MA-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-3 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + 
"controlId": "MA-3 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-3 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-4 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-5 (1)", + "subcontrolId": "", + "narratives": [ + 
{ + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Media Protection Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "MP-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control 
implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-5 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-6 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Physical and Environmental Protection Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "PE-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + 
"statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": 
"[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-9", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-10", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-11", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-12", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-13", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + 
], + "references": null + }, + { + "controlId": "PE-13 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-13 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-14", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-14 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-15", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-16", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-17", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Security Planning Policy for 
[Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "PL-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PL-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Personnel Security Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "PS-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PS-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PS-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], 
+ "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PS-3 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PS-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PS-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PS-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PS-7", + "subcontrolId": "", + 
"narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PS-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Risk Assessment Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "RA-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "RA-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "System and Services Acquisition Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "SA-1", + 
"subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-4 (1)", + "subcontrolId": "", + "narratives": [ + { + 
"value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-4 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-4 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-4 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-4 (10)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-9", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's 
control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-9 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-9 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-9 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-9 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-10", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-10 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": 
"[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": null, + "references": null + }, + { + "controlId": "SA-11", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": null, + "references": null + }, + { + "controlId": "SA-11 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": null, + "references": null + }, + { + "controlId": "SA-11 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": null, + "references": null + }, + { + "controlId": "SA-11 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": null, + "references": null + }, + { + "controlId": "SA-22 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "System and Communications Protection Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "SC-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation 
here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + 
}, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7 (12)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7 (13)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7 (18)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's 
control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-10", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-12", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-12 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-12 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-13", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-15", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-17", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-18", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": 
null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-19", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-20", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-21", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-22", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-23", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-28", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-28 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": 
null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-39", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "complete" + ], + "references": null + } + ], + "references": null + }, + { + "name": "System and Information Integrity Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "SI-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": 
"[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-3 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-3 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-3 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-4 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-4 (2)", + "subcontrolId": "", + "narratives": [ + { + 
"value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-4 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-4 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-4 (14)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-4 (16)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-4 (23)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's 
control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-7 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-8 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-10", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + 
], + "references": null + }, + { + "controlId": "SI-11", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-12", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-16", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Universal Control Plane (UCP)", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "AC-2 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, supporting documentation for managing users and teams can\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-teams/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, supporting documentation can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + 
{ + "controlId": "AC-2 (12)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, Universal Control Plane can be configured to send system\naccount log data to a remote logging service such as an Elasticsearch,\nLogstash and Kibana (ELK) stack. Supporting documentation can be found\nat the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-node-messages/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-configurations/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-task-state/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'One can control which users and teams can create and manipulate\nUniversal Control Plane resources. By default, no one can make changes\nto the cluster. Permissions can be granted and managed to enforce\nfine-grained access control. 
Supporting documentation can be found at\nthe following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/deploy-view-only-service/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/grant-permissions/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-nodes-between-teams/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-volumes-between-teams/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/manage-access-with-collections/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/access-control-node/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4", + "subcontrolId": "", + "narratives": [ + { + "value": "'Supporting documentation to configure Universal Control Plane to meet\nthe requirements of this control can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#ports-used\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing\n- 
https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Supporting documentation to configure Universal Control Plane to meet\nthe requirements of this control can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4 (21)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Supporting documentation to configure Universal Control Plane to meet\nthe requirements of this control can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/\n- 
https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-5", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can control which users and teams can create and\nmanipulate Universal Control Plane resources. By default, no one can\nmake changes to the cluster. Permissions can be granted and managed to\nenforce fine-grained access control. 
Supporting documentation can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can control which users and teams can create and\nmanipulate Universal Control Plane resources and employ principles of\nleast privilege. By default, no one can make changes to the cluster.\nPermissions can be granted and managed to enforce fine-grained access\ncontrol. 
Supporting documentation can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can control which users and teams can create and\nmanipulate Universal Control Plane resources and explicitly authorize\naccess as necessary. By default, no one can make changes to the\ncluster. Permissions can be granted and managed to enforce\nfine-grained access control. 
Supporting documentation can be found at\nthe following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can control which users and teams can create and\nmanipulate Universal Control Plane resources. By default, no one can\nmake changes to the cluster. Permissions can be granted and managed to\nenforce fine-grained access control. 
Supporting documentation can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can control which users and teams can create and\nmanipulate Universal Control Plane resources, including Docker\nnetworking components. By default, no one can make changes to the\ncluster. Permissions can be granted and managed to enforce\nfine-grained access control. 
Supporting documentation can be found at\nthe following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can restrict privileged accounts within Universal Control\nPlane to custom-defined roles. By default, no one can make changes to\nthe cluster. Permissions can be granted and managed to enforce\nfine-grained access control. 
Supporting documentation can be found at\nthe following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can review all implemented grants, accounts and roles\nwithin Universal Control Plane and reassign/revoke privileges as\nnecessary. 
Supporting documentation can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane users can be assigned to one of a number of\ndifferent permission levels. The permission level assigned to a\nspecific user determines that user''s ability to execute certain\nDocker functions within UCP. Only users mapped to either the \"Full\nControl\" or \"Admin\" roles can execute Docker commands without any\nrestrictions. Users mapped to either the \"View Only\" or \"No Access\"\nroles cannot execute any Docker commands. Users assigned to the\n\"Restricted Control\" role can only run Docker commands under their own\npurview and cannot see other users UCP resources nor run commands that\nrequired privileged access to the host. Furthermore, custom roles can\nbe created for fine-grained access to specific UCP resources and\nfunctionality. 
Additional documentation regarding the various\npermission levels within UCP can be found at the following resource:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (10)", + "subcontrolId": "", + "narratives": [ + { + "value": "'One can control which users and teams can create and manipulate\nUniversal Control Plane resources and prevent non-privileged users\nfrom executing privileged functions per the requirements of this\ncontrol. By default, no one can make changes to the cluster.\nPermissions can be granted and managed to enforce fine-grained access\ncontrol. 
Supporting documentation for the configuration of this\nfunctionality can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-12 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane includes a logout capability that allows a\nuser to terminate his/her current session.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-14", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, a\nreview of actions allowed by unauthenticated users can be performed\nwithin Universal Control Plane.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control,\nUniversal Control Plane can be configured to allow/prohibit remote\naccess.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane logs and controls all local and remote\naccess events. 
In addition, auditing can be configured on the\nunderlying operating system to meet this control.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Universal Control Plane are protected\nwith Transport Layer Security (TLS) 1.2. This is included at both the\nHTTPS application layer for access to the UCP user interface and for\ncommand-line based connections to the cluster. In addition to this,\nall communication to UCP is enforced by way of two-way mutual TLS\nauthentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'A combination of managed load balancers, firewalls and access control\nlists, and virtual networking resources can be used to ensure traffic\ndestined for Universal Control Plane managers and worker nodes is\nrouted through managed network access control points.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control,\nUniversal Control Plane can be configured to authorize certain\nprivileged functions via remote access.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Built-in firewall technology in Universal Control Plane's underlying\noperating system can be used to force the disconnection of remote\nconnections to the host. 
In addition, UCP provides the option to pause\nor drain a node in the cluster, which subsequently stops and/or\nremoves sessions to the node. Individual services and/or applications\nrunning on a UCP cluster can also be stopped and/or removed.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "configured by customer" + ], + "statuses": [ + "complete", + "partial" + ], + "references": null + }, + { + "controlId": "AC-20", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, one\ncan control which external systems can access Universal Control\nPlane.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-20 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, one\ncan control which external systems can access Universal Control\nPlane.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-21", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, one\ncan validate the assigned roles and access levels within Universal\nControl Plane to control information sharing.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-2", + "subcontrolId": "", + "narratives": [ + { + "value": "'All of the event types indicated by this control are logged by the\nbackend ucp-controller service within Universal Control Plane. In\naddition, each container created on a Universal Control Plane cluster\nlogs event data. 
Supporting documentation for configuring UCP logging\ncan be referenced at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane generates all of the audit record information\nindicated by this control. A sample audit event has been provided\nbelow:\n\n{\"level\":\"info\",\"license_key\":\"123456789123456789123456789\",\"msg\":\"eNZi:Password\nbased auth\nsuceeded\",\"remote_addr\":\"192.168.33.1:55905\",\"time\":\"2016-11-09T22:41:01Z\",\"type\":\"auth\nok\",\"username\":\"dockeruser\"}'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack. The logging stack can subsequently be used to\ninterpolate the information defined by this control from the logged\naudit records. Additional documentation can be found at the following\nresource:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack. The logging stack can subsequently be used to\ninterpolate the information defined by this control from the logged\naudit records. 
Additional documentation can be found at the following\nresource:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack. The logging stack can subsequently be configured to\nalert individuals in the event of log processing failures. Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider system specific" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack. The logging stack can subsequently be configured to\nwarn the organization when the allocated log storage is full.\nAdditional information can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack. The logging stack can subsequently be configured to\nwarn the organization when audit log failures occur. 
Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-6 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack. The organization can subsequently centrally review and\nanalyze all of the Docker EE audit records. Additional information can\nbe found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-7", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack. The logging stack can subsequently be used to\nfacilitate the audit reduction and report generation requirements of\nthis control. Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + }, + { + "value": "'The underlying operating system chosen to support Universal Control\nPlane should be certified to ensure that logs are not altered during\ngeneration and transmission to a remote logging stack.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack. 
The logging stack can subsequently be configured to\nparse information by organization-defined audit fields. Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-8", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane uses the system clock of the underlying\noperating system on which it runs. This behavior cannot be modified.'\n", + "references": null + }, + { + "value": "'The underlying operating system on which Universal Control Plane runs\nshould be configured such that its system clock uses Coordinated\nUniversal Time (UTC) as indicated by this control. Refer to the\noperating system's instructions for doing so.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The underlying operating system on which Universal Control Plane runs\nshould be configured such that its system clock compares itself with\nan authoritative time source as indicated by this control. This can be\naccomplished by utilizing the Network Time Protocol (NTP). Refer to\nthe operating system's instructions for doing so.'\n", + "references": null + }, + { + "value": "'The underlying operating system on which Universal Control Plane runs\nshould be configured such that its system clock synchronizes itself to\nan authoritative time source as defined by part (a) of this control\nany time the time difference exceeds that of the organization-defined\ntime period. This can be accomplished by utilizing the Network Time\nProtocol (NTP). 
Refer to the operating system's instructions for doing\nso.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9", + "subcontrolId": "", + "narratives": [ + { + "value": "'By default, Universal Control Plane is configured to use the\nunderlying logging capabilities of Docker Enterprise Edition. As such,\non the underlying Linux operating system, only root and sudo users and\nusers that have been added to the 'docker' group have the ability to\naccess the logs generated by UCP backend service containers. In\naddition, only UCP Administrator users can change the logging endpoint\nof the system should it be decided that logs be sent to a remote\nlogging stack. In this case, the organization is responsible for\nconfiguring the remote logging stack per the provisions of this\ncontrol.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to send logs to a remote\nlogging stack. The logging stack can subsequently be configured to\nback up audit records per the schedule defined by this control.\nAdditional information can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to send logs to a remote\nlogging stack. The logging stack can subsequently be configured to\nmeet the encryption mechanisms required by this control. 
Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-11", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization will be responsible for meeting the requirements of\nthis control. To assist with these requirements, Universal Control\nPlane can be configured to send logs to a remote logging stack. This\nlogging stack can subsequently be configured retain logs for the\nduration required by this control. Additional information can be found\nat the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12", + "subcontrolId": "", + "narratives": [ + { + "value": "'All of the event types indicated by AU-2 a. are logged by the backend\nucp-controller service within Universal Control Plane. In addition,\neach container created on a Universal Control Plane cluster logs event\ndata. The underlying Linux operating system supporting UCP can be\nconfigured to audit Docker-specific events with the auditd daemon.\nRefer to the specific Linux distribution in use for instructions on\nconfiguring this service. Additional information can be found at the\nfollowing resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + }, + { + "value": "'Using auditd on the Linux operating system supporting UCP, the\norganization can configure audit rules to select which Docker-specific\nevents are to be audited. 
Refer to the specific Linux distribution in\nuse for instructions on configuring this service.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to send logs to a remote\nlogging stack. This logging stack can subsequently be used to compile\naudit records in to a system-wide audit trail that is time-correlated\nper the requirements of this control. Additional information can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to send logs to a remote\nlogging stack. This logging stack can subsequently be used to meet the\nrequirements of this control. Additional information can be found at\nthe following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Role-based access control can be configured within Universal Control\nPlane to meet the requirements of this control. 
Additional information\ncan be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-5 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Content Trust is a capability provided by Docker Enterprise\nEdition that enforces client-side signing and verification of Docker\nimage tags. It provides the ability to use digital signatures for data\nsent to and received from Docker Trusted Registry and the public\nDocker Store. These signatures allow client-side verification of the\nintegrity and publisher of specific image tags. All Universal Control\nPlane Docker images are officially signed and verified by Docker, Inc.\n\nWhen configuring Universal Control Plane, you should enforce\napplications to only use Docker images signed by trusted UCP users\nwithin your organization. Additional information can be found at the\nfollowing resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/'\n", + "references": null + } + ], + "origins": [ + "service provide hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements, the organization can\nincorporate the use of an external configuration management system to\nmeet the requirements of this control. 
Universal Control Plane''s\nconfiguration can also be managed, backed up and stored in another\nlocation per the requirements of this control. Additional documentation\ncan be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/ucp-configuration-file/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control,\nUniversal Control Plane includes a robust access control model to\ndisable any functionality as mandated by this control.'\n", + "references": null + } + ], + "origins": [ + "service provider corporate", + "Docker EE system", + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-7 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'In order to restrict which Docker images can be used to deploy\napplications to Universal Control Plane, the organization can define a\nlist of allowed base Docker images and make them available via Docker\nTrusted Registry. The organization can also prevent users from being\nable to pull Docker images from untrusted sources.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-7 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements and in order to restrict\nwhich Docker images can be used to deploy applications to Universal\nControl Plane, the organization must define a list of allowed base\nDocker images and make them available via Docker Trusted Registry. 
The\norganization must also prevent users from being able to pull Docker\nimages from untrusted sources.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements, the organization can\nconfigure its systems to ensure that only approved Docker images\nstored in Docker Trusted Registry can be run on Universal Control\nPlane. This can be accomplished by using Docker Content Trust to sign\nDocker images, and configure UCP to enforce only signed images from\nspecific Teams at runtime. Additional information can be found at the\nfollowing resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CP-10 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane maintains its cluster state via an internal\nkey-value store. This, and other UCP transactions can be backed up and\nrecovered. Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#UCP_Backup'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-2 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, Universal Control\nPlane requires individual users to be authenticated in order to gain\naccess to the system. 
Any permissions granted to the team(s) that\nwhich the user is a member are subsequently applied.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'In order for nodes to join a Universal Control Plane cluster, they\nmust be identified and authenticated via either a manager or worker\ntoken. Additional information can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/scale-your-cluster/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane contains two, built-in root certificate\nauthorities. One CA is used for signing client bundles generated by\nusers. The other CA is used for TLS communication between UCP cluster\nnodes. Should you choose to use certificates signed by an external CA,\nin order to successfully authenticate in to the system, those\ncertificates must include a root CA public certificate, a service\ncertificate and any intermediate CA public certificates (in addition\nto SANs for all addresses used to reach the UCP controller), and a\nprivate key for the server.'\n", + "references": null + }, + { + "value": "'Access to a Universal Control Plane cluster is only granted when a\nuser has a valid certificate bundle. This is enforced with the\npublic/private key pair included with the user's certificate bundle.'\n", + "references": null + }, + { + "value": "'Only after a client bundle has been generated or an existing public\nkey has been added for a particular user is that user able to execute\ncommands against the Universal Control Plane cluster. 
This bundle maps\nthe authenticated identity to that of the user.'\n", + "references": null + }, + { + "value": "'When a client bundle has been generated or an existing public key has\nbeen added for a particular Universal Control Plane user, it is\nattached to that user''s profile. Bundles/keys can be revoked by an\nAdministrator or the user themselves. The cluster''s internal\ncertificates can also be revoked and updated. Additional information\ncan be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-6", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane obscures all feedback of authentication\ninformation during the authentication process. This includes both\nauthentication via the web UI and the CLI.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-7", + "subcontrolId": "", + "narratives": [ + { + "value": "'All access to Universal Control Plane is protected with Transport\nLayer Security (TLS) 1.2 with the AES GCM cipher. This includes both\nSSH access to the individual UCP nodes and CLI-/web-based access to\nthe UCP management functions with mutual TLS and HTTPS respectively.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-8", + "subcontrolId": "", + "narratives": [ + { + "value": "'Users managed by Universal Control Plane can be grouped per the\nrequirements of the organization and as defined by this control. 
This\ncan include groupings for non-organizational users.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SA-10 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements, Docker Content Trust gives\nyou the ability to verify both the integrity and the publisher of all\nthe data received from a Docker Trusted Registry over any channel. It\nallows operations with a remote DTR instance to enforce client-side\nsigning and verification of image tags. It provides for the ability to\nuse digital signatures for data sent to and receive from remote DTR\ninstances. These signatures allow client-side verification of the\nintegrity and publisher of specific image tags. Universal Control\nPlane can be configured to only run trusted and signed images.\nAdditional information can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-2", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane is made up of a number of backend services\nthat provide for both user functionality (including user interface\nservices) and system management functionality. Each of these services\noperates independently of one another. 
Additional information can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Universal_Control_Plane'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-23", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Universal Control Plane are protected\nwith Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This\nis included at both the HTTPS application layer for access to the UCP\nuser interface and for command-line based connections to the cluster.\nIn addition to this, all communication to UCP is enforced by way of\ntwo-way mutual TLS authentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-28 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Universal Control Plane are protected\nwith Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This\nis included at both the HTTPS application layer for access to the UCP\nuser interface and for command-line based connections to the cluster.\nIn addition to this, all communication to UCP is enforced by way of\ntwo-way mutual TLS authentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SI-11", + "subcontrolId": "", + "narratives": [ + { + "value": "'All error messages generated via the configured logging mechanism of\nUniversal Control Plane are displayed such that they meet the\nrequirements of this control. 
Only users that are authorized the\nappropriate level of access can view these error messages.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + } + ], + "references": [ + { + "id": "", + "name": "UCP Documentation", + "description": "", + "url": "https://docs.docker.com/datacenter/ucp/2.2/guides/" + } + ] + }, + { + "name": "Authentication and Authorization Service (eNZi)", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "AC-1", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can control which users and teams are allowed to create\nand manipulate Docker Enterprise Edition resources. By default, no one\ncan make changes to the cluster. Permissions can be granted and\nmanaged to enforce fine-grained access control. Supporting\ndocumentation can found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, an external identity management system (such as Microsoft''s\nActive Directory or an LDAP endpoint) can be configured as mandated by\nthis control and can be integrated with Docker Enterprise Edition.\nSupporting documentation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (1)", + "subcontrolId": "", + 
"narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, an external identity management system (such as Microsoft''s\nActive Directory or an LDAP endpoint) can be configured as mandated by\nthis control and can be integrated with Docker Enterprise Edition.\nSupporting documentation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Using Docker Enterprise Edition''s LDAP integration capabilities, one\ncan disable and/or remove temporary and emergency accounts in a\nconnected directory service (such as Active Directory) after an\norganization-defined time period. When a user is removed from LDAP,\nthat user becomes inactive after the LDAP synchronization runs.\nSupporting documentation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Using Docker Enterprise Edition''s LDAP integration capabilities, one\ncan automatically disable inactive accounts in a connected directory\nservice (such as Active Directory). 
When a user is removed from LDAP,\nthat user becomes inactive after the LDAP synchronization runs.\nSupporting documentation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition logs various authentication and\nauthorization events to standard log files. One can configure Docker\nEnterprise Edition to direct these event logs to a remote logging\nservice such as an Elasticsearch, Logstash and Kibana (ELK) stack and\nsubsequently alert on specific event types. When integrating Docker\nEnterprise Edition with LDAP, one can refer the the directory\nservice''s logging mechanisms for auditing the events defined by this\ncontrol. Supporting documentation can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, Docker Enterprise Edition can be configured to enforce automated\nsession termination of users after an organization-defined time period\nof inactivity. 
By default, the initial lifetime of a user''s session\nis set to 72 hours and the renewal session for a user''s session is\nset to 24 hours. These values can both be changed in the \"Auth\"\nsection of the \"Admin Settings\" in Universal Control Plane.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, Docker Enterprise Edition supports various levels of user\npermissions and role-based access control enforcements. Administrator\nusers have permissions to: manage other Docker Enterprise Edition\nusers, manage Docker Trusted Registry repositories and settings, and\nmanage the Universal Control Plane and underlying Docker Swarm Mode\ncluster. Supporting documentation can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, users and/or groups synchronized to Docker Enterprise Edition\nvia LDAP can be configured at the directory service.'\n", + "references": null + } + ], + 
"origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (10)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Users and/or groups synchronized to Docker Enterprise Edition via\nLDAP can be configured at the directory service to ensure shared/group\naccount credentials are terminated when members leave the group.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (11)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Information system accounts synchronized to Docker Enterprise Edition\nvia LDAP can be configured at the directory service to meet this\nrequirement as necessary.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (12)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, when Docker Enterprise Edition is configured for LDAP\nintegration, one can refer to the directory service''s existing\nmonitoring tools.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (13)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, users and/or groups synchronized to Docker Enterprise Edition\nvia LDAP can be managed at the directory service and disabled if\nposing a significant risk.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'One can control which users and teams can create and manipulate\nDocker 
Enterprise Edition resources. By default, no one can make\nchanges to the cluster. Permissions can be granted and managed to\nenforce fine-grained access control. The eNZi component facilitates\nauthorizations as dictated by the system''s administrators. Supporting\ndocumentation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition logs privileged user events to standard log\nfiles. One can configure Docker Enterprise Edition to direct these\nevent logs to a remote logging service such as an Elasticsearch,\nLogstash and Kibana (ELK) stack and subsequently alert on specific\nevent types. When integrating Docker Enterprise Edition with LDAP, one\ncan refer the the directory service''s logging mechanisms for auditing\nthe events defined by this control. 
Supporting documentation regarding\nlogging and monitoring can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-7", + "subcontrolId": "", + "narratives": [ + { + "value": "'When Docker Enterprise Edition is integrated to a directory service\nvia LDAP, one can reference the functionality of the directory service\nto configure the enforcement of a limit to the number of conesecutive\ninvalid logon attempts by a user during a specified time period.'\n", + "references": null + }, + { + "value": "'When Docker Enterprise Edition is integrated to a directory service\nvia LDAP, one can reference the functionality of the directory service\nto configure he ability to automatically lock/disable an account for a\nspecified period of time after a consecutive invalid logon attempt\nlimit is reached.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-8", + "subcontrolId": "", + "narratives": [ + { + "value": "'The feature required to satisfy the requirements of this control has\nnot yet been built in to Docker EE but is planned for a future\nrelease.'\n", + "references": null + }, + { + "value": "'The feature required to satisfy the requirements of this control has\nnot yet been built in to Docker EE but is planned for a future\nrelease.'\n", + "references": null + }, + { + "value": "'The feature required to satisfy control has\nnot yet been built in to Docker EE but is planned for a future\nrelease.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "planned" + ], + "references": null + }, + { 
+ "controlId": "AC-10", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured to limit the number of\nconcurrent sessions for each account. These options can be found\nwithin the Universal Control Plane Admin Settings under the\n\"Authentication \u0026 Authorization\" section. '\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-11", + "subcontrolId": "", + "narratives": [ + { + "value": "'Per the requirements of AC-2 (5), Docker Enterprise Edition can be\nconfigured to enforce user session lifetime limits and renewal\nthresholds. These options can be found within the Universal Control\nPlane Admin Settings under the \"Authentication \u0026 Authorization\"\nsection. Configurable options include the initial lifetime (in hours)\nof a user''s session and the renewal threshold of a session (in\nhours).'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-11 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Per the requirements of AC-2 (5), Docker Enterprise Edition can be\nconfigured to enforce user session lifetime limits and renewal\nthresholds. These options can be found within the Universal Control\nPlane Admin Settings under the \"Authentication \u0026 Authorization\"\nsection. Configurable options include the initial lifetime (in hours)\nof a user''s session and the renewal threshold of a session (in\nhours). 
Upon the expiration of the configured session thresholds, a\nuser will be locked out of his/her session per the requirements of\nthis controls.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-12", + "subcontrolId": "", + "narratives": [ + { + "value": "'Per the requirements of AC-2 (5), Docker Enterprise Edition can be\nconfigured to enforce user session lifetime limits and renewal\nthresholds. These options can be found within the Universal Control\nPlane Admin Settings under the \"Authentication \u0026 Authorization\"\nsection. Configurable options include the initial lifetime (in hours)\nof a user''s session and the renewal threshold of a session (in\nhours). Upon the expiration of the configured session thresholds, a\nuser will be locked out of his/her session.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition logs and controls all local and remote\naccess events. In addition, auditing can be configured on the\nunderlying operating system to meet this control.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition generates all of the audit record\ninformation indicated by this control. 
A sample audit event has been\nprovided below:\n\n{\"level\":\"info\",\"license_key\":\"123456789123456789123456789\",\"msg\":\"eNZi:Password\nbased auth\nsuceeded\",\"remote_addr\":\"192.168.33.1:55905\",\"time\":\"2016-11-09T22:41:01Z\",\"type\":\"auth\nok\",\"username\":\"dockeruser\"}'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-2", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured to identify and\nauthenticate users via it''s integrated support for LDAP. Users and\ngroups managed within the organization''s LDAP directory service (e.g.\nActive Directory) can be synchronized to UCP and DTR on a regular\ninterval. When a user is removed from the LDAP-backed directory, that\nuser becomes inactive within UCP and DTR. In addition, UCP and DTR\nteams can be mapped to groups synchronized via LDAP. When a user is\nadded/removed to/from the LDAP group, that same user is automatically\nadded/removed to/from the UCP and DTR team. Additional information can\nbe found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-2 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, Docker Enterprise\nEdition requires individual users to be authenticated in order to gain\naccess to the system. 
Any permissions granted to the team(s) that\nwhich the user is a member are subsequently applied.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-2 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition integrates with LDAP for authenticating\nusers to an external directory service. You should configure your\nexternal directory service for ensuring that you are protected against\nreplay attacks.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-2 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition integrates with LDAP for authenticating\nusers to an external directory service. You should configure your\nexternal directory service for ensuring that you are protected against\nreplay attacks.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-4", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to prevent the reuse of user identifiers for a\nspecified period of time. Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to prevent the reuse of user identifiers for a\nspecified period of time. 
Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to prevent the reuse of user identifiers for a\nspecified period of time. Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-4 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to uniquely identify each individual according to\nthe requirements of this control. Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-5", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to establish initial authenticator content according\nto the requirements of this control. Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. 
To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to enforce strength requirements for authenticators\naccording to the requirements of this control. Refer to your directory\nservice''s documentation for configuring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to distribute, redistribute, and revoke\nauthenticators according to the requirements of this control. Refer to\nyour directory service''s documentation for configuring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to change default authenticator content according to\nthe requirements of this control. Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to set minimum and maximum lifetime restrictions and\nreuse conditions for authenticators according to the requirements of\nthis control. Refer to your directory service''s documentation for\nconfiguring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. 
To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to refresh authenticators at a regular cadence\naccording to the requirements of this control. Refer to your directory\nservice''s documentation for configuring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to protect authenticator content from unauthorized\ndisclosure or modification according to the requirements of this\ncontrol. Refer to your directory service''s documentation for\nconfiguring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to implement specific security safeguards to protect\nauthentications according to the requirements of this control. Refer\nto your directory service''s documentation for configuring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to change authenticators for group or role accounts\nwhen membership to those groups or roles changes according to the\nrequirements of this control. 
Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'An external directory service integrated with Docker Enterprise\nEdition via LDAP can be configured to enforce minimum password\ncomplexity requirements. Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + }, + { + "value": "'An external directory service integrated with Docker Enterprise\nEdition via LDAP can be configured to enforce the requirement to\nchange at least one character when changing passwords according to the\nrequirements of this control. Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + }, + { + "value": "'An external directory service integrated with Docker Enterprise\nEdition via LDAP can be configured to store and transmit\ncryptographically protected passwords according to the requirements of\nthis control. Refer to your directory service''s documentation for\nconfiguring this.'\n", + "references": null + }, + { + "value": "'An external directory service integrated with Docker Enterprise\nEdition via LDAP can be configured to enforce the required minimum and\nmaximum lifetime restrictions according to the requirements of this\ncontrol. Refer to your directory service''s documentation for\nconfiguring this.'\n", + "references": null + }, + { + "value": "'An external directory service integrated with Docker Enterprise\nEdition via LDAP can be configured to enforce the required number of\ngenerations before password reuse according to the requirements of\nthis control. 
Refer to your directory service''s documentation for\nconfiguring this.'\n", + "references": null + }, + { + "value": "'An external directory service integrated with Docker Enterprise\nEdition via LDAP can be configured to enforce the requirement to\nchange initial/temporary passwords upon first login according to the\nrequirements of this control. Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'All users within a Docker Enterprise Edition cluster can create a\nclient certificate bundle for authenticating in to the cluster from\nthe Docker client tooling. When a user attempts to authenticate in to\nthe Docker cluster, the system validates the certificates per the\nrequirements of this control.'\n", + "references": null + }, + { + "value": "'All users within a Docker Enterprise Edition cluster can create a\nclient certificate bundle for authenticating in to the cluster from\nthe Docker client tooling. When a user attempts to authenticate in to\nthe Docker cluster, the system enforces authorized access to the\ncorresponding private key per the requirements of this control.'\n", + "references": null + }, + { + "value": "'All users within a Docker Enterprise Edition cluster can create a\nclient certificate bundle for authenticating in to the cluster from\nthe Docker client tooling. When a user attempts to authenticate in to\nthe Docker cluster, the system maps the authenticated identity to the\naccount of the individual or group per the requirements of this\ncontrol.'\n", + "references": null + }, + { + "value": "'All users within a Docker Enterprise Edition cluster can create a\nclient certificate bundle for authenticating in to the cluster from\nthe Docker client tooling. 
When a user attempts to authenticate in to\nthe Docker cluster, it is up to the underlying operating system\nhosting Docker Enterprise Edition to ensure that it implements a local\ncache of revocation data per the requirements of this control.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-5 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP can be\nconfigured with automation to ensure that password authenticators meet\nstrength requirements as defined by this control. Refer to your\ndirectory service's documentation for configuring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-5 (6)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to protect authenticators as required by this\ncontrol. Refer to your directory service's documentation for\nconfiguring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-8 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'An external directory service integrated with Docker Enterprise\nEdition via LDAP can be configured to meet the FICAM requirements as\nindicated by this control. 
Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-8 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to meet the FICAM requirements as indicated by this\ncontrol. Refer to your directory service''s documentation for\nconfiguring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-8 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to meet the FICAM requirements as indicated by this\ncontrol. 
Refer to your directory service''s documentation for\nconfiguring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-23 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition invalidates session identifiers upon user\nlogout per the requirements of this control.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + } + ], + "references": [ + { + "id": "", + "name": "UCP Documentation", + "description": "", + "url": "https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management" + } + ] + } + ], + "policies": null, + "procedures": null, + "params": [ + { + "paramId": "RA-5(2)", + "value": "\"FedRAMP requirement: prior to a new scan\"\n" + }, + { + "paramId": "RA-5(5)-1", + "value": "\"FedRAMP requirement: operating systems, databases, web applications\"\n" + }, + { + "paramId": "RA-5(5)-2", + "value": "\"FedRAMP requirement: all scans\"\n" + }, + { + "paramId": "AC-2(12)(a)", + "value": "\"customer-defined atypical use\"\n" + }, + { + "paramId": "AC-2(12)(b)", + "value": "\"at a minimum, the ISSO and/or similar role within the organization\"\n" + }, + { + "paramId": "AC-4", + "value": "\"customer-defined information flow control policies\"\n" + }, + { + "paramId": "AC-4(8)(a)", + "value": "\"FedRAMP assignment: security policy filters inherent in boundary\nprotection devices such as gateways, routers, guards, encrypted\ntunnels, firewalls\"\n" + }, + { + "paramId": "AC-4(8)(b)", + "value": "\"FedRAMP assignment: information containing PII or organization\nsensitive information types\"\n" + }, + { + "paramId": "AC-4(21)-1", + "value": "\"customer-defined mechanisms and/or techniques\"\n" + }, + { + "paramId": "AC-4(21)-2", + "value": "\"customer-defined 
required separation by types of information\"\n" + }, + { + "paramId": "AC-5(a)", + "value": "\"customer-defined duties of individuals\"\n" + }, + { + "paramId": "AC-14(a)", + "value": "\"customer-defined user actions\"\n" + }, + { + "paramId": "AC-17(3)", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "AC-17(9)", + "value": "\"FedRAMP requirement: no greater than fifteen minutes\"\n" + }, + { + "paramId": "AC-21(a)", + "value": "\"customer-defined information sharing circumstances\"\n" + }, + { + "paramId": "AC-21(b)", + "value": "\"customer-defined automated mechanisms or manual processes\"\n" + }, + { + "paramId": "AU-2(a)", + "value": "\"FedRAMP requirement: successful and unsuccessful account logon\nevents, account management events, object access, policy change,\nprivileged functions, process tracking, and system events. For Web\napplications: all administrator activity, authentication checks,\nauthorization checks, data deletions, data access, data changes, and\npermission changes\"\n" + }, + { + "paramId": "AU-2(d)", + "value": "\"FedRAMP requirement: organization-defined subset of the auditable\nevents defined in AU-2-a. 
to be audited continually for each\nidentified event\"\n" + }, + { + "paramId": "AU-3(1)", + "value": "\"FedRAMP requirement: session, connection, trasaction, or activity\nduration; for client-server transactions, the number of bytes received\nand bytes sent, additional informational messages to diagnose or\nidentify the event, characteristics that describe or identify the\nobject or resource being acted upon\"\n" + }, + { + "paramId": "AU-3(2)", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-5(a)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "AU-5(b)", + "value": "\"FedRAMP requirement: low-impact: overwrite oldest audit records;\nmoderate-impact: shut down\"\n" + }, + { + "paramId": "AU-5(1)-1", + "value": "\"appropriate service team personnel, customer-defined personnel\"\n" + }, + { + "paramId": "AU-5(1)-2", + "value": "\"24 hours, customer-defined time period\"\n" + }, + { + "paramId": "AU-5(1)-3", + "value": "\"a service team defined percentage, customer-defined percentage\"\n" + }, + { + "paramId": "AU-5(2)-1", + "value": "\"real-time\"\n" + }, + { + "paramId": "AU-5(2)-2", + "value": "\"appropriate service team personnel\"\n" + }, + { + "paramId": "AU-5(2)-3", + "value": "\"events defined by each service team, audit failure events requiring\nreal-time alerts, as defined by organization audit policy\"\n" + }, + { + "paramId": "AU-7(1)", + "value": "\"customer-defined audit fields within audit records\"\n" + }, + { + "paramId": "AU-8(b)", + "value": "\"millisecond precision\"\n" + }, + { + "paramId": "AU-8(1)(a)-1", + "value": "\"FedRAMP requirement: at least hourly\"\n" + }, + { + "paramId": "AU-8(1)(a)-2", + "value": "\"FedRAMP requirement: authoritative time source:\nhttp://tf.nist.gov/tf-cgi/servers.cgi\"\n" + }, + { + "paramId": "AU-8(1)(b)", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "AU-9(2)", + "value": "\"FedRAMP requirement: at least weekly\"\n" + }, + { + 
"paramId": "AU-11", + "value": "\"FedRAMP requirement: at least one year\"\n" + }, + { + "paramId": "AU-12(a)", + "value": "\"FedRAMP requirement: at least every 3 years\"\n" + }, + { + "paramId": "AU-12(b)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "AU-12(1)-1", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-12(1)-2", + "value": "\"1 millisecond, organization-defined level of tolerance\"\n" + }, + { + "paramId": "AU-12(3)-1", + "value": "\"service team members with audit configuration responsibilities\"\n" + }, + { + "paramId": "AU-12(3)-2", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-12(3)-3", + "value": "\"changes to the thread environment, organization-defined threat\nsituations\"\n" + }, + { + "paramId": "AU-12(3)-4", + "value": "\"risk-based assessment, organization-defined time thresholds\"\n" + }, + { + "paramId": "CM-5(3)", + "value": "\"customer-defined software\"\n" + }, + { + "paramId": "CM-6(1)", + "value": "\"customer-defined information system components\"\n" + }, + { + "paramId": "CM-7(5)(a)", + "value": "\"customer-defined software programs authorized to execute on the\ninformation system\"\n" + }, + { + "paramId": "CM-11(a)", + "value": "\"customer-defined policies\"\n" + }, + { + "paramId": "CM-11(b)", + "value": "\"customer-defined methods\"\n" + }, + { + "paramId": "CM-11(c)", + "value": "\"FedRAMP requirement: continuously (via CM-7(5))\"\n" + }, + { + "paramId": "CM-11(1)", + "value": "\"organization-defined personnel or roles\"\n" + }, + { + "paramId": "SC-28(1)-1", + "value": "\"customer data\"\n" + }, + { + "paramId": "SC-28(1)-2", + "value": "\"CSP servers\"\n" + }, + { + "paramId": "SI-11(b)", + "value": "\"authorized service personnel and CSP users\"\n" + }, + { + "paramId": "AC-2(12)(a)", + "value": "\"customer-defined atypical use\"\n" + }, + { + "paramId": "AC-2(12)(b)", + "value": "\"at a minimum, the 
ISSO and/or similar role within the organization\"\n" + }, + { + "paramId": "AC-4", + "value": "\"customer-defined information flow control policies\"\n" + }, + { + "paramId": "AC-4(8)(a)", + "value": "\"FedRAMP assignment: security policy filters inherent in boundary\nprotection devices such as gateways, routers, guards, encrypted\ntunnels, firewalls\"\n" + }, + { + "paramId": "AC-4(8)(b)", + "value": "\"FedRAMP assignment: information containing PII or organization\nsensitive information types\"\n" + }, + { + "paramId": "AC-4(21)-1", + "value": "\"customer-defined mechanisms and/or techniques\"\n" + }, + { + "paramId": "AC-4(21)-2", + "value": "\"customer-defined required separation by types of information\"\n" + }, + { + "paramId": "AC-14(a)", + "value": "\"customer-defined user actions\"\n" + }, + { + "paramId": "AC-17(3)", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "AC-17(9)", + "value": "\"FedRAMP requirement: no greater than fifteen minutes\"\n" + }, + { + "paramId": "AU-3(1)", + "value": "\"FedRAMP requirement: session, connection, trasaction, or activity\nduration; for client-server transactions, the number of bytes received\nand bytes sent, additional informational messages to diagnose or\nidentify the event, characteristics that describe or identify the\nobject or resource being acted upon\"\n" + }, + { + "paramId": "AU-3(2)", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-5(a)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "AU-5(b)", + "value": "\"FedRAMP requirement: low-impact: overwrite oldest audit records;\nmoderate-impact: shut down\"\n" + }, + { + "paramId": "AU-5(1)-1", + "value": "\"appropriate service team personnel, customer-defined personnel\"\n" + }, + { + "paramId": "AU-5(1)-2", + "value": "\"24 hours, customer-defined time period\"\n" + }, + { + "paramId": "AU-5(1)-3", + "value": "\"a service team defined percentage, customer-defined 
percentage\"\n" + }, + { + "paramId": "AU-5(2)-1", + "value": "\"real-time\"\n" + }, + { + "paramId": "AU-5(2)-2", + "value": "\"appropriate service team personnel\"\n" + }, + { + "paramId": "AU-5(2)-3", + "value": "\"events defined by each service team, audit failure events requiring\nreal-time alerts, as defined by organization audit policy\"\n" + }, + { + "paramId": "AU-7(1)", + "value": "\"customer-defined audit fields within audit records\"\n" + }, + { + "paramId": "AU-8(b)", + "value": "\"millisecond precision\"\n" + }, + { + "paramId": "AU-8(1)(a)-1", + "value": "\"FedRAMP requirement: at least hourly\"\n" + }, + { + "paramId": "AU-8(1)(a)-2", + "value": "\"FedRAMP requirement: authoritative time source:\nhttp://tf.nist.gov/tf-cgi/servers.cgi\"\n" + }, + { + "paramId": "AU-8(1)(b)", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "AU-9(2)", + "value": "\"FedRAMP requirement: at least weekly\"\n" + }, + { + "paramId": "AU-10", + "value": "\"actions including the addition, modification, deletion, approval,\nsending, or receiving of data\"\n" + }, + { + "paramId": "AU-11", + "value": "\"FedRAMP requirement: at least one year\"\n" + }, + { + "paramId": "AU-12(a)", + "value": "\"FedRAMP requirement: at least every 3 years\"\n" + }, + { + "paramId": "AU-12(b)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "AU-12(1)-1", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-12(1)-2", + "value": "\"1 millisecond, organization-defined level of tolerance\"\n" + }, + { + "paramId": "AU-12(3)-1", + "value": "\"service team members with audit configuration responsibilities\"\n" + }, + { + "paramId": "AU-12(3)-2", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-12(3)-3", + "value": "\"changes to the thread environment, organization-defined threat\nsituations\"\n" + }, + { + "paramId": "AU-12(3)-4", + "value": "\"risk-based assessment, 
organization-defined time thresholds\"\n" + }, + { + "paramId": "CM-1(a)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "CM-1(b)(1)", + "value": "\"FedRAMP requirement: at least every 3 years\"\n" + }, + { + "paramId": "CM-1(b)(2)", + "value": "\"FedRAMP requirement: at least annually or whenever a significant\nchange occurs\"\n" + }, + { + "paramId": "CM-2(1)(a)", + "value": "\"FedRAMP requirement: at least annually or when a significant change\noccurs\"\n" + }, + { + "paramId": "CM-2(1)(b)", + "value": "\"FedRAMP requirement: to include when directed by the JAB\"\n" + }, + { + "paramId": "CM-2(3)", + "value": "\"the previously approved baseline configuration of IS components\"\n" + }, + { + "paramId": "CM-3(e)", + "value": "\"customer-defined time period\"\n" + }, + { + "paramId": "CM-3(g)-1", + "value": "\"FedRAMP requirement: CAB\"\n" + }, + { + "paramId": "CM-3(g)-2", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "CM-3(g)-3", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "CM-3(g)-4", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "CM-3(1)(b)", + "value": "\"customer-defined authorized approvers\"\n" + }, + { + "paramId": "CM-3(1)(c)", + "value": "\"organization-defined time period\"\n" + }, + { + "paramId": "CM-3(1)(f)", + "value": "\"organization-defined configuration management approval authorities\"\n" + }, + { + "paramId": "CM-3(6)", + "value": "\"all security safeguards that rely on cryptography\"\n" + }, + { + "paramId": "CM-5(2)-1", + "value": "\"every 30 days\"\n" + }, + { + "paramId": "CM-5(2)-2", + "value": "\"organization-defined circumstance\"\n" + }, + { + "paramId": "CM-5(3)", + "value": "\"customer-defined software\"\n" + }, + { + "paramId": "CM-6(1)", + "value": "\"customer-defined information system components\"\n" + }, + { + "paramId": "CM-7(b)", + "value": "\"FedRAMP assignment: the service provider shall use the Center for\nInternet Security Guidelines (Level 1) to establish 
list of prohibited\nor restricted functions, ports, protocols, and/or services or\nestablishes its own list of prohibited or restricted functions, ports,\nprotocols, and/or services if USGCB is not available\"\n" + }, + { + "paramId": "CM-7(2)", + "value": "\"customer-defined policies regarding software program usage or\nrestrictions\"\n" + }, + { + "paramId": "CM-7(5)(a)", + "value": "\"customer-defined software programs authorized to execute on the\ninformation system\"\n" + }, + { + "paramId": "SC-7(20", + "value": "\"organization-defined information system components\"\n" + }, + { + "paramId": "SC-12(2)", + "value": "\"FedRAMP requirement: NIST FIPTS compliance\"\n" + }, + { + "paramId": "SC-13", + "value": "\"FedRAMP requirement: FIPS-validated or NSA-approved cryptography\"\n" + }, + { + "paramId": "SC-28-1", + "value": "\"confidentiality and integrity\"\n" + }, + { + "paramId": "SC-28-2", + "value": "\"customer data\"\n" + }, + { + "paramId": "SC-28(1)-1", + "value": "\"customer data\"\n" + }, + { + "paramId": "SC-28(1)-2", + "value": "\"CSP servers\"\n" + }, + { + "paramId": "SI-11(b)", + "value": "\"authorized service personnel and CSP users\"\n" + }, + { + "paramId": "SI-16", + "value": "\"Windows protections, including No Execute, Address Space Layout\nRandomization, and Data Execution Prevention\"\n" + }, + { + "paramId": "AC-2(12)(a)", + "value": "\"customer-defined atypical use\"\n" + }, + { + "paramId": "AC-2(12)(b)", + "value": "\"at a minimum, the ISSO and/or similar role within the organization\"\n" + }, + { + "paramId": "AC-4", + "value": "\"customer-defined information flow control policies\"\n" + }, + { + "paramId": "AC-4(8)(a)", + "value": "\"FedRAMP assignment: security policy filters inherent in boundary\nprotection devices such as gateways, routers, guards, encrypted\ntunnels, firewalls\"\n" + }, + { + "paramId": "AC-4(8)(b)", + "value": "\"FedRAMP assignment: information containing PII or organization\nsensitive information types\"\n" + }, 
+ { + "paramId": "AC-4(21)-1", + "value": "\"customer-defined mechanisms and/or techniques\"\n" + }, + { + "paramId": "AC-4(21)-2", + "value": "\"customer-defined required separation by types of information\"\n" + }, + { + "paramId": "AC-5(a)", + "value": "\"customer-defined duties of individuals\"\n" + }, + { + "paramId": "AC-6(1)", + "value": "\"FedRAMP assignment: all functions not publiclly accessible and all\nsecurity-relevant information not publicly available\"\n" + }, + { + "paramId": "AC-6(2)", + "value": "\"FedRAMP requirement: all security functions\"\n" + }, + { + "paramId": "AC-6(3)-1", + "value": "\"privileged commands used to change/configure network devices\"\n" + }, + { + "paramId": "AC-6(3)-2", + "value": "\"customer-defined operational needs\"\n" + }, + { + "paramId": "AC-6(5)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "AC-6(7)(a)-1", + "value": "\"at least annually\"\n" + }, + { + "paramId": "AC-6(7)(a)-2", + "value": "\"all users\"\n" + }, + { + "paramId": "AC-6(8)", + "value": "\"FedRAMP assignment: any software except software explicitly\ndocumented\"\n" + }, + { + "paramId": "AC-12(1)(a)", + "value": "\"customer-defined information resources\"\n" + }, + { + "paramId": "AC-14(a)", + "value": "\"customer-defined user actions\"\n" + }, + { + "paramId": "AC-17(3)", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "AC-17(4)(a)", + "value": "\"customer-defined needs\"\n" + }, + { + "paramId": "AC-17(9)", + "value": "\"FedRAMP requirement: no greater than fifteen minutes\"\n" + }, + { + "paramId": "AC-21(a)", + "value": "\"customer-defined information sharing circumstances\"\n" + }, + { + "paramId": "AC-21(b)", + "value": "\"customer-defined automated mechanisms or manual processes\"\n" + }, + { + "paramId": "AU-2(a)", + "value": "\"FedRAMP requirement: successful and unsuccessful account logon\nevents, account management events, object access, policy change,\nprivileged functions, process tracking, and 
system events. For Web\napplications: all administrator activity, authentication checks,\nauthorization checks, data deletions, data access, data changes, and\npermission changes\"\n" + }, + { + "paramId": "AU-2(d)", + "value": "\"FedRAMP requirement: organization-defined subset of the auditable\nevents defined in AU-2-a. to be audited continually for each\nidentified event\"\n" + }, + { + "paramId": "AU-3(1)", + "value": "\"FedRAMP requirement: session, connection, trasaction, or activity\nduration; for client-server transactions, the number of bytes received\nand bytes sent, additional informational messages to diagnose or\nidentify the event, characteristics that describe or identify the\nobject or resource being acted upon\"\n" + }, + { + "paramId": "AU-3(2)", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-5(a)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "AU-5(b)", + "value": "\"FedRAMP requirement: low-impact: overwrite oldest audit records;\nmoderate-impact: shut down\"\n" + }, + { + "paramId": "AU-5(1)-1", + "value": "\"appropriate service team personnel, customer-defined personnel\"\n" + }, + { + "paramId": "AU-5(1)-2", + "value": "\"24 hours, customer-defined time period\"\n" + }, + { + "paramId": "AU-5(1)-3", + "value": "\"a service team defined percentage, customer-defined percentage\"\n" + }, + { + "paramId": "AU-5(2)-1", + "value": "\"real-time\"\n" + }, + { + "paramId": "AU-5(2)-2", + "value": "\"appropriate service team personnel\"\n" + }, + { + "paramId": "AU-5(2)-3", + "value": "\"events defined by each service team, audit failure events requiring\nreal-time alerts, as defined by organization audit policy\"\n" + }, + { + "paramId": "AU-7(1)", + "value": "\"customer-defined audit fields within audit records\"\n" + }, + { + "paramId": "AU-8(b)", + "value": "\"millisecond precision\"\n" + }, + { + "paramId": "AU-8(1)(a)-1", + "value": "\"FedRAMP requirement: at least 
hourly\"\n" + }, + { + "paramId": "AU-8(1)(a)-2", + "value": "\"FedRAMP requirement: authoritative time source:\nhttp://tf.nist.gov/tf-cgi/servers.cgi\"\n" + }, + { + "paramId": "AU-8(1)(b)", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "AU-9(2)", + "value": "\"FedRAMP requirement: at least weekly\"\n" + }, + { + "paramId": "AU-11", + "value": "\"FedRAMP requirement: at least one year\"\n" + }, + { + "paramId": "AU-12(a)", + "value": "\"FedRAMP requirement: at least every 3 years\"\n" + }, + { + "paramId": "AU-12(b)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "AU-12(1)-1", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-12(1)-2", + "value": "\"1 millisecond, organization-defined level of tolerance\"\n" + }, + { + "paramId": "AU-12(3)-1", + "value": "\"service team members with audit configuration responsibilities\"\n" + }, + { + "paramId": "AU-12(3)-2", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-12(3)-3", + "value": "\"changes to the thread environment, organization-defined threat\nsituations\"\n" + }, + { + "paramId": "AU-12(3)-4", + "value": "\"risk-based assessment, organization-defined time thresholds\"\n" + }, + { + "paramId": "CM-5(3)", + "value": "\"customer-defined software\"\n" + }, + { + "paramId": "CM-6(1)", + "value": "\"customer-defined information system components\"\n" + }, + { + "paramId": "CM-7(1)(b)", + "value": "\"customer-defined functions, ports, protocols, and services within the\ninformation system deemed to be unnecessary and/or nonsecure\"\n" + }, + { + "paramId": "CM-7(2)", + "value": "\"customer-defined policies regarding software program usage or\nrestrictions\"\n" + }, + { + "paramId": "CM-7(5)(a)", + "value": "\"customer-defined software programs authorized to execute on the\ninformation system\"\n" + }, + { + "paramId": "SC-28(1)-1", + "value": "\"customer data\"\n" + }, + { + "paramId": 
"SC-28(1)-2", + "value": "\"CSP servers\"\n" + }, + { + "paramId": "SI-11(b)", + "value": "\"authorized service personnel and CSP users\"\n" + }, + { + "paramId": "AC-2(2)-1", + "value": "Selection (removes or disables)" + }, + { + "paramId": "AC-2(2)-2", + "value": "\"FedRAMP requirement: no more than 30 days for temporary and emergency\naccount types\"\n" + }, + { + "paramId": "AC-2(3)", + "value": "\"FedRAMP requirement: thirty-five (35) days for user accounts\"\n" + }, + { + "paramId": "AC-2(4)", + "value": "\"organization and/or service provider system owner\"\n" + }, + { + "paramId": "AC-2(5)", + "value": "\"inactivity is anticipated to exceed fifteen (15) minutes\"\n" + }, + { + "paramId": "AC-2(7)(c)", + "value": "\"FedRAMP assignment: disables/revokes access within an\norganization-specified timeframe\"\n" + }, + { + "paramId": "AC-2(9)", + "value": "\"FedRAMP assignment: organization-defined need with justificatino\nstatement that explains why such accounts are necessary\"\n" + }, + { + "paramId": "AC-2(11)-1", + "value": "\"customer-defined circumstances or usage conditions\"\n" + }, + { + "paramId": "AC-2(11)-2", + "value": "\"customer-defined accounts\"\n" + }, + { + "paramId": "AC-2(12)(a)", + "value": "\"customer-defined atypical use\"\n" + }, + { + "paramId": "AC-2(12)(b)", + "value": "\"at a minimum, the ISSO and/or similar role within the organization\"\n" + }, + { + "paramId": "AC-2(13)", + "value": "\"one hour\"\n" + }, + { + "paramId": "AC-7(a)-1", + "value": "\"FedRAMP requirement: not more than three\"\n" + }, + { + "paramId": "AC-7(a)-2", + "value": "\"FedRAMP requirement: fifteen minutes\"\n" + }, + { + "paramId": "AC-7(b)-1", + "value": "\"FedRAMP requirement: locks the account/node for three hours\"\n" + }, + { + "paramId": "AC-7(b)-2", + "value": "\"customer-defined additional actions\"\n" + }, + { + "paramId": "AC-8(a)", + "value": "\"customer-defined system use notification banner\"\n" + }, + { + "paramId": "AC-8(c)(1)", + "value": 
"\"customer-defined conditions\"\n" + }, + { + "paramId": "AC-10", + "value": "\"customer-defined account and/or account type; FedRAMP requirement:\nthree sessions for privileged access and two sessions for\nnon-privileged access\"\n" + }, + { + "paramId": "AC-11(a)", + "value": "\"FedRAMP requirement: fifteen minutes\"\n" + }, + { + "paramId": "AC-12", + "value": "\"customer-defined conditions or trigger events\"\n" + }, + { + "paramId": "IA-4(a)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "IA-4(d)", + "value": "\"FedRAMP requirement: at least two years\"\n" + }, + { + "paramId": "IA-4(e)", + "value": "\"FedRAMP requirement: thirty-five (35) days\"\n" + }, + { + "paramId": "IA-4(4)", + "value": "\"FedRAMP requirement: contractors, foreign nationals\"\n" + }, + { + "paramId": "IA-5(g)", + "value": "\"FedRAMP requirement: 60 days for passwords\"\n" + }, + { + "paramId": "IA-5(1)(a)", + "value": "\"FedRAMP requirement: case-sensitive, minimum of fourteen (14)\ncharacters, and at least one (1) each of upper-case letters,\nlower-case letters, numbers, and special characters\"\n" + }, + { + "paramId": "IA-5(1)(b)", + "value": "\"FedRAMP requirement: at least fifty percent (50%)\"\n" + }, + { + "paramId": "IA-5(1)(d)", + "value": "\"FedRAMP requirement: one day minimum, sixty day maximum\"\n" + }, + { + "paramId": "IA-5(1)(e)", + "value": "\"FedRAMP requirement: twenty four\"\n" + }, + { + "paramId": "IA-5(4)", + "value": "\"complexity as identified in IA-05 (1) Control Enhancement Part A\"\n" + }, + { + "paramId": "IA-8(3)", + "value": "\"N/A\"\n" + } + ] +} \ No newline at end of file diff --git a/working/JSON-mapping/docker-ee-opencontrol-oscal-ENRICHED-SP800-53.xml b/working/JSON-mapping/docker-ee-opencontrol-oscal-ENRICHED-SP800-53.xml new file mode 100644 index 0000000000..d4b07b2ece --- /dev/null +++ b/working/JSON-mapping/docker-ee-opencontrol-oscal-ENRICHED-SP800-53.xml 
@@ -0,0 +1,8149 @@ + + + Moderate SSP for Docker Enterprise Edition Deployment ATO +

                                    Moderate SSP for Docker Enterprise Edition Deployment ATO

                                    + securitylead@agency.gov + + NIST SP800-53 rev 4 + + + + Access Control Policy for [Agency_Here] +

                                    +

                                    + + ACCESS CONTROL POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCOUNT MANAGEMENT +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DISABLE INACTIVE ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INACTIVITY LOGOUT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ROLE-BASED SCHEMES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESTRICTIONS ON USE OF SHARED / GROUP ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS ENFORCEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION OF DUTIES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LEAST PRIVILEGE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHORIZE ACCESS TO SECURITY FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDITING USE OF PRIVILEGED FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + UNSUCCESSFUL LOGON ATTEMPTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM USE NOTIFICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONCURRENT SESSION CONTROL +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION LOCK +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PATTERN-HIDING DISPLAYS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION TERMINATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOTE ACCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIVILEGED COMMANDS / ACCESS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHENTICATION AND ENCRYPTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + WIRELESS ACCESS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FULL DEVICE / CONTAINER-BASED ENCRYPTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR MOBILE DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PORTABLE STORAGE DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LIMITS ON AUTHORIZED USE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SHARING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PUBLICLY ACCESSIBLE CONTENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Awareness Training Policy for [Agency_Here] +

                                    +

                                    + + ROLE-BASED SECURITY TRAINING +

                                    [Agency's control implementation here] +

                                    + none + + + SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY AWARENESS TRAINING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSIDER THREAT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY TRAINING RECORDS +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Audit and Accountability Policy for [Agency_Here] +

                                    +

                                    + + AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + complete + + + AUDIT EVENTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + complete +
                                    + + REVIEWS AND UPDATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT STORAGE CAPACITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT REVIEW, ANALYSIS, AND REPORTING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROCESS INTEGRATION +

                                    [Agency's control implementation here] +

                                    +
                                    + + CORRELATE AUDIT REPOSITORIES +

                                    [Agency's control implementation here] +

                                    +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC PROCESSING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TIME STAMPS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS BY SUBSET OF PRIVILEGED USERS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT RECORD RETENTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT GENERATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Assessment and Authorization Policy for [Agency_Here] +

                                    +

                                    + + SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + EXTERNAL ORGANIZATIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ASSESSMENTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SPECIALIZED ASSESSMENTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDEPENDENT ASSESSORS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SPECIALIZED ASSESSMENTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXTERNAL ORGANIZATIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM INTERCONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PLAN OF ACTION AND MILESTONES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY AUTHORIZATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINUOUS MONITORING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDEPENDENT ASSESSMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDEPENDENT PENETRATION AGENT OR TEAM +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PENETRATION TESTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTERNAL SYSTEM CONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Configuration Management Policy for [Agency_Here] +

                                    +

                                    + + CONFIGURATION MANAGEMENT POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + BASELINE CONFIGURATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REVIEWS AND UPDATES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATION SUPPORT FOR ACCURACY / CURRENCY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RETENTION OF PREVIOUS CONFIGURATIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURATION CHANGE CONTROL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURATION SETTINGS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM COMPONENT INVENTORY +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Contingency Planning Policy for [Agency_Here] +

                                    +

                                    + + CONTINGENCY PLANNING POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + CONTINGENCY PLAN +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATE WITH RELATED PLANS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CAPACITY PLANNING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFY CRITICAL ASSETS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINGENCY TRAINING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINGENCY PLAN TESTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATE WITH RELATED PLANS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE STORAGE SITE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION FROM PRIMARY SITE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESSIBILITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE PROCESSING SITE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION FROM PRIMARY SITE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESSIBILITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIORITY OF SERVICE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TELECOMMUNICATIONS SERVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIORITY OF SERVICE PROVISIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM BACKUP +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TESTING FOR RELIABILITY / INTEGRITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATE STORAGE FOR CRITICAL INFORMATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM RECOVERY AND RECONSTITUTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TRANSACTION RECOVERY +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Docker Security Scanning (DSS) +

                                    +

                                    + + UPDATE TOOL CAPABILITY +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning (DSS) component of Docker +Trusted Registry (DTR) that is included with the Docker Enterprise +Edition Advanced tier can be used to scan Docker images for +vulnerabilities against known vulnerability databases. Scans can be +triggered either manually or when Docker images are pushed to DTR.' +

                                    + service provider hybrid + complete + + + UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning component of Docker Trusted +Registry (DTR) that is included with the Docker Enterprise Edition +Advanced tier compiles a bill of materials (BOM) for each Docker image +that it scans. DSS is also synchronized to an aggregate listing of +known vulnerabilities that is compiled from both the MITRE and NVD CVE +databases. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Image_Scanning' +

                                    + service provider hybrid + complete +
                                    + + BREADTH / DEPTH OF COVERAGE +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning component of Docker Trusted +Registry (DTR) that is included with the Docker Enterprise Edition +Advanced tier identifies vulnerabilities in a Docker image and marks +them against predefined criticality levels; critical major and minor.' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED ACCESS +

                                    'Only the appropriate users that the organization has provided Docker +Trusted Registry access to are able to view and interpret +vulnerability scan results.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED TREND ANALYSES +

                                    'For each Docker image pushed to Docker Trusted Registry at a given +time, Docker Security Scaninng retains a list of vulnerabilities +detected. The DTR API can be queried to retrieve the vulnerability +scan results over a period of time for a given Docker image such that +the results can be compared per the requirements of this control.' +

                                    + service provider hybrid + complete +
                                    + + REVIEW HISTORIC AUDIT LOGS +

                                    'Docker Security Scanning maintains a historical bill-of-materials +(BOM) for all Docker images that are scanned. Results of previous +vulnerability scans can be reviewed and audited per the requirements +of this control.' +

                                    + service provider hybrid + complete +
                                    + + DSS Documentation +

                                    + https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/ + + + + Docker Trusted Registry (DTR) +

                                    +

                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation for managing users and teams can +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-teams/' +

                                    + service provider hybrid + complete +
                                    + + ROLE-BASED SCHEMES +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/' +

                                    + service provider hybrid + complete +
                                    + + ACCOUNT MONITORING / ATYPICAL USAGE +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT +

                                    'One can control which users and teams can create and manipulate +Docker Trusted Registry resources. By default, no one can make changes +to the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + Docker EE system + complete +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + Docker EE system + complete +
                                    + + SECURITY POLICY FILTERS +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + shared + complete +
                                    + + PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + service provider hybrid + complete +
                                    + + SEPARATION OF DUTIES +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Docker Trusted Registry resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + service provider hybrid + complete +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS +

                                    'One can control which users and teams can create and manipulate +Docker Trusted Registry resources and prevent non-privileged users +from executing privileged functions per the requirements of this +control. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation for the configuration of this +functionality can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/' +

                                    + Docker EE system + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    'To help the organization meet the requirements of this control, a +review of actions allowed by unauthenticated users can be performed +within Docker Trusted Registry.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS +

                                    'To help the organization meet the requirements of this control, +Docker Trusted Registry can be configured to allow/prohibit remote +access.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Docker Trusted Registry logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2. This is included at both the +HTTPS application layer for access to the DTR user interface and for +command-line based connections to the registry. In addition to this, +all communication to DTR is enforced by way of two-way mutual TLS +authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Docker Trusted Registry replicas is routed through +managed network access control points.' +

                                    + service provider hybrid + complete +
                                    + + DISCONNECT / DISABLE ACCESS +

                                    'Built-in firewall technology in Docker Trusted Registry's underlying +operating system can be used to force the disconnection of remote +connections to the host. In addition, UCP slave nodes running Docker +Trusted Registry replicas can be paused or drained, which subsequently +stops sessions to the DTR replica.' +

                                    + service provider hybrid + configured by customer + complete +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Docker Trusted Registry.' +

                                    + service provider hybrid + complete +
                                    + + LIMITS ON AUTHORIZED USE +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Docker Trusted Registry.' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION SHARING +

                                    'To help the organization meet the requirements of this control, one +can validate the assigned roles and access levels within Docker +Trusted Registry to control information sharing.' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT EVENTS +

                                    'All of the event types indicated by this control are logged by a +combination of the backend ucp-controller service within Universal +Control Plane and the backend services that make up Docker Trusted +Registry. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/#dtr-internal-components +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/#ucp-internal-components' +

                                    + service provider corporate + Docker EE system + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Docker Trusted Registry generates all of the audit record information +indicated by this control. A sample audit event has been provided +below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to interpolate the information +defined by this control from the logged audit records. Additional +information can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to interpolate the information +defined by this control from the logged audit records. Additional +information can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to alert individuals in +the event of log processing failures. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT STORAGE CAPACITY +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to warn the organization +when the allocated log storage is full. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + REAL-TIME ALERTS +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to warn the organization +when audit log failures occur. Additional information can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRAL REVIEW AND ANALYSIS +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +organization can subsequently centrally review and analyze all of the +Docker EE audit records. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to facilitate the audit +reduction and report generation requirements of this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'The underlying operating system chosen to support Docker Trusted +Registry should be certified to ensure that logs are not altered +during generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared +
                                    + + AUTOMATIC PROCESSING +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to parse information by +organization-defined audit fields. Additional information can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS +

                                    'Docker Trusted Registry uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock compares itself with +an authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock synchronizes itself to +an authoritative time source as defined by part (a) of this control +any time the time difference exceeds that of the organization-defined +time period. This can be accomplished by utilizing the Network Time +Protocol (NTP). Refer to the operating system's instructions for doing +so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    'By default, Docker Trusted Registry is configured to use the +underlying logging capabilities of Docker Enterprise Edition. As such, +on the underlying Linux operating system, only root and sudo users and +users that have been added to the ''docker'' group have the ability to +access the logs generated by UCP backend service containers. In +addition, only UCP Administrator users can change the logging endpoint +of the system should it be decided that logs be sent to a remote +logging stack. In this case, the organization is responsible for +configuring the remote logging stack per the provisions of this +control.' +

                                    + service provider hybrid + complete +
                                    + + AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +back up audit records per the schedule defined by this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +meet the encryption mechanisms required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + AUDIT RECORD RETENTION +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Docker Trusted +Registry resides as an Application on a Universal Control Plane +cluster, and as such, can be configured to send logs to a remote +logging stack. This logging stack can subsequently be configured to +retain logs for the duration required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider corporate + Docker EE system + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION +

                                    'All of the event types indicated by AU-2 a. are logged by a +combination of the backend services within Universal Control Plane and +Docker Trusted Registry. The underlying Linux operating system +supporting DTR can be configured to audit Docker-specific events with +the auditd daemon. Refer to the specific Linux distribution in use for +instructions on configuring this service. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/' +

                                    +

                                    'Using auditd on the Linux operating system supporting DTR, the +organization can configure audit rules to select which Docker-specific +events are to be audited. Refer to the specific Linux distribution in +use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and as such, can be configured to send logs to +a remote logging stack. This logging stack can subsequently be used to +compile audit records in to a system-wide audit trail that is +time-correlated per the requirements of this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CHANGES BY AUTHORIZED INDIVIDUALS +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and as such, can be configured to send logs to +a remote logging stack. This logging stack can subsequently be used to +meet the requirements of this control. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUTOMATED ACCESS ENFORCEMENT / AUDITING +

                                    'Role-based access control can be configured within Docker Trusted +Registry to meet the requirements of this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + Docker EE system + complete +
                                    + + SIGNED COMPONENTS +

                                    'Docker Content Trust is a capability provided by Docker Enterprise +Edition that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. All Docker Trusted +Registry Docker images are officially signed and verified by Docker, +Inc. + +When installing Docker Trusted Registry, you should enable Docker +Content Trust and subsequently pull the the signed DTR image tag. +Additional information can be found at teh following resources: + +- https://docs.docker.com/engine/security/trust/content_trust/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/user/manage-images/sign-images/manage-trusted-repositories/' +

                                    + service provide hybrid + shared + complete +
                                    + + AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +incorporate the use of an external configuration management system to +meet the requirements of this control. Docker Trusted Registry''s +configuration can also be backed up and stored an appropriate location +per the requirements of this control. Additional documenation can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/' +

                                    + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION +

                                    'The organization can define a list of allowed base Docker images and +make them available via Docker Trusted Registry. The organization can +also prevent users from being able to pull Docker images from +untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + AUTHORIZED SOFTWARE / WHITELISTING +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +define a list of allowed base Docker images and make them available +via Docker Trusted Registry. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +configure its systems to ensure that only approved Docker images are +stored in Docker Trusted Registry. This can be accomplished by using +Docker Content Trust to sign Docker images which can subsequently be +stored in Docker Trusted Registry.' +

                                    + service provider hybrid + shared + complete +
                                    + + USER-INSTALLED SOFTWARE +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +define a list of allowed base Docker images and make them available +via Docker Trusted Registry. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + ALERTS FOR UNAUTHORIZED INSTALLATIONS +

                                    'The organization can define a list of allowed base Docker images and +make them available via Docker Trusted Registry to meet the +requirements of this contorl. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + TRANSACTION RECOVERY +

                                    'Docker Trusted Registry maintains its cluster state via an internal +key-value store. This, and other DTR transactions can be backed up and +recovered. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#DTR_Backup' +

                                    + Docker EE system + complete +
                                    + + GROUP AUTHENTICATION +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Docker Trusted +Registry requires individual users to be authenticated in order to +gain access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    'Docker Trusted Registry replicas reside on Universal Control Plane +worker nodes. In order for UCP worker nodes to join a Universal +Control Plane cluster, they must be identified and authenticated via a +worker token. Additional Docker Trusted Registry replicas can only be +added after a UCP administrator user has authenticated in to the UCP +cluster and when mutual TLS authentication between the UCP worker and +manager nodes has been established. Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/#step-7-join-replicas-to-the-cluster' +

                                    + Docker EE system + complete +
                                    + + PKI-BASED AUTHENTICATION +

                                    'Docker Trusted Registry includes a Docker volume which holds the root +key material for the DTR root CA that issues certificats. In addition +Universal Control Plane contains two, built-in root certificate +authorities. One CA is used for signing client bundles generated by +users. The other CA is used for TLS communication between UCP cluster +nodes. Should you choose to use certificates signed by an external CA, +in order to successfully authenticate in to the system, those +certificates must include a root CA public certificate, a service +certificate and any intermediate CA public certificates (in addition +to SANs for all addresses used to reach the UCP controller), and a +private key for the server. When adding DTR replicas, the UCP nodes on +which they're installed are authenticated to the cluster via the +appropriate built-in CA.' +

                                    +

                                    'Access to Docker Trusted Registry is only granted when a user has a +valid certificate bundle. This is enforced with the public/private key +pair included with the user's certificate bundle in Universal Control +Plane.' +

                                    +

                                    'Only after a client bundle has been generated or an existing public +key has been added for a particular user is that user able to execute +commands against Docker Trusted Registry. This bundle maps the +authenticated identity to that of the user's profile in Universal +Control Plane.' +

                                    +

                                    'When a client bundle has been generated or an existing public key has +been added for a particular Universal Control Plane user which +subsequently grants that user access to Docker Trusted Registry, it is +attached to that user''s Universal Control Plane profile. Bundles/keys +can be revoked by an Administrator or the user themselves. The +cluster''s internal certificates can also be revoked and updated. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/use-your-own-tls-certificates/' +

                                    + Docker EE system + complete +
                                    + + AUTHENTICATOR FEEDBACK +

                                    'Docker Trusted Registry obscures all feedback of authentication +information during the authentication process. This includes both +authentication via the web UI and the CLI.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION +

                                    'All access to Docker Trusted Registry is protected with Transport +Layer Security (TLS) 1.2 with the AES-GCM cipher. This includes both +SSH access to the individual UCP nodes and CLI-/web-based access to +the UCP management functions with mutual TLS and HTTPS respectively.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) +

                                    'Users managed by Docker Trusted Registry can be grouped per the +requirements of the organization and as defined by this control. This +can include groupings for non-organizational users.' +

                                    + Docker EE system + complete +
                                    + + UPDATE TOOL CAPABILITY +

                                    'The Docker Security Scanning tool allows for the scanning of Docker +images in Docker Trusted Registry against the Common Vulnerabilities +and Exposures (CVE) dictionary.' +

                                    + service provider hybrid + complete +
                                    + + BREADTH / DEPTH OF COVERAGE +

                                    'The Docker Security Scanning tool allows for the scanning of Docker +images in Docker Trusted Registry against the Common Vulnerabilities +and Exposures (CVE).' dictionary. +

                                    + service provider hybrid + complete +
                                    + + SOFTWARE / FIRMWARE INTEGRITY VERIFICATION +

                                    'Docker Content Trust gives you the ability to verify both the +integrity and the publisher of all the data received from a Docker +Trusted Registry over any channel. It allows operations with a remote +DTR instance to enforce client-side signing and verification of image +tags. It provides for the ability to use digital signatures for data +sent to and receive from remote DTR instances. These signatures allow +client-side verification of the integrity and publisher of specific +image tags. Docker Trusted Registry includes an integrated imaging +signing service.' +

                                    + service provider hybrid + complete +
                                    + + APPLICATION PARTITIONING +

                                    'Docker Trusted Registry is made up of a number of backend services +that provide for both user functionality (including user interface +services) and system management functionality. Each of these services +operates independently of one another. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Docker_Trusted_Registry' +

                                    + Docker EE system + complete +
                                    + + SESSION AUTHENTICITY +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the DTR +user interface and for command-line based connections to the registry. +In addition to this, all communication to DTR is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the DTR +user interface and for command-line based connections to the registry. +In addition to this, all communication to DTR is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING +

                                    'All error messages generated via the configured logging mechanism of +Docker Trusted Registry are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + Docker Trusted Registry Documentation +

                                    + https://docs.docker.com/datacenter/dtr/2.3/guides/ + + + + Docker Enterprise Edition Engine +

                                    +

                                    + + ACCOUNT MONITORING / ATYPICAL USAGE +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition can be configured to aggregate +container and daemon events via a number of logging drivers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/view_container_logs/ +- https://docs.docker.com/engine/admin/logging/overview/ +- https://docs.docker.com/engine/admin/logging/log_tags/' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    'Docker Enterprise Edition can be configured to control the flow of +information that originates from applications running in containers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks' +

                                    + service provider hybrid + complete +
                                    + + SECURITY POLICY FILTERS +

                                    'Docker Enterprise Edition can be configured to control the flow of +information that originates from applications running in containers +per organization-defined security policy filters. Supporting +documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks + +There are also third-party behavioral activity monitoring tools (e.g. +Sysdig Falco <http://www.sysdig.org/falco/>) that can be used +alongside Docker Enterprise Edition to satisfy this control''s +requirements.' +

                                    + service provider hybrid + complete +
                                    + + PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS +

                                    'Docker Enterprise Edition can be configured to separate the flow of +information that originates from applications running in containers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks' +

                                    + service provider hybrid + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    'To help the organization meet the requirements of this control, one +can restrict membership to the 'docker' group on underlying Linux +hosts or the local "Administrators" group (and any other groups +defined within 'daemon.json') on underlying Windows Server 2016 hosts +to only authorized users.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS +

                                    'To help the organization meet the requirements of this control, +Docker Enterprise Edition can be configured to allow/prohibit remote +access to the Engine.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Docker Enterprise Edition logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2. In addition to this, all +communication to Docker Enterprise Edition is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Docker Enterprise Edition is routed through managed +network access control points.' +

                                    + service provider hybrid + complete +
                                    + + DISCONNECT / DISABLE ACCESS +

                                    'Built-in firewall technology in Docker Enterprise Edition's +underlying operating system can be used to force the disconnection of +remote connections to the host. In addition, Docker Enterprise Edition +provides the option to pause or drain a node in the cluster, which +subsequently stops and/or removes sessions to the node. Individual +services and/or applications running on Docker Enterprise Edition can +also be stopped and/or removed.' +

                                    + service provider hybrid + configured by customer + complete +
                                    + + AUDIT EVENTS +

                                    'Both Universal Control Plane and Docker Trusted Registry backend +service containers, all of which reside on Docker Enterprise Edition, +log all of the event types indicated by this control (as explained by +their component narratives). These and other application containers +that reside on Docker Enterprise Edition can be configured to log data +via an appropriate Docker logging driver. Instructions for configuring +logging drivers can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Both Universal Control Plane and Docker Trusted Registry are +pre-configured to take advantage of Docker Enterprise Edition''s +built-in logging mechanisms. A sample audit event recorded by Docker +Enterprise Edition has been provided below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"} + +Additional documentation can be referenced at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to interpolate the information defined +by this control from the logged audit records. Additional +documentation can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to interpolate the information defined +by this control from the logged audit records. Additional +documentation can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can be used to interpolate the information defined by this +control and also be configured to alert on any audit processing +failures. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT STORAGE CAPACITY +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be configured to warn the organization when the +allocated log storage is full. Additional information can be found at +the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + REAL-TIME ALERTS +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The +logging stack can subsequently be configured to warn the organization +when audit log failures occur. Additional information can be found at +the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRAL REVIEW AND ANALYSIS +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The +organization can subsequently centrally review and analyze all of the +Docker EE audit records. Additional information can be found at the +following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to facilitate the audit reduction and +report generation requirements of this control. Additional information +can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    +

                                    'The underlying operating system chosen to support Docker Enterprise +Edition should be certified to ensure that logs are not altered during +generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared + complete +
                                    + + AUTOMATIC PROCESSING +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be configured to parse information by +organization-defined audit fields. Additional information can be found +at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS +

                                    'Docker Enterprise Edition uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Docker Enterprise Edition +runs should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    'The underlying operating system on which Docker Enterprise Edition runs should +be configured such that its system clock compares itself with an +authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Docker Enterprise Edition +runs should be configured such that its system clock synchronizes +itself to an authoritative time source as defined by part (a) of this +control any time the time difference exceeds that of the +organization-defined time period. This can be accomplished by +utilizing the Network Time Protocol (NTP). Refer to the operating +system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    'On the underlying Linux operating system supporting Docker Enterprise +Edition, only root and sudo users and users that have been added to +the "docker" group have the ability to access the logs generated by +UCP backend service containers. Should the organization decide to +configure Docker Enterprise Edition to use a logging driver other than +the default json-file driver, the organization is subsequently +responsible for configuring the chosen logging stack per the +provisions of this control. In addition, for Linux operating systems +supporting Docker Enterprise Edition that use the systemd daemon, it +is imperative that the Journal is secured per the requirements of this +control. The same applies for Linux operating systems supporting +Docker Enterprise Edition that instead use upstart. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS +

                                    'Docker Enterprise Edition can be configured to use a logging driver +that can subsequently meet the backup requirements of this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'Docker Enterprise Edition can be configured to use a logging driver +that can subsequently meet the encryption mechanisms required by this +control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + NON-REPUDIATION +

                                    'Docker Enterprise Edition includes functionality known as Docker +Content Trust which allows one to cryptographically sign Docker +images. It enforces client-side signing and verification of image tags +and provides the ability to use digital signatures for data sent to +and received from Docker Trusted Registry. This ultimately provides +one with the ability to verify both the integrity and the publisher of +all data received from DTR over any channel. With Docker Content +Trust, an organization can enforce signature verification of all +content and prohibit unsigned and unapproved content from being +manipulated; thus supproting the non-repudiation requirements of this +control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/security/trust/content_trust/' +

                                    + Docker EE system + complete +
                                    + + AUDIT RECORD RETENTION +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Docker Enterprise +Edition can be configured to use a logging driver that stores data in +a location for the duration specified by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION +

                                    'Both Universal Control Plane and Docker Trusted Registry backend +service containers, all of which reside on Docker Enterprise Edition, +log all of the event types indicated by this AU-2 a. These and other +application containers that reside on Docker Enterprise Edition can be +configured to log data via an appropriate Docker logging driver. The +underlying Linux operating system supporting Docker Enterprise Edition +can be configured to audit Docker-specific events with the auditd +daemon. Refer to the specific Linux distribution in use for +instructions on configuring this service. Additional information can +be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    +

                                    'Using auditd on the Linux operating system supporting CS Docker +Engine, the organization can configure audit rules to select which +Docker-specific events are to be audited. Refer to the specific Linux +distribution in use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. This +logging stack can subsequently be used to compile audit records in to +a system-wide audit trail that is time-correlated per the requirements +of this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + CHANGES BY AUTHORIZED INDIVIDUALS +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. This +logging stack can subsequently be used to meet the requirements of +this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONFIGURATION MANAGEMENT POLICY AND PROCEDURES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configuration management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + BASELINE CONFIGURATION +

                                    'The CIS Docker Benchmark can be used as a baseline for securing Docker +Enterprise Edition and for helping the organization meet the +configuration management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + REVIEWS AND UPDATES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + AUTOMATION SUPPORT FOR ACCURACY / CURRENCY +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. CIS regularly +updates their benchmark to reflect the latest updates in the stable +release of Docker Engine. Various configuration management tools such +as Inspec (http://inspec.io/) can be used to audit Docker Enterprise +Edition system configuration to ensure that the secure baseline +configurations have been applied in an automated fashion. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + RETENTION OF PREVIOUS CONFIGURATIONS +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. CIS regularly +updates their benchmark to reflect the latest updates in the stable +release of Docker Engine. Various configuration management tools such +as Inspec (http://inspec.io/) can be used to audit Docker Enterprise +Edition system configuration to ensure that the secure baseline +configurations have been applied in an automated fashion and can be +rolled back as required by this control. Additional information can be +found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + CONFIGURATION CHANGE CONTROL +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Additional information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Various configuration management tools such as Inspec +(http://inspec.io/) can be used to audit Docker Enterprise Edition +system configuration to ensure that the secure baseline configurations +have been applied in an automated fashion. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + TEST / VALIDATE / DOCUMENT CHANGES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Various configuration management tools such as Inspec +(http://inspec.io/) can be used to audit Docker Enterprise Edition +system configuration to ensure that the secure baseline configurations +have been applied in an automated fashion. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHY MANAGEMENT +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +cryptography management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + REVIEW SYSTEM CHANGES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +system change requirements of this control. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + Docker EE system + complete +
                                    + + SIGNED COMPONENTS +

                                    'Before installing Docker Enterprise Edition, ensure that your +supporting Linux operating system''s packager manager supports package +signature verification and that it is enabled. It is also required +that you import the Docker public key for EE packages so as to +retrieve the validated and signed package from Docker, Inc. Refer to +your Linux OS documentation for instructions on completing the above +steps. + +In addition, Docker Content Trust is a capability provided by Docker +Engine that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. When enabling Docker +Content Trust in Docker Enterprise Edition you can enforce the use of +signed Docker images. Additional information can be found at the +following resources: + +- https://docs.docker.com/engine/security/trust/content_trust/' +

                                    + service provide hybrid + shared + complete +
                                    + + AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION +

                                    'The organization can incorporate the use of an external configuration +management system to meet the requirements of this control.' +

                                    + service provider hybrid + complete +
                                    + + LEAST FUNCTIONALITY +

                                    'To help the organization meet the requirements of this control, the +latest CIS Docker Benchmark can be used as a secure configuration +baseline. Additional information can be found at the following +resources: + +- https://www.cisecurity.org/benchmark/docker/' +

                                    + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION +

                                    'In order to restrict which Docker images can be used to deploy +applications to Docker Enterprise Edition, the organization can define +a list of allowed base Docker images and make them available via +Docker Trusted Registry. The organization can also prevent users from +being able to pull Docker images from untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + AUTHORIZED SOFTWARE / WHITELISTING +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements and in order to restrict +which Docker images can be used to deploy applications to Docker EE +Engine, the organization must define a list of allowed base Docker +images and make them available via Docker Trusted Registry. The +organization must also prevent users from being able to pull Docker +images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + CONFIGURATION MANAGEMENT PLAN +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configuration management plan requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    'In order for other Docker EE engine nodes to be able to join a +cluster managed by Universal Control Plane, they must be identified +and authenticated via either a manager or worker token. Use of the +token includes trust on first use mutual TLS.' +

                                    + Docker EE system + complete +
                                    + + SOFTWARE / FIRMWARE INTEGRITY VERIFICATION +

                                    'Docker Content Trust gives you the ability to verify both the +integrity and the publisher of all the data received from a Docker +Trusted Registry over any channel. It allows operations with a remote +DTR instance to enforce client-side signing and verification of image +tags. It provides for the ability to use digital signatures for data +sent to and receive from remote DTR instances. These signatures allow +client-side verification of the integrity and publisher of specific +image tags.' +

                                    + service provider hybrid + complete +
                                    + + DYNAMIC ISOLATION / SEGREGATION +

                                    'Docker Enterprise Edition is designed to run application containers +whose content can be completely isolated/segregated from other +application containers within the same node/cluster. This is +accomplished by way of Linux kernel primitives and various security +profiles that can be applied to the underlying host OS. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/security/security/ +- https://docs.docker.com/engine/userguide/networking/overlay-security-model/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Engine_and_Node_Security' +

                                    + Docker EE system + complete +
                                    + + SYMMETRIC KEYS +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's documentation to ensure it is configured in FIPS mode.' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's documentation to ensure it is configured in FIPS mode.' +

                                    + service provider hybrid + complete +
                                    + + SESSION AUTHENTICITY +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to and between Docker Enterprise +Editions is enforced by way of two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF INFORMATION AT REST +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to/from and between Docker +Enterprise Edition nodes is enforced by way of two-way mutual TLS +authentication. All Swarm Mode manager nodes in a Docker Enterprise +Edition cluster store state metadata and user secrets encrypted at +rest using the AES GCM cipher.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to and between Docker Enterprise +Editions is enforced by way of two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + AUTOMATIC UPDATES +

                                    'Docker Enterprise Edition packages for supported underlying operating +systems can only be obtained from Docker, Inc. The Docker EE +repositories from which Docker EE packages are obtained are protected +with official GPG keys. Each Docker package is also validated with a +signature definition.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING +

                                    'All error messages generated via the logging mechanisms of the Docker +Enterprise Edition engine are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + MEMORY PROTECTION +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's security documentation for information regarding the +protection of memory from unauthorized code execution.' +

                                    + service provider hybrid + complete +
                                    + + Docker Enterprise Edition Engine Installation Documentation +

                                    + https://docs.docker.com/engine/installation/ + + + Docker Engine Release Notes +

                                    + https://docs.docker.com/release-notes/ + + + Configuring and Running Docker on Various Distributions +

                                    + https://docs.docker.com/engine/admin/ + + + Docker Engine Security +

                                    + https://docs.docker.com/engine/security/security/ + + + Securing Docker Datacenter and Security Best Practices +

                                    + https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices + + + + Identification and Authentication Policy for [Agency_Here] +

                                    +

                                    + + IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + GROUP AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LOCAL ACCESS TO PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOTE ACCESS - SEPARATE DEVICE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF PIV CREDENTIALS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFIER MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFY USER STATUS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHENTICATOR MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PASSWORD-BASED AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PKI-BASED AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROTECTION OF AUTHENTICATORS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + HARDWARE TOKEN-BASED AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF THIRD-PARTY CREDENTIALS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF FICAM-APPROVED PRODUCTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF FICAM-ISSUED PROFILES +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Incident Response for [Agency_Here] +

                                    +

                                    + + INCIDENT RESPONSE POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + INCIDENT RESPONSE TRAINING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE TESTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATION WITH RELATED PLANS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT HANDLING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED INCIDENT HANDLING PROCESSES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT MONITORING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT REPORTING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED REPORTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE ASSISTANCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATION WITH EXTERNAL PROVIDERS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE PLAN +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SPILLAGE RESPONSE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESPONSIBLE PERSONNEL +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TRAINING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + POST-SPILL OPERATIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXPOSURE TO UNAUTHORIZED PERSONNEL +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System Maintenance Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM MAINTENANCE POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + CONTROLLED MAINTENANCE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MAINTENANCE TOOLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSPECT TOOLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSPECT MEDIA +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PREVENT UNAUTHORIZED REMOVAL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NONLOCAL MAINTENANCE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DOCUMENT NONLOCAL MAINTENANCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MAINTENANCE PERSONNEL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDIVIDUALS WITHOUT APPROPRIATE ACCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TIMELY MAINTENANCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Media Protection Policy for [Agency_Here] +

                                    +

                                    + + MEDIA PROTECTION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + MEDIA ACCESS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA MARKING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA STORAGE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA TRANSPORT +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA SANITIZATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EQUIPMENT TESTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA USE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROHIBIT USE WITHOUT OWNER +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Physical and Environmental Protection Policy for [Agency_Here] +

                                    +

                                    + + PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + PHYSICAL ACCESS AUTHORIZATIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PHYSICAL ACCESS CONTROL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR TRANSMISSION MEDIUM +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR OUTPUT DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MONITORING PHYSICAL ACCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTRUSION ALARMS / SURVEILLANCE EQUIPMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + VISITOR ACCESS RECORDS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + POWER EQUIPMENT AND CABLING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY SHUTOFF +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY POWER +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY LIGHTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FIRE PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SUPPRESSION DEVICES / SYSTEMS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC FIRE SUPPRESSION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TEMPERATURE AND HUMIDITY CONTROLS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MONITORING WITH ALARMS / NOTIFICATIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + WATER DAMAGE PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DELIVERY AND REMOVAL +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE WORK SITE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Planning Policy for [Agency_Here] +

                                    +

                                    + + SECURITY PLANNING POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + INFORMATION SECURITY ARCHITECTURE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Personnel Security Policy for [Agency_Here] +

                                    +

                                    + + PERSONNEL SECURITY POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + POSITION RISK DESIGNATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL SCREENING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION WITH SPECIAL PROTECTION MEASURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL TERMINATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL TRANSFER +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS AGREEMENTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + THIRD-PARTY PERSONNEL SECURITY +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL SANCTIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Risk Assessment Policy for [Agency_Here] +

                                    +

                                    + + RISK ASSESSMENT POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    + none + + + VULNERABILITY SCANNING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System and Services Acquisition Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + ALLOCATION OF RESOURCES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM DEVELOPMENT LIFE CYCLE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACQUISITION PROCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FUNCTIONAL PROPERTIES OF SECURITY CONTROLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINUOUS MONITORING PLAN +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF APPROVED PIV PRODUCTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM DOCUMENTATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ENGINEERING PRINCIPLES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXTERNAL INFORMATION SYSTEM SERVICES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROCESSING, STORAGE, AND SERVICE LOCATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DEVELOPER CONFIGURATION MANAGEMENT +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SOFTWARE / FIRMWARE INTEGRITY VERIFICATION +

                                    [Agency's control implementation here] +

                                    +
                                    + + DEVELOPER SECURITY TESTING AND EVALUATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +
                                    + + STATIC CODE ANALYSIS +

                                    [Agency's control implementation here] +

                                    +
                                    + + THREAT AND VULNERABILITY ANALYSES +

                                    [Agency's control implementation here] +

                                    +
                                    + + DYNAMIC CODE ANALYSIS +

                                    [Agency's control implementation here] +

                                    +
                                    + + ALTERNATIVE SOURCES FOR CONTINUED SUPPORT +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System and Communications Protection Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + APPLICATION PARTITIONING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION IN SHARED RESOURCES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DENIAL OF SERVICE PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESOURCE AVAILABILITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + BOUNDARY PROTECTION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS POINTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXTERNAL TELECOMMUNICATIONS SERVICES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DENY BY DEFAULT / ALLOW BY EXCEPTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PREVENT SPLIT TUNNELING FOR REMOTE DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + HOST-BASED PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FAIL SECURE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TRANSMISSION CONFIDENTIALITY AND INTEGRITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK DISCONNECT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYMMETRIC KEYS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ASYMMETRIC KEYS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COLLABORATIVE COMPUTING DEVICES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PUBLIC KEY INFRASTRUCTURE CERTIFICATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MOBILE CODE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + VOICE OVER INTERNET PROTOCOL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION AUTHENTICITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROTECTION OF INFORMATION AT REST +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROCESS ISOLATION +

                                    [Agency's control implementation here] +

                                    + complete +
                                    +
                                    + + System and Information Integrity Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    + none + + + FLAW REMEDIATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED FLAW REMEDIATION STATUS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MALICIOUS CODE PROTECTION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CENTRAL MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC UPDATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NONSIGNATURE-BASED DETECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM MONITORING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM-WIDE INTRUSION DETECTION SYSTEM +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED TOOLS FOR REAL-TIME ANALYSIS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM-GENERATED ALERTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + WIRELESS INTRUSION DETECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CORRELATE MONITORING INFORMATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + HOST-BASED DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ALERTS, ADVISORIES, AND DIRECTIVES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY FUNCTION VERIFICATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTEGRITY CHECKS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTEGRATION OF DETECTION AND RESPONSE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SPAM PROTECTION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CENTRAL MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC UPDATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION INPUT VALIDATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ERROR HANDLING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION HANDLING AND RETENTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEMORY PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Universal Control Plane (UCP) +

                                    +

                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation for managing users and teams can +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-teams/' +

                                    + service provider hybrid + complete + + + ROLE-BASED SCHEMES +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/' +

                                    + service provider hybrid + complete +
                                    + + ACCOUNT MONITORING / ATYPICAL USAGE +

                                    'To assist the organization in meeting the requirements of this +control, Universal Control Plane can be configured to send system +account log data to a remote logging service such as an Elasticsearch, +Logstash and Kibana (ELK) stack. Supporting documentation can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-node-messages/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-configurations/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-task-state/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT +

                                    'One can control which users and teams can create and manipulate +Universal Control Plane resources. By default, no one can make changes +to the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/deploy-view-only-service/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/grant-permissions/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-nodes-between-teams/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-volumes-between-teams/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/manage-access-with-collections/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/access-control-node/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + complete +
                                    + + SECURITY POLICY FILTERS +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + shared + complete +
                                    + + PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + shared + complete +
                                    + + SEPARATION OF DUTIES +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + LEAST PRIVILEGE +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources and employ principles of +least privilege. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + AUTHORIZE ACCESS TO SECURITY FUNCTIONS +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources and explicitly authorize +access as necessary. By default, no one can make changes to the +cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + NETWORK ACCESS TO PRIVILEGED COMMANDS +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources, including Docker +networking components. By default, no one can make changes to the +cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED ACCOUNTS +

                                    'To assist the organization in meeting the requirements of this +control, one can restrict privileged accounts within Universal Control +Plane to custom-defined roles. By default, no one can make changes to +the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + REVIEW OF USER PRIVILEGES +

                                    'To assist the organization in meeting the requirements of this +control, one can review all implemented grants, accounts and roles +within Universal Control Plane and reassign/revoke privileges as +necessary. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGE LEVELS FOR CODE EXECUTION +

                                    'Universal Control Plane users can be assigned to one of a number of +different permission levels. The permission level assigned to a +specific user determines that user''s ability to execute certain +Docker functions within UCP. Only users mapped to either the "Full +Control" or "Admin" roles can execute Docker commands without any +restrictions. Users mapped to either the "View Only" or "No Access" +roles cannot execute any Docker commands. Users assigned to the +"Restricted Control" role can only run Docker commands under their own +purview and cannot see other users UCP resources nor run commands that +required privileged access to the host. Furthermore, custom roles can +be created for fine-grained access to specific UCP resources and +functionality. Additional documentation regarding the various +permission levels within UCP can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS +

                                    'One can control which users and teams can create and manipulate +Universal Control Plane resources and prevent non-privileged users +from executing privileged functions per the requirements of this +control. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation for the configuration of this +functionality can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/' +

                                    + Docker EE system + complete +
                                    + + USER-INITIATED LOGOUTS / MESSAGE DISPLAYS +

                                    'Universal Control Plane includes a logout capability that allows a +user to terminate his/her current session.' +

                                    + Docker EE system + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    'To help the organization meet the requirements of this control, a +review of actions allowed by unauthenticated users can be performed +within Universal Control Plane.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane can be configured to allow/prohibit remote +access.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Universal Control Plane logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2. This is included at both the +HTTPS application layer for access to the UCP user interface and for +command-line based connections to the cluster. In addition to this, +all communication to UCP is enforced by way of two-way mutual TLS +authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Universal Control Plane managers and worker nodes is +routed through managed network access control points.' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED COMMANDS / ACCESS +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane can be configured to authorize certain +privileged functions via remote access.' +

                                    + service provider hybrid + complete +
                                    + + DISCONNECT / DISABLE ACCESS +

                                    'Built-in firewall technology in Universal Control Plane's underlying +operating system can be used to force the disconnection of remote +connections to the host. In addition, UCP provides the option to pause +or drain a node in the cluster, which subsequently stops and/or +removes sessions to the node. Individual services and/or applications +running on a UCP cluster can also be stopped and/or removed.' +

                                    + service provider hybrid + configured by customer + complete + partial +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Universal Control +Plane.' +

                                    + service provider hybrid + complete +
                                    + + LIMITS ON AUTHORIZED USE +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Universal Control +Plane.' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION SHARING +

                                    'To help the organization meet the requirements of this control, one +can validate the assigned roles and access levels within Universal +Control Plane to control information sharing.' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT EVENTS +

                                    'All of the event types indicated by this control are logged by the +backend ucp-controller service within Universal Control Plane. In +addition, each container created on a Universal Control Plane cluster +logs event data. Supporting documentation for configuring UCP logging +can be referenced at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Universal Control Plane generates all of the audit record information +indicated by this control. A sample audit event has been provided +below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +interpolate the information defined by this control from the logged +audit records. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +interpolate the information defined by this control from the logged +audit records. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +alert individuals in the event of log processing failures. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider system specific + complete +
                                    + + AUDIT STORAGE CAPACITY +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +warn the organization when the allocated log storage is full. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + REAL-TIME ALERTS +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +warn the organization when audit log failures occur. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRAL REVIEW AND ANALYSIS +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The organization can subsequently centrally review and +analyze all of the Docker EE audit records. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +facilitate the audit reduction and report generation requirements of +this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'The underlying operating system chosen to support Universal Control +Plane should be certified to ensure that logs are not altered during +generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared + complete +
                                    + + AUTOMATIC PROCESSING +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +parse information by organization-defined audit fields. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS +

                                    'Universal Control Plane uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock compares itself with +an authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock synchronizes itself to +an authoritative time source as defined by part (a) of this control +any time the time difference exceeds that of the organization-defined +time period. This can be accomplished by utilizing the Network Time +Protocol (NTP). Refer to the operating system's instructions for doing +so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    'By default, Universal Control Plane is configured to use the +underlying logging capabilities of Docker Enterprise Edition. As such, +on the underlying Linux operating system, only root and sudo users and +users that have been added to the 'docker' group have the ability to +access the logs generated by UCP backend service containers. In +addition, only UCP Administrator users can change the logging endpoint +of the system should it be decided that logs be sent to a remote +logging stack. In this case, the organization is responsible for +configuring the remote logging stack per the provisions of this +control.' +

                                    + service provider hybrid + complete +
                                    + + AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +back up audit records per the schedule defined by this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +meet the encryption mechanisms required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + AUDIT RECORD RETENTION +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Universal Control +Plane can be configured to send logs to a remote logging stack. This +logging stack can subsequently be configured retain logs for the +duration required by this control. Additional information can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION +

                                    'All of the event types indicated by AU-2 a. are logged by the backend +ucp-controller service within Universal Control Plane. In addition, +each container created on a Universal Control Plane cluster logs event +data. The underlying Linux operating system supporting UCP can be +configured to audit Docker-specific events with the auditd daemon. +Refer to the specific Linux distribution in use for instructions on +configuring this service. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'Using auditd on the Linux operating system supporting UCP, the +organization can configure audit rules to select which Docker-specific +events are to be audited. Refer to the specific Linux distribution in +use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. This logging stack can subsequently be used to compile +audit records in to a system-wide audit trail that is time-correlated +per the requirements of this control. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CHANGES BY AUTHORIZED INDIVIDUALS +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. This logging stack can subsequently be used to meet the +requirements of this control. Additional information can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUTOMATED ACCESS ENFORCEMENT / AUDITING +

                                    'Role-based access control can be configured within Universal Control +Plane to meet the requirements of this control. Additional information +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + SIGNED COMPONENTS +

                                    'Docker Content Trust is a capability provided by Docker Enterprise +Edition that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. All Universal Control +Plane Docker images are officially signed and verified by Docker, Inc. + +When configuring Universal Control Plane, you should enforce +applications to only use Docker images signed by trusted UCP users +within your organization. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provide hybrid + shared + complete +
                                    + + AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +incorporate the use of an external configuration management system to +meet the requirements of this control. Universal Control Plane''s +configuration can also be managed, backed up and stored in another +location per the requirements of this control. Additional documentation +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/ucp-configuration-file/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/' +

                                    + service provider hybrid + complete +
                                    + + PERIODIC REVIEW +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane includes a robust access control model to +disable any functionality as mandated by this control.' +

                                    + service provider corporate + Docker EE system + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION +

                                    'In order to restrict which Docker images can be used to deploy +applications to Universal Control Plane, the organization can define a +list of allowed base Docker images and make them available via Docker +Trusted Registry. The organization can also prevent users from being +able to pull Docker images from untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + AUTHORIZED SOFTWARE / WHITELISTING +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements and in order to restrict +which Docker images can be used to deploy applications to Universal +Control Plane, the organization must define a list of allowed base +Docker images and make them available via Docker Trusted Registry. The +organization must also prevent users from being able to pull Docker +images from untrusted sources.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +configure its systems to ensure that only approved Docker images +stored in Docker Trusted Registry can be run on Universal Control +Plane. This can be accomplished by using Docker Content Trust to sign +Docker images, and configure UCP to enforce only signed images from +specific Teams at runtime. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provider hybrid + shared + complete +
                                    + + TRANSACTION RECOVERY +

                                    'Universal Control Plane maintains its cluster state via an internal +key-value store. This, and other UCP transactions can be backed up and +recovered. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#UCP_Backup' +

                                    + Docker EE system + complete +
                                    + + GROUP AUTHENTICATION +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Universal Control +Plane requires individual users to be authenticated in order to gain +access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    'In order for nodes to join a Universal Control Plane cluster, they +must be identified and authenticated via either a manager or worker +token. Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/scale-your-cluster/' +

                                    + Docker EE system + complete +
                                    + + PKI-BASED AUTHENTICATION +

                                    'Universal Control Plane contains two, built-in root certificate +authorities. One CA is used for signing client bundles generated by +users. The other CA is used for TLS communication between UCP cluster +nodes. Should you choose to use certificates signed by an external CA, +in order to successfully authenticate in to the system, those +certificates must include a root CA public certificate, a service +certificate and any intermediate CA public certificates (in addition +to SANs for all addresses used to reach the UCP controller), and a +private key for the server.' +

                                    +

                                    'Access to a Universal Control Plane cluster is only granted when a +user has a valid certificate bundle. This is enforced with the +public/private key pair included with the user's certificate bundle.' +

                                    +

                                    'Only after a client bundle has been generated or an existing public +key has been added for a particular user is that user able to execute +commands against the Universal Control Plane cluster. This bundle maps +the authenticated identity to that of the user.' +

                                    +

                                    'When a client bundle has been generated or an existing public key has +been added for a particular Universal Control Plane user, it is +attached to that user''s profile. Bundles/keys can be revoked by an +Administrator or the user themselves. The cluster''s internal +certificates can also be revoked and updated. Additional information +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/' +

                                    + Docker EE system + complete +
                                    + + AUTHENTICATOR FEEDBACK +

                                    'Universal Control Plane obscures all feedback of authentication +information during the authentication process. This includes both +authentication via the web UI and the CLI.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION +

                                    'All access to Universal Control Plane is protected with Transport +Layer Security (TLS) 1.2 with the AES GCM cipher. This includes both +SSH access to the individual UCP nodes and CLI-/web-based access to +the UCP management functions with mutual TLS and HTTPS respectively.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) +

                                    'Users managed by Universal Control Plane can be grouped per the +requirements of the organization and as defined by this control. This +can include groupings for non-organizational users.' +

                                    + Docker EE system + complete +
                                    + + SOFTWARE / FIRMWARE INTEGRITY VERIFICATION +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, Docker Content Trust gives +you the ability to verify both the integrity and the publisher of all +the data received from a Docker Trusted Registry over any channel. It +allows operations with a remote DTR instance to enforce client-side +signing and verification of image tags. It provides for the ability to +use digital signatures for data sent to and receive from remote DTR +instances. These signatures allow client-side verification of the +integrity and publisher of specific image tags. Universal Control +Plane can be configured to only run trusted and signed images. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provider hybrid + complete +
                                    + + APPLICATION PARTITIONING +

                                    'Universal Control Plane is made up of a number of backend services +that provide for both user functionality (including user interface +services) and system management functionality. Each of these services +operates independently of one another. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Universal_Control_Plane' +

                                    + Docker EE system + complete +
                                    + + SESSION AUTHENTICITY +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the UCP +user interface and for command-line based connections to the cluster. +In addition to this, all communication to UCP is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the UCP +user interface and for command-line based connections to the cluster. +In addition to this, all communication to UCP is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING +

                                    'All error messages generated via the configured logging mechanism of +Universal Control Plane are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + UCP Documentation +

                                    + https://docs.docker.com/datacenter/ucp/2.2/guides/ + + + + Authentication and Authorization Service (eNZi) +

                                    +

                                    + + ACCESS CONTROL POLICY AND PROCEDURES +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams are allowed to create +and manipulate Docker Enterprise Edition resources. By default, no one +can make changes to the cluster. Permissions can be granted and +managed to enforce fine-grained access control. Supporting +documentation can found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/' +

                                    + service provider hybrid + complete +
                                    + + ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, an external identity management system (such as Microsoft''s +Active Directory or an LDAP endpoint) can be configured as mandated by +this control and can be integrated with Docker Enterprise Edition. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, an external identity management system (such as Microsoft''s +Active Directory or an LDAP endpoint) can be configured as mandated by +this control and can be integrated with Docker Enterprise Edition. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS +

                                    'Using Docker Enterprise Edition''s LDAP integration capabilities, one +can disable and/or remove temporary and emergency accounts in a +connected directory service (such as Active Directory) after an +organization-defined time period. When a user is removed from LDAP, +that user becomes inactive after the LDAP synchronization runs. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + DISABLE INACTIVE ACCOUNTS +

                                    'Using Docker Enterprise Edition''s LDAP integration capabilities, one +can automatically disable inactive accounts in a connected directory +service (such as Active Directory). When a user is removed from LDAP, +that user becomes inactive after the LDAP synchronization runs. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED AUDIT ACTIONS +

                                    'Docker Enterprise Edition logs various authentication and +authorization events to standard log files. One can configure Docker +Enterprise Edition to direct these event logs to a remote logging +service such as an Elasticsearch, Logstash and Kibana (ELK) stack and +subsequently alert on specific event types. When integrating Docker +Enterprise Edition with LDAP, one can refer the the directory +service''s logging mechanisms for auditing the events defined by this +control. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices' +

                                    + service provider hybrid + complete +
                                    + + INACTIVITY LOGOUT +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition can be configured to enforce automated +session termination of users after an organization-defined time period +of inactivity. By default, the initial lifetime of a user''s session +is set to 72 hours and the renewal session for a user''s session is +set to 24 hours. These values can both be changed in the "Auth" +section of the "Admin Settings" in Universal Control Plane.' +

                                    + service provider hybrid + complete +
                                    + + ROLE-BASED SCHEMES +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition supports various levels of user +permissions and role-based access control enforcements. Administrator +users have permissions to: manage other Docker Enterprise Edition +users, manage Docker Trusted Registry repositories and settings, and +manage the Universal Control Plane and underlying Docker Swarm Mode +cluster. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + service provider hybrid + complete +
                                    + + RESTRICTIONS ON USE OF SHARED / GROUP ACCOUNTS +

                                    'To assist the organization in meeting the requirements of this +control, users and/or groups synchronized to Docker Enterprise Edition +via LDAP can be configured at the directory service.' +

                                    + service provider hybrid + complete +
                                    + + SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION +

                                    'Users and/or groups synchronized to Docker Enterprise Edition via +LDAP can be configured at the directory service to ensure shared/group +account credentials are terminated when members leave the group.' +

                                    + service provider hybrid + complete +
                                    + + USAGE CONDITIONS +

                                    'Information system accounts synchronized to Docker Enterprise Edition +via LDAP can be configured at the directory service to meet this +requirement as necessary.' +

                                    + service provider hybrid + complete +
                                    + + ACCOUNT MONITORING / ATYPICAL USAGE +

                                    'To assist the organization in meeting the requirements of this +control, when Docker Enterprise Edition is configured for LDAP +integration, one can refer to the directory service''s existing +monitoring tools.' +

                                    + service provider hybrid + complete +
                                    + + DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS +

                                    'To assist the organization in meeting the requirements of this +control, users and/or groups synchronized to Docker Enterprise Edition +via LDAP can be managed at the directory service and disabled if +posing a significant risk.' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT +

                                    'One can control which users and teams can create and manipulate +Docker Enterprise Edition resources. By default, no one can make +changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. The eNZi component facilitates +authorizations as dictated by the system''s administrators. Supporting +documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/' +

                                    + Docker EE system + complete +
                                    + + AUDITING USE OF PRIVILEGED FUNCTIONS +

                                    'Docker Enterprise Edition logs privileged user events to standard log +files. One can configure Docker Enterprise Edition to direct these +event logs to a remote logging service such as an Elasticsearch, +Logstash and Kibana (ELK) stack and subsequently alert on specific +event types. When integrating Docker Enterprise Edition with LDAP, one +can refer the the directory service''s logging mechanisms for auditing +the events defined by this control. Supporting documentation regarding +logging and monitoring can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + complete +
                                    + + UNSUCCESSFUL LOGON ATTEMPTS +

                                    'When Docker Enterprise Edition is integrated to a directory service +via LDAP, one can reference the functionality of the directory service +to configure the enforcement of a limit to the number of conesecutive +invalid logon attempts by a user during a specified time period.' +

                                    +

                                    'When Docker Enterprise Edition is integrated to a directory service +via LDAP, one can reference the functionality of the directory service +to configure he ability to automatically lock/disable an account for a +specified period of time after a consecutive invalid logon attempt +limit is reached.' +

                                    + service provider hybrid + complete +
                                    + + SYSTEM USE NOTIFICATION +

                                    'The feature required to satisfy the requirements of this control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    +

                                    'The feature required to satisfy the requirements of this control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    +

                                    'The feature required to satisfy control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    + Docker EE system + planned +
                                    + + CONCURRENT SESSION CONTROL +

                                    'Docker Enterprise Edition can be configured to limit the number of +concurrent sessions for each account. These options can be found +within the Universal Control Plane Admin Settings under the +"Authentication & Authorization" section. ' +

                                    + Docker EE system + complete +
                                    + + SESSION LOCK +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours).' +

                                    + Docker EE system + complete +
                                    + + PATTERN-HIDING DISPLAYS +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours). Upon the expiration of the configured session thresholds, a +user will be locked out of his/her session per the requirements of +this controls.' +

                                    + Docker EE system + complete +
                                    + + SESSION TERMINATION +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours). Upon the expiration of the configured session thresholds, a +user will be locked out of his/her session.' +

                                    + Docker EE system + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Docker Enterprise Edition logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Docker Enterprise Edition generates all of the audit record +information indicated by this control. A sample audit event has been +provided below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) +

                                    'Docker Enterprise Edition can be configured to identify and +authenticate users via it''s integrated support for LDAP. Users and +groups managed within the organization''s LDAP directory service (e.g. +Active Directory) can be synchronized to UCP and DTR on a regular +interval. When a user is removed from the LDAP-backed directory, that +user becomes inactive within UCP and DTR. In addition, UCP and DTR +teams can be mapped to groups synchronized via LDAP. When a user is +added/removed to/from the LDAP group, that same user is automatically +added/removed to/from the UCP and DTR team. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + Docker EE system + shared + complete +
                                    + + GROUP AUTHENTICATION +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Docker Enterprise +Edition requires individual users to be authenticated in order to gain +access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT +

                                    'Docker Enterprise Edition integrates with LDAP for authenticating +users to an external directory service. You should configure your +external directory service for ensuring that you are protected against +replay attacks.' +

                                    + Docker EE system + complete +
                                    + + NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT +

                                    'Docker Enterprise Edition integrates with LDAP for authenticating +users to an external directory service. You should configure your +external directory service for ensuring that you are protected against +replay attacks.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFIER MANAGEMENT +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + IDENTIFY USER STATUS +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to uniquely identify each individual according to +the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + AUTHENTICATOR MANAGEMENT +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to establish initial authenticator content according +to the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to enforce strength requirements for authenticators +according to the requirements of this control. Refer to your directory +service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to distribute, redistribute, and revoke +authenticators according to the requirements of this control. Refer to +your directory service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to change default authenticator content according to +the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to set minimum and maximum lifetime restrictions and +reuse conditions for authenticators according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to refresh authenticators at a regular cadence +according to the requirements of this control. Refer to your directory +service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to protect authenticator content from unauthorized +disclosure or modification according to the requirements of this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to implement specific security safeguards to protect +authentications according to the requirements of this control. Refer +to your directory service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to change authenticators for group or role accounts +when membership to those groups or roles changes according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + PASSWORD-BASED AUTHENTICATION +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce minimum password +complexity requirements. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the requirement to +change at least one character when changing passwords according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to store and transmit +cryptographically protected passwords according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the required minimum and +maximum lifetime restrictions according to the requirements of this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the required number of +generations before password reuse according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the requirement to +change initial/temporary passwords upon first login according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + PKI-BASED AUTHENTICATION +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system validates the certificates per the +requirements of this control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system enforces authorized access to the +corresponding private key per the requirements of this control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system maps the authenticated identity to the +account of the individual or group per the requirements of this +control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, it is up to the underlying operating system +hosting Docker Enterprise Edition to ensure that it implements a local +cache of revocation data per the requirements of this control.' +

                                    + Docker EE system + complete +
                                    + + AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP can be +configured with automation to ensure that password authenticators meet +strength requirements as defined by this control. Refer to your +directory service's documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUTHENTICATORS +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to protect authenticators as required by this +control. Refer to your directory service's documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + ACCEPTANCE OF THIRD-PARTY CREDENTIALS +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to meet the FICAM requirements as +indicated by this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + USE OF FICAM-APPROVED PRODUCTS +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to meet the FICAM requirements as indicated by this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + USE OF FICAM-ISSUED PROFILES +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to meet the FICAM requirements as indicated by this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + INVALIDATE SESSION IDENTIFIERS AT LOGOUT +

                                    'Docker Enterprise Edition invalidates session identifiers upon user +logout per the requirements of this control.' +

                                    + Docker EE system + complete +
                                    + + UCP Documentation +

                                    + https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management + + + + + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined account and/or account type + organization-defined account and/or account type + + + organization-defined number + organization-defined number + + + AC-10 + "customer-defined account and/or account type; FedRAMP requirement: +three sessions for privileged access and two sessions for +non-privileged access" + + + + organization-defined time period + organization-defined time period + + + AC-11(a) + "FedRAMP requirement: fifteen minutes" + + + + organization-defined conditions or trigger events requiring session disconnect + organization-defined conditions or trigger events requiring session disconnect + + + AC-12 + "customer-defined conditions or trigger events" + + + + organization-defined information resources + organization-defined information resources + + + AC-12(1)(a) + "customer-defined information resources" + + + + organization-defined user actions + organization-defined user actions + + + AC-14(a) + "customer-defined user actions" + + + + AC-14(a) + "customer-defined user actions" + + + + AC-14(a) + "customer-defined user actions" + + + + organization-defined number + organization-defined number + + + organization-defined needs + organization-defined needs + + + organization-defined time period + organization-defined time period + + + AC-17(3) + "customer-defined" + + + + AC-17(3) + "customer-defined" + + + + AC-17(3) + "customer-defined" + + + + AC-17(4)(a) + "customer-defined needs" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + AC-17(9) + "FedRAMP requirement: no greater than 
fifteen minutes" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + organization-defined mobile devices + organization-defined mobile devices + + + organization-defined information system account types + organization-defined information system account types + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined procedures or conditions + organization-defined procedures or conditions + + + organization-defined frequency + organization-defined frequency + + + organization-defined circumstances and/or usage conditions + organization-defined circumstances and/or usage conditions + + + organization-defined information system accounts + organization-defined information system accounts + + + organization-defined atypical usage + organization-defined atypical usage + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined time period for each type of account + organization-defined time period for each type of account + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time-period of expected inactivity or description of when to log out + organization-defined time-period of expected inactivity or description of when to log out + + + organization-defined actions + organization-defined actions + + + organization-defined conditions for establishing shared/group accounts + organization-defined conditions for establishing shared/group accounts + + + AC-2(11)-1 + "customer-defined circumstances or usage conditions" + + + + AC-2(11)-2 + "customer-defined accounts" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + 
+ AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-2(13) + "one hour" + + + + AC-2(2)-1 + Selection (removes or disables) + + + AC-2(2)-2 + "FedRAMP requirement: no more than 30 days for temporary and emergency +account types" + + + + AC-2(3) + "FedRAMP requirement: thirty-five (35) days for user accounts" + + + + AC-2(4) + "organization and/or service provider system owner" + + + + AC-2(5) + "inactivity is anticipated to exceed fifteen (15) minutes" + + + + AC-2(7)(c) + "FedRAMP assignment: disables/revokes access within an +organization-specified timeframe" + + + + AC-2(9) + "FedRAMP assignment: organization-defined need with justificatino +statement that explains why such accounts are necessary" + + + + organization-defined information sharing circumstances where user discretion is required + organization-defined information sharing circumstances where user discretion is required + + + organization-defined automated mechanisms or manual processes + organization-defined automated mechanisms or manual processes + + + AC-21(a) + "customer-defined information sharing circumstances" + + + + AC-21(a) + "customer-defined information sharing circumstances" + + + + AC-21(b) + "customer-defined automated mechanisms or manual processes" + + + + AC-21(b) + "customer-defined automated mechanisms or manual processes" + + + + organization-defined frequency + organization-defined frequency + + + organization-defined information flow control policies + organization-defined information flow control policies + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4 + "customer-defined 
information flow control policies" + + + + AC-4 + "customer-defined information flow control policies" + + + + organization-defined mechanisms and/or techniques + organization-defined mechanisms and/or techniques + + + organization-defined required separations by types of information + organization-defined required separations by types of information + + + organization-defined security policy filters + organization-defined security policy filters + + + organization-defined information flows + organization-defined information flows + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + organization-defined duties of individuals + organization-defined duties of individuals + + + AC-5(a) + "customer-defined duties of 
individuals" + + + + AC-5(a) + "customer-defined duties of individuals" + + + + organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information + organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information + + + organization-defined security functions or security-relevant information + organization-defined security functions or security-relevant information + + + organization-defined privileged commands + organization-defined privileged commands + + + organization-defined compelling operational needs + organization-defined compelling operational needs + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined roles or classes of users + organization-defined roles or classes of users + + + organization-defined software + organization-defined software + + + AC-6(1) + "FedRAMP assignment: all functions not publiclly accessible and all +security-relevant information not publicly available" + + + + AC-6(2) + "FedRAMP requirement: all security functions" + + + + AC-6(3)-1 + "privileged commands used to change/configure network devices" + + + + AC-6(3)-2 + "customer-defined operational needs" + + + + AC-6(5) + "customer-defined personnel or roles" + + + + AC-6(7)(a)-1 + "at least annually" + + + + AC-6(7)(a)-2 + "all users" + + + + AC-6(8) + "FedRAMP assignment: any software except software explicitly +documented" + + + + organization-defined number + organization-defined number + + + organization-defined time period + organization-defined time period + + + organization-defined time period + organization-defined time period + + + organization-defined delay algorithm + organization-defined delay algorithm + + + AC-7(a)-1 + "FedRAMP requirement: not more than three" + + + + AC-7(a)-2 + "FedRAMP requirement: fifteen minutes" + + + + 
AC-7(b)-1 + "FedRAMP requirement: locks the account/node for three hours" + + + + AC-7(b)-2 + "customer-defined additional actions" + + + + organization-defined system use notification message or banner + organization-defined system use notification message or banner + + + organization-defined conditions + organization-defined conditions + + + AC-8(a) + "customer-defined system use notification banner" + + + + AC-8(c)(1) + "customer-defined conditions" + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined actions to be covered by non-repudiation + organization-defined actions to be covered by non-repudiation + + + AU-10 + "actions including the addition, modification, deletion, approval, +sending, or receiving of data" + + + + organization-defined time period consistent with records retention policy + organization-defined time period consistent with records retention policy + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + organization-defined information system components + organization-defined information system components + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined information system components + organization-defined information system 
components + + + organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail + organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail + + + organization-defined individuals or roles + organization-defined individuals or roles + + + organization-defined information system components + organization-defined information system components + + + organization-defined selectable event criteria + organization-defined selectable event criteria + + + organization-defined time thresholds + organization-defined time thresholds + + + AU-12(1)-1 + "all network, data storage, and computing devices" + + + + AU-12(1)-1 + "all network, data storage, and computing devices" + + + + AU-12(1)-1 + "all network, data storage, and computing devices" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + AU-12(3)-4 + "risk-based assessment, 
organization-defined time thresholds" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + organization-defined auditable events + organization-defined auditable events + + + organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event + organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event + + + organization-defined frequency + organization-defined frequency + + + AU-2(a) + "FedRAMP requirement: successful and unsuccessful account logon +events, account management events, object access, policy change, +privileged functions, process tracking, and system events. For Web +applications: all administrator activity, authentication checks, +authorization checks, data deletions, data access, data changes, and +permission changes" + + + + AU-2(a) + "FedRAMP requirement: successful and unsuccessful account logon +events, account management events, object access, policy change, +privileged functions, process tracking, and system events. For Web +applications: all administrator activity, authentication checks, +authorization checks, data deletions, data access, data changes, and +permission changes" + + + + AU-2(d) + "FedRAMP requirement: organization-defined subset of the auditable +events defined in AU-2-a. 
to be audited continually for each +identified event" + + + + AU-2(d) + "FedRAMP requirement: organization-defined subset of the auditable +events defined in AU-2-a. to be audited continually for each +identified event" + + + + organization-defined additional, more detailed information + organization-defined additional, more detailed information + + + organization-defined information system components + organization-defined information system components + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + organization-defined audit record storage requirements + organization-defined audit record storage requirements + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit 
records) + organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) + + + organization-defined personnel, roles, and/or locations + organization-defined personnel, roles, and/or locations + + + organization-defined time period + organization-defined time period + + + organization-defined percentage + organization-defined percentage + + + organization-defined real-time period + organization-defined real-time period + + + organization-defined personnel, roles, and/or locations + organization-defined personnel, roles, and/or locations + + + organization-defined audit failure events requiring real-time alerts + organization-defined audit failure events requiring real-time alerts + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by 
organization audit policy" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + organization-defined frequency + organization-defined frequency + + + organization-defined inappropriate or unusual activity + organization-defined inappropriate or unusual activity + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined audit fields within audit records + organization-defined audit fields within audit records + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + organization-defined granularity of time measurement + organization-defined granularity of time measurement + + + organization-defined frequency + organization-defined frequency + + + organization-defined authoritative time source + organization-defined authoritative time source + + + organization-defined time period + organization-defined time period + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: 
authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(b) + "millisecond precision" + + + + organization-defined frequency + organization-defined frequency + + + organization-defined subset of privileged users + organization-defined subset of privileged users + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined individuals or roles + organization-defined individuals or roles + + + organization-defined level of independence + organization-defined level of independence + + + organization-defined frequency + organization-defined frequency + + + organization-defined other forms of security assessment + organization-defined other forms of security assessment + + + organization-defined information system + organization-defined information system + + + organization-defined external organization + organization-defined external organization + + + organization-defined requirements + organization-defined requirements + + + organization-defined frequency + organization-defined frequency + + + organization-defined unclassified, non-national security system + organization-defined unclassified, non-national security system + + + Assignment; organization-defined boundary protection device + Assignment; 
organization-defined boundary protection device + + + organization-defined information systems + organization-defined information systems + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined metrics + organization-defined metrics + + + organization-defined frequencies + organization-defined frequencies + + + organization-defined frequencies + organization-defined frequencies + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined level of independence + organization-defined level of independence + + + organization-defined frequency + organization-defined frequency + + + organization-defined information systems or system components + organization-defined information systems or system components + + + organization-defined information system components or classes of components + organization-defined information system components or classes of components + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + CM-1(a) + "customer-defined personnel or roles" + + + + CM-1(b)(1) + "FedRAMP requirement: at least every 3 years" + + + + CM-1(b)(2) + "FedRAMP requirement: at least annually or whenever a significant +change occurs" + + + + organization-defined policies + organization-defined policies + + + organization-defined methods + organization-defined methods + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + CM-11(1) + "organization-defined personnel or roles" + + + + CM-11(a) + "customer-defined policies" + + + + CM-11(b) + "customer-defined 
methods" + + + + CM-11(c) + "FedRAMP requirement: continuously (via CM-7(5))" + + + + organization-defined frequency + organization-defined frequency + + + Assignment organization-defined circumstances + Assignment organization-defined circumstances + + + organization-defined previous versions of baseline configurations of the information system + organization-defined previous versions of baseline configurations of the information system + + + organization-defined information systems, system components, or devices + organization-defined information systems, system components, or devices + + + organization-defined configurations + organization-defined configurations + + + organization-defined security safeguards + organization-defined security safeguards + + + CM-2(1)(a) + "FedRAMP requirement: at least annually or when a significant change +occurs" + + + + CM-2(1)(b) + "FedRAMP requirement: to include when directed by the JAB" + + + + CM-2(3) + "the previously approved baseline configuration of IS components" + + + + organization-defined time period + organization-defined time period + + + organization-defined configuration change control element (e.g., committee, board) + organization-defined configuration change control element (e.g., committee, board) + + + organization-defined frequency + organization-defined frequency + + + organization-defined configuration change conditions + organization-defined configuration change conditions + + + organized-defined approval authorities + organized-defined approval authorities + + + organization-defined time period + organization-defined time period + + + organization-defined personnel + organization-defined personnel + + + organization-defined security safeguards + organization-defined security safeguards + + + CM-3(1)(b) + "customer-defined authorized approvers" + + + + CM-3(1)(c) + "organization-defined time period" + + + + CM-3(1)(f) + "organization-defined configuration management approval authorities" + + + + CM-3(6) 
+ "all security safeguards that rely on cryptography" + + + + CM-3(e) + "customer-defined time period" + + + + CM-3(g)-1 + "FedRAMP requirement: CAB" + + + + CM-3(g)-2 + "customer-defined" + + + + CM-3(g)-3 + "customer-defined" + + + + CM-3(g)-4 + "customer-defined" + + + + organization-defined frequency + organization-defined frequency + + + organization-defined circumstances + organization-defined circumstances + + + organization-defined software and firmware components + organization-defined software and firmware components + + + CM-5(2)-1 + "every 30 days" + + + + CM-5(2)-2 + "organization-defined circumstance" + + + + CM-5(3) + "customer-defined software" + + + + CM-5(3) + "customer-defined software" + + + + CM-5(3) + "customer-defined software" + + + + organization-defined security configuration checklists + organization-defined security configuration checklists + + + organization-defined information system components + organization-defined information system components + + + organization-defined operational requirements + organization-defined operational requirements + + + organization-defined information system components + organization-defined information system components + + + CM-6(1) + "customer-defined information system components" + + + + CM-6(1) + "customer-defined information system components" + + + + CM-6(1) + "customer-defined information system components" + + + + organization-defined prohibited or restricted functions, ports, protocols, and/or services + organization-defined prohibited or restricted functions, ports, protocols, and/or services + + + organization-defined frequency + organization-defined frequency + + + organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure + organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure + + + organization-defined policies regarding software 
program usage and restrictions + organization-defined policies regarding software program usage and restrictions + + + organization-defined software programs authorized to execute on the information system + organization-defined software programs authorized to execute on the information system + + + organization-defined frequency + organization-defined frequency + + + CM-7(1)(b) + "customer-defined functions, ports, protocols, and services within the +information system deemed to be unnecessary and/or nonsecure" + + + + CM-7(2) + "customer-defined policies regarding software program usage or +restrictions" + + + + CM-7(2) + "customer-defined policies regarding software program usage or +restrictions" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + CM-7(b) + "FedRAMP assignment: the service provider shall use the Center for +Internet Security Guidelines (Level 1) to establish list of prohibited +or restricted functions, ports, protocols, and/or services or +establishes its own list of prohibited or restricted functions, ports, +protocols, and/or services if USGCB is not available" + + + + organization-defined information deemed necessary to achieve effective information system component accountability + organization-defined information deemed necessary to achieve effective information system component accountability + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or 
roles + + + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + + + organization-defined frequency + organization-defined frequency + + + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + + + organization-defined time period + organization-defined time period + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined tests + organization-defined tests + + + organization-defined information system operations + organization-defined information system operations + + + organization-defined time period consistent with recovery time and recovery point objectives + organization-defined time period consistent with recovery time and recovery point objectives + + + organization-defined information system operations + organization-defined information system operations + + + organization-defined time period + organization-defined time period + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency + 
organization-defined frequency + + + organization-defined critical information system software and other security-related information + organization-defined critical information system software and other security-related information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined strength of mechanism requirements + organization-defined strength of mechanism requirements + + + organization-defined specific and/or types of devices + organization-defined specific and/or types of devices + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined time period of inactivity + organization-defined time period of inactivity + + + organization-defined characteristic identifying individual status + organization-defined characteristic identifying individual status + + + IA-4(4) + "FedRAMP requirement: contractors, foreign nationals" + + + + IA-4(a) + "customer-defined personnel or roles" + + + + IA-4(d) + "FedRAMP requirement: at least two years" + + + + IA-4(e) + "FedRAMP requirement: thirty-five (35) days" + + + + organization-defined time period by authenticator type + organization-defined time period by authenticator type + + + organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type + organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type + + + organization-defined number + organization-defined number + + + organization-defined numbers for lifetime 
minimum, lifetime maximum + organization-defined numbers for lifetime minimum, lifetime maximum + + + organization-defined number + organization-defined number + + + organization-defined token quality requirements + organization-defined token quality requirements + + + organization-defined types of and/or specific authenticators + organization-defined types of and/or specific authenticators + + + organization-defined registration authority + organization-defined registration authority + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined requirements + organization-defined requirements + + + IA-5(1)(a) + "FedRAMP requirement: case-sensitive, minimum of fourteen (14) +characters, and at least one (1) each of upper-case letters, +lower-case letters, numbers, and special characters" + + + + IA-5(1)(b) + "FedRAMP requirement: at least fifty percent (50%)" + + + + IA-5(1)(d) + "FedRAMP requirement: one day minimum, sixty day maximum" + + + + IA-5(1)(e) + "FedRAMP requirement: twenty four" + + + + IA-5(4) + "complexity as identified in IA-05 (1) Control Enhancement Part A" + + + + IA-5(g) + "FedRAMP requirement: 60 days for passwords" + + + + organization-defined information systems + organization-defined information systems + + + IA-8(3) + "N/A" + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined tests + organization-defined tests + + + organization-defined time period + organization-defined time period + + + organization-defined authorities + organization-defined authorities + + + 
organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + + + organization-defined frequency + organization-defined frequency + + + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined actions + organization-defined actions + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined procedures + organization-defined procedures + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined maintenance-related information + organization-defined maintenance-related information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined information system components + organization-defined information system components + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + 
organization-defined frequency + + + organization-defined types of digital and/or non-digital media + organization-defined types of digital and/or non-digital media + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined controlled areas + organization-defined controlled areas + + + organization-defined types of digital and/or non-digital media + organization-defined types of digital and/or non-digital media + + + organization-defined controlled areas + organization-defined controlled areas + + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined information system media + organization-defined information system media + + + organization-defined sanitization techniques and procedures + organization-defined sanitization techniques and procedures + + + organization-defined frequency + organization-defined frequency + + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined information systems or system components + organization-defined information systems or system components + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined location by information system or system component + organization-defined location by information system or system component + + + organization-defined emergency responders + organization-defined emergency responders + + + 
organization-defined acceptable levels + organization-defined acceptable levels + + + organization-defined frequency + organization-defined frequency + + + organization-defined types of information system components + organization-defined types of information system components + + + organization-defined security controls + organization-defined security controls + + + organization-defined frequency + organization-defined frequency + + + organization-defined entry/exit points to the facility where the information system resides + organization-defined entry/exit points to the facility where the information system resides + + + organization-defined physical access control systems/devices + organization-defined physical access control systems/devices + + + organization-defined entry/exit points + organization-defined entry/exit points + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined circumstances requiring visitor escorts and monitoring + organization-defined circumstances requiring visitor escorts and monitoring + + + organization-defined physical access devices + organization-defined physical access devices + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined information system distribution and transmission lines + organization-defined information system distribution and transmission lines + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined frequency + organization-defined frequency + + + organization-defined events or potential indications of events + organization-defined events or potential indications of events + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined 
personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + + + organization-defined additional personnel screening criteria + organization-defined additional personnel screening criteria + + + organization-defined time period + organization-defined time period + + + organization-defined information security topics + organization-defined information security topics + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined transfer or reassignment actions + organization-defined transfer or reassignment actions + + + organization-defined time period following the formal transfer action + organization-defined time period following the formal transfer action + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + 
organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency and/or randomly in accordance with organization-defined process + organization-defined frequency and/or randomly in accordance with organization-defined process + + + organization-defined response times + organization-defined response times + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-identified information system components + organization-identified information system components + + + organization-defined vulnerability scanning activities + organization-defined vulnerability scanning activities + + + RA-5(2) + "FedRAMP requirement: prior to a new scan" + + + + RA-5(5)-1 + "FedRAMP requirement: operating systems, databases, web applications" + + + + RA-5(5)-2 + "FedRAMP requirement: all scans" + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined configuration items under configuration management + organization-defined configuration items under configuration management + + + organization-defined personnel + organization-defined personnel + + + organization-defined depth and coverage + organization-defined depth and coverage + + + organization-defined support from external providers + organization-defined support from external providers + + + organization-defined system development life cycle + organization-defined system 
development life cycle + + + organization-defined design/implementation information + organization-defined design/implementation information + + + organization-defined level of detail + organization-defined level of detail + + + organization-defined level of detail + organization-defined level of detail + + + organization-defined actions + organization-defined actions + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined security controls + organization-defined security controls + + + organization-defined processes, methods, and techniques + organization-defined processes, methods, and techniques + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined external information system services + organization-defined external information system services + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined external service providers + organization-defined external service providers + + + organization-defined locations + organization-defined locations + + + organization-defined requirements or conditions + organization-defined requirements or conditions + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined requirements for key generation, distribution, storage, access, and destruction + organization-defined requirements for key generation, distribution, storage, access, and destruction + + + SC-12(2) + "FedRAMP requirement: NIST FIPTS compliance" + + + + organization-defined cryptographic uses and type of cryptography required for each use + organization-defined cryptographic uses and type of cryptography required for each 
use + + + SC-13 + "FedRAMP requirement: FIPS-validated or NSA-approved cryptography" + + + + organization-defined exceptions where remote activation is to be allowed + organization-defined exceptions where remote activation is to be allowed + + + organization-defined certificate policy + organization-defined certificate policy + + + organization-defined information at rest + organization-defined information at rest + + + organization-defined information + organization-defined information + + + organization-defined information system components + organization-defined information system components + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-2 + "CSP servers" + + + + SC-28(1)-2 + "CSP servers" + + + + SC-28(1)-2 + "CSP servers" + + + + SC-28-1 + "confidentiality and integrity" + + + + SC-28-2 + "customer data" + + + + organization-defined types of denial of service attacks or references to sources for such information + organization-defined types of denial of service attacks or references to sources for such information + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined resources + organization-defined resources + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined host-based boundary protection mechanisms + organization-defined host-based boundary protection mechanisms + + + organization-defined information system components + organization-defined information system components + + + organization-defined information security tools, mechanisms, and support components + organization-defined information security tools, mechanisms, and support components + + + organization-defined information system components + organization-defined information system components + + + organization-defined frequency + organization-defined frequency + + + organization-defined 
internal communications traffic + organization-defined internal communications traffic + + + organization-defined external networks + organization-defined external networks + + + SC-7(20 + "organization-defined information system components" + + + + organization-defined alternative physical safeguards + organization-defined alternative physical safeguards + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined information inputs + organization-defined information inputs + + + organization-defined personnel or roles + organization-defined personnel or roles + + + SI-11(b) + "authorized service personnel and CSP users" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + organization-defined security safeguards + organization-defined security safeguards + + + SI-16 + "Windows protections, including No Execute, Address Space Layout +Randomization, and Data Execution Prevention" + + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined benchmarks + organization-defined benchmarks + + + organization-defined frequency + organization-defined frequency + + + organization-defined action + organization-defined action + + + organization-defined monitoring objectives + organization-defined monitoring objectives + + + organization-defined techniques and methods + organization-defined techniques and methods + + + organization-defined information system monitoring information + organization-defined information system monitoring information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined 
frequency + + + organization-defined host-based monitoring mechanisms + organization-defined host-based monitoring mechanisms + + + organization-defined information system components + organization-defined information system components + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined compromise indicators + organization-defined compromise indicators + + + organization-defined external organizations + organization-defined external organizations + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined elements within the organization + organization-defined elements within the organization + + + organization-defined external organizations + organization-defined external organizations + + + organization-defined security functions + organization-defined security functions + + + organization-defined system transitional states + organization-defined system transitional states + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined alternative action(s) + organization-defined alternative action(s) + + + organization-defined software, firmware, and information + organization-defined software, firmware, and information + + + organization-defined software, firmware, and information + organization-defined software, firmware, and information + + + organization-defined transitional states or security-relevant events + organization-defined transitional states or security-relevant events + + + organization-defined frequency + organization-defined frequency + + + organization-defined security-relevant changes to the information system + organization-defined security-relevant changes to the information system + + + 
diff --git a/working/JSON-mapping/docker-ee-opencontrol-oscal-LINKED.xml b/working/JSON-mapping/docker-ee-opencontrol-oscal-LINKED.xml
new file mode 100644
index 0000000000..0c5664b331
--- /dev/null
+++ b/working/JSON-mapping/docker-ee-opencontrol-oscal-LINKED.xml
@@ -0,0 +1,6649 @@
+ + Moderate SSP for Docker Enterprise Edition Deployment ATO +

                                    Moderate SSP for Docker Enterprise Edition Deployment ATO

                                    + securitylead@agency.gov + + SP800-53 MODERATE BASELINE IMPACT + + + + Access Control Policy for [Agency_Here] +

                                    +

                                    + + ACCESS CONTROL POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCOUNT MANAGEMENT +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DISABLE INACTIVE ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS ENFORCEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION OF DUTIES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LEAST PRIVILEGE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHORIZE ACCESS TO SECURITY FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDITING USE OF PRIVILEGED FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + UNSUCCESSFUL LOGON ATTEMPTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM USE NOTIFICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION LOCK +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PATTERN-HIDING DISPLAYS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION TERMINATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOTE ACCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIVILEGED COMMANDS / ACCESS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHENTICATION AND ENCRYPTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + WIRELESS ACCESS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FULL DEVICE / CONTAINER-BASED ENCRYPTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR MOBILE DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PORTABLE STORAGE DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LIMITS ON AUTHORIZED USE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SHARING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PUBLICLY ACCESSIBLE CONTENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Awareness Training Policy for [Agency_Here] +

                                    +

                                    + + ROLE-BASED SECURITY TRAINING +

                                    [Agency's control implementation here] +

                                    + none + + + SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY AWARENESS TRAINING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSIDER THREAT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY TRAINING RECORDS +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Audit and Accountability Policy for [Agency_Here] +

                                    +

                                    + + AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + complete + + + AUDIT EVENTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + complete +
                                    + + REVIEWS AND UPDATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT STORAGE CAPACITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT REVIEW, ANALYSIS, AND REPORTING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROCESS INTEGRATION +

                                    [Agency's control implementation here] +

                                    +
                                    + + CORRELATE AUDIT REPOSITORIES +

                                    [Agency's control implementation here] +

                                    +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC PROCESSING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TIME STAMPS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS BY SUBSET OF PRIVILEGED USERS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT RECORD RETENTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT GENERATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Assessment and Authorization Policy for [Agency_Here] +

                                    +

                                    + + SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ASSESSMENTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDEPENDENT ASSESSORS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM INTERCONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PLAN OF ACTION AND MILESTONES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY AUTHORIZATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINUOUS MONITORING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDEPENDENT ASSESSMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTERNAL SYSTEM CONNECTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Configuration Management Policy for [Agency_Here] +

                                    +

                                    + + CONFIGURATION MANAGEMENT POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + BASELINE CONFIGURATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REVIEWS AND UPDATES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RETENTION OF PREVIOUS CONFIGURATIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURATION CHANGE CONTROL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURATION SETTINGS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM COMPONENT INVENTORY +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Contingency Planning Policy for [Agency_Here] +

                                    +

                                    + + CONTINGENCY PLANNING POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + CONTINGENCY PLAN +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATE WITH RELATED PLANS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFY CRITICAL ASSETS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINGENCY TRAINING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINGENCY PLAN TESTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATE WITH RELATED PLANS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE STORAGE SITE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION FROM PRIMARY SITE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESSIBILITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE PROCESSING SITE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION FROM PRIMARY SITE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESSIBILITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIORITY OF SERVICE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TELECOMMUNICATIONS SERVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIORITY OF SERVICE PROVISIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM BACKUP +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TESTING FOR RELIABILITY / INTEGRITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM RECOVERY AND RECONSTITUTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TRANSACTION RECOVERY +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Docker Security Scanning (DSS) +

                                    +

                                    + + UPDATE TOOL CAPABILITY +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning (DSS) component of Docker +Trusted Registry (DTR) that is included with the Docker Enterprise +Edition Advanced tier can be used to scan Docker images for +vulnerabilities against known vulnerability databases. Scans can be +triggered either manually or when Docker images are pushed to DTR.' +

                                    + service provider hybrid + complete + + + UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning component of Docker Trusted +Registry (DTR) that is included with the Docker Enterprise Edition +Advanced tier compiles a bill of materials (BOM) for each Docker image +that it scans. DSS is also synchronized to an aggregate listing of +known vulnerabilities that is compiled from both the MITRE and NVD CVE +databases. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Image_Scanning' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning component of Docker Trusted +Registry (DTR) that is included with the Docker Enterprise Edition +Advanced tier identifies vulnerabilities in a Docker image and marks +them against predefined criticality levels; critical major and minor.' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED ACCESS +

                                    'Only the appropriate users that the organization has provided Docker +Trusted Registry access to are able to view and interpret +vulnerability scan results.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'For each Docker image pushed to Docker Trusted Registry at a given +time, Docker Security Scaninng retains a list of vulnerabilities +detected. The DTR API can be queried to retrieve the vulnerability +scan results over a period of time for a given Docker image such that +the results can be compared per the requirements of this control.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Security Scanning maintains a historical bill-of-materials +(BOM) for all Docker images that are scanned. Results of previous +vulnerability scans can be reviewed and audited per the requirements +of this control.' +

                                    + service provider hybrid + complete +
                                    + + + DSS Documentation +

                                    + https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/ + + + + Docker Trusted Registry (DTR) +

                                    +

                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation for managing users and teams can +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-teams/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT +

                                    'One can control which users and teams can create and manipulate +Docker Trusted Registry resources. By default, no one can make changes +to the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + Docker EE system + complete +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + shared + complete +
                                    + + +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + service provider hybrid + complete +
                                    + + SEPARATION OF DUTIES +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Docker Trusted Registry resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + service provider hybrid + complete +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS +

                                    'One can control which users and teams can create and manipulate +Docker Trusted Registry resources and prevent non-privileged users +from executing privileged functions per the requirements of this +control. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation for the configuration of this +functionality can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/' +

                                    + Docker EE system + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    'To help the organization meet the requirements of this control, a +review of actions allowed by unauthenticated users can be performed +within Docker Trusted Registry.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS +

                                    'To help the organization meet the requirements of this control, +Docker Trusted Registry can be configured to allow/prohibit remote +access.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Docker Trusted Registry logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2. This is included at both the +HTTPS application layer for access to the DTR user interface and for +command-line based connections to the registry. In addition to this, +all communication to DTR is enforced by way of two-way mutual TLS +authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Docker Trusted Registry replicas is routed through +managed network access control points.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Built-in firewall technology in Docker Trusted Registry's underlying +operating system can be used to force the disconnection of remote +connections to the host. In addition, UCP slave nodes running Docker +Trusted Registry replicas can be paused or drained, which subsequently +stops sessions to the DTR replica.' +

                                    + service provider hybrid + configured by customer + complete +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Docker Trusted Registry.' +

                                    + service provider hybrid + complete +
                                    + + LIMITS ON AUTHORIZED USE +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Docker Trusted Registry.' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION SHARING +

                                    'To help the organization meet the requirements of this control, one +can validate the assigned roles and access levels within Docker +Trusted Registry to control information sharing.' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT EVENTS +

                                    'All of the event types indicated by this control are logged by a +combination of the backend ucp-controller service within Universal +Control Plane and the backend services that make up Docker Trusted +Registry. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/#dtr-internal-components +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/#ucp-internal-components' +

                                    + service provider corporate + Docker EE system + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Docker Trusted Registry generates all of the audit record information +indicated by this control. A sample audit event has been provided +below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to interpolate the information +defined by this control from the logged audit records. Additional +information can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to interpolate the information +defined by this control from the logged audit records. Additional +information can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to alert individuals in +the event of log processing failures. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to warn the organization +when the allocated log storage is full. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to warn the organization +when audit log failures occur. Additional information can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +organization can subsequently centrally review and analyze all of the +Docker EE audit records. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to facilitate the audit +reduction and report generation requirements of this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'The underlying operating system chosen to support Docker Trusted +Registry should be certified to ensure that logs are not altered +during generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared +
                                    + + AUTOMATIC PROCESSING +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to parse information by +organization-defined audit fields. Additional information can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS +

                                    'Docker Trusted Registry uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock compares itself with +an authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock synchronizes itself to +an authoritative time source as defined by part (a) of this control +any time the time difference exceeds that of the organization-defined +time period. This can be accomplished by utilizing the Network Time +Protocol (NTP). Refer to the operating system's instructions for doing +so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    'By default, Docker Trusted Registry is configured to use the +underlying logging capabilities of Docker Enterprise Edition. As such, +on the underlying Linux operating system, only root and sudo users and +users that have been added to the ''docker'' group have the ability to +access the logs generated by UCP backend service containers. In +addition, only UCP Administrator users can change the logging endpoint +of the system should it be decided that logs be sent to a remote +logging stack. In this case, the organization is responsible for +configuring the remote logging stack per the provisions of this +control.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +back up audit records per the schedule defined by this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +meet the encryption mechanisms required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + AUDIT RECORD RETENTION +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Docker Trusted +Registry resides as an Application on a Universal Control Plane +cluster, and as such, can be configured to send logs to a remote +logging stack. This logging stack can subsequently be configured to +retain logs for the duration required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider corporate + Docker EE system + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION +

                                    'All of the event types indicated by AU-2 a. are logged by a +combination of the backend services within Universal Control Plane and +Docker Trusted Registry. The underlying Linux operating system +supporting DTR can be configured to audit Docker-specific events with +the auditd daemon. Refer to the specific Linux distribution in use for +instructions on configuring this service. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/' +

                                    +

                                    'Using auditd on the Linux operating system supporting DTR, the +organization can configure audit rules to select which Docker-specific +events are to be audited. Refer to the specific Linux distribution in +use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and as such, can be configured to send logs to +a remote logging stack. This logging stack can subsequently be used to +compile audit records in to a system-wide audit trail that is +time-correlated per the requirements of this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and as such, can be configured to send logs to +a remote logging stack. This logging stack can subsequently be used to +meet the requirements of this control. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + +

                                    'Role-based access control can be configured within Docker Trusted +Registry to meet the requirements of this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Docker Content Trust is a capability provided by Docker Enterprise +Edition that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. All Docker Trusted +Registry Docker images are officially signed and verified by Docker, +Inc. + +When installing Docker Trusted Registry, you should enable Docker +Content Trust and subsequently pull the the signed DTR image tag. +Additional information can be found at teh following resources: + +- https://docs.docker.com/engine/security/trust/content_trust/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/user/manage-images/sign-images/manage-trusted-repositories/' +

                                    + service provide hybrid + shared + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +incorporate the use of an external configuration management system to +meet the requirements of this control. Docker Trusted Registry''s +configuration can also be backed up and stored an appropriate location +per the requirements of this control. Additional documenation can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/' +

                                    + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION +

                                    'The organization can define a list of allowed base Docker images and +make them available via Docker Trusted Registry. The organization can +also prevent users from being able to pull Docker images from +untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +define a list of allowed base Docker images and make them available +via Docker Trusted Registry. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +configure its systems to ensure that only approved Docker images are +stored in Docker Trusted Registry. This can be accomplished by using +Docker Content Trust to sign Docker images which can subsequently be +stored in Docker Trusted Registry.' +

                                    + service provider hybrid + shared + complete +
                                    + + USER-INSTALLED SOFTWARE +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +define a list of allowed base Docker images and make them available +via Docker Trusted Registry. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + +

                                    'The organization can define a list of allowed base Docker images and +make them available via Docker Trusted Registry to meet the +requirements of this contorl. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + TRANSACTION RECOVERY +

                                    'Docker Trusted Registry maintains its cluster state via an internal +key-value store. This, and other DTR transactions can be backed up and +recovered. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#DTR_Backup' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Docker Trusted +Registry requires individual users to be authenticated in order to +gain access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    'Docker Trusted Registry replicas reside on Universal Control Plane +worker nodes. In order for UCP worker nodes to join a Universal +Control Plane cluster, they must be identified and authenticated via a +worker token. Additional Docker Trusted Registry replicas can only be +added after a UCP administrator user has authenticated in to the UCP +cluster and when mutual TLS authentication between the UCP worker and +manager nodes has been established. Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/#step-7-join-replicas-to-the-cluster' +

                                    + Docker EE system + complete +
                                    + + PKI-BASED AUTHENTICATION +

                                    'Docker Trusted Registry includes a Docker volume which holds the root +key material for the DTR root CA that issues certificats. In addition +Universal Control Plane contains two, built-in root certificate +authorities. One CA is used for signing client bundles generated by +users. The other CA is used for TLS communication between UCP cluster +nodes. Should you choose to use certificates signed by an external CA, +in order to successfully authenticate in to the system, those +certificates must include a root CA public certificate, a service +certificate and any intermediate CA public certificates (in addition +to SANs for all addresses used to reach the UCP controller), and a +private key for the server. When adding DTR replicas, the UCP nodes on +which they're installed are authenticated to the cluster via the +appropriate built-in CA.' +

                                    +

                                    'Access to Docker Trusted Registry is only granted when a user has a +valid certificate bundle. This is enforced with the public/private key +pair included with the user's certificate bundle in Universal Control +Plane.' +

                                    +

                                    'Only after a client bundle has been generated or an existing public +key has been added for a particular user is that user able to execute +commands against Docker Trusted Registry. This bundle maps the +authenticated identity to that of the user's profile in Universal +Control Plane.' +

                                    +

                                    'When a client bundle has been generated or an existing public key has +been added for a particular Universal Control Plane user which +subsequently grants that user access to Docker Trusted Registry, it is +attached to that user''s Universal Control Plane profile. Bundles/keys +can be revoked by an Administrator or the user themselves. The +cluster''s internal certificates can also be revoked and updated. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/use-your-own-tls-certificates/' +

                                    + Docker EE system + complete +
                                    + + AUTHENTICATOR FEEDBACK +

                                    'Docker Trusted Registry obscures all feedback of authentication +information during the authentication process. This includes both +authentication via the web UI and the CLI.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION +

                                    'All access to Docker Trusted Registry is protected with Transport +Layer Security (TLS) 1.2 with the AES-GCM cipher. This includes both +SSH access to the individual UCP nodes and CLI-/web-based access to +the UCP management functions with mutual TLS and HTTPS respectively.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) +

                                    'Users managed by Docker Trusted Registry can be grouped per the +requirements of the organization and as defined by this control. This +can include groupings for non-organizational users.' +

                                    + Docker EE system + complete +
                                    + + UPDATE TOOL CAPABILITY +

                                    'The Docker Security Scanning tool allows for the scanning of Docker +images in Docker Trusted Registry against the Common Vulnerabilities +and Exposures (CVE) dictionary.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The Docker Security Scanning tool allows for the scanning of Docker +images in Docker Trusted Registry against the Common Vulnerabilities +and Exposures (CVE).' dictionary. +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Content Trust gives you the ability to verify both the +integrity and the publisher of all the data received from a Docker +Trusted Registry over any channel. It allows operations with a remote +DTR instance to enforce client-side signing and verification of image +tags. It provides for the ability to use digital signatures for data +sent to and receive from remote DTR instances. These signatures allow +client-side verification of the integrity and publisher of specific +image tags. Docker Trusted Registry includes an integrated imaging +signing service.' +

                                    + service provider hybrid + complete +
                                    + + APPLICATION PARTITIONING +

                                    'Docker Trusted Registry is made up of a number of backend services +that provide for both user functionality (including user interface +services) and system management functionality. Each of these services +operates independently of one another. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Docker_Trusted_Registry' +

                                    + Docker EE system + complete +
                                    + + SESSION AUTHENTICITY +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the DTR +user interface and for command-line based connections to the registry. +In addition to this, all communication to DTR is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the DTR +user interface and for command-line based connections to the registry. +In addition to this, all communication to DTR is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING +

                                    'All error messages generated via the configured logging mechanism of +Docker Trusted Registry are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + + Docker Trusted Registry Documentation +

                                    + https://docs.docker.com/datacenter/dtr/2.3/guides/ + + + + Docker Enterprise Edition Engine +

                                    +

                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition can be configured to aggregate +container and daemon events via a number of logging drivers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/view_container_logs/ +- https://docs.docker.com/engine/admin/logging/overview/ +- https://docs.docker.com/engine/admin/logging/log_tags/' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    'Docker Enterprise Edition can be configured to control the flow of +information that originates from applications running in containers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured to control the flow of +information that originates from applications running in containers +per organization-defined security policy filters. Supporting +documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks + +There are also third-party behavioral activity monitoring tools (e.g. +Sysdig Falco <http://www.sysdig.org/falco/>) that can be used +alongside Docker Enterprise Edition to satisfy this control''s +requirements.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured to separate the flow of +information that originates from applications running in containers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks' +

                                    + service provider hybrid + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    'To help the organization meet the requirements of this control, one +can restrict membership to the 'docker' group on underlying Linux +hosts or the local "Administrators" group (and any other groups +defined within 'daemon.json') on underlying Windows Server 2016 hosts +to only authorized users.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS +

                                    'To help the organization meet the requirements of this control, +Docker Enterprise Edition can be configured to allow/prohibit remote +access to the Engine.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Docker Enterprise Edition logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2. In addition to this, all +communication to Docker Enterprise Edition is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Docker Enterprise Edition is routed through managed +network access control points.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Built-in firewall technology in Docker Enterprise Edition's +underlying operating system can be used to force the disconnection of +remote connections to the host. In addition, Docker Enterprise Edition +provides the option to pause or drain a node in the cluster, which +subsequently stops and/or removes sessions to the node. Individual +services and/or applications running on Docker Enterprise Edition can +also be stopped and/or removed.' +

                                    + service provider hybrid + configured by customer + complete +
                                    + + AUDIT EVENTS +

                                    'Both Universal Control Plane and Docker Trusted Registry backend +service containers, all of which reside on Docker Enterprise Edition, +log all of the event types indicated by this control (as explained by +their component narratives). These and other application containers +that reside on Docker Enterprise Edition can be configured to log data +via an appropriate Docker logging driver. Instructions for configuring +logging drivers can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Both Universal Control Plane and Docker Trusted Registry are +pre-configured to take advantage of Docker Enterprise Edition''s +built-in logging mechanisms. A sample audit event recorded by Docker +Enterprise Edition has been provided below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"} + +Additional documentation can be referenced at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to interpolate the information defined +by this control from the logged audit records. Additional +documentation can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to interpolate the information defined +by this control from the logged audit records. Additional +documentation can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can be used to interpolate the information defined by this +control and also be configured to alert on any audit processing +failures. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be configured to warn the organization when the +allocated log storage is full. Additional information can be found at +the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The +logging stack can subsequently be configured to warn the organization +when audit log failures occur. Additional information can be found at +the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The +organization can subsequently centrally review and analyze all of the +Docker EE audit records. Additional information can be found at the +following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to facilitate the audit reduction and +report generation requirements of this control. Additional information +can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    +

                                    'The underlying operating system chosen to support Docker Enterprise +Edition should be certified to ensure that logs are not altered during +generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared + complete +
                                    + + AUTOMATIC PROCESSING +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be configured to parse information by +organization-defined audit fields. Additional information can be found +at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS +

                                    'Docker Enterprise Edition uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Docker Enterprise Edition +runs should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    'The underlying operating system on which Docker Enterprise Edition runs should +be configured such that its system clock compares itself with an +authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Docker Enterprise Edition +runs should be configured such that its system clock synchronizes +itself to an authoritative time source as defined by part (a) of this +control any time the time difference exceeds that of the +organization-defined time period. This can be accomplished by +utilizing the Network Time Protocol (NTP). Refer to the operating +system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    'On the underlying Linux operating system supporting Docker Enterprise +Edition, only root and sudo users and users that have been added to +the "docker" group have the ability to access the logs generated by +UCP backend service containers. Should the organization decide to +configure Docker Enterprise Edition to use a logging driver other than +the default json-file driver, the organization is subsequently +responsible for configuring the chosen logging stack per the +provisions of this control. In addition, for Linux operating systems +supporting Docker Enterprise Edition that use the systemd daemon, it +is imperative that the Journal is secured per the requirements of this +control. The same applies for Linux operating systems supporting +Docker Enterprise Edition that instead use upstart. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured to use a logging driver +that can subsequently meet the backup requirements of this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured to use a logging driver +that can subsequently meet the encryption mechanisms required by this +control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition includes functionality known as Docker +Content Trust which allows one to cryptographically sign Docker +images. It enforces client-side signing and verification of image tags +and provides the ability to use digital signatures for data sent to +and received from Docker Trusted Registry. This ultimately provides +one with the ability to verify both the integrity and the publisher of +all data received from DTR over any channel. With Docker Content +Trust, an organization can enforce signature verification of all +content and prohibit unsigned and unapproved content from being +manipulated; thus supproting the non-repudiation requirements of this +control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/security/trust/content_trust/' +

                                    + Docker EE system + complete +
                                    + + AUDIT RECORD RETENTION +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Docker Enterprise +Edition can be configured to use a logging driver that stores data in +a location for the duration specified by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION +

                                    'Both Universal Control Plane and Docker Trusted Registry backend +service containers, all of which reside on Docker Enterprise Edition, +log all of the event types indicated by this AU-2 a. These and other +application containers that reside on Docker Enterprise Edition can be +configured to log data via an appropriate Docker logging driver. The +underlying Linux operating system supporting Docker Enterprise Edition +can be configured to audit Docker-specific events with the auditd +daemon. Refer to the specific Linux distribution in use for +instructions on configuring this service. Additional information can +be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    +

                                    'Using auditd on the Linux operating system supporting CS Docker +Engine, the organization can configure audit rules to select which +Docker-specific events are to be audited. Refer to the specific Linux +distribution in use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. This +logging stack can subsequently be used to compile audit records in to +a system-wide audit trail that is time-correlated per the requirements +of this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. This +logging stack can subsequently be used to meet the requirements of +this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONFIGURATION MANAGEMENT POLICY AND PROCEDURES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configuration management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + BASELINE CONFIGURATION +

                                    'The CIS Docker Benchmark can be used as a baseline for securing Docker +Enterprise Edition and for helping the organization meet the +configuration management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + REVIEWS AND UPDATES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. CIS regularly +updates their benchmark to reflect the latest updates in the stable +release of Docker Engine. Various configuration management tools such +as Inspec (http://inspec.io/) can be used to audit Docker Enterprise +Edition system configuration to ensure that the secure baseline +configurations have been applied in an automated fashion. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + RETENTION OF PREVIOUS CONFIGURATIONS +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. CIS regularly +updates their benchmark to reflect the latest updates in the stable +release of Docker Engine. Various configuration management tools such +as Inspec (http://inspec.io/) can be used to audit Docker Enterprise +Edition system configuration to ensure that the secure baseline +configurations have been applied in an automated fashion and can be +rolled back as required by this control. Additional information can be +found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + CONFIGURATION CHANGE CONTROL +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Additional information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Various configuration management tools such as Inspec +(http://inspec.io/) can be used to audit Docker Enterprise Edition +system configuration to ensure that the secure baseline configurations +have been applied in an automated fashion. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + TEST / VALIDATE / DOCUMENT CHANGES +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Various configuration management tools such as Inspec +(http://inspec.io/) can be used to audit Docker Enterprise Edition +system configuration to ensure that the secure baseline configurations +have been applied in an automated fashion. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +cryptography management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +system change requirements of this control. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Before installing Docker Enterprise Edition, ensure that your +supporting Linux operating system''s packager manager supports package +signature verification and that it is enabled. It is also required +that you import the Docker public key for EE packages so as to +retrieve the validated and signed package from Docker, Inc. Refer to +your Linux OS documentation for instructions on completing the above +steps. + +In addition, Docker Content Trust is a capability provided by Docker +Engine that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. When enabling Docker +Content Trust in Docker Enterprise Edition you can enforce the use of +signed Docker images. Additional information can be found at the +following resources: + +- https://docs.docker.com/engine/security/trust/content_trust/' +

                                    + service provide hybrid + shared + complete +
                                    + + +

                                    'The organization can incorporate the use of an external configuration +management system to meet the requirements of this control.' +

                                    + service provider hybrid + complete +
                                    + + LEAST FUNCTIONALITY +

                                    'To help the organization meet the requirements of this control, the +latest CIS Docker Benchmark can be used as a secure configuration +baseline. Additional information can be found at the following +resources: + +- https://www.cisecurity.org/benchmark/docker/' +

                                    + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION +

                                    'In order to restrict which Docker images can be used to deploy +applications to Docker Enterprise Edition, the organization can define +a list of allowed base Docker images and make them available via +Docker Trusted Registry. The organization can also prevent users from +being able to pull Docker images from untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements and in order to restrict +which Docker images can be used to deploy applications to Docker EE +Engine, the organization must define a list of allowed base Docker +images and make them available via Docker Trusted Registry. The +organization must also prevent users from being able to pull Docker +images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + CONFIGURATION MANAGEMENT PLAN +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configuration management plan requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    'In order for other Docker EE engine nodes to be able to join a +cluster managed by Universal Control Plane, they must be identified +and authenticated via either a manager or worker token. Use of the +token includes trust on first use mutual TLS.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Docker Content Trust gives you the ability to verify both the +integrity and the publisher of all the data received from a Docker +Trusted Registry over any channel. It allows operations with a remote +DTR instance to enforce client-side signing and verification of image +tags. It provides for the ability to use digital signatures for data +sent to and receive from remote DTR instances. These signatures allow +client-side verification of the integrity and publisher of specific +image tags.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition is designed to run application containers +whose content can be completely isolated/segregated from other +application containers within the same node/cluster. This is +accomplished by way of Linux kernel primitives and various security +profiles that can be applied to the underlying host OS. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/security/security/ +- https://docs.docker.com/engine/userguide/networking/overlay-security-model/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Engine_and_Node_Security' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's documentation to ensure it is configured in FIPS mode.' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's documentation to ensure it is configured in FIPS mode.' +

                                    + service provider hybrid + complete +
                                    + + SESSION AUTHENTICITY +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to and between Docker Enterprise +Editions is enforced by way of two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF INFORMATION AT REST +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to/from and between Docker +Enterprise Edition nodes is enforced by way of two-way mutual TLS +authentication. All Swarm Mode manager nodes in a Docker Enterprise +Edition cluster store state metadata and user secrets encrypted at +rest using the AES GCM cipher.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to and between Docker Enterprise +Editions is enforced by way of two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + AUTOMATIC UPDATES +

                                    'Docker Enterprise Edition packages for supported underlying operating +systems can only be obtained from Docker, Inc. The Docker EE +repositories from which Docker EE packages are obtained are protected +with official GPG keys. Each Docker package is also validated with a +signature definition.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING +

                                    'All error messages generated via the logging mechanisms of the Docker +Enterprise Edition engine are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + MEMORY PROTECTION +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's security documentation for information regarding the +protection of memory from unauthorized code execution.' +

                                    + service provider hybrid + complete +
                                    + + + Docker Enterprise Edition Engine Installation Documentation +

                                    + https://docs.docker.com/engine/installation/ + + + + Docker Engine Release Notes +

                                    + https://docs.docker.com/release-notes/ + + + + Configuring and Running Docker on Various Distributions +

                                    + https://docs.docker.com/engine/admin/ + + + + Docker Engine Security +

                                    + https://docs.docker.com/engine/security/security/ + + + + Securing Docker Datacenter and Security Best Practices +

                                    + https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices + + + + Identification and Authentication Policy for [Agency_Here] +

                                    +

                                    + + IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LOCAL ACCESS TO PRIVILEGED ACCOUNTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOTE ACCESS - SEPARATE DEVICE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF PIV CREDENTIALS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFIER MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHENTICATOR MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PASSWORD-BASED AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PKI-BASED AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + HARDWARE TOKEN-BASED AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF THIRD-PARTY CREDENTIALS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF FICAM-APPROVED PRODUCTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF FICAM-ISSUED PROFILES +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Incident Response for [Agency_Here] +

                                    +

                                    + + INCIDENT RESPONSE POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + INCIDENT RESPONSE TRAINING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE TESTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATION WITH RELATED PLANS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT HANDLING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED INCIDENT HANDLING PROCESSES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT MONITORING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT REPORTING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED REPORTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE ASSISTANCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE PLAN +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System Maintenance Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM MAINTENANCE POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + CONTROLLED MAINTENANCE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MAINTENANCE TOOLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSPECT TOOLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSPECT MEDIA +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NONLOCAL MAINTENANCE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DOCUMENT NONLOCAL MAINTENANCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MAINTENANCE PERSONNEL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TIMELY MAINTENANCE +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Media Protection Policy for [Agency_Here] +

                                    +

                                    + + MEDIA PROTECTION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + MEDIA ACCESS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA MARKING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA STORAGE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA TRANSPORT +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA SANITIZATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA USE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROHIBIT USE WITHOUT OWNER +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Physical and Environmental Protection Policy for [Agency_Here] +

                                    +

                                    + + PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + PHYSICAL ACCESS AUTHORIZATIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PHYSICAL ACCESS CONTROL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR TRANSMISSION MEDIUM +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR OUTPUT DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MONITORING PHYSICAL ACCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTRUSION ALARMS / SURVEILLANCE EQUIPMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + VISITOR ACCESS RECORDS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + POWER EQUIPMENT AND CABLING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY SHUTOFF +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY POWER +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY LIGHTING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FIRE PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC FIRE SUPPRESSION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TEMPERATURE AND HUMIDITY CONTROLS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + WATER DAMAGE PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DELIVERY AND REMOVAL +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE WORK SITE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Planning Policy for [Agency_Here] +

                                    +

                                    + + SECURITY PLANNING POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + INFORMATION SECURITY ARCHITECTURE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Personnel Security Policy for [Agency_Here] +

                                    +

                                    + + PERSONNEL SECURITY POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + POSITION RISK DESIGNATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL SCREENING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL TERMINATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL TRANSFER +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS AGREEMENTS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + THIRD-PARTY PERSONNEL SECURITY +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL SANCTIONS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Risk Assessment Policy for [Agency_Here] +

                                    +

                                    + + RISK ASSESSMENT POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    + none + + + VULNERABILITY SCANNING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System and Services Acquisition Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + ALLOCATION OF RESOURCES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM DEVELOPMENT LIFE CYCLE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACQUISITION PROCESS +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FUNCTIONAL PROPERTIES OF SECURITY CONTROLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF APPROVED PIV PRODUCTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM DOCUMENTATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ENGINEERING PRINCIPLES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXTERNAL INFORMATION SYSTEM SERVICES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DEVELOPER CONFIGURATION MANAGEMENT +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +
                                    + + DEVELOPER SECURITY TESTING AND EVALUATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +
                                    + + +

                                    [Agency's control implementation here] +

                                    +
                                    + + +

                                    [Agency's control implementation here] +

                                    +
                                    + + +

                                    [Agency's control implementation here] +

                                    +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System and Communications Protection Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + APPLICATION PARTITIONING +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION IN SHARED RESOURCES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DENIAL OF SERVICE PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + BOUNDARY PROTECTION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS POINTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXTERNAL TELECOMMUNICATIONS SERVICES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DENY BY DEFAULT / ALLOW BY EXCEPTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PREVENT SPLIT TUNNELING FOR REMOTE DEVICES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TRANSMISSION CONFIDENTIALITY AND INTEGRITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK DISCONNECT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COLLABORATIVE COMPUTING DEVICES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PUBLIC KEY INFRASTRUCTURE CERTIFICATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MOBILE CODE +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + VOICE OVER INTERNET PROTOCOL +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION AUTHENTICITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROTECTION OF INFORMATION AT REST +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROCESS ISOLATION +

                                    [Agency's control implementation here] +

                                    + complete +
                                    +
                                    + + System and Information Integrity Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES +

                                    [Agency's control implementation here] +

                                    + none + + + FLAW REMEDIATION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED FLAW REMEDIATION STATUS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MALICIOUS CODE PROTECTION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CENTRAL MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC UPDATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM MONITORING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED TOOLS FOR REAL-TIME ANALYSIS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM-GENERATED ALERTS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ALERTS, ADVISORIES, AND DIRECTIVES +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTEGRITY CHECKS +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTEGRATION OF DETECTION AND RESPONSE +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SPAM PROTECTION +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CENTRAL MANAGEMENT +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC UPDATES +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION INPUT VALIDATION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ERROR HANDLING +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION HANDLING AND RETENTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEMORY PROTECTION +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Universal Control Plane (UCP) +

                                    +

                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation for managing users and teams can +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-teams/' +

                                    + service provider hybrid + complete + + + +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, Universal Control Plane can be configured to send system +account log data to a remote logging service such as an Elasticsearch, +Logstash and Kibana (ELK) stack. Supporting documentation can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-node-messages/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-configurations/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-task-state/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT +

                                    'One can control which users and teams can create and manipulate +Universal Control Plane resources. By default, no one can make changes +to the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/deploy-view-only-service/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/grant-permissions/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-nodes-between-teams/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-volumes-between-teams/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/manage-access-with-collections/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/access-control-node/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + INFORMATION FLOW ENFORCEMENT +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + shared + complete +
                                    + + SEPARATION OF DUTIES +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + LEAST PRIVILEGE +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources and employ principles of +least privilege. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + AUTHORIZE ACCESS TO SECURITY FUNCTIONS +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources and explicitly authorize +access as necessary. By default, no one can make changes to the +cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources, including Docker +networking components. By default, no one can make changes to the +cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED ACCOUNTS +

                                    'To assist the organization in meeting the requirements of this +control, one can restrict privileged accounts within Universal Control +Plane to custom-defined roles. By default, no one can make changes to +the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, one can review all implemented grants, accounts and roles +within Universal Control Plane and reassign/revoke privileges as +necessary. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Universal Control Plane users can be assigned to one of a number of +different permission levels. The permission level assigned to a +specific user determines that user''s ability to execute certain +Docker functions within UCP. Only users mapped to either the "Full +Control" or "Admin" roles can execute Docker commands without any +restrictions. Users mapped to either the "View Only" or "No Access" +roles cannot execute any Docker commands. Users assigned to the +"Restricted Control" role can only run Docker commands under their own +purview and cannot see other users UCP resources nor run commands that +required privileged access to the host. Furthermore, custom roles can +be created for fine-grained access to specific UCP resources and +functionality. Additional documentation regarding the various +permission levels within UCP can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS +

                                    'One can control which users and teams can create and manipulate +Universal Control Plane resources and prevent non-privileged users +from executing privileged functions per the requirements of this +control. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation for the configuration of this +functionality can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Universal Control Plane includes a logout capability that allows a +user to terminate his/her current session.' +

                                    + Docker EE system + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION +

                                    'To help the organization meet the requirements of this control, a +review of actions allowed by unauthenticated users can be performed +within Universal Control Plane.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane can be configured to allow/prohibit remote +access.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Universal Control Plane logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2. This is included at both the +HTTPS application layer for access to the UCP user interface and for +command-line based connections to the cluster. In addition to this, +all communication to UCP is enforced by way of two-way mutual TLS +authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Universal Control Plane managers and worker nodes is +routed through managed network access control points.' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED COMMANDS / ACCESS +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane can be configured to authorize certain +privileged functions via remote access.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Built-in firewall technology in Universal Control Plane's underlying +operating system can be used to force the disconnection of remote +connections to the host. In addition, UCP provides the option to pause +or drain a node in the cluster, which subsequently stops and/or +removes sessions to the node. Individual services and/or applications +running on a UCP cluster can also be stopped and/or removed.' +

                                    + service provider hybrid + configured by customer + complete + partial +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Universal Control +Plane.' +

                                    + service provider hybrid + complete +
                                    + + LIMITS ON AUTHORIZED USE +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Universal Control +Plane.' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION SHARING +

                                    'To help the organization meet the requirements of this control, one +can validate the assigned roles and access levels within Universal +Control Plane to control information sharing.' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT EVENTS +

                                    'All of the event types indicated by this control are logged by the +backend ucp-controller service within Universal Control Plane. In +addition, each container created on a Universal Control Plane cluster +logs event data. Supporting documentation for configuring UCP logging +can be referenced at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Universal Control Plane generates all of the audit record information +indicated by this control. A sample audit event has been provided +below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +interpolate the information defined by this control from the logged +audit records. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +interpolate the information defined by this control from the logged +audit records. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +alert individuals in the event of log processing failures. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider system specific + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +warn the organization when the allocated log storage is full. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +warn the organization when audit log failures occur. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The organization can subsequently centrally review and +analyze all of the Docker EE audit records. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +facilitate the audit reduction and report generation requirements of +this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'The underlying operating system chosen to support Universal Control +Plane should be certified to ensure that logs are not altered during +generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared + complete +
                                    + + AUTOMATIC PROCESSING +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +parse information by organization-defined audit fields. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS +

                                    'Universal Control Plane uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock compares itself with +an authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock synchronizes itself to +an authoritative time source as defined by part (a) of this control +any time the time difference exceeds that of the organization-defined +time period. This can be accomplished by utilizing the Network Time +Protocol (NTP). Refer to the operating system's instructions for doing +so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION +

                                    'By default, Universal Control Plane is configured to use the +underlying logging capabilities of Docker Enterprise Edition. As such, +on the underlying Linux operating system, only root and sudo users and +users that have been added to the 'docker' group have the ability to +access the logs generated by UCP backend service containers. In +addition, only UCP Administrator users can change the logging endpoint +of the system should it be decided that logs be sent to a remote +logging stack. In this case, the organization is responsible for +configuring the remote logging stack per the provisions of this +control.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +back up audit records per the schedule defined by this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +meet the encryption mechanisms required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + AUDIT RECORD RETENTION +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Universal Control +Plane can be configured to send logs to a remote logging stack. This +logging stack can subsequently be configured retain logs for the +duration required by this control. Additional information can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION +

                                    'All of the event types indicated by AU-2 a. are logged by the backend +ucp-controller service within Universal Control Plane. In addition, +each container created on a Universal Control Plane cluster logs event +data. The underlying Linux operating system supporting UCP can be +configured to audit Docker-specific events with the auditd daemon. +Refer to the specific Linux distribution in use for instructions on +configuring this service. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'Using auditd on the Linux operating system supporting UCP, the +organization can configure audit rules to select which Docker-specific +events are to be audited. Refer to the specific Linux distribution in +use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. This logging stack can subsequently be used to compile +audit records in to a system-wide audit trail that is time-correlated +per the requirements of this control. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. This logging stack can subsequently be used to meet the +requirements of this control. Additional information can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + +

                                    'Role-based access control can be configured within Universal Control +Plane to meet the requirements of this control. Additional information +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Docker Content Trust is a capability provided by Docker Enterprise +Edition that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. All Universal Control +Plane Docker images are officially signed and verified by Docker, Inc. + +When configuring Universal Control Plane, you should enforce +applications to only use Docker images signed by trusted UCP users +within your organization. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provide hybrid + shared + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +incorporate the use of an external configuration management system to +meet the requirements of this control. Universal Control Plane''s +configuration can also be managed, backed up and stored in another +location per the requirements of this control. Additional documentation +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/ucp-configuration-file/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/' +

                                    + service provider hybrid + complete +
                                    + + PERIODIC REVIEW +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane includes a robust access control model to +disable any functionality as mandated by this control.' +

                                    + service provider corporate + Docker EE system + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION +

                                    'In order to restrict which Docker images can be used to deploy +applications to Universal Control Plane, the organization can define a +list of allowed base Docker images and make them available via Docker +Trusted Registry. The organization can also prevent users from being +able to pull Docker images from untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements and in order to restrict +which Docker images can be used to deploy applications to Universal +Control Plane, the organization must define a list of allowed base +Docker images and make them available via Docker Trusted Registry. The +organization must also prevent users from being able to pull Docker +images from untrusted sources.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +configure its systems to ensure that only approved Docker images +stored in Docker Trusted Registry can be run on Universal Control +Plane. This can be accomplished by using Docker Content Trust to sign +Docker images, and configure UCP to enforce only signed images from +specific Teams at runtime. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provider hybrid + shared + complete +
                                    + + TRANSACTION RECOVERY +

                                    'Universal Control Plane maintains its cluster state via an internal +key-value store. This, and other UCP transactions can be backed up and +recovered. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#UCP_Backup' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Universal Control +Plane requires individual users to be authenticated in order to gain +access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION +

                                    'In order for nodes to join a Universal Control Plane cluster, they +must be identified and authenticated via either a manager or worker +token. Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/scale-your-cluster/' +

                                    + Docker EE system + complete +
                                    + + PKI-BASED AUTHENTICATION +

                                    'Universal Control Plane contains two, built-in root certificate +authorities. One CA is used for signing client bundles generated by +users. The other CA is used for TLS communication between UCP cluster +nodes. Should you choose to use certificates signed by an external CA, +in order to successfully authenticate in to the system, those +certificates must include a root CA public certificate, a service +certificate and any intermediate CA public certificates (in addition +to SANs for all addresses used to reach the UCP controller), and a +private key for the server.' +

                                    +

                                    'Access to a Universal Control Plane cluster is only granted when a +user has a valid certificate bundle. This is enforced with the +public/private key pair included with the user's certificate bundle.' +

                                    +

                                    'Only after a client bundle has been generated or an existing public +key has been added for a particular user is that user able to execute +commands against the Universal Control Plane cluster. This bundle maps +the authenticated identity to that of the user.' +

                                    +

                                    'When a client bundle has been generated or an existing public key has +been added for a particular Universal Control Plane user, it is +attached to that user''s profile. Bundles/keys can be revoked by an +Administrator or the user themselves. The cluster''s internal +certificates can also be revoked and updated. Additional information +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/' +

                                    + Docker EE system + complete +
                                    + + AUTHENTICATOR FEEDBACK +

                                    'Universal Control Plane obscures all feedback of authentication +information during the authentication process. This includes both +authentication via the web UI and the CLI.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION +

                                    'All access to Universal Control Plane is protected with Transport +Layer Security (TLS) 1.2 with the AES GCM cipher. This includes both +SSH access to the individual UCP nodes and CLI-/web-based access to +the UCP management functions with mutual TLS and HTTPS respectively.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) +

                                    'Users managed by Universal Control Plane can be grouped per the +requirements of the organization and as defined by this control. This +can include groupings for non-organizational users.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, Docker Content Trust gives +you the ability to verify both the integrity and the publisher of all +the data received from a Docker Trusted Registry over any channel. It +allows operations with a remote DTR instance to enforce client-side +signing and verification of image tags. It provides for the ability to +use digital signatures for data sent to and receive from remote DTR +instances. These signatures allow client-side verification of the +integrity and publisher of specific image tags. Universal Control +Plane can be configured to only run trusted and signed images. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provider hybrid + complete +
                                    + + APPLICATION PARTITIONING +

                                    'Universal Control Plane is made up of a number of backend services +that provide for both user functionality (including user interface +services) and system management functionality. Each of these services +operates independently of one another. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Universal_Control_Plane' +

                                    + Docker EE system + complete +
                                    + + SESSION AUTHENTICITY +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the UCP +user interface and for command-line based connections to the cluster. +In addition to this, all communication to UCP is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the UCP +user interface and for command-line based connections to the cluster. +In addition to this, all communication to UCP is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING +

                                    'All error messages generated via the configured logging mechanism of +Universal Control Plane are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + + UCP Documentation +

                                    + https://docs.docker.com/datacenter/ucp/2.2/guides/ + + + + Authentication and Authorization Service (eNZi) +

                                    +

                                    + + ACCESS CONTROL POLICY AND PROCEDURES +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams are allowed to create +and manipulate Docker Enterprise Edition resources. By default, no one +can make changes to the cluster. Permissions can be granted and +managed to enforce fine-grained access control. Supporting +documentation can found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/' +

                                    + service provider hybrid + complete +
                                    + + ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, an external identity management system (such as Microsoft''s +Active Directory or an LDAP endpoint) can be configured as mandated by +this control and can be integrated with Docker Enterprise Edition. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT +

                                    'To assist the organization in meeting the requirements of this +control, an external identity management system (such as Microsoft''s +Active Directory or an LDAP endpoint) can be configured as mandated by +this control and can be integrated with Docker Enterprise Edition. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS +

                                    'Using Docker Enterprise Edition''s LDAP integration capabilities, one +can disable and/or remove temporary and emergency accounts in a +connected directory service (such as Active Directory) after an +organization-defined time period. When a user is removed from LDAP, +that user becomes inactive after the LDAP synchronization runs. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + DISABLE INACTIVE ACCOUNTS +

                                    'Using Docker Enterprise Edition''s LDAP integration capabilities, one +can automatically disable inactive accounts in a connected directory +service (such as Active Directory). When a user is removed from LDAP, +that user becomes inactive after the LDAP synchronization runs. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED AUDIT ACTIONS +

                                    'Docker Enterprise Edition logs various authentication and +authorization events to standard log files. One can configure Docker +Enterprise Edition to direct these event logs to a remote logging +service such as an Elasticsearch, Logstash and Kibana (ELK) stack and +subsequently alert on specific event types. When integrating Docker +Enterprise Edition with LDAP, one can refer the the directory +service''s logging mechanisms for auditing the events defined by this +control. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition can be configured to enforce automated +session termination of users after an organization-defined time period +of inactivity. By default, the initial lifetime of a user''s session +is set to 72 hours and the renewal session for a user''s session is +set to 24 hours. These values can both be changed in the "Auth" +section of the "Admin Settings" in Universal Control Plane.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition supports various levels of user +permissions and role-based access control enforcements. Administrator +users have permissions to: manage other Docker Enterprise Edition +users, manage Docker Trusted Registry repositories and settings, and +manage the Universal Control Plane and underlying Docker Swarm Mode +cluster. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, users and/or groups synchronized to Docker Enterprise Edition +via LDAP can be configured at the directory service.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Users and/or groups synchronized to Docker Enterprise Edition via +LDAP can be configured at the directory service to ensure shared/group +account credentials are terminated when members leave the group.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Information system accounts synchronized to Docker Enterprise Edition +via LDAP can be configured at the directory service to meet this +requirement as necessary.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, when Docker Enterprise Edition is configured for LDAP +integration, one can refer to the directory service''s existing +monitoring tools.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'To assist the organization in meeting the requirements of this +control, users and/or groups synchronized to Docker Enterprise Edition +via LDAP can be managed at the directory service and disabled if +posing a significant risk.' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT +

                                    'One can control which users and teams can create and manipulate +Docker Enterprise Edition resources. By default, no one can make +changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. The eNZi component facilitates +authorizations as dictated by the system''s administrators. Supporting +documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/' +

                                    + Docker EE system + complete +
                                    + + AUDITING USE OF PRIVILEGED FUNCTIONS +

                                    'Docker Enterprise Edition logs privileged user events to standard log +files. One can configure Docker Enterprise Edition to direct these +event logs to a remote logging service such as an Elasticsearch, +Logstash and Kibana (ELK) stack and subsequently alert on specific +event types. When integrating Docker Enterprise Edition with LDAP, one +can refer the the directory service''s logging mechanisms for auditing +the events defined by this control. Supporting documentation regarding +logging and monitoring can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + complete +
                                    + + UNSUCCESSFUL LOGON ATTEMPTS +

                                    'When Docker Enterprise Edition is integrated to a directory service +via LDAP, one can reference the functionality of the directory service +to configure the enforcement of a limit to the number of conesecutive +invalid logon attempts by a user during a specified time period.' +

                                    +

                                    'When Docker Enterprise Edition is integrated to a directory service +via LDAP, one can reference the functionality of the directory service +to configure he ability to automatically lock/disable an account for a +specified period of time after a consecutive invalid logon attempt +limit is reached.' +

                                    + service provider hybrid + complete +
                                    + + SYSTEM USE NOTIFICATION +

                                    'The feature required to satisfy the requirements of this control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    +

                                    'The feature required to satisfy the requirements of this control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    +

                                    'The feature required to satisfy control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    + Docker EE system + planned +
                                    + + +

                                    'Docker Enterprise Edition can be configured to limit the number of +concurrent sessions for each account. These options can be found +within the Universal Control Plane Admin Settings under the +"Authentication & Authorization" section. ' +

                                    + Docker EE system + complete +
                                    + + SESSION LOCK +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours).' +

                                    + Docker EE system + complete +
                                    + + PATTERN-HIDING DISPLAYS +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours). Upon the expiration of the configured session thresholds, a +user will be locked out of his/her session per the requirements of +this controls.' +

                                    + Docker EE system + complete +
                                    + + SESSION TERMINATION +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours). Upon the expiration of the configured session thresholds, a +user will be locked out of his/her session.' +

                                    + Docker EE system + complete +
                                    + + AUTOMATED MONITORING / CONTROL +

                                    'Docker Enterprise Edition logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + CONTENT OF AUDIT RECORDS +

                                    'Docker Enterprise Edition generates all of the audit record +information indicated by this control. A sample audit event has been +provided below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) +

                                    'Docker Enterprise Edition can be configured to identify and +authenticate users via it''s integrated support for LDAP. Users and +groups managed within the organization''s LDAP directory service (e.g. +Active Directory) can be synchronized to UCP and DTR on a regular +interval. When a user is removed from the LDAP-backed directory, that +user becomes inactive within UCP and DTR. In addition, UCP and DTR +teams can be mapped to groups synchronized via LDAP. When a user is +added/removed to/from the LDAP group, that same user is automatically +added/removed to/from the UCP and DTR team. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + Docker EE system + shared + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Docker Enterprise +Edition requires individual users to be authenticated in order to gain +access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT +

                                    'Docker Enterprise Edition integrates with LDAP for authenticating +users to an external directory service. You should configure your +external directory service for ensuring that you are protected against +replay attacks.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'Docker Enterprise Edition integrates with LDAP for authenticating +users to an external directory service. You should configure your +external directory service for ensuring that you are protected against +replay attacks.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFIER MANAGEMENT +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to uniquely identify each individual according to +the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + AUTHENTICATOR MANAGEMENT +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to establish initial authenticator content according +to the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to enforce strength requirements for authenticators +according to the requirements of this control. Refer to your directory +service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to distribute, redistribute, and revoke +authenticators according to the requirements of this control. Refer to +your directory service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to change default authenticator content according to +the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to set minimum and maximum lifetime restrictions and +reuse conditions for authenticators according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to refresh authenticators at a regular cadence +according to the requirements of this control. Refer to your directory +service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to protect authenticator content from unauthorized +disclosure or modification according to the requirements of this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to implement specific security safeguards to protect +authentications according to the requirements of this control. Refer +to your directory service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to change authenticators for group or role accounts +when membership to those groups or roles changes according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + PASSWORD-BASED AUTHENTICATION +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce minimum password +complexity requirements. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the requirement to +change at least one character when changing passwords according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to store and transmit +cryptographically protected passwords according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the required minimum and +maximum lifetime restrictions according to the requirements of this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the required number of +generations before password reuse according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the requirement to +change initial/temporary passwords upon first login according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + PKI-BASED AUTHENTICATION +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system validates the certificates per the +requirements of this control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system enforces authorized access to the +corresponding private key per the requirements of this control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system maps the authenticated identity to the +account of the individual or group per the requirements of this +control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, it is up to the underlying operating system +hosting Docker Enterprise Edition to ensure that it implements a local +cache of revocation data per the requirements of this control.' +

                                    + Docker EE system + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP can be +configured with automation to ensure that password authenticators meet +strength requirements as defined by this control. Refer to your +directory service's documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to protect authenticators as required by this +control. Refer to your directory service's documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + ACCEPTANCE OF THIRD-PARTY CREDENTIALS +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to meet the FICAM requirements as +indicated by this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + USE OF FICAM-APPROVED PRODUCTS +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to meet the FICAM requirements as indicated by this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + USE OF FICAM-ISSUED PROFILES +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to meet the FICAM requirements as indicated by this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + +

                                    'Docker Enterprise Edition invalidates session identifiers upon user +logout per the requirements of this control.' +

                                    + Docker EE system + complete +
                                    + + + UCP Documentation +

                                    + https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management + + + + + + + + RA-5(2) + "FedRAMP requirement: prior to a new scan" + + + + RA-5(5)-1 + "FedRAMP requirement: operating systems, databases, web applications" + + + + RA-5(5)-2 + "FedRAMP requirement: all scans" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-5(a) + "customer-defined duties of individuals" + + + + AC-14(a) + "customer-defined user actions" + + + + AC-17(3) + "customer-defined" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + AC-21(a) + "customer-defined information sharing circumstances" + + + + AC-21(b) + "customer-defined automated mechanisms or manual processes" + + + + AU-2(a) + "FedRAMP requirement: successful and unsuccessful account logon +events, account management events, object access, policy change, +privileged functions, process tracking, and system events. For Web +applications: all administrator activity, authentication checks, +authorization checks, data deletions, data access, data changes, and +permission changes" + + + + AU-2(d) + "FedRAMP requirement: organization-defined subset of the auditable +events defined in AU-2-a. 
to be audited continually for each +identified event" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(1)-1 + "all network, data storage, and computing devices" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-3 + "changes to the 
thread environment, organization-defined threat +situations" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + CM-5(3) + "customer-defined software" + + + + CM-6(1) + "customer-defined information system components" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + CM-11(a) + "customer-defined policies" + + + + CM-11(b) + "customer-defined methods" + + + + CM-11(c) + "FedRAMP requirement: continuously (via CM-7(5))" + + + + CM-11(1) + "organization-defined personnel or roles" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-2 + "CSP servers" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-14(a) + "customer-defined user actions" + + + + AC-17(3) + "customer-defined" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-5(a) + "customer-defined personnel or roles" + + + 
+ AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-10 + "actions including the addition, modification, deletion, approval, +sending, or receiving of data" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(1)-1 + "all network, data storage, and computing devices" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + CM-1(a) + "customer-defined personnel or roles" + + + + CM-1(b)(1) + "FedRAMP requirement: at least every 3 years" + + + + CM-1(b)(2) + "FedRAMP requirement: at least annually or whenever a significant +change occurs" + + + + CM-2(1)(a) + "FedRAMP 
requirement: at least annually or when a significant change +occurs" + + + + CM-2(1)(b) + "FedRAMP requirement: to include when directed by the JAB" + + + + CM-2(3) + "the previously approved baseline configuration of IS components" + + + + CM-3(e) + "customer-defined time period" + + + + CM-3(g)-1 + "FedRAMP requirement: CAB" + + + + CM-3(g)-2 + "customer-defined" + + + + CM-3(g)-3 + "customer-defined" + + + + CM-3(g)-4 + "customer-defined" + + + + CM-3(1)(b) + "customer-defined authorized approvers" + + + + CM-3(1)(c) + "organization-defined time period" + + + + CM-3(1)(f) + "organization-defined configuration management approval authorities" + + + + CM-3(6) + "all security safeguards that rely on cryptography" + + + + CM-5(2)-1 + "every 30 days" + + + + CM-5(2)-2 + "organization-defined circumstance" + + + + CM-5(3) + "customer-defined software" + + + + CM-6(1) + "customer-defined information system components" + + + + CM-7(b) + "FedRAMP assignment: the service provider shall use the Center for +Internet Security Guidelines (Level 1) to establish list of prohibited +or restricted functions, ports, protocols, and/or services or +establishes its own list of prohibited or restricted functions, ports, +protocols, and/or services if USGCB is not available" + + + + CM-7(2) + "customer-defined policies regarding software program usage or +restrictions" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + SC-7(20 + "organization-defined information system components" + + + + SC-12(2) + "FedRAMP requirement: NIST FIPTS compliance" + + + + SC-13 + "FedRAMP requirement: FIPS-validated or NSA-approved cryptography" + + + + SC-28-1 + "confidentiality and integrity" + + + + SC-28-2 + "customer data" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-2 + "CSP servers" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + SI-16 + "Windows protections, including No Execute, Address Space Layout 
+Randomization, and Data Execution Prevention" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-5(a) + "customer-defined duties of individuals" + + + + AC-6(1) + "FedRAMP assignment: all functions not publiclly accessible and all +security-relevant information not publicly available" + + + + AC-6(2) + "FedRAMP requirement: all security functions" + + + + AC-6(3)-1 + "privileged commands used to change/configure network devices" + + + + AC-6(3)-2 + "customer-defined operational needs" + + + + AC-6(5) + "customer-defined personnel or roles" + + + + AC-6(7)(a)-1 + "at least annually" + + + + AC-6(7)(a)-2 + "all users" + + + + AC-6(8) + "FedRAMP assignment: any software except software explicitly +documented" + + + + AC-12(1)(a) + "customer-defined information resources" + + + + AC-14(a) + "customer-defined user actions" + + + + AC-17(3) + "customer-defined" + + + + AC-17(4)(a) + "customer-defined needs" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + AC-21(a) + "customer-defined information sharing circumstances" + + + + AC-21(b) + "customer-defined automated mechanisms or manual processes" + + + + AU-2(a) + "FedRAMP requirement: successful and unsuccessful account logon +events, account management events, object access, policy change, +privileged functions, process tracking, and system events. 
For Web +applications: all administrator activity, authentication checks, +authorization checks, data deletions, data access, data changes, and +permission changes" + + + + AU-2(d) + "FedRAMP requirement: organization-defined subset of the auditable +events defined in AU-2-a. to be audited continually for each +identified event" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(1)-1 + "all network, data storage, and computing 
devices" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + CM-5(3) + "customer-defined software" + + + + CM-6(1) + "customer-defined information system components" + + + + CM-7(1)(b) + "customer-defined functions, ports, protocols, and services within the +information system deemed to be unnecessary and/or nonsecure" + + + + CM-7(2) + "customer-defined policies regarding software program usage or +restrictions" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-2 + "CSP servers" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + AC-2(2)-1 + Selection (removes or disables) + + + AC-2(2)-2 + "FedRAMP requirement: no more than 30 days for temporary and emergency +account types" + + + + AC-2(3) + "FedRAMP requirement: thirty-five (35) days for user accounts" + + + + AC-2(4) + "organization and/or service provider system owner" + + + + AC-2(5) + "inactivity is anticipated to exceed fifteen (15) minutes" + + + + AC-2(7)(c) + "FedRAMP assignment: disables/revokes access within an +organization-specified timeframe" + + + + AC-2(9) + "FedRAMP assignment: organization-defined need with justificatino +statement that explains why such accounts are necessary" + + + + AC-2(11)-1 + "customer-defined circumstances or usage conditions" + + + + AC-2(11)-2 + "customer-defined accounts" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-2(13) + "one hour" + + + + AC-7(a)-1 + "FedRAMP 
requirement: not more than three" + + + + AC-7(a)-2 + "FedRAMP requirement: fifteen minutes" + + + + AC-7(b)-1 + "FedRAMP requirement: locks the account/node for three hours" + + + + AC-7(b)-2 + "customer-defined additional actions" + + + + AC-8(a) + "customer-defined system use notification banner" + + + + AC-8(c)(1) + "customer-defined conditions" + + + + AC-10 + "customer-defined account and/or account type; FedRAMP requirement: +three sessions for privileged access and two sessions for +non-privileged access" + + + + AC-11(a) + "FedRAMP requirement: fifteen minutes" + + + + AC-12 + "customer-defined conditions or trigger events" + + + + IA-4(a) + "customer-defined personnel or roles" + + + + IA-4(d) + "FedRAMP requirement: at least two years" + + + + IA-4(e) + "FedRAMP requirement: thirty-five (35) days" + + + + IA-4(4) + "FedRAMP requirement: contractors, foreign nationals" + + + + IA-5(g) + "FedRAMP requirement: 60 days for passwords" + + + + IA-5(1)(a) + "FedRAMP requirement: case-sensitive, minimum of fourteen (14) +characters, and at least one (1) each of upper-case letters, +lower-case letters, numbers, and special characters" + + + + IA-5(1)(b) + "FedRAMP requirement: at least fifty percent (50%)" + + + + IA-5(1)(d) + "FedRAMP requirement: one day minimum, sixty day maximum" + + + + IA-5(1)(e) + "FedRAMP requirement: twenty four" + + + + IA-5(4) + "complexity as identified in IA-05 (1) Control Enhancement Part A" + + + + IA-8(3) + "N/A" + + + + diff --git a/working/JSON-mapping/docker-ee-opencontrol-oscal.json b/working/JSON-mapping/docker-ee-opencontrol-oscal.json new file mode 100644 index 0000000000..5b26b158d5 --- /dev/null +++ b/working/JSON-mapping/docker-ee-opencontrol-oscal.json 
@@ -0,0 +1,10267 @@ +{ + "name": "Moderate SSP for Docker Enterprise Edition Deployment ATO", + "description": "Moderate SSP for Docker Enterprise Edition Deployment ATO", + "maintainers": [ + "securitylead@agency.gov" + ], + "profiles": null, + "components": [ + { + "name": "Access Control Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "AC-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-2 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + 
"references": null + }, + { + "controlId": "AC-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-2 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-2 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-2 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-2 (10)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + 
"controlId": "AC-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-6 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-6 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-6 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-6 (10)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control 
implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-10", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-11", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-11 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-12", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-14", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-17", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-17 (4)", + "subcontrolId": "", + "narratives": [ 
+ { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-18 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-18", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-19 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-19", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-20", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-20 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-20 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AC-21", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + 
"none" + ], + "references": null + }, + { + "controlId": "AC-22", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Security Awareness Training Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "AT-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AT-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AT-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AT-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AT-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Audit and Accountability Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "AU-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { 
+ "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-3 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": null, + "references": null + }, + { + "controlId": "AU-6 (3)", + 
"subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": null, + "references": null + }, + { + "controlId": "AU-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-9", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-9 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-9 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-11", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": 
null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "AU-12", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Security Assessment and Authorization Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "CA-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-2 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": 
"CA-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-3 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-3 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + 
"references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CA-9", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Configuration Management Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "CM-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + 
"references": null + }, + { + "controlId": "CM-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CM-2 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CM-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CM-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CM-2 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CM-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation 
here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CM-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CM-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Contingency Planning Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "CP-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's 
control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-2 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-2 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-4 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + 
"references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-6 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-7 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-7 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": 
"[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-9", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-9 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-9 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-10", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "CP-10 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Docker Security Scanning (DSS)", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "RA-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the orgnization in meeting the requirements of this\ncontrol, the Docker Security Scanning (DSS) 
component of Docker\nTrusted Registry (DTR) that is included with the Docker Enterprise\nEdition Advanced tier can be used to scan Docker images for\nvulnerabilities against known vulnerability databases. Scans can be\ntriggered either manually or when Docker images are pushed to DTR.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "RA-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the orgnization in meeting the requirements of this\ncontrol, the Docker Security Scanning component of Docker Trusted\nRegistry (DTR) that is included with the Docker Enterprise Edition\nAdvanced tier compiles a bill of materials (BOM) for each Docker image\nthat it scans. DSS is also synchronized to an aggregate listing of\nknown vulnerabilities that is compiled from both the MITRE and NVD CVE\ndatabases. Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Image_Scanning'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "RA-5 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the orgnization in meeting the requirements of this\ncontrol, the Docker Security Scanning component of Docker Trusted\nRegistry (DTR) that is included with the Docker Enterprise Edition\nAdvanced tier identifies vulnerabilities in a Docker image and marks\nthem against predefined criticality levels; critical major and minor.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "RA-5 (5)", + 
"subcontrolId": "", + "narratives": [ + { + "value": "'Only the appropriate users that the organization has provided Docker\nTrusted Registry access to are able to view and interpret\nvulnerability scan results.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "RA-5 (6)", + "subcontrolId": "", + "narratives": [ + { + "value": "'For each Docker image pushed to Docker Trusted Registry at a given\ntime, Docker Security Scaninng retains a list of vulnerabilities\ndetected. The DTR API can be queried to retrieve the vulnerability\nscan results over a period of time for a given Docker image such that\nthe results can be compared per the requirements of this control.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "RA-5 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Security Scanning maintains a historical bill-of-materials\n(BOM) for all Docker images that are scanned. 
Results of previous\nvulnerability scans can be reviewed and audited per the requirements\nof this control.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + } + ], + "references": [ + { + "id": "", + "name": "DSS Documentation", + "description": "", + "url": "https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/" + } + ] + }, + { + "name": "Docker Trusted Registry (DTR)", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "AC-2 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, supporting documentation for managing users and teams can\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-users/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-teams/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, supporting documentation can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (12)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, supporting documentation can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/\n- 
https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'One can control which users and teams can create and manipulate\nDocker Trusted Registry resources. By default, no one can make changes\nto the cluster. Permissions can be granted and managed to enforce\nfine-grained access control. Supporting documentation can be found at\nthe following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4", + "subcontrolId": "", + "narratives": [ + { + "value": "'Supporting documentation to configure Docker Trusted Registry to meet\nthe requirements of this control can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Supporting documentation to configure Docker Trusted Registry to meet\nthe requirements of this control can be found at the 
following\nresources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations'\n", + "references": null + } + ], + "origins": [ + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4 (21)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Supporting documentation to configure Docker Trusted Registry to meet\nthe requirements of this control can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-5", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can control which users and teams can create and\nmanipulate Docker Trusted Registry resources. By default, no one can\nmake changes to the cluster. Permissions can be granted and managed to\nenforce fine-grained access control. 
Supporting documentation can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (10)", + "subcontrolId": "", + "narratives": [ + { + "value": "'One can control which users and teams can create and manipulate\nDocker Trusted Registry resources and prevent non-privileged users\nfrom executing privileged functions per the requirements of this\ncontrol. By default, no one can make changes to the cluster.\nPermissions can be granted and managed to enforce fine-grained access\ncontrol. Supporting documentation for the configuration of this\nfunctionality can be found at the following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-14", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, a\nreview of actions allowed by unauthenticated users can be performed\nwithin Docker Trusted Registry.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control,\nDocker Trusted Registry can be configured to allow/prohibit remote\naccess.'\n", + 
"references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry logs and controls all local and remote\naccess events. In addition, auditing can be configured on the\nunderlying operating system to meet this control.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Docker Trusted Registry are protected\nwith Transport Layer Security (TLS) 1.2. This is included at both the\nHTTPS application layer for access to the DTR user interface and for\ncommand-line based connections to the registry. In addition to this,\nall communication to DTR is enforced by way of two-way mutual TLS\nauthentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'A combination of managed load balancers, firewalls and access control\nlists, and virtual networking resources can be used to ensure traffic\ndestined for Docker Trusted Registry replicas is routed through\nmanaged network access control points.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Built-in firewall technology in Docker Trusted Registry's underlying\noperating system can be used to force the disconnection of remote\nconnections to the host. 
In addition, UCP slave nodes running Docker\nTrusted Registry replicas can be paused or drained, which subsequently\nstops sessions to the DTR replica.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "configured by customer" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-20", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, one\ncan control which external systems can access Docker Trusted Registry.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-20 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, one\ncan control which external systems can access Docker Trusted Registry.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-21", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, one\ncan validate the assigned roles and access levels within Docker\nTrusted Registry to control information sharing.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-2", + "subcontrolId": "", + "narratives": [ + { + "value": "'All of the event types indicated by this control are logged by a\ncombination of the backend ucp-controller service within Universal\nControl Plane and the backend services that make up Docker Trusted\nRegistry. 
Additional documentation can be found at the following\nresource:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/#dtr-internal-components\n- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/#ucp-internal-components'\n", + "references": null + } + ], + "origins": [ + "service provider corporate", + "Docker EE system", + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry generates all of the audit record information\nindicated by this control. A sample audit event has been provided\nbelow:\n\n{\"level\":\"info\",\"license_key\":\"123456789123456789123456789\",\"msg\":\"eNZi:Password\nbased auth\nsuceeded\",\"remote_addr\":\"192.168.33.1:55905\",\"time\":\"2016-11-09T22:41:01Z\",\"type\":\"auth\nok\",\"username\":\"dockeruser\"}'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack, which in turn, sends the Docker Trusted Registry\nbackend container audit records to the remote logging stack. The\nlogging stack can subsequently be used to interpolate the information\ndefined by this control from the logged audit records. 
Additional\ninformation can be found at the following resource:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack, which in turn, sends the Docker Trusted Registry\nbackend container audit records to the remote logging stack. The\nlogging stack can subsequently be used to interpolate the information\ndefined by this control from the logged audit records. Additional\ninformation can be found at the following resource:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack, which in turn, sends the Docker Trusted Registry\nbackend container audit records to the remote logging stack. The\nlogging stack can subsequently be configured to alert individuals in\nthe event of log processing failures. 
Additional information can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack, which in turn, sends the Docker Trusted Registry\nbackend container audit records to the remote logging stack. The\nlogging stack can subsequently be configured to warn the organization\nwhen the allocated log storage is full. Additional information can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack, which in turn, sends the Docker Trusted Registry\nbackend container audit records to the remote logging stack. The\nlogging stack can subsequently be configured to warn the organization\nwhen audit log failures occur. 
Additional information can be found at\nthe following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-6 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack, which in turn, sends the Docker Trusted Registry\nbackend container audit records to the remote logging stack. The\norganization can subsequently centrally review and analyze all of the\nDocker EE audit records. Additional information can be found at the\nfollowing resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-7", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack, which in turn, sends the Docker Trusted Registry\nbackend container audit records to the remote logging stack. 
The\nlogging stack can subsequently be used to facilitate the audit\nreduction and report generation requirements of this control.\nAdditional information can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + }, + { + "value": "'The underlying operating system chosen to support Docker Trusted\nRegistry should be certified to ensure that logs are not altered\nduring generation and transmission to a remote logging stack.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": null, + "references": null + }, + { + "controlId": "AU-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack, which in turn, sends the Docker Trusted Registry\nbackend container audit records to the remote logging stack. The\nlogging stack can subsequently be configured to parse information by\norganization-defined audit fields. Additional information can be found\nat the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-8", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry uses the system clock of the underlying\noperating system on which it runs. This behavior cannot be modified.'\n", + "references": null + }, + { + "value": "'The underlying operating system on which Docker Trusted Registry runs\nshould be configured such that its system clock uses Coordinated\nUniversal Time (UTC) as indicated by this control. 
Refer to the\noperating system's instructions for doing so.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The underlying operating system on which Docker Trusted Registry runs\nshould be configured such that its system clock compares itself with\nan authoritative time source as indicated by this control. This can be\naccomplished by utilizing the Network Time Protocol (NTP). Refer to\nthe operating system's instructions for doing so.'\n", + "references": null + }, + { + "value": "'The underlying operating system on which Docker Trusted Registry runs\nshould be configured such that its system clock synchronizes itself to\nan authoritative time source as defined by part (a) of this control\nany time the time difference exceeds that of the organization-defined\ntime period. This can be accomplished by utilizing the Network Time\nProtocol (NTP). Refer to the operating system's instructions for doing\nso.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9", + "subcontrolId": "", + "narratives": [ + { + "value": "'By default, Docker Trusted Registry is configured to use the\nunderlying logging capabilities of Docker Enterprise Edition. As such,\non the underlying Linux operating system, only root and sudo users and\nusers that have been added to the ''docker'' group have the ability to\naccess the logs generated by UCP backend service containers. In\naddition, only UCP Administrator users can change the logging endpoint\nof the system should it be decided that logs be sent to a remote\nlogging stack. 
In this case, the organization is responsible for\nconfiguring the remote logging stack per the provisions of this\ncontrol.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry resides as an Application on a Universal\nControl Plane cluster, and can be configured to send logs to a remote\nlogging stack. The logging stack can subsequently be configured to\nback up audit records per the schedule defined by this control.\nAdditional information can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry resides as an Application on a Universal\nControl Plane cluster, and can be configured to send logs to a remote\nlogging stack. The logging stack can subsequently be configured to\nmeet the encryption mechanisms required by this control. Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-11", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization will be responsible for meeting the requirements of\nthis control. To assist with these requirements, Docker Trusted\nRegistry resides as an Application on a Universal Control Plane\ncluster, and as such, can be configured to send logs to a remote\nlogging stack. 
This logging stack can subsequently be configured to\nretain logs for the duration required by this control. Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider corporate", + "Docker EE system", + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12", + "subcontrolId": "", + "narratives": [ + { + "value": "'All of the event types indicated by AU-2 a. are logged by a\ncombination of the backend services within Universal Control Plane and\nDocker Trusted Registry. The underlying Linux operating system\nsupporting DTR can be configured to audit Docker-specific events with\nthe auditd daemon. Refer to the specific Linux distribution in use for\ninstructions on configuring this service. Additional information can\nbe found at the following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/'\n", + "references": null + }, + { + "value": "'Using auditd on the Linux operating system supporting DTR, the\norganization can configure audit rules to select which Docker-specific\nevents are to be audited. Refer to the specific Linux distribution in\nuse for instructions on configuring this service.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry resides as an Application on a Universal\nControl Plane cluster, and as such, can be configured to send logs to\na remote logging stack. This logging stack can subsequently be used to\ncompile audit records in to a system-wide audit trail that is\ntime-correlated per the requirements of this control. 
Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry resides as an Application on a Universal\nControl Plane cluster, and as such, can be configured to send logs to\na remote logging stack. This logging stack can subsequently be used to\nmeet the requirements of this control. Additional information can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Role-based access control can be configured within Docker Trusted\nRegistry to meet the requirements of this control. Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-5 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Content Trust is a capability provided by Docker Enterprise\nEdition that enforces client-side signing and verification of Docker\nimage tags. 
It provides the ability to use digital signatures for data\nsent to and received from Docker Trusted Registry and the public\nDocker Store. These signatures allow client-side verification of the\nintegrity and publisher of specific image tags. All Docker Trusted\nRegistry Docker images are officially signed and verified by Docker,\nInc.\n\nWhen installing Docker Trusted Registry, you should enable Docker\nContent Trust and subsequently pull the the signed DTR image tag.\nAdditional information can be found at teh following resources:\n\n- https://docs.docker.com/engine/security/trust/content_trust/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/user/manage-images/sign-images/manage-trusted-repositories/'\n", + "references": null + } + ], + "origins": [ + "service provide hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements, the organization can\nincorporate the use of an external configuration management system to\nmeet the requirements of this control. Docker Trusted Registry''s\nconfiguration can also be backed up and stored an appropriate location\nper the requirements of this control. Additional documenation can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-7 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization can define a list of allowed base Docker images and\nmake them available via Docker Trusted Registry. 
The organization can\nalso prevent users from being able to pull Docker images from\nuntrusted sources.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-7 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements, the organization can\ndefine a list of allowed base Docker images and make them available\nvia Docker Trusted Registry. The organization can also prevent users\nfrom being able to pull Docker images from untrusted sources.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements, the organization can\nconfigure its systems to ensure that only approved Docker images are\nstored in Docker Trusted Registry. This can be accomplished by using\nDocker Content Trust to sign Docker images which can subsequently be\nstored in Docker Trusted Registry.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-11", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements, the organization can\ndefine a list of allowed base Docker images and make them available\nvia Docker Trusted Registry. 
The organization can also prevent users\nfrom being able to pull Docker images from untrusted sources.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-11 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization can define a list of allowed base Docker images and\nmake them available via Docker Trusted Registry to meet the\nrequirements of this contorl. The organization can also prevent users\nfrom being able to pull Docker images from untrusted sources.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CP-10 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry maintains its cluster state via an internal\nkey-value store. This, and other DTR transactions can be backed up and\nrecovered. Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#DTR_Backup'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-2 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, Docker Trusted\nRegistry requires individual users to be authenticated in order to\ngain access to the system. 
Any permissions granted to the team(s) that\nwhich the user is a member are subsequently applied.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry replicas reside on Universal Control Plane\nworker nodes. In order for UCP worker nodes to join a Universal\nControl Plane cluster, they must be identified and authenticated via a\nworker token. Additional Docker Trusted Registry replicas can only be\nadded after a UCP administrator user has authenticated in to the UCP\ncluster and when mutual TLS authentication between the UCP worker and\nmanager nodes has been established. Additional information can be found at the following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/#step-7-join-replicas-to-the-cluster'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry includes a Docker volume which holds the root\nkey material for the DTR root CA that issues certificats. In addition\nUniversal Control Plane contains two, built-in root certificate\nauthorities. One CA is used for signing client bundles generated by\nusers. The other CA is used for TLS communication between UCP cluster\nnodes. Should you choose to use certificates signed by an external CA,\nin order to successfully authenticate in to the system, those\ncertificates must include a root CA public certificate, a service\ncertificate and any intermediate CA public certificates (in addition\nto SANs for all addresses used to reach the UCP controller), and a\nprivate key for the server. 
When adding DTR replicas, the UCP nodes on\nwhich they're installed are authenticated to the cluster via the\nappropriate built-in CA.'\n", + "references": null + }, + { + "value": "'Access to Docker Trusted Registry is only granted when a user has a\nvalid certificate bundle. This is enforced with the public/private key\npair included with the user's certificate bundle in Universal Control\nPlane.'\n", + "references": null + }, + { + "value": "'Only after a client bundle has been generated or an existing public\nkey has been added for a particular user is that user able to execute\ncommands against Docker Trusted Registry. This bundle maps the\nauthenticated identity to that of the user's profile in Universal\nControl Plane.'\n", + "references": null + }, + { + "value": "'When a client bundle has been generated or an existing public key has\nbeen added for a particular Universal Control Plane user which\nsubsequently grants that user access to Docker Trusted Registry, it is\nattached to that user''s Universal Control Plane profile. Bundles/keys\ncan be revoked by an Administrator or the user themselves. The\ncluster''s internal certificates can also be revoked and updated.\nAdditional information can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/use-your-own-tls-certificates/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-6", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry obscures all feedback of authentication\ninformation during the authentication process. 
This includes both\nauthentication via the web UI and the CLI.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-7", + "subcontrolId": "", + "narratives": [ + { + "value": "'All access to Docker Trusted Registry is protected with Transport\nLayer Security (TLS) 1.2 with the AES-GCM cipher. This includes both\nSSH access to the individual UCP nodes and CLI-/web-based access to\nthe UCP management functions with mutual TLS and HTTPS respectively.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-8", + "subcontrolId": "", + "narratives": [ + { + "value": "'Users managed by Docker Trusted Registry can be grouped per the\nrequirements of the organization and as defined by this control. This\ncan include groupings for non-organizational users.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "RA-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The Docker Security Scanning tool allows for the scanning of Docker\nimages in Docker Trusted Registry against the Common Vulnerabilities\nand Exposures (CVE) dictionary.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "RA-5 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The Docker Security Scanning tool allows for the scanning of Docker\nimages in Docker Trusted Registry against the Common Vulnerabilities\nand Exposures (CVE).' 
dictionary.\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SA-10 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Content Trust gives you the ability to verify both the\nintegrity and the publisher of all the data received from a Docker\nTrusted Registry over any channel. It allows operations with a remote\nDTR instance to enforce client-side signing and verification of image\ntags. It provides for the ability to use digital signatures for data\nsent to and receive from remote DTR instances. These signatures allow\nclient-side verification of the integrity and publisher of specific\nimage tags. Docker Trusted Registry includes an integrated imaging\nsigning service.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-2", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Trusted Registry is made up of a number of backend services\nthat provide for both user functionality (including user interface\nservices) and system management functionality. Each of these services\noperates independently of one another. Additional information can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Docker_Trusted_Registry'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-23", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Docker Trusted Registry are protected\nwith Transport Layer Security (TLS) 1.2 with the AES GCM cipher. 
This\nis included at both the HTTPS application layer for access to the DTR\nuser interface and for command-line based connections to the registry.\nIn addition to this, all communication to DTR is enforced by way of\ntwo-way mutual TLS authentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-28 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Docker Trusted Registry are protected\nwith Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This\nis included at both the HTTPS application layer for access to the DTR\nuser interface and for command-line based connections to the registry.\nIn addition to this, all communication to DTR is enforced by way of\ntwo-way mutual TLS authentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SI-11", + "subcontrolId": "", + "narratives": [ + { + "value": "'All error messages generated via the configured logging mechanism of\nDocker Trusted Registry are displayed such that they meet the\nrequirements of this control. 
Only users that are authorized the\nappropriate level of access can view these error messages.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + } + ], + "references": [ + { + "id": "", + "name": "Docker Trusted Registry Documentation", + "description": "", + "url": "https://docs.docker.com/datacenter/dtr/2.3/guides/" + } + ] + }, + { + "name": "Docker Enterprise Edition Engine", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "AC-2 (12)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, Docker Enterprise Edition can be configured to aggregate\ncontainer and daemon events via a number of logging drivers.\nSupporting documentation can be found at the following resources:\n\n- https://docs.docker.com/engine/admin/logging/view_container_logs/\n- https://docs.docker.com/engine/admin/logging/overview/\n- https://docs.docker.com/engine/admin/logging/log_tags/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured to control the flow of\ninformation that originates from applications running in containers.\nSupporting documentation can be found at the following resources:\n\n- https://docs.docker.com/engine/userguide/networking/\n- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured to control the flow 
of\ninformation that originates from applications running in containers\nper organization-defined security policy filters. Supporting\ndocumentation can be found at the following resources:\n\n- https://docs.docker.com/engine/userguide/networking/\n- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks\n\nThere are also third-party behavioral activity monitoring tools (e.g.\nSysdig Falco \u003chttp://www.sysdig.org/falco/\u003e) that can be used\nalongside Docker Enterprise Edition to satisfy this control''s\nrequirements.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4 (21)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured to separate the flow of\ninformation that originates from applications running in containers.\nSupporting documentation can be found at the following resources:\n\n- https://docs.docker.com/engine/userguide/networking/\n- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-14", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, one\ncan restrict membership to the 'docker' group on underlying Linux\nhosts or the local \"Administrators\" group (and any other groups\ndefined within 'daemon.json') on underlying Windows Server 2016 hosts\nto only authorized users.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help 
the organization meet the requirements of this control,\nDocker Enterprise Edition can be configured to allow/prohibit remote\naccess to the Engine.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition logs and controls all local and remote\naccess events. In addition, auditing can be configured on the\nunderlying operating system to meet this control.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Docker Enterprise Edition are protected\nwith Transport Layer Security (TLS) 1.2. In addition to this, all\ncommunication to Docker Enterprise Edition is enforced by way of\ntwo-way mutual TLS authentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'A combination of managed load balancers, firewalls and access control\nlists, and virtual networking resources can be used to ensure traffic\ndestined for Docker Enterprise Edition is routed through managed\nnetwork access control points.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Built-in firewall technology in Docker Enterprise Edition's\nunderlying operating system can be used to force the disconnection of\nremote connections to the host. 
In addition, Docker Enterprise Edition\nprovides the option to pause or drain a node in the cluster, which\nsubsequently stops and/or removes sessions to the node. Individual\nservices and/or applications running on Docker Enterprise Edition can\nalso be stopped and/or removed.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "configured by customer" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-2", + "subcontrolId": "", + "narratives": [ + { + "value": "'Both Universal Control Plane and Docker Trusted Registry backend\nservice containers, all of which reside on Docker Enterprise Edition,\nlog all of the event types indicated by this control (as explained by\ntheir component narratives). These and other application containers\nthat reside on Docker Enterprise Edition can be configured to log data\nvia an appropriate Docker logging driver. Instructions for configuring\nlogging drivers can be found at the following resource:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'Both Universal Control Plane and Docker Trusted Registry are\npre-configured to take advantage of Docker Enterprise Edition''s\nbuilt-in logging mechanisms. 
A sample audit event recorded by Docker\nEnterprise Edition has been provided below:\n\n{\"level\":\"info\",\"license_key\":\"123456789123456789123456789\",\"msg\":\"eNZi:Password\nbased auth\nsuceeded\",\"remote_addr\":\"192.168.33.1:55905\",\"time\":\"2016-11-09T22:41:01Z\",\"type\":\"auth\nok\",\"username\":\"dockeruser\"}\n\nAdditional documentation can be referenced at the following resource:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. The logging\nstack can subsequently be used to interpolate the information defined\nby this control from the logged audit records. Additional\ndocumentation can be found at the following resource:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. The logging\nstack can subsequently be used to interpolate the information defined\nby this control from the logged audit records. 
Additional\ndocumentation can be found at the following resource:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. The logging\nstack can be used to interpolate the information defined by this\ncontrol and also be configured to alert on any audit processing\nfailures. Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. The logging\nstack can subsequently be configured to warn the organization when the\nallocated log storage is full. Additional information can be found at\nthe following resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. The\nlogging stack can subsequently be configured to warn the organization\nwhen audit log failures occur. 
Additional information can be found at\nthe following resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-6 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. The\norganization can subsequently centrally review and analyze all of the\nDocker EE audit records. Additional information can be found at the\nfollowing resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-7", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. The logging\nstack can subsequently be used to facilitate the audit reduction and\nreport generation requirements of this control. Additional information\ncan be found at the following resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + }, + { + "value": "'The underlying operating system chosen to support Docker Enterprise\nEdition should be certified to ensure that logs are not altered during\ngeneration and transmission to a remote logging stack.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. 
The logging\nstack can subsequently be configured to parse information by\norganization-defined audit fields. Additional information can be found\nat the following resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-8", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition uses the system clock of the underlying\noperating system on which it runs. This behavior cannot be modified.'\n", + "references": null + }, + { + "value": "'The underlying operating system on which Docker Enterprise Edition\nruns should be configured such that its system clock uses Coordinated\nUniversal Time (UTC) as indicated by this control. Refer to the\noperating system's instructions for doing so.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The underlying operating system on which Docker Enterprise Edition runs should\nbe configured such that its system clock compares itself with an\nauthoritative time source as indicated by this control. This can be\naccomplished by utilizing the Network Time Protocol (NTP). Refer to\nthe operating system's instructions for doing so.'\n", + "references": null + }, + { + "value": "'The underlying operating system on which Docker Enterprise Edition\nruns should be configured such that its system clock synchronizes\nitself to an authoritative time source as defined by part (a) of this\ncontrol any time the time difference exceeds that of the\norganization-defined time period. This can be accomplished by\nutilizing the Network Time Protocol (NTP). 
Refer to the operating\nsystem's instructions for doing so.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9", + "subcontrolId": "", + "narratives": [ + { + "value": "'On the underlying Linux operating system supporting Docker Enterprise\nEdition, only root and sudo users and users that have been added to\nthe \"docker\" group have the ability to access the logs generated by\nUCP backend service containers. Should the organization decide to\nconfigure Docker Enterprise Edition to use a logging driver other than\nthe default json-file driver, the organization is subsequently\nresponsible for configuring the chosen logging stack per the\nprovisions of this control. In addition, for Linux operating systems\nsupporting Docker Enterprise Edition that use the systemd daemon, it\nis imperative that the Journal is secured per the requirements of this\ncontrol. The same applies for Linux operating systems supporting\nDocker Enterprise Edition that instead use upstart. 
Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured to use a logging driver\nthat can subsequently meet the backup requirements of this control.\nAdditional information can be found at the following resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured to use a logging driver\nthat can subsequently meet the encryption mechanisms required by this\ncontrol. Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-10", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition includes functionality known as Docker\nContent Trust which allows one to cryptographically sign Docker\nimages. It enforces client-side signing and verification of image tags\nand provides the ability to use digital signatures for data sent to\nand received from Docker Trusted Registry. This ultimately provides\none with the ability to verify both the integrity and the publisher of\nall data received from DTR over any channel. 
With Docker Content\nTrust, an organization can enforce signature verification of all\ncontent and prohibit unsigned and unapproved content from being\nmanipulated; thus supproting the non-repudiation requirements of this\ncontrol. Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/engine/security/trust/content_trust/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-11", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization will be responsible for meeting the requirements of\nthis control. To assist with these requirements, Docker Enterprise\nEdition can be configured to use a logging driver that stores data in\na location for the duration specified by this control. Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12", + "subcontrolId": "", + "narratives": [ + { + "value": "'Both Universal Control Plane and Docker Trusted Registry backend\nservice containers, all of which reside on Docker Enterprise Edition,\nlog all of the event types indicated by this AU-2 a. These and other\napplication containers that reside on Docker Enterprise Edition can be\nconfigured to log data via an appropriate Docker logging driver. The\nunderlying Linux operating system supporting Docker Enterprise Edition\ncan be configured to audit Docker-specific events with the auditd\ndaemon. Refer to the specific Linux distribution in use for\ninstructions on configuring this service. 
Additional information can\nbe found at the following resources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + }, + { + "value": "'Using auditd on the Linux operating system supporting CS Docker\nEngine, the organization can configure audit rules to select which\nDocker-specific events are to be audited. Refer to the specific Linux\ndistribution in use for instructions on configuring this service.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. This\nlogging stack can subsequently be used to compile audit records in to\na system-wide audit trail that is time-correlated per the requirements\nof this control. Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured with various logging\ndrivers to send audit events to an external logging stack. This\nlogging stack can subsequently be used to meet the requirements of\nthis control. 
Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/engine/admin/logging/overview/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-1", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nconfiguration management requirements of this control. Additional\ninformation can be found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-2", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing Docker\nEnterprise Edition and for helping the organization meet the\nconfiguration management requirements of this control. 
Additional\ninformation can be found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-2 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nconfigurmation management requirements of this control. Additional\ninformation can be found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nconfigurmation management requirements of this control. CIS regularly\nupdates their benchmark to reflect the latest updates in the stable\nrelease of Docker Engine. Various configuration management tools such\nas Inspec (http://inspec.io/) can be used to audit Docker Enterprise\nEdition system configuration to ensure that the secure baseline\nconfigurations have been applied in an automated fashion. 
Additional\ninformation can be found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nconfigurmation management requirements of this control. CIS regularly\nupdates their benchmark to reflect the latest updates in the stable\nrelease of Docker Engine. Various configuration management tools such\nas Inspec (http://inspec.io/) can be used to audit Docker Enterprise\nEdition system configuration to ensure that the secure baseline\nconfigurations have been applied in an automated fashion and can be\nrolled back as required by this control. 
Additional information can be\nfound at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nconfigurmation management change control requirements of this control.\nAdditional information can be found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-3 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nconfigurmation management change control requirements of this control.\nVarious configuration management tools such as Inspec\n(http://inspec.io/) can be used to audit Docker Enterprise Edition\nsystem configuration to ensure that the secure baseline configurations\nhave been applied in an automated fashion. 
Additional information can\nbe found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-3 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nconfigurmation management change control requirements of this control.\nVarious configuration management tools such as Inspec\n(http://inspec.io/) can be used to audit Docker Enterprise Edition\nsystem configuration to ensure that the secure baseline configurations\nhave been applied in an automated fashion. Additional information can\nbe found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-3 (6)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\ncryptography management requirements of this control. 
Additional\ninformation can be found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nsystem change requirements of this control. Additional information can\nbe found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-5 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Before installing Docker Enterprise Edition, ensure that your\nsupporting Linux operating system''s packager manager supports package\nsignature verification and that it is enabled. It is also required\nthat you import the Docker public key for EE packages so as to\nretrieve the validated and signed package from Docker, Inc. Refer to\nyour Linux OS documentation for instructions on completing the above\nsteps.\n\nIn addition, Docker Content Trust is a capability provided by Docker\nEngine that enforces client-side signing and verification of Docker\nimage tags. 
It provides the ability to use digital signatures for data\nsent to and received from Docker Trusted Registry and the public\nDocker Store. These signatures allow client-side verification of the\nintegrity and publisher of specific image tags. When enabling Docker\nContent Trust in Docker Enterprise Edition you can enforce the use of\nsigned Docker images. Additional information can be found at the\nfollowing resources:\n\n- https://docs.docker.com/engine/security/trust/content_trust/'\n", + "references": null + } + ], + "origins": [ + "service provide hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization can incorporate the use of an external configuration\nmanagement system to meet the requirements of this control.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-7", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, the\nlatest CIS Docker Benchmark can be used as a secure configuration\nbaseline. Additional information can be found at the following\nresources:\n\n- https://www.cisecurity.org/benchmark/docker/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-7 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'In order to restrict which Docker images can be used to deploy\napplications to Docker Enterprise Edition, the organization can define\na list of allowed base Docker images and make them available via\nDocker Trusted Registry. 
The organization can also prevent users from\nbeing able to pull Docker images from untrusted sources.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-7 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements and in order to restrict\nwhich Docker images can be used to deploy applications to Docker EE\nEngine, the organization must define a list of allowed base Docker\nimages and make them available via Docker Trusted Registry. The\norganization must also prevent users from being able to pull Docker\nimages from untrusted sources.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-9", + "subcontrolId": "", + "narratives": [ + { + "value": "'The CIS Docker Benchmark can be used as a baseline for securing\nDocker Enterprise Edition and for helping the organization meet the\nconfiguration management plan requirements of this control. Additional\ninformation can be found at the following resources:\n\n- https://www.cisecurity.org/benchmark/docker/\n- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'In order for other Docker EE engine nodes to be able to join a\ncluster managed by Universal Control Plane, they must be identified\nand authenticated via either a manager or worker token. 
Use of the\ntoken includes trust on first use mutual TLS.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SA-10 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Content Trust gives you the ability to verify both the\nintegrity and the publisher of all the data received from a Docker\nTrusted Registry over any channel. It allows operations with a remote\nDTR instance to enforce client-side signing and verification of image\ntags. It provides for the ability to use digital signatures for data\nsent to and receive from remote DTR instances. These signatures allow\nclient-side verification of the integrity and publisher of specific\nimage tags.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-7 (20)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition is designed to run application containers\nwhose content can be completely isolated/segregated from other\napplication containers within the same node/cluster. This is\naccomplished by way of Linux kernel primitives and various security\nprofiles that can be applied to the underlying host OS. 
Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/engine/security/security/\n- https://docs.docker.com/engine/userguide/networking/overlay-security-model/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Engine_and_Node_Security'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-12 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be installed on the following operating\nsystems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04\nLTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to\nmeet the requirements of this control, reference the chosen operating\nsystem's documentation to ensure it is configured in FIPS mode.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-13", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be installed on the following operating\nsystems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04\nLTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to\nmeet the requirements of this control, reference the chosen operating\nsystem's documentation to ensure it is configured in FIPS mode.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-23", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Docker Enterprise Edition are protected\nwith Transport Layer Security (TLS) 1.2 with the AES GCM cipher. 
In\naddition to this, all communication to and between Docker Enterprise\nEditions is enforced by way of two-way mutual TLS authentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-28", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Docker Enterprise Edition are protected\nwith Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In\naddition to this, all communication to/from and between Docker\nEnterprise Edition nodes is enforced by way of two-way mutual TLS\nauthentication. All Swarm Mode manager nodes in a Docker Enterprise\nEdition cluster store state metadata and user secrets encrypted at\nrest using the AES GCM cipher.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-28 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Docker Enterprise Edition are protected\nwith Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In\naddition to this, all communication to and between Docker Enterprise\nEditions is enforced by way of two-way mutual TLS authentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SI-3 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition packages for supported underlying operating\nsystems can only be obtained from Docker, Inc. The Docker EE\nrepositories from which Docker EE packages are obtained are protected\nwith official GPG keys. 
Each Docker package is also validated with a\nsignature definition.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SI-11", + "subcontrolId": "", + "narratives": [ + { + "value": "'All error messages generated via the logging mechanisms of the Docker\nEnterprise Edition engine are displayed such that they meet the\nrequirements of this control. Only users that are authorized the\nappropriate level of access can view these error messages.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SI-16", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be installed on the following operating\nsystems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04\nLTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to\nmeet the requirements of this control, reference the chosen operating\nsystem's security documentation for information regarding the\nprotection of memory from unauthorized code execution.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + } + ], + "references": [ + { + "id": "", + "name": "Docker Enterprise Edition Engine Installation Documentation", + "description": "", + "url": "https://docs.docker.com/engine/installation/" + }, + { + "id": "", + "name": "Docker Engine Release Notes", + "description": "", + "url": "https://docs.docker.com/release-notes/" + }, + { + "id": "", + "name": "Configuring and Running Docker on Various Distributions", + "description": "", + "url": "https://docs.docker.com/engine/admin/" + }, + { + "id": "", + "name": "Docker Engine Security", + "description": "", + "url": "https://docs.docker.com/engine/security/security/" + }, + { + "id": "", + "name": "Securing Docker Datacenter and 
Security Best Practices", + "description": "", + "url": "https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices" + } + ] + }, + { + "name": "Identification and Authentication Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "IA-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-2 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-2 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-2 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, 
+ "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-2 (11)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-2 (12)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-4 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-5 (3)", + "subcontrolId": "", + "narratives": [ + 
{ + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-5 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-5 (6)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-5 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-5 (11)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-8 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + 
"none" + ], + "references": null + }, + { + "controlId": "IA-8 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IA-8 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Incident Response for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "IR-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-3 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + 
"value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-4 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-7 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's 
control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-9", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-9 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-9 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-9 (3)", + "subcontrolId": "", + "narratives": [ + { + 
"value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "IR-9 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "System Maintenance Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "MA-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-3 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + 
"controlId": "MA-3 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-3 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-4 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-5 (1)", + "subcontrolId": "", + "narratives": [ + 
{ + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MA-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Media Protection Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "MP-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control 
implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-5 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-6 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "MP-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Physical and Environmental Protection Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "PE-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + 
"statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": 
"[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-9", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-10", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-11", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-12", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-13", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + 
], + "references": null + }, + { + "controlId": "PE-13 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-13 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-14", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-14 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-15", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-16", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PE-17", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Security Planning Policy for 
[Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "PL-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PL-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Personnel Security Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "PS-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PS-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PS-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], 
+ "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PS-3 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PS-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PS-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PS-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PS-7", + "subcontrolId": "", + 
"narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "PS-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Risk Assessment Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "RA-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "RA-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "System and Services Acquisition Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "SA-1", + 
"subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-4 (1)", + "subcontrolId": "", + "narratives": [ + { + 
"value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-4 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-4 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-4 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-4 (10)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-9", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's 
control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-9 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-9 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-9 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-9 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-10", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SA-10 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": 
"[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": null, + "references": null + }, + { + "controlId": "SA-11", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": null, + "references": null + }, + { + "controlId": "SA-11 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": null, + "references": null + }, + { + "controlId": "SA-11 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": null, + "references": null + }, + { + "controlId": "SA-11 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": null, + "references": null + }, + { + "controlId": "SA-22 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "System and Communications Protection Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "SC-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation 
here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + 
}, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7 (12)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7 (13)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-7 (18)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's 
control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-10", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-12", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-12 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-12 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-13", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-15", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-17", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-18", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": 
null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-19", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-20", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-21", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-22", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-23", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-28", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-28 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": 
null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SC-39", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "complete" + ], + "references": null + } + ], + "references": null + }, + { + "name": "System and Information Integrity Policy for [Agency_Here]", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "SI-1", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-2", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-3", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": 
"[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-3 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-3 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-3 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-4", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-4 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-4 (2)", + "subcontrolId": "", + "narratives": [ + { + 
"value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-4 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-4 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-4 (14)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-4 (16)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-4 (23)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-5", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-6", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's 
control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-7", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-7 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-8", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-8 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-10", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + 
], + "references": null + }, + { + "controlId": "SI-11", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + }, + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-12", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + }, + { + "controlId": "SI-16", + "subcontrolId": "", + "narratives": [ + { + "value": "[Agency's control implementation here]\n", + "references": null + } + ], + "origins": null, + "statuses": [ + "none" + ], + "references": null + } + ], + "references": null + }, + { + "name": "Universal Control Plane (UCP)", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "AC-2 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, supporting documentation for managing users and teams can\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-teams/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, supporting documentation can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + 
{ + "controlId": "AC-2 (12)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, Universal Control Plane can be configured to send system\naccount log data to a remote logging service such as an Elasticsearch,\nLogstash and Kibana (ELK) stack. Supporting documentation can be found\nat the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-node-messages/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-configurations/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-task-state/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'One can control which users and teams can create and manipulate\nUniversal Control Plane resources. By default, no one can make changes\nto the cluster. Permissions can be granted and managed to enforce\nfine-grained access control. 
Supporting documentation can be found at\nthe following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/deploy-view-only-service/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/grant-permissions/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-nodes-between-teams/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-volumes-between-teams/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/manage-access-with-collections/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/access-control-node/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4", + "subcontrolId": "", + "narratives": [ + { + "value": "'Supporting documentation to configure Universal Control Plane to meet\nthe requirements of this control can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#ports-used\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing\n- 
https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Supporting documentation to configure Universal Control Plane to meet\nthe requirements of this control can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-4 (21)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Supporting documentation to configure Universal Control Plane to meet\nthe requirements of this control can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/\n- 
https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-5", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can control which users and teams can create and\nmanipulate Universal Control Plane resources. By default, no one can\nmake changes to the cluster. Permissions can be granted and managed to\nenforce fine-grained access control. 
Supporting documentation can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can control which users and teams can create and\nmanipulate Universal Control Plane resources and employ principles of\nleast privilege. By default, no one can make changes to the cluster.\nPermissions can be granted and managed to enforce fine-grained access\ncontrol. 
Supporting documentation can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can control which users and teams can create and\nmanipulate Universal Control Plane resources and explicitly authorize\naccess as necessary. By default, no one can make changes to the\ncluster. Permissions can be granted and managed to enforce\nfine-grained access control. 
Supporting documentation can be found at\nthe following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can control which users and teams can create and\nmanipulate Universal Control Plane resources. By default, no one can\nmake changes to the cluster. Permissions can be granted and managed to\nenforce fine-grained access control. 
Supporting documentation can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can control which users and teams can create and\nmanipulate Universal Control Plane resources, including Docker\nnetworking components. By default, no one can make changes to the\ncluster. Permissions can be granted and managed to enforce\nfine-grained access control. 
Supporting documentation can be found at\nthe following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can restrict privileged accounts within Universal Control\nPlane to custom-defined roles. By default, no one can make changes to\nthe cluster. Permissions can be granted and managed to enforce\nfine-grained access control. 
Supporting documentation can be found at\nthe following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can review all implemented grants, accounts and roles\nwithin Universal Control Plane and reassign/revoke privileges as\nnecessary. 
Supporting documentation can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane users can be assigned to one of a number of\ndifferent permission levels. The permission level assigned to a\nspecific user determines that user''s ability to execute certain\nDocker functions within UCP. Only users mapped to either the \"Full\nControl\" or \"Admin\" roles can execute Docker commands without any\nrestrictions. Users mapped to either the \"View Only\" or \"No Access\"\nroles cannot execute any Docker commands. Users assigned to the\n\"Restricted Control\" role can only run Docker commands under their own\npurview and cannot see other users UCP resources nor run commands that\nrequired privileged access to the host. Furthermore, custom roles can\nbe created for fine-grained access to specific UCP resources and\nfunctionality. 
Additional documentation regarding the various\npermission levels within UCP can be found at the following resource:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (10)", + "subcontrolId": "", + "narratives": [ + { + "value": "'One can control which users and teams can create and manipulate\nUniversal Control Plane resources and prevent non-privileged users\nfrom executing privileged functions per the requirements of this\ncontrol. By default, no one can make changes to the cluster.\nPermissions can be granted and managed to enforce fine-grained access\ncontrol. 
Supporting documentation for the configuration of this\nfunctionality can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-12 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane includes a logout capability that allows a\nuser to terminate his/her current session.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-14", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, a\nreview of actions allowed by unauthenticated users can be performed\nwithin Universal Control Plane.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control,\nUniversal Control Plane can be configured to allow/prohibit remote\naccess.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane logs and controls all local and remote\naccess events. 
In addition, auditing can be configured on the\nunderlying operating system to meet this control.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Universal Control Plane are protected\nwith Transport Layer Security (TLS) 1.2. This is included at both the\nHTTPS application layer for access to the UCP user interface and for\ncommand-line based connections to the cluster. In addition to this,\nall communication to UCP is enforced by way of two-way mutual TLS\nauthentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'A combination of managed load balancers, firewalls and access control\nlists, and virtual networking resources can be used to ensure traffic\ndestined for Universal Control Plane managers and worker nodes is\nrouted through managed network access control points.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control,\nUniversal Control Plane can be configured to authorize certain\nprivileged functions via remote access.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Built-in firewall technology in Universal Control Plane's underlying\noperating system can be used to force the disconnection of remote\nconnections to the host. 
In addition, UCP provides the option to pause\nor drain a node in the cluster, which subsequently stops and/or\nremoves sessions to the node. Individual services and/or applications\nrunning on a UCP cluster can also be stopped and/or removed.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "configured by customer" + ], + "statuses": [ + "complete", + "partial" + ], + "references": null + }, + { + "controlId": "AC-20", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, one\ncan control which external systems can access Universal Control\nPlane.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-20 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, one\ncan control which external systems can access Universal Control\nPlane.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-21", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control, one\ncan validate the assigned roles and access levels within Universal\nControl Plane to control information sharing.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-2", + "subcontrolId": "", + "narratives": [ + { + "value": "'All of the event types indicated by this control are logged by the\nbackend ucp-controller service within Universal Control Plane. In\naddition, each container created on a Universal Control Plane cluster\nlogs event data. 
Supporting documentation for configuring UCP logging\ncan be referenced at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane generates all of the audit record information\nindicated by this control. A sample audit event has been provided\nbelow:\n\n{\"level\":\"info\",\"license_key\":\"123456789123456789123456789\",\"msg\":\"eNZi:Password\nbased auth\nsuceeded\",\"remote_addr\":\"192.168.33.1:55905\",\"time\":\"2016-11-09T22:41:01Z\",\"type\":\"auth\nok\",\"username\":\"dockeruser\"}'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack. The logging stack can subsequently be used to\ninterpolate the information defined by this control from the logged\naudit records. Additional documentation can be found at the following\nresource:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack. The logging stack can subsequently be used to\ninterpolate the information defined by this control from the logged\naudit records. 
Additional documentation can be found at the following\nresource:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack. The logging stack can subsequently be configured to\nalert individuals in the event of log processing failures. Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider system specific" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack. The logging stack can subsequently be configured to\nwarn the organization when the allocated log storage is full.\nAdditional information can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack. The logging stack can subsequently be configured to\nwarn the organization when audit log failures occur. 
Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-6 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack. The organization can subsequently centrally review and\nanalyze all of the Docker EE audit records. Additional information can\nbe found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-7", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack. The logging stack can subsequently be used to\nfacilitate the audit reduction and report generation requirements of\nthis control. Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + }, + { + "value": "'The underlying operating system chosen to support Universal Control\nPlane should be certified to ensure that logs are not altered during\ngeneration and transmission to a remote logging stack.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to log data to a remote\nlogging stack. 
The logging stack can subsequently be configured to\nparse information by organization-defined audit fields. Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-8", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane uses the system clock of the underlying\noperating system on which it runs. This behavior cannot be modified.'\n", + "references": null + }, + { + "value": "'The underlying operating system on which Universal Control Plane runs\nshould be configured such that its system clock uses Coordinated\nUniversal Time (UTC) as indicated by this control. Refer to the\noperating system's instructions for doing so.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-8 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The underlying operating system on which Universal Control Plane runs\nshould be configured such that its system clock compares itself with\nan authoritative time source as indicated by this control. This can be\naccomplished by utilizing the Network Time Protocol (NTP). Refer to\nthe operating system's instructions for doing so.'\n", + "references": null + }, + { + "value": "'The underlying operating system on which Universal Control Plane runs\nshould be configured such that its system clock synchronizes itself to\nan authoritative time source as defined by part (a) of this control\nany time the time difference exceeds that of the organization-defined\ntime period. This can be accomplished by utilizing the Network Time\nProtocol (NTP). 
Refer to the operating system's instructions for doing\nso.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9", + "subcontrolId": "", + "narratives": [ + { + "value": "'By default, Universal Control Plane is configured to use the\nunderlying logging capabilities of Docker Enterprise Edition. As such,\non the underlying Linux operating system, only root and sudo users and\nusers that have been added to the 'docker' group have the ability to\naccess the logs generated by UCP backend service containers. In\naddition, only UCP Administrator users can change the logging endpoint\nof the system should it be decided that logs be sent to a remote\nlogging stack. In this case, the organization is responsible for\nconfiguring the remote logging stack per the provisions of this\ncontrol.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to send logs to a remote\nlogging stack. The logging stack can subsequently be configured to\nback up audit records per the schedule defined by this control.\nAdditional information can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-9 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to send logs to a remote\nlogging stack. The logging stack can subsequently be configured to\nmeet the encryption mechanisms required by this control. 
Additional\ninformation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-11", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization will be responsible for meeting the requirements of\nthis control. To assist with these requirements, Universal Control\nPlane can be configured to send logs to a remote logging stack. This\nlogging stack can subsequently be configured retain logs for the\nduration required by this control. Additional information can be found\nat the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12", + "subcontrolId": "", + "narratives": [ + { + "value": "'All of the event types indicated by AU-2 a. are logged by the backend\nucp-controller service within Universal Control Plane. In addition,\neach container created on a Universal Control Plane cluster logs event\ndata. The underlying Linux operating system supporting UCP can be\nconfigured to audit Docker-specific events with the auditd daemon.\nRefer to the specific Linux distribution in use for instructions on\nconfiguring this service. Additional information can be found at the\nfollowing resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + }, + { + "value": "'Using auditd on the Linux operating system supporting UCP, the\norganization can configure audit rules to select which Docker-specific\nevents are to be audited. 
Refer to the specific Linux distribution in\nuse for instructions on configuring this service.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to send logs to a remote\nlogging stack. This logging stack can subsequently be used to compile\naudit records in to a system-wide audit trail that is time-correlated\nper the requirements of this control. Additional information can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-12 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane can be configured to send logs to a remote\nlogging stack. This logging stack can subsequently be used to meet the\nrequirements of this control. Additional information can be found at\nthe following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Role-based access control can be configured within Universal Control\nPlane to meet the requirements of this control. 
Additional information\ncan be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#RBAC'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-5 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Content Trust is a capability provided by Docker Enterprise\nEdition that enforces client-side signing and verification of Docker\nimage tags. It provides the ability to use digital signatures for data\nsent to and received from Docker Trusted Registry and the public\nDocker Store. These signatures allow client-side verification of the\nintegrity and publisher of specific image tags. All Universal Control\nPlane Docker images are officially signed and verified by Docker, Inc.\n\nWhen configuring Universal Control Plane, you should enforce\napplications to only use Docker images signed by trusted UCP users\nwithin your organization. Additional information can be found at the\nfollowing resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/'\n", + "references": null + } + ], + "origins": [ + "service provide hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-6 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements, the organization can\nincorporate the use of an external configuration management system to\nmeet the requirements of this control. 
Universal Control Plane''s\nconfiguration can also be managed, backed up and stored in another\nlocation per the requirements of this control. Additional documentation\ncan be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/ucp-configuration-file/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-7 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To help the organization meet the requirements of this control,\nUniversal Control Plane includes a robust access control model to\ndisable any functionality as mandated by this control.'\n", + "references": null + } + ], + "origins": [ + "service provider corporate", + "Docker EE system", + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-7 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'In order to restrict which Docker images can be used to deploy\napplications to Universal Control Plane, the organization can define a\nlist of allowed base Docker images and make them available via Docker\nTrusted Registry. The organization can also prevent users from being\nable to pull Docker images from untrusted sources.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CM-7 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements and in order to restrict\nwhich Docker images can be used to deploy applications to Universal\nControl Plane, the organization must define a list of allowed base\nDocker images and make them available via Docker Trusted Registry. 
The\norganization must also prevent users from being able to pull Docker\nimages from untrusted sources.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements, the organization can\nconfigure its systems to ensure that only approved Docker images\nstored in Docker Trusted Registry can be run on Universal Control\nPlane. This can be accomplished by using Docker Content Trust to sign\nDocker images, and configure UCP to enforce only signed images from\nspecific Teams at runtime. Additional information can be found at the\nfollowing resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "CP-10 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane maintains its cluster state via an internal\nkey-value store. This, and other UCP transactions can be backed up and\nrecovered. Additional information can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#UCP_Backup'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-2 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, Universal Control\nPlane requires individual users to be authenticated in order to gain\naccess to the system. 
Any permissions granted to the team(s) that\nwhich the user is a member are subsequently applied.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'In order for nodes to join a Universal Control Plane cluster, they\nmust be identified and authenticated via either a manager or worker\ntoken. Additional information can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/scale-your-cluster/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane contains two, built-in root certificate\nauthorities. One CA is used for signing client bundles generated by\nusers. The other CA is used for TLS communication between UCP cluster\nnodes. Should you choose to use certificates signed by an external CA,\nin order to successfully authenticate in to the system, those\ncertificates must include a root CA public certificate, a service\ncertificate and any intermediate CA public certificates (in addition\nto SANs for all addresses used to reach the UCP controller), and a\nprivate key for the server.'\n", + "references": null + }, + { + "value": "'Access to a Universal Control Plane cluster is only granted when a\nuser has a valid certificate bundle. This is enforced with the\npublic/private key pair included with the user's certificate bundle.'\n", + "references": null + }, + { + "value": "'Only after a client bundle has been generated or an existing public\nkey has been added for a particular user is that user able to execute\ncommands against the Universal Control Plane cluster. 
This bundle maps\nthe authenticated identity to that of the user.'\n", + "references": null + }, + { + "value": "'When a client bundle has been generated or an existing public key has\nbeen added for a particular Universal Control Plane user, it is\nattached to that user''s profile. Bundles/keys can be revoked by an\nAdministrator or the user themselves. The cluster''s internal\ncertificates can also be revoked and updated. Additional information\ncan be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-6", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane obscures all feedback of authentication\ninformation during the authentication process. This includes both\nauthentication via the web UI and the CLI.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-7", + "subcontrolId": "", + "narratives": [ + { + "value": "'All access to Universal Control Plane is protected with Transport\nLayer Security (TLS) 1.2 with the AES GCM cipher. This includes both\nSSH access to the individual UCP nodes and CLI-/web-based access to\nthe UCP management functions with mutual TLS and HTTPS respectively.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-8", + "subcontrolId": "", + "narratives": [ + { + "value": "'Users managed by Universal Control Plane can be grouped per the\nrequirements of the organization and as defined by this control. 
This\ncan include groupings for non-organizational users.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SA-10 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with these requirements, Docker Content Trust gives\nyou the ability to verify both the integrity and the publisher of all\nthe data received from a Docker Trusted Registry over any channel. It\nallows operations with a remote DTR instance to enforce client-side\nsigning and verification of image tags. It provides for the ability to\nuse digital signatures for data sent to and receive from remote DTR\ninstances. These signatures allow client-side verification of the\nintegrity and publisher of specific image tags. Universal Control\nPlane can be configured to only run trusted and signed images.\nAdditional information can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-2", + "subcontrolId": "", + "narratives": [ + { + "value": "'Universal Control Plane is made up of a number of backend services\nthat provide for both user functionality (including user interface\nservices) and system management functionality. Each of these services\noperates independently of one another. 
Additional information can be\nfound at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Universal_Control_Plane'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-23", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Universal Control Plane are protected\nwith Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This\nis included at both the HTTPS application layer for access to the UCP\nuser interface and for command-line based connections to the cluster.\nIn addition to this, all communication to UCP is enforced by way of\ntwo-way mutual TLS authentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-28 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'All remote access sessions to Universal Control Plane are protected\nwith Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This\nis included at both the HTTPS application layer for access to the UCP\nuser interface and for command-line based connections to the cluster.\nIn addition to this, all communication to UCP is enforced by way of\ntwo-way mutual TLS authentication.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SI-11", + "subcontrolId": "", + "narratives": [ + { + "value": "'All error messages generated via the configured logging mechanism of\nUniversal Control Plane are displayed such that they meet the\nrequirements of this control. 
Only users that are authorized the\nappropriate level of access can view these error messages.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + } + ], + "references": [ + { + "id": "", + "name": "UCP Documentation", + "description": "", + "url": "https://docs.docker.com/datacenter/ucp/2.2/guides/" + } + ] + }, + { + "name": "Authentication and Authorization Service (eNZi)", + "description": "", + "responsibleRoles": null, + "satisfies": [ + { + "controlId": "AC-1", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, one can control which users and teams are allowed to create\nand manipulate Docker Enterprise Edition resources. By default, no one\ncan make changes to the cluster. Permissions can be granted and\nmanaged to enforce fine-grained access control. Supporting\ndocumentation can found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, an external identity management system (such as Microsoft''s\nActive Directory or an LDAP endpoint) can be configured as mandated by\nthis control and can be integrated with Docker Enterprise Edition.\nSupporting documentation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (1)", + "subcontrolId": "", + 
"narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, an external identity management system (such as Microsoft''s\nActive Directory or an LDAP endpoint) can be configured as mandated by\nthis control and can be integrated with Docker Enterprise Edition.\nSupporting documentation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Using Docker Enterprise Edition''s LDAP integration capabilities, one\ncan disable and/or remove temporary and emergency accounts in a\nconnected directory service (such as Active Directory) after an\norganization-defined time period. When a user is removed from LDAP,\nthat user becomes inactive after the LDAP synchronization runs.\nSupporting documentation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Using Docker Enterprise Edition''s LDAP integration capabilities, one\ncan automatically disable inactive accounts in a connected directory\nservice (such as Active Directory). 
When a user is removed from LDAP,\nthat user becomes inactive after the LDAP synchronization runs.\nSupporting documentation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition logs various authentication and\nauthorization events to standard log files. One can configure Docker\nEnterprise Edition to direct these event logs to a remote logging\nservice such as an Elasticsearch, Logstash and Kibana (ELK) stack and\nsubsequently alert on specific event types. When integrating Docker\nEnterprise Edition with LDAP, one can refer the the directory\nservice''s logging mechanisms for auditing the events defined by this\ncontrol. Supporting documentation can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/\n- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, Docker Enterprise Edition can be configured to enforce automated\nsession termination of users after an organization-defined time period\nof inactivity. 
By default, the initial lifetime of a user''s session\nis set to 72 hours and the renewal session for a user''s session is\nset to 24 hours. These values can both be changed in the \"Auth\"\nsection of the \"Admin Settings\" in Universal Control Plane.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (7)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, Docker Enterprise Edition supports various levels of user\npermissions and role-based access control enforcements. Administrator\nusers have permissions to: manage other Docker Enterprise Edition\nusers, manage Docker Trusted Registry repositories and settings, and\nmanage the Universal Control Plane and underlying Docker Swarm Mode\ncluster. Supporting documentation can be found at the following\nresources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC\n- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/\n- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, users and/or groups synchronized to Docker Enterprise Edition\nvia LDAP can be configured at the directory service.'\n", + "references": null + } + ], + 
"origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (10)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Users and/or groups synchronized to Docker Enterprise Edition via\nLDAP can be configured at the directory service to ensure shared/group\naccount credentials are terminated when members leave the group.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (11)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Information system accounts synchronized to Docker Enterprise Edition\nvia LDAP can be configured at the directory service to meet this\nrequirement as necessary.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (12)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, when Docker Enterprise Edition is configured for LDAP\nintegration, one can refer to the directory service''s existing\nmonitoring tools.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-2 (13)", + "subcontrolId": "", + "narratives": [ + { + "value": "'To assist the organization in meeting the requirements of this\ncontrol, users and/or groups synchronized to Docker Enterprise Edition\nvia LDAP can be managed at the directory service and disabled if\nposing a significant risk.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'One can control which users and teams can create and manipulate\nDocker 
Enterprise Edition resources. By default, no one can make\nchanges to the cluster. Permissions can be granted and managed to\nenforce fine-grained access control. The eNZi component facilitates\nauthorizations as dictated by the system''s administrators. Supporting\ndocumentation can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-6 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition logs privileged user events to standard log\nfiles. One can configure Docker Enterprise Edition to direct these\nevent logs to a remote logging service such as an Elasticsearch,\nLogstash and Kibana (ELK) stack and subsequently alert on specific\nevent types. When integrating Docker Enterprise Edition with LDAP, one\ncan refer the the directory service''s logging mechanisms for auditing\nthe events defined by this control. 
Supporting documentation regarding\nlogging and monitoring can be found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-7", + "subcontrolId": "", + "narratives": [ + { + "value": "'When Docker Enterprise Edition is integrated to a directory service\nvia LDAP, one can reference the functionality of the directory service\nto configure the enforcement of a limit to the number of conesecutive\ninvalid logon attempts by a user during a specified time period.'\n", + "references": null + }, + { + "value": "'When Docker Enterprise Edition is integrated to a directory service\nvia LDAP, one can reference the functionality of the directory service\nto configure he ability to automatically lock/disable an account for a\nspecified period of time after a consecutive invalid logon attempt\nlimit is reached.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-8", + "subcontrolId": "", + "narratives": [ + { + "value": "'The feature required to satisfy the requirements of this control has\nnot yet been built in to Docker EE but is planned for a future\nrelease.'\n", + "references": null + }, + { + "value": "'The feature required to satisfy the requirements of this control has\nnot yet been built in to Docker EE but is planned for a future\nrelease.'\n", + "references": null + }, + { + "value": "'The feature required to satisfy control has\nnot yet been built in to Docker EE but is planned for a future\nrelease.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "planned" + ], + "references": null + }, + { 
+ "controlId": "AC-10", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured to limit the number of\nconcurrent sessions for each account. These options can be found\nwithin the Universal Control Plane Admin Settings under the\n\"Authentication \u0026 Authorization\" section. '\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-11", + "subcontrolId": "", + "narratives": [ + { + "value": "'Per the requirements of AC-2 (5), Docker Enterprise Edition can be\nconfigured to enforce user session lifetime limits and renewal\nthresholds. These options can be found within the Universal Control\nPlane Admin Settings under the \"Authentication \u0026 Authorization\"\nsection. Configurable options include the initial lifetime (in hours)\nof a user''s session and the renewal threshold of a session (in\nhours).'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-11 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Per the requirements of AC-2 (5), Docker Enterprise Edition can be\nconfigured to enforce user session lifetime limits and renewal\nthresholds. These options can be found within the Universal Control\nPlane Admin Settings under the \"Authentication \u0026 Authorization\"\nsection. Configurable options include the initial lifetime (in hours)\nof a user''s session and the renewal threshold of a session (in\nhours). 
Upon the expiration of the configured session thresholds, a\nuser will be locked out of his/her session per the requirements of\nthis controls.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-12", + "subcontrolId": "", + "narratives": [ + { + "value": "'Per the requirements of AC-2 (5), Docker Enterprise Edition can be\nconfigured to enforce user session lifetime limits and renewal\nthresholds. These options can be found within the Universal Control\nPlane Admin Settings under the \"Authentication \u0026 Authorization\"\nsection. Configurable options include the initial lifetime (in hours)\nof a user''s session and the renewal threshold of a session (in\nhours). Upon the expiration of the configured session thresholds, a\nuser will be locked out of his/her session.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AC-17 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition logs and controls all local and remote\naccess events. In addition, auditing can be configured on the\nunderlying operating system to meet this control.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "AU-3", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition generates all of the audit record\ninformation indicated by this control. 
A sample audit event has been\nprovided below:\n\n{\"level\":\"info\",\"license_key\":\"123456789123456789123456789\",\"msg\":\"eNZi:Password\nbased auth\nsuceeded\",\"remote_addr\":\"192.168.33.1:55905\",\"time\":\"2016-11-09T22:41:01Z\",\"type\":\"auth\nok\",\"username\":\"dockeruser\"}'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-2", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition can be configured to identify and\nauthenticate users via it''s integrated support for LDAP. Users and\ngroups managed within the organization''s LDAP directory service (e.g.\nActive Directory) can be synchronized to UCP and DTR on a regular\ninterval. When a user is removed from the LDAP-backed directory, that\nuser becomes inactive within UCP and DTR. In addition, UCP and DTR\nteams can be mapped to groups synchronized via LDAP. When a user is\nadded/removed to/from the LDAP group, that same user is automatically\nadded/removed to/from the UCP and DTR team. Additional information can\nbe found at the following resources:\n\n- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/'\n", + "references": null + } + ], + "origins": [ + "Docker EE system", + "shared" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-2 (5)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, Docker Enterprise\nEdition requires individual users to be authenticated in order to gain\naccess to the system. 
Any permissions granted to the team(s) that\nwhich the user is a member are subsequently applied.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-2 (8)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition integrates with LDAP for authenticating\nusers to an external directory service. You should configure your\nexternal directory service for ensuring that you are protected against\nreplay attacks.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-2 (9)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition integrates with LDAP for authenticating\nusers to an external directory service. You should configure your\nexternal directory service for ensuring that you are protected against\nreplay attacks.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-4", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to prevent the reuse of user identifiers for a\nspecified period of time. Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to prevent the reuse of user identifiers for a\nspecified period of time. 
Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to prevent the reuse of user identifiers for a\nspecified period of time. Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-4 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to uniquely identify each individual according to\nthe requirements of this control. Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-5", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to establish initial authenticator content according\nto the requirements of this control. Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. 
To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to enforce strength requirements for authenticators\naccording to the requirements of this control. Refer to your directory\nservice''s documentation for configuring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to distribute, redistribute, and revoke\nauthenticators according to the requirements of this control. Refer to\nyour directory service''s documentation for configuring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to change default authenticator content according to\nthe requirements of this control. Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to set minimum and maximum lifetime restrictions and\nreuse conditions for authenticators according to the requirements of\nthis control. Refer to your directory service''s documentation for\nconfiguring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. 
To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to refresh authenticators at a regular cadence\naccording to the requirements of this control. Refer to your directory\nservice''s documentation for configuring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to protect authenticator content from unauthorized\ndisclosure or modification according to the requirements of this\ncontrol. Refer to your directory service''s documentation for\nconfiguring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to implement specific security safeguards to protect\nauthentications according to the requirements of this control. Refer\nto your directory service''s documentation for configuring this.'\n", + "references": null + }, + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to change authenticators for group or role accounts\nwhen membership to those groups or roles changes according to the\nrequirements of this control. 
Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-5 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'An external directory service integrated with Docker Enterprise\nEdition via LDAP can be configured to enforce minimum password\ncomplexity requirements. Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + }, + { + "value": "'An external directory service integrated with Docker Enterprise\nEdition via LDAP can be configured to enforce the requirement to\nchange at least one character when changing passwords according to the\nrequirements of this control. Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + }, + { + "value": "'An external directory service integrated with Docker Enterprise\nEdition via LDAP can be configured to store and transmit\ncryptographically protected passwords according to the requirements of\nthis control. Refer to your directory service''s documentation for\nconfiguring this.'\n", + "references": null + }, + { + "value": "'An external directory service integrated with Docker Enterprise\nEdition via LDAP can be configured to enforce the required minimum and\nmaximum lifetime restrictions according to the requirements of this\ncontrol. Refer to your directory service''s documentation for\nconfiguring this.'\n", + "references": null + }, + { + "value": "'An external directory service integrated with Docker Enterprise\nEdition via LDAP can be configured to enforce the required number of\ngenerations before password reuse according to the requirements of\nthis control. 
Refer to your directory service''s documentation for\nconfiguring this.'\n", + "references": null + }, + { + "value": "'An external directory service integrated with Docker Enterprise\nEdition via LDAP can be configured to enforce the requirement to\nchange initial/temporary passwords upon first login according to the\nrequirements of this control. Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-5 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'All users within a Docker Enterprise Edition cluster can create a\nclient certificate bundle for authenticating in to the cluster from\nthe Docker client tooling. When a user attempts to authenticate in to\nthe Docker cluster, the system validates the certificates per the\nrequirements of this control.'\n", + "references": null + }, + { + "value": "'All users within a Docker Enterprise Edition cluster can create a\nclient certificate bundle for authenticating in to the cluster from\nthe Docker client tooling. When a user attempts to authenticate in to\nthe Docker cluster, the system enforces authorized access to the\ncorresponding private key per the requirements of this control.'\n", + "references": null + }, + { + "value": "'All users within a Docker Enterprise Edition cluster can create a\nclient certificate bundle for authenticating in to the cluster from\nthe Docker client tooling. When a user attempts to authenticate in to\nthe Docker cluster, the system maps the authenticated identity to the\naccount of the individual or group per the requirements of this\ncontrol.'\n", + "references": null + }, + { + "value": "'All users within a Docker Enterprise Edition cluster can create a\nclient certificate bundle for authenticating in to the cluster from\nthe Docker client tooling. 
When a user attempts to authenticate in to\nthe Docker cluster, it is up to the underlying operating system\nhosting Docker Enterprise Edition to ensure that it implements a local\ncache of revocation data per the requirements of this control.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-5 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP can be\nconfigured with automation to ensure that password authenticators meet\nstrength requirements as defined by this control. Refer to your\ndirectory service's documentation for configuring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-5 (6)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to protect authenticators as required by this\ncontrol. Refer to your directory service's documentation for\nconfiguring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-8 (2)", + "subcontrolId": "", + "narratives": [ + { + "value": "'An external directory service integrated with Docker Enterprise\nEdition via LDAP can be configured to meet the FICAM requirements as\nindicated by this control. 
Refer to your directory service''s\ndocumentation for configuring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-8 (3)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to meet the FICAM requirements as indicated by this\ncontrol. Refer to your directory service''s documentation for\nconfiguring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "IA-8 (4)", + "subcontrolId": "", + "narratives": [ + { + "value": "'The organization is responsible for meeting the requirements of this\ncontrol. To assist with meeting these requirements, an external\ndirectory service integrated with Docker Enterprise Edition via LDAP\ncan be configured to meet the FICAM requirements as indicated by this\ncontrol. 
Refer to your directory service''s documentation for\nconfiguring this.'\n", + "references": null + } + ], + "origins": [ + "service provider hybrid" + ], + "statuses": [ + "complete" + ], + "references": null + }, + { + "controlId": "SC-23 (1)", + "subcontrolId": "", + "narratives": [ + { + "value": "'Docker Enterprise Edition invalidates session identifiers upon user\nlogout per the requirements of this control.'\n", + "references": null + } + ], + "origins": [ + "Docker EE system" + ], + "statuses": [ + "complete" + ], + "references": null + } + ], + "references": [ + { + "id": "", + "name": "UCP Documentation", + "description": "", + "url": "https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management" + } + ] + } + ], + "policies": null, + "procedures": null, + "params": [ + { + "paramId": "RA-5(2)", + "value": "\"FedRAMP requirement: prior to a new scan\"\n" + }, + { + "paramId": "RA-5(5)-1", + "value": "\"FedRAMP requirement: operating systems, databases, web applications\"\n" + }, + { + "paramId": "RA-5(5)-2", + "value": "\"FedRAMP requirement: all scans\"\n" + }, + { + "paramId": "AC-2(12)(a)", + "value": "\"customer-defined atypical use\"\n" + }, + { + "paramId": "AC-2(12)(b)", + "value": "\"at a minimum, the ISSO and/or similar role within the organization\"\n" + }, + { + "paramId": "AC-4", + "value": "\"customer-defined information flow control policies\"\n" + }, + { + "paramId": "AC-4(8)(a)", + "value": "\"FedRAMP assignment: security policy filters inherent in boundary\nprotection devices such as gateways, routers, guards, encrypted\ntunnels, firewalls\"\n" + }, + { + "paramId": "AC-4(8)(b)", + "value": "\"FedRAMP assignment: information containing PII or organization\nsensitive information types\"\n" + }, + { + "paramId": "AC-4(21)-1", + "value": "\"customer-defined mechanisms and/or techniques\"\n" + }, + { + "paramId": "AC-4(21)-2", + "value": "\"customer-defined 
required separation by types of information\"\n" + }, + { + "paramId": "AC-5(a)", + "value": "\"customer-defined duties of individuals\"\n" + }, + { + "paramId": "AC-14(a)", + "value": "\"customer-defined user actions\"\n" + }, + { + "paramId": "AC-17(3)", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "AC-17(9)", + "value": "\"FedRAMP requirement: no greater than fifteen minutes\"\n" + }, + { + "paramId": "AC-21(a)", + "value": "\"customer-defined information sharing circumstances\"\n" + }, + { + "paramId": "AC-21(b)", + "value": "\"customer-defined automated mechanisms or manual processes\"\n" + }, + { + "paramId": "AU-2(a)", + "value": "\"FedRAMP requirement: successful and unsuccessful account logon\nevents, account management events, object access, policy change,\nprivileged functions, process tracking, and system events. For Web\napplications: all administrator activity, authentication checks,\nauthorization checks, data deletions, data access, data changes, and\npermission changes\"\n" + }, + { + "paramId": "AU-2(d)", + "value": "\"FedRAMP requirement: organization-defined subset of the auditable\nevents defined in AU-2-a. 
to be audited continually for each\nidentified event\"\n" + }, + { + "paramId": "AU-3(1)", + "value": "\"FedRAMP requirement: session, connection, trasaction, or activity\nduration; for client-server transactions, the number of bytes received\nand bytes sent, additional informational messages to diagnose or\nidentify the event, characteristics that describe or identify the\nobject or resource being acted upon\"\n" + }, + { + "paramId": "AU-3(2)", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-5(a)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "AU-5(b)", + "value": "\"FedRAMP requirement: low-impact: overwrite oldest audit records;\nmoderate-impact: shut down\"\n" + }, + { + "paramId": "AU-5(1)-1", + "value": "\"appropriate service team personnel, customer-defined personnel\"\n" + }, + { + "paramId": "AU-5(1)-2", + "value": "\"24 hours, customer-defined time period\"\n" + }, + { + "paramId": "AU-5(1)-3", + "value": "\"a service team defined percentage, customer-defined percentage\"\n" + }, + { + "paramId": "AU-5(2)-1", + "value": "\"real-time\"\n" + }, + { + "paramId": "AU-5(2)-2", + "value": "\"appropriate service team personnel\"\n" + }, + { + "paramId": "AU-5(2)-3", + "value": "\"events defined by each service team, audit failure events requiring\nreal-time alerts, as defined by organization audit policy\"\n" + }, + { + "paramId": "AU-7(1)", + "value": "\"customer-defined audit fields within audit records\"\n" + }, + { + "paramId": "AU-8(b)", + "value": "\"millisecond precision\"\n" + }, + { + "paramId": "AU-8(1)(a)-1", + "value": "\"FedRAMP requirement: at least hourly\"\n" + }, + { + "paramId": "AU-8(1)(a)-2", + "value": "\"FedRAMP requirement: authoritative time source:\nhttp://tf.nist.gov/tf-cgi/servers.cgi\"\n" + }, + { + "paramId": "AU-8(1)(b)", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "AU-9(2)", + "value": "\"FedRAMP requirement: at least weekly\"\n" + }, + { + 
"paramId": "AU-11", + "value": "\"FedRAMP requirement: at least one year\"\n" + }, + { + "paramId": "AU-12(a)", + "value": "\"FedRAMP requirement: at least every 3 years\"\n" + }, + { + "paramId": "AU-12(b)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "AU-12(1)-1", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-12(1)-2", + "value": "\"1 millisecond, organization-defined level of tolerance\"\n" + }, + { + "paramId": "AU-12(3)-1", + "value": "\"service team members with audit configuration responsibilities\"\n" + }, + { + "paramId": "AU-12(3)-2", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-12(3)-3", + "value": "\"changes to the thread environment, organization-defined threat\nsituations\"\n" + }, + { + "paramId": "AU-12(3)-4", + "value": "\"risk-based assessment, organization-defined time thresholds\"\n" + }, + { + "paramId": "CM-5(3)", + "value": "\"customer-defined software\"\n" + }, + { + "paramId": "CM-6(1)", + "value": "\"customer-defined information system components\"\n" + }, + { + "paramId": "CM-7(5)(a)", + "value": "\"customer-defined software programs authorized to execute on the\ninformation system\"\n" + }, + { + "paramId": "CM-11(a)", + "value": "\"customer-defined policies\"\n" + }, + { + "paramId": "CM-11(b)", + "value": "\"customer-defined methods\"\n" + }, + { + "paramId": "CM-11(c)", + "value": "\"FedRAMP requirement: continuously (via CM-7(5))\"\n" + }, + { + "paramId": "CM-11(1)", + "value": "\"organization-defined personnel or roles\"\n" + }, + { + "paramId": "SC-28(1)-1", + "value": "\"customer data\"\n" + }, + { + "paramId": "SC-28(1)-2", + "value": "\"CSP servers\"\n" + }, + { + "paramId": "SI-11(b)", + "value": "\"authorized service personnel and CSP users\"\n" + }, + { + "paramId": "AC-2(12)(a)", + "value": "\"customer-defined atypical use\"\n" + }, + { + "paramId": "AC-2(12)(b)", + "value": "\"at a minimum, the 
ISSO and/or similar role within the organization\"\n" + }, + { + "paramId": "AC-4", + "value": "\"customer-defined information flow control policies\"\n" + }, + { + "paramId": "AC-4(8)(a)", + "value": "\"FedRAMP assignment: security policy filters inherent in boundary\nprotection devices such as gateways, routers, guards, encrypted\ntunnels, firewalls\"\n" + }, + { + "paramId": "AC-4(8)(b)", + "value": "\"FedRAMP assignment: information containing PII or organization\nsensitive information types\"\n" + }, + { + "paramId": "AC-4(21)-1", + "value": "\"customer-defined mechanisms and/or techniques\"\n" + }, + { + "paramId": "AC-4(21)-2", + "value": "\"customer-defined required separation by types of information\"\n" + }, + { + "paramId": "AC-14(a)", + "value": "\"customer-defined user actions\"\n" + }, + { + "paramId": "AC-17(3)", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "AC-17(9)", + "value": "\"FedRAMP requirement: no greater than fifteen minutes\"\n" + }, + { + "paramId": "AU-3(1)", + "value": "\"FedRAMP requirement: session, connection, trasaction, or activity\nduration; for client-server transactions, the number of bytes received\nand bytes sent, additional informational messages to diagnose or\nidentify the event, characteristics that describe or identify the\nobject or resource being acted upon\"\n" + }, + { + "paramId": "AU-3(2)", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-5(a)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "AU-5(b)", + "value": "\"FedRAMP requirement: low-impact: overwrite oldest audit records;\nmoderate-impact: shut down\"\n" + }, + { + "paramId": "AU-5(1)-1", + "value": "\"appropriate service team personnel, customer-defined personnel\"\n" + }, + { + "paramId": "AU-5(1)-2", + "value": "\"24 hours, customer-defined time period\"\n" + }, + { + "paramId": "AU-5(1)-3", + "value": "\"a service team defined percentage, customer-defined 
percentage\"\n" + }, + { + "paramId": "AU-5(2)-1", + "value": "\"real-time\"\n" + }, + { + "paramId": "AU-5(2)-2", + "value": "\"appropriate service team personnel\"\n" + }, + { + "paramId": "AU-5(2)-3", + "value": "\"events defined by each service team, audit failure events requiring\nreal-time alerts, as defined by organization audit policy\"\n" + }, + { + "paramId": "AU-7(1)", + "value": "\"customer-defined audit fields within audit records\"\n" + }, + { + "paramId": "AU-8(b)", + "value": "\"millisecond precision\"\n" + }, + { + "paramId": "AU-8(1)(a)-1", + "value": "\"FedRAMP requirement: at least hourly\"\n" + }, + { + "paramId": "AU-8(1)(a)-2", + "value": "\"FedRAMP requirement: authoritative time source:\nhttp://tf.nist.gov/tf-cgi/servers.cgi\"\n" + }, + { + "paramId": "AU-8(1)(b)", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "AU-9(2)", + "value": "\"FedRAMP requirement: at least weekly\"\n" + }, + { + "paramId": "AU-10", + "value": "\"actions including the addition, modification, deletion, approval,\nsending, or receiving of data\"\n" + }, + { + "paramId": "AU-11", + "value": "\"FedRAMP requirement: at least one year\"\n" + }, + { + "paramId": "AU-12(a)", + "value": "\"FedRAMP requirement: at least every 3 years\"\n" + }, + { + "paramId": "AU-12(b)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "AU-12(1)-1", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-12(1)-2", + "value": "\"1 millisecond, organization-defined level of tolerance\"\n" + }, + { + "paramId": "AU-12(3)-1", + "value": "\"service team members with audit configuration responsibilities\"\n" + }, + { + "paramId": "AU-12(3)-2", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-12(3)-3", + "value": "\"changes to the thread environment, organization-defined threat\nsituations\"\n" + }, + { + "paramId": "AU-12(3)-4", + "value": "\"risk-based assessment, 
organization-defined time thresholds\"\n" + }, + { + "paramId": "CM-1(a)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "CM-1(b)(1)", + "value": "\"FedRAMP requirement: at least every 3 years\"\n" + }, + { + "paramId": "CM-1(b)(2)", + "value": "\"FedRAMP requirement: at least annually or whenever a significant\nchange occurs\"\n" + }, + { + "paramId": "CM-2(1)(a)", + "value": "\"FedRAMP requirement: at least annually or when a significant change\noccurs\"\n" + }, + { + "paramId": "CM-2(1)(b)", + "value": "\"FedRAMP requirement: to include when directed by the JAB\"\n" + }, + { + "paramId": "CM-2(3)", + "value": "\"the previously approved baseline configuration of IS components\"\n" + }, + { + "paramId": "CM-3(e)", + "value": "\"customer-defined time period\"\n" + }, + { + "paramId": "CM-3(g)-1", + "value": "\"FedRAMP requirement: CAB\"\n" + }, + { + "paramId": "CM-3(g)-2", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "CM-3(g)-3", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "CM-3(g)-4", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "CM-3(1)(b)", + "value": "\"customer-defined authorized approvers\"\n" + }, + { + "paramId": "CM-3(1)(c)", + "value": "\"organization-defined time period\"\n" + }, + { + "paramId": "CM-3(1)(f)", + "value": "\"organization-defined configuration management approval authorities\"\n" + }, + { + "paramId": "CM-3(6)", + "value": "\"all security safeguards that rely on cryptography\"\n" + }, + { + "paramId": "CM-5(2)-1", + "value": "\"every 30 days\"\n" + }, + { + "paramId": "CM-5(2)-2", + "value": "\"organization-defined circumstance\"\n" + }, + { + "paramId": "CM-5(3)", + "value": "\"customer-defined software\"\n" + }, + { + "paramId": "CM-6(1)", + "value": "\"customer-defined information system components\"\n" + }, + { + "paramId": "CM-7(b)", + "value": "\"FedRAMP assignment: the service provider shall use the Center for\nInternet Security Guidelines (Level 1) to establish 
list of prohibited\nor restricted functions, ports, protocols, and/or services or\nestablishes its own list of prohibited or restricted functions, ports,\nprotocols, and/or services if USGCB is not available\"\n" + }, + { + "paramId": "CM-7(2)", + "value": "\"customer-defined policies regarding software program usage or\nrestrictions\"\n" + }, + { + "paramId": "CM-7(5)(a)", + "value": "\"customer-defined software programs authorized to execute on the\ninformation system\"\n" + }, + { + "paramId": "SC-7(20", + "value": "\"organization-defined information system components\"\n" + }, + { + "paramId": "SC-12(2)", + "value": "\"FedRAMP requirement: NIST FIPTS compliance\"\n" + }, + { + "paramId": "SC-13", + "value": "\"FedRAMP requirement: FIPS-validated or NSA-approved cryptography\"\n" + }, + { + "paramId": "SC-28-1", + "value": "\"confidentiality and integrity\"\n" + }, + { + "paramId": "SC-28-2", + "value": "\"customer data\"\n" + }, + { + "paramId": "SC-28(1)-1", + "value": "\"customer data\"\n" + }, + { + "paramId": "SC-28(1)-2", + "value": "\"CSP servers\"\n" + }, + { + "paramId": "SI-11(b)", + "value": "\"authorized service personnel and CSP users\"\n" + }, + { + "paramId": "SI-16", + "value": "\"Windows protections, including No Execute, Address Space Layout\nRandomization, and Data Execution Prevention\"\n" + }, + { + "paramId": "AC-2(12)(a)", + "value": "\"customer-defined atypical use\"\n" + }, + { + "paramId": "AC-2(12)(b)", + "value": "\"at a minimum, the ISSO and/or similar role within the organization\"\n" + }, + { + "paramId": "AC-4", + "value": "\"customer-defined information flow control policies\"\n" + }, + { + "paramId": "AC-4(8)(a)", + "value": "\"FedRAMP assignment: security policy filters inherent in boundary\nprotection devices such as gateways, routers, guards, encrypted\ntunnels, firewalls\"\n" + }, + { + "paramId": "AC-4(8)(b)", + "value": "\"FedRAMP assignment: information containing PII or organization\nsensitive information types\"\n" + }, 
+ {
+ "paramId": "AC-4(21)-1",
+ "value": "\"customer-defined mechanisms and/or techniques\"\n"
+ },
+ {
+ "paramId": "AC-4(21)-2",
+ "value": "\"customer-defined required separation by types of information\"\n"
+ },
+ {
+ "paramId": "AC-5(a)",
+ "value": "\"customer-defined duties of individuals\"\n"
+ },
+ {
+ "paramId": "AC-6(1)",
+ "value": "\"FedRAMP assignment: all functions not publiclly accessible and all\nsecurity-relevant information not publicly available\"\n"
+ },
+ {
+ "paramId": "AC-6(2)",
+ "value": "\"FedRAMP requirement: all security functions\"\n"
+ },
+ {
+ "paramId": "AC-6(3)-1",
+ "value": "\"privileged commands used to change/configure network devices\"\n"
+ },
+ {
+ "paramId": "AC-6(3)-2",
+ "value": "\"customer-defined operational needs\"\n"
+ },
+ {
+ "paramId": "AC-6(5)",
+ "value": "\"customer-defined personnel or roles\"\n"
+ },
+ {
+ "paramId": "AC-6(7)(a)-1",
+ "value": "\"at least annually\"\n"
+ },
+ {
+ "paramId": "AC-6(7)(a)-2",
+ "value": "\"all users\"\n"
+ },
+ {
+ "paramId": "AC-6(8)",
+ "value": "\"FedRAMP assignment: any software except software explicitly\ndocumented\"\n"
+ },
+ {
+ "paramId": "AC-12(1)(a)",
+ "value": "\"customer-defined information resources\"\n"
+ },
+ {
+ "paramId": "AC-14(a)",
+ "value": "\"customer-defined user actions\"\n"
+ },
+ {
+ "paramId": "AC-17(3)",
+ "value": "\"customer-defined\"\n"
+ },
+ {
+ "paramId": "AC-17(4)(a)",
+ "value": "\"customer-defined needs\"\n"
+ },
+ {
+ "paramId": "AC-17(9)",
+ "value": "\"FedRAMP requirement: no greater than fifteen minutes\"\n"
+ },
+ {
+ "paramId": "AC-21(a)",
+ "value": "\"customer-defined information sharing circumstances\"\n"
+ },
+ {
+ "paramId": "AC-21(b)",
+ "value": "\"customer-defined automated mechanisms or manual processes\"\n"
+ },
+ {
+ "paramId": "AU-2(a)",
+ "value": "\"FedRAMP requirement: successful and unsuccessful account logon\nevents, account management events, object access, policy change,\nprivileged functions, process tracking, and 
system events. For Web\napplications: all administrator activity, authentication checks,\nauthorization checks, data deletions, data access, data changes, and\npermission changes\"\n" + }, + { + "paramId": "AU-2(d)", + "value": "\"FedRAMP requirement: organization-defined subset of the auditable\nevents defined in AU-2-a. to be audited continually for each\nidentified event\"\n" + }, + { + "paramId": "AU-3(1)", + "value": "\"FedRAMP requirement: session, connection, trasaction, or activity\nduration; for client-server transactions, the number of bytes received\nand bytes sent, additional informational messages to diagnose or\nidentify the event, characteristics that describe or identify the\nobject or resource being acted upon\"\n" + }, + { + "paramId": "AU-3(2)", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-5(a)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "AU-5(b)", + "value": "\"FedRAMP requirement: low-impact: overwrite oldest audit records;\nmoderate-impact: shut down\"\n" + }, + { + "paramId": "AU-5(1)-1", + "value": "\"appropriate service team personnel, customer-defined personnel\"\n" + }, + { + "paramId": "AU-5(1)-2", + "value": "\"24 hours, customer-defined time period\"\n" + }, + { + "paramId": "AU-5(1)-3", + "value": "\"a service team defined percentage, customer-defined percentage\"\n" + }, + { + "paramId": "AU-5(2)-1", + "value": "\"real-time\"\n" + }, + { + "paramId": "AU-5(2)-2", + "value": "\"appropriate service team personnel\"\n" + }, + { + "paramId": "AU-5(2)-3", + "value": "\"events defined by each service team, audit failure events requiring\nreal-time alerts, as defined by organization audit policy\"\n" + }, + { + "paramId": "AU-7(1)", + "value": "\"customer-defined audit fields within audit records\"\n" + }, + { + "paramId": "AU-8(b)", + "value": "\"millisecond precision\"\n" + }, + { + "paramId": "AU-8(1)(a)-1", + "value": "\"FedRAMP requirement: at least 
hourly\"\n" + }, + { + "paramId": "AU-8(1)(a)-2", + "value": "\"FedRAMP requirement: authoritative time source:\nhttp://tf.nist.gov/tf-cgi/servers.cgi\"\n" + }, + { + "paramId": "AU-8(1)(b)", + "value": "\"customer-defined\"\n" + }, + { + "paramId": "AU-9(2)", + "value": "\"FedRAMP requirement: at least weekly\"\n" + }, + { + "paramId": "AU-11", + "value": "\"FedRAMP requirement: at least one year\"\n" + }, + { + "paramId": "AU-12(a)", + "value": "\"FedRAMP requirement: at least every 3 years\"\n" + }, + { + "paramId": "AU-12(b)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "AU-12(1)-1", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-12(1)-2", + "value": "\"1 millisecond, organization-defined level of tolerance\"\n" + }, + { + "paramId": "AU-12(3)-1", + "value": "\"service team members with audit configuration responsibilities\"\n" + }, + { + "paramId": "AU-12(3)-2", + "value": "\"all network, data storage, and computing devices\"\n" + }, + { + "paramId": "AU-12(3)-3", + "value": "\"changes to the thread environment, organization-defined threat\nsituations\"\n" + }, + { + "paramId": "AU-12(3)-4", + "value": "\"risk-based assessment, organization-defined time thresholds\"\n" + }, + { + "paramId": "CM-5(3)", + "value": "\"customer-defined software\"\n" + }, + { + "paramId": "CM-6(1)", + "value": "\"customer-defined information system components\"\n" + }, + { + "paramId": "CM-7(1)(b)", + "value": "\"customer-defined functions, ports, protocols, and services within the\ninformation system deemed to be unnecessary and/or nonsecure\"\n" + }, + { + "paramId": "CM-7(2)", + "value": "\"customer-defined policies regarding software program usage or\nrestrictions\"\n" + }, + { + "paramId": "CM-7(5)(a)", + "value": "\"customer-defined software programs authorized to execute on the\ninformation system\"\n" + }, + { + "paramId": "SC-28(1)-1", + "value": "\"customer data\"\n" + }, + { + "paramId": 
"SC-28(1)-2", + "value": "\"CSP servers\"\n" + }, + { + "paramId": "SI-11(b)", + "value": "\"authorized service personnel and CSP users\"\n" + }, + { + "paramId": "AC-2(2)-1", + "value": "Selection (removes or disables)" + }, + { + "paramId": "AC-2(2)-2", + "value": "\"FedRAMP requirement: no more than 30 days for temporary and emergency\naccount types\"\n" + }, + { + "paramId": "AC-2(3)", + "value": "\"FedRAMP requirement: thirty-five (35) days for user accounts\"\n" + }, + { + "paramId": "AC-2(4)", + "value": "\"organization and/or service provider system owner\"\n" + }, + { + "paramId": "AC-2(5)", + "value": "\"inactivity is anticipated to exceed fifteen (15) minutes\"\n" + }, + { + "paramId": "AC-2(7)(c)", + "value": "\"FedRAMP assignment: disables/revokes access within an\norganization-specified timeframe\"\n" + }, + { + "paramId": "AC-2(9)", + "value": "\"FedRAMP assignment: organization-defined need with justificatino\nstatement that explains why such accounts are necessary\"\n" + }, + { + "paramId": "AC-2(11)-1", + "value": "\"customer-defined circumstances or usage conditions\"\n" + }, + { + "paramId": "AC-2(11)-2", + "value": "\"customer-defined accounts\"\n" + }, + { + "paramId": "AC-2(12)(a)", + "value": "\"customer-defined atypical use\"\n" + }, + { + "paramId": "AC-2(12)(b)", + "value": "\"at a minimum, the ISSO and/or similar role within the organization\"\n" + }, + { + "paramId": "AC-2(13)", + "value": "\"one hour\"\n" + }, + { + "paramId": "AC-7(a)-1", + "value": "\"FedRAMP requirement: not more than three\"\n" + }, + { + "paramId": "AC-7(a)-2", + "value": "\"FedRAMP requirement: fifteen minutes\"\n" + }, + { + "paramId": "AC-7(b)-1", + "value": "\"FedRAMP requirement: locks the account/node for three hours\"\n" + }, + { + "paramId": "AC-7(b)-2", + "value": "\"customer-defined additional actions\"\n" + }, + { + "paramId": "AC-8(a)", + "value": "\"customer-defined system use notification banner\"\n" + }, + { + "paramId": "AC-8(c)(1)", + "value": 
"\"customer-defined conditions\"\n" + }, + { + "paramId": "AC-10", + "value": "\"customer-defined account and/or account type; FedRAMP requirement:\nthree sessions for privileged access and two sessions for\nnon-privileged access\"\n" + }, + { + "paramId": "AC-11(a)", + "value": "\"FedRAMP requirement: fifteen minutes\"\n" + }, + { + "paramId": "AC-12", + "value": "\"customer-defined conditions or trigger events\"\n" + }, + { + "paramId": "IA-4(a)", + "value": "\"customer-defined personnel or roles\"\n" + }, + { + "paramId": "IA-4(d)", + "value": "\"FedRAMP requirement: at least two years\"\n" + }, + { + "paramId": "IA-4(e)", + "value": "\"FedRAMP requirement: thirty-five (35) days\"\n" + }, + { + "paramId": "IA-4(4)", + "value": "\"FedRAMP requirement: contractors, foreign nationals\"\n" + }, + { + "paramId": "IA-5(g)", + "value": "\"FedRAMP requirement: 60 days for passwords\"\n" + }, + { + "paramId": "IA-5(1)(a)", + "value": "\"FedRAMP requirement: case-sensitive, minimum of fourteen (14)\ncharacters, and at least one (1) each of upper-case letters,\nlower-case letters, numbers, and special characters\"\n" + }, + { + "paramId": "IA-5(1)(b)", + "value": "\"FedRAMP requirement: at least fifty percent (50%)\"\n" + }, + { + "paramId": "IA-5(1)(d)", + "value": "\"FedRAMP requirement: one day minimum, sixty day maximum\"\n" + }, + { + "paramId": "IA-5(1)(e)", + "value": "\"FedRAMP requirement: twenty four\"\n" + }, + { + "paramId": "IA-5(4)", + "value": "\"complexity as identified in IA-05 (1) Control Enhancement Part A\"\n" + }, + { + "paramId": "IA-8(3)", + "value": "\"N/A\"\n" + } + ] +} \ No newline at end of file diff --git a/working/JSON-mapping/enhance.xsl b/working/JSON-mapping/enhance.xsl new file mode 100644 index 0000000000..377c451448 --- /dev/null +++ b/working/JSON-mapping/enhance.xsl @@ -0,0 +1,96 @@ + + + + + + + + + + + + + + + + + + + + + + + <xsl:apply-templates/> + + + + + + + + + + +

                                    + +

                                    + + + + + + + + + + + + + + + + + (com|org|net|gov|mil|edu|io|foundation) + [\w\-_\.] + [\w\-\$:;/:@&=+,_] + + ({$urlchar}+\.) + + (/|(\.(xml|html|htm|gif|jpg|jpeg|pdf|png|svg)))? + (/{$urlchar}+) + + ((http|ftp|https):/?/?)?{$domain}+{$tlds}{$pathstep}*{$tail}(\?{$extraURLchar}+)? + + + + + + +Children of 'component': { string-join(distinct-values(//component/*/name(.)), ',') } + + + + \ No newline at end of file diff --git a/working/JSON-mapping/hyperlink-inferencer.xsl b/working/JSON-mapping/hyperlink-inferencer.xsl new file mode 100644 index 0000000000..b485647afa --- /dev/null +++ b/working/JSON-mapping/hyperlink-inferencer.xsl @@ -0,0 +1,64 @@ + + + + + + + + + + + + + + + + (com|org|net|gov|mil|edu|io|foundation) + [\w\-_\.] + [\w\-\$:;/:@&=+,_] + + ({$urlchar}+\.) + + (/|(\.(xml|html|htm|gif|jpg|jpeg|pdf|png|svg)))? + (/{$urlchar}+) + + ((http|ftp|https):/?/?)?{$domain}+{$tlds}{$pathstep}*{$tail}(\?{$extraURLchar}+)? + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/working/JSON-mapping/index-to-catalog.xsl b/working/JSON-mapping/index-to-catalog.xsl new file mode 100644 index 0000000000..ed54c7bbe2 --- /dev/null +++ b/working/JSON-mapping/index-to-catalog.xsl @@ -0,0 +1,54 @@ + + + + + + + + file:/home/wendell/Documents/OSCAL/examples/SP800-53/SP800-53-rev4-catalog.xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/working/JSON-mapping/json-abstract-map.xsl b/working/JSON-mapping/json-abstract-map.xsl new file mode 100644 index 0000000000..0d05d42060 --- /dev/null +++ b/working/JSON-mapping/json-abstract-map.xsl @@ -0,0 +1,29 @@ + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/working/JSON-mapping/json-reader.xsl b/working/JSON-mapping/json-reader.xsl new file mode 100644 index 0000000000..f2ac967278 --- /dev/null +++ b/working/JSON-mapping/json-reader.xsl 
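Review bot: The inferred-URL pattern defined in this hunk is prone to catastrophic backtracking: the label class `[\w\-_\.]` already contains `.`, it is wrapped as `({$urlchar}+\.)` and then repeated with `{$domain}+`, which is the overlapping `(a+)+` shape that can go exponential in a backtracking engine on a long dotted run that never ends in one of the listed TLDs. Because this stylesheet is run over catalog and profile prose that may originate outside the project, a single such token can stall the whole pipeline. Dropping the dot from the label class, `[\w\-_]`, removes the overlap without changing what ordinary hostnames match. Separately, nothing bounds the TLD alternation on the right, so a token such as `foo.community` would, as far as I can tell, be linked as `foo.com`. The element markup of this hunk is lost in this rendering, so the variable names above are inferred from the order of the definitions.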
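Review bot: The TLD list, the two character classes and the `$domain`, `$pathstep`, `$tail` and full-URL definitions in this file are a verbatim copy of the ones in enhance.xsl in the same commit, so any correction to the pattern has to be made twice and the two stylesheets will drift. Moving the shared variables into one stylesheet (for example `url-patterns.xsl`) and pulling it into both files with `xsl:include href="url-patterns.xsl"` keeps a single definition to audit. The surrounding template markup is not visible in this rendering.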
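Review bot: The catalog location is defaulted to `file:/home/wendell/Documents/OSCAL/examples/SP800-53/SP800-53-rev4-catalog.xml`, an absolute path on one developer's machine, so the stylesheet fails for anyone else unless the parameter is overridden, even though readme.md in this commit says the resource is designated at runtime. A repository-relative default resolved against the stylesheet, e.g. `resolve-uri('../../examples/SP800-53/SP800-53-rev4-catalog.xml', static-base-uri())`, works from any checkout, assuming `examples/SP800-53` sits at the repository root as the absolute path suggests. Whatever the default, a runtime-supplied URI is presumably dereferenced as given by `doc()` or `document()`, so if the value can ever come from an untrusted caller it is worth restricting it to `file:` URIs under the repository rather than accepting arbitrary schemes. The parameter declaration and the templates that consume it are stripped from this rendering, so the exact element is inferred.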
@@ -0,0 +1,18 @@ + + + + + + file:/home/wendell/Documents/OSCAL/vault/docker-ee-opencontrol-oscal.json + + + + + + + \ No newline at end of file diff --git a/working/JSON-mapping/map-refine.xsl b/working/JSON-mapping/map-refine.xsl new file mode 100644 index 0000000000..4b35790a3c --- /dev/null +++ b/working/JSON-mapping/map-refine.xsl @@ -0,0 +1,128 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
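Review bot: The default input `file:/home/wendell/Documents/OSCAL/vault/docker-ee-opencontrol-oscal.json` points into a `vault` directory outside the repository on one developer's machine, so as committed the stylesheet cannot run without an override, while readme.md in this commit says the sources are the JSON files kept in this subdirectory. Defaulting to one of those files resolved relative to the stylesheet, e.g. `resolve-uri('some-sample.json', static-base-uri())` with the real file name, or declaring the parameter without a default and failing with an explicit message when it is absent, makes the pipeline reproducible. The parameter element itself is stripped from this rendering, so its name is not visible here.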

                                    + +

                                    +
                                    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Parents of 'map': { string-join(distinct-values(//map/name(..)), ',') } + +Parents of 'string': { string-join(distinct-values(//string/name(..)), ',') } + + + +
                                    \ No newline at end of file diff --git a/working/JSON-mapping/param-insert.xsl b/working/JSON-mapping/param-insert.xsl new file mode 100644 index 0000000000..2d211094f6 --- /dev/null +++ b/working/JSON-mapping/param-insert.xsl @@ -0,0 +1,46 @@ + + + + + + + + file:/home/wendell/Documents/OSCAL/examples/SP800-53/SP800-53-rev4-catalog.xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/working/JSON-mapping/readme.md b/working/JSON-mapping/readme.md new file mode 100644 index 0000000000..5f904931df --- /dev/null +++ b/working/JSON-mapping/readme.md 
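Review bot: This stylesheet repeats the developer-local default `file:/home/wendell/Documents/OSCAL/examples/SP800-53/SP800-53-rev4-catalog.xml` already used by index-to-catalog.xsl in the same commit, so both break outside that machine and the two defaults can silently diverge. Use one repository-relative default resolved with `resolve-uri()` against `static-base-uri()`, or make the catalog parameter required, and share that declaration between the two stylesheets. The rest of the stylesheet's markup is not visible in this rendering.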
@@ -0,0 +1,37 @@ +# Mapping an "Implementation Layer" from JSON into OSCAL + +For this experiment, the source files are the JSON files given in this subdirectory. + +These are each processed through a pipeline of XSLT transformations: this is `acquire-JSON.xpl`. It should be consulted for details. As writing its several transformations include (in order): + +`json-reader.xsl` - simple wrapper for calling the standard XPath 3.0 function `json-to-xml()`. + +`json-abstract-map.xsl` - 'invert' the XML, promoting labels to element names + +`map-refine.xsl`, `enhance.xsl` - as they suggest. From this point forward (more or less) outputs conform to the `oscal-implementation.rnc` schema. + +`index-to-catalog.xsl` - enhances components of an OSCAL 'implementation' document with links to a catalog or profile resource (designated at runtime) + +`param-insert.xsl` - inserts parameter settings from a catalog or profile resource (designated at runtime) - whose results are instructive + +`analysis.xsl` - tells us things about anything resulting from earlier processes (whatever they may be) + +## Lessons Learned + +IDs are everything. Because the FedRAMP examples are not properly tagged wrt IDs for parameters, they (the parameters) are inaccessible / unavailable at higher levels such as an implementation layer. We end up having to go all the way back to SP800-53. Then too, it appears that the coverage of references (to controls/subcontrols in these samples) goes beyond FedRAMP Moderate. It seems certain forensics such as tools showing which components can be sourced where, would be useful. + +However a key point is that if when set-parameter settings resolve correctly to the (ultimate) source catalog, they cannot resolve correctly against a profile that is (itself) in error (which is the case with our "crude" not-yet-complete FedRAMP models). + +The silver lining here is in the lesson that broken parameter links (and control links?) 
may be something we need to be able to deal with routinely, to detect and correct. Having these settings correct and complete at lower levels (and known to be so) is a sine qua non for any dependent level. Making it easy to correct or work around these needs to be a priority. + +In an editing workflow, this probably means a UI that permits parameter setting (and even control patching) over a mockup of the (expanded and resolved) catalog, followed by a process that reduces this mock-catalog back into a profile (set of selections and settings). Binding the mock-catalog to the catalog it purportedly references, we can validate it as we go. + +A transformation that produces, from a profile, a patchable, editable mock-catalog or worksheet (which could be rendered back down to a profile) might be a goal for a future sprint. + +Another issue exposed by this (very useful!) exercise is how to validate that parameters set in a profile actually apply at a lower level. Setting a parameter whose value is never injected into (included) control/subcontrol content, is a no-op by definition, n'est pas? + + + + + + diff --git a/working/JSON-mapping/test-analysis.xml b/working/JSON-mapping/test-analysis.xml new file mode 100644 index 0000000000..db75b85bb4 --- /dev/null +++ b/working/JSON-mapping/test-analysis.xml @@ -0,0 +1,25 @@ + + +

                                    Source file file:/home/wendell/Documents/OSCAL/vault/docker-ee-opencontrol-oscal.json

                                    +
                                    +

                                    none

                                    +

                                    Counting 279

                                    +

                                    AC-1, AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (5), AC-2 (7), AC-2 (9), AC-2 (10), AC-3, AC-4, AC-5, AC-6, AC-6 (1), AC-6 (2), AC-6 (5), AC-6 (9), AC-6 (10), AC-7, AC-8, AC-10, AC-11, AC-11 (1), AC-12, AC-14, AC-17, AC-17 (4), AC-18 (1), AC-18, AC-19 (5), AC-19, AC-20, AC-20 (2), AC-20 (1), AC-21, AC-22, AT-3, AT-1, AT-2, AT-2 (2), AT-4, AU-2 (3), AU-3 (1), AU-4, AU-5, AU-6, AU-7, AU-7 (1), AU-8, AU-8 (1), AU-9, AU-9 (2), AU-9 (4), AU-11, AU-12, CA-1, CA-2 (3), CA-2, CA-2 (2), CA-2 (1), CA-2 (2), CA-2 (3), CA-3, CA-3 (3), CA-3 (5), CA-5, CA-6, CA-7, CA-7 (1), CA-8 (1), CA-8, CA-9, CM-1, CM-2, CM-2 (1), CM-2 (2), CM-2 (3), CM-2 (7), CM-3, CM-6, CM-8, CP-1, CP-2, CP-2 (1), CP-2 (2), CP-2 (3), CP-2 (8), CP-3, CP-4, CP-4 (1), CP-6, CP-6 (1), CP-6 (3), CP-7, CP-7 (1), CP-7 (2), CP-7 (3), CP-8, CP-8 (1), CP-9, CP-9 (1), CP-9 (3), CP-10, CP-10 (2), IA-1, IA-2, IA-2 (1), IA-2 (2), IA-2 (5), IA-2 (3), IA-2 (8), IA-2 (11), IA-2 (12), IA-3, IA-4, IA-4 (4), IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (4), IA-5 (6), IA-5 (7), IA-5 (11), IA-7, IA-8, IA-8 (1), IA-8 (2), IA-8 (3), IA-8 (4), IR-1, IR-2, IR-3, IR-3 (2), IR-4, IR-4 (1), IR-5, IR-6, IR-6 (1), IR-7, IR-7 (1), IR-7 (2), IR-8, IR-9, IR-9 (1), IR-9 (2), IR-9 (3), IR-9 (4), MA-1, MA-2, MA-3, MA-3 (1), MA-3 (2), MA-3 (3), MA-4, MA-4 (2), MA-5, MA-5 (1), MA-6, MP-1, MP-2, MP-3, MP-4, MP-5, MP-5 (4), MP-6, MP-6 (2), MP-7, MP-7 (1), PE-1, PE-2, PE-3, PE-4, PE-5, PE-6, PE-6 (1), PE-8, PE-9, PE-10, PE-11, PE-12, PE-13, PE-13 (2), PE-13 (3), PE-14, PE-14 (2), PE-15, PE-16, PE-17, PL-1, PL-8, PS-1, PS-2, PS-3, PS-3 (3), PS-4, PS-5, PS-6, PS-7, PS-8, RA-1, RA-5, SA-1, SA-2, SA-3, SA-4, SA-4 (1), SA-4 (2), SA-4 (8), SA-4 (9), SA-4 (10), SA-5, SA-8, SA-9, SA-9 (1), SA-9 (2), SA-9 (4), SA-9 (5), SA-10, SA-22 (1), SC-1, SC-2, SC-4, SC-5, SC-6, SC-7, SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18), SC-8, SC-8 (1), SC-10, SC-12, SC-12 (2), SC-12 (3), SC-13, SC-15, SC-17, 
SC-18, SC-19, SC-20, SC-21, SC-22, SC-23, SC-28, SC-28 (1), SI-1, SI-2, SI-2 (2), SI-2 (3), SI-3, SI-3 (1), SI-3 (2), SI-3 (7), SI-4, SI-4 (1), SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (14), SI-4 (16), SI-4 (23), SI-5, SI-6, SI-7, SI-7 (1), SI-7 (7), SI-8, SI-8 (1), SI-8 (2), SI-10, SI-11, SI-12, SI-16

                                    +
                                    +
                                    +

                                    complete

                                    +

                                    Counting 224

                                    +

                                    AU-1, AU-2, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (5), RA-5 (6), RA-5 (8), AC-2 (1), AC-2 (7), AC-2 (12), AC-3, AC-4, AC-4 (8), AC-4 (21), AC-5, AC-6 (10), AC-14, AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (9), AC-20, AC-20 (1), AC-21, AU-2, AU-3, AU-3 (1), AU-3 (2), AU-5, AU-5 (1), AU-5 (2), AU-6 (4), AU-7 (1), AU-8, AU-8 (1), AU-9, AU-9 (2), AU-9 (3), AU-11, AU-12, AU-12 (1), AU-12 (3), CM-5 (1), CM-5 (3), CM-6 (1), CM-7 (2), CM-7 (5), CM-11, CM-11 (1), CP-10 (2), IA-2 (5), IA-3, IA-5 (2), IA-6, IA-7, IA-8, RA-5 (1), RA-5 (3), SA-10 (1), SC-2, SC-23, SC-28 (1), SI-11, AC-2 (12), AC-4, AC-4 (8), AC-4 (21), AC-14, AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (9), AU-2, AU-3, AU-3 (1), AU-3 (2), AU-5, AU-5 (1), AU-5 (2), AU-6 (4), AU-7, AU-7 (1), AU-8, AU-8 (1), AU-9, AU-9 (2), AU-9 (3), AU-10, AU-11, AU-12, AU-12 (1), AU-12 (3), CM-1, CM-2, CM-2 (1), CM-2 (2), CM-2 (3), CM-3, CM-3 (1), CM-3 (2), CM-3 (6), CM-5 (2), CM-5 (3), CM-6 (1), CM-7, CM-7 (2), CM-7 (5), CM-9, IA-3, SA-10 (1), SC-7 (20), SC-12 (2), SC-13, SC-23, SC-28, SC-28 (1), SI-3 (2), SI-11, SI-16, SC-39, AC-2 (1), AC-2 (7), AC-2 (12), AC-3, AC-4, AC-4 (8), AC-4 (21), AC-5, AC-6, AC-6 (1), AC-6 (2), AC-6 (3), AC-6 (5), AC-6 (7), AC-6 (8), AC-6 (10), AC-12 (1), AC-14, AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-17 (9), AC-20, AC-20 (1), AC-21, AU-2, AU-3, AU-3 (1), AU-3 (2), AU-5, AU-5 (1), AU-5 (2), AU-6 (4), AU-7, AU-7 (1), AU-8, AU-8 (1), AU-9, AU-9 (2), AU-9 (3), AU-11, AU-12, AU-12 (1), AU-12 (3), CM-5 (1), CM-5 (3), CM-6 (1), CM-7 (1), CM-7 (2), CM-7 (5), CP-10 (2), IA-2 (5), IA-3, IA-5 (2), IA-6, IA-7, IA-8, SA-10 (1), SC-2, SC-23, SC-28 (1), SI-11, AC-1, AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (5), AC-2 (7), AC-2 (9), AC-2 (10), AC-2 (11), AC-2 (12), AC-2 (13), AC-3, AC-6 (9), AC-7, AC-10, AC-11, AC-11 (1), AC-12, AC-17 (1), AU-3, IA-2, IA-2 (5), IA-2 (8), IA-2 (9), IA-4, IA-4 (4), IA-5, IA-5 (1), IA-5 (2), IA-5 (4), IA-5 (6), IA-8 (2), 
IA-8 (3), IA-8 (4), SC-23 (1)

                                    +
                                    +
                                    +

                                    partial

                                    +

                                    Counting 1

                                    +

                                    AC-17 (9)

                                    +
                                    +
                                    +

                                    planned

                                    +

                                    Counting 1

                                    +

                                    AC-8

                                    +
                                    + + diff --git a/working/JSON-mapping/test-linked.xml b/working/JSON-mapping/test-linked.xml new file mode 100644 index 0000000000..8e16354749 --- /dev/null +++ b/working/JSON-mapping/test-linked.xml @@ -0,0 +1,7158 @@ + + Moderate SSP for Docker Enterprise Edition Deployment ATO +

                                    Moderate SSP for Docker Enterprise Edition Deployment ATO

                                    + securitylead@agency.gov + + + + Access Control Policy for [Agency_Here] +

                                    +

                                    + + ACCESS CONTROL POLICY AND PROCEDURES + AC-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCOUNT MANAGEMENT + AC-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT + AC-2 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS + AC-2 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DISABLE INACTIVE ACCOUNTS + AC-2 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INACTIVITY LOGOUT + AC-2 (5) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ROLE-BASED SCHEMES + AC-2 (7) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESTRICTIONS ON USE OF SHARED / GROUP ACCOUNTS + AC-2 (9) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION + AC-2 (10) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS ENFORCEMENT + AC-3 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION FLOW ENFORCEMENT + AC-4 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION OF DUTIES + AC-5 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LEAST PRIVILEGE + AC-6 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHORIZE ACCESS TO SECURITY FUNCTIONS + AC-6 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS + AC-6 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIVILEGED ACCOUNTS + AC-6 (5) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDITING USE OF PRIVILEGED FUNCTIONS + AC-6 (9) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS + AC-6 (10) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + UNSUCCESSFUL LOGON ATTEMPTS + AC-7 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM USE NOTIFICATION + AC-8 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONCURRENT SESSION CONTROL + AC-10 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION LOCK + AC-11 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PATTERN-HIDING DISPLAYS + AC-11 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION TERMINATION + AC-12 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION + AC-14 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOTE ACCESS + AC-17 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIVILEGED COMMANDS / ACCESS + AC-17 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHENTICATION AND ENCRYPTION + AC-18 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + WIRELESS ACCESS + AC-18 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FULL DEVICE / CONTAINER-BASED ENCRYPTION + AC-19 (5) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR MOBILE DEVICES + AC-19 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS + AC-20 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PORTABLE STORAGE DEVICES + AC-20 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LIMITS ON AUTHORIZED USE + AC-20 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SHARING + AC-21 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PUBLICLY ACCESSIBLE CONTENT + AC-22 +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Awareness Training Policy for [Agency_Here] +

                                    +

                                    + + ROLE-BASED SECURITY TRAINING + AT-3 +

                                    [Agency's control implementation here] +

                                    + none + + + SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES + AT-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY AWARENESS TRAINING + AT-2 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSIDER THREAT + AT-2 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY TRAINING RECORDS + AT-4 +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Audit and Accountability Policy for [Agency_Here] +

                                    +

                                    + + AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES + AU-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + complete + + + AUDIT EVENTS + AU-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + complete +
                                    + + REVIEWS AND UPDATES + AU-2 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ADDITIONAL AUDIT INFORMATION + AU-3 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT STORAGE CAPACITY + AU-4 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES + AU-5 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT REVIEW, ANALYSIS, AND REPORTING + AU-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROCESS INTEGRATION + AU-6 (1) +

                                    [Agency's control implementation here] +

                                    +
                                    + + CORRELATE AUDIT REPOSITORIES + AU-6 (3) +

                                    [Agency's control implementation here] +

                                    +
                                    + + AUDIT REDUCTION AND REPORT GENERATION + AU-7 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC PROCESSING + AU-7 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TIME STAMPS + AU-8 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE + AU-8 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROTECTION OF AUDIT INFORMATION + AU-9 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS + AU-9 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS BY SUBSET OF PRIVILEGED USERS + AU-9 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT RECORD RETENTION + AU-11 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUDIT GENERATION + AU-12 +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Assessment and Authorization Policy for [Agency_Here] +

                                    +

                                    + + SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES + CA-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + EXTERNAL ORGANIZATIONS + CA-2 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ASSESSMENTS + CA-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SPECIALIZED ASSESSMENTS + CA-2 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDEPENDENT ASSESSORS + CA-2 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SPECIALIZED ASSESSMENTS + CA-2 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXTERNAL ORGANIZATIONS + CA-2 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM INTERCONNECTIONS + CA-3 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS + CA-3 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS + CA-3 (5) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PLAN OF ACTION AND MILESTONES + CA-5 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY AUTHORIZATION + CA-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINUOUS MONITORING + CA-7 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDEPENDENT ASSESSMENT + CA-7 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDEPENDENT PENETRATION AGENT OR TEAM + CA-8 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PENETRATION TESTING + CA-8 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTERNAL SYSTEM CONNECTIONS + CA-9 +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Configuration Management Policy for [Agency_Here] +

                                    +

                                    + + CONFIGURATION MANAGEMENT POLICY AND PROCEDURES + CM-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + BASELINE CONFIGURATION + CM-2 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REVIEWS AND UPDATES + CM-2 (1) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATION SUPPORT FOR ACCURACY / CURRENCY + CM-2 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RETENTION OF PREVIOUS CONFIGURATIONS + CM-2 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS + CM-2 (7) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURATION CHANGE CONTROL + CM-3 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONFIGURATION SETTINGS + CM-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM COMPONENT INVENTORY + CM-8 +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Contingency Planning Policy for [Agency_Here] +

                                    +

                                    + + CONTINGENCY PLANNING POLICY AND PROCEDURES + CP-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + CONTINGENCY PLAN + CP-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATE WITH RELATED PLANS + CP-2 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CAPACITY PLANNING + CP-2 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS + CP-2 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFY CRITICAL ASSETS + CP-2 (8) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINGENCY TRAINING + CP-3 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINGENCY PLAN TESTING + CP-4 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATE WITH RELATED PLANS + CP-4 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE STORAGE SITE + CP-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION FROM PRIMARY SITE + CP-6 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESSIBILITY + CP-6 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE PROCESSING SITE + CP-7 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATION FROM PRIMARY SITE + CP-7 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESSIBILITY + CP-7 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIORITY OF SERVICE + CP-7 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TELECOMMUNICATIONS SERVICES + CP-8 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PRIORITY OF SERVICE PROVISIONS + CP-8 (1) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM BACKUP + CP-9 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TESTING FOR RELIABILITY / INTEGRITY + CP-9 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SEPARATE STORAGE FOR CRITICAL INFORMATION + CP-9 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM RECOVERY AND RECONSTITUTION + CP-10 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TRANSACTION RECOVERY + CP-10 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Docker Security Scanning (DSS) +

                                    +

                                    + + UPDATE TOOL CAPABILITY + RA-5 (1) +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning (DSS) component of Docker +Trusted Registry (DTR) that is included with the Docker Enterprise +Edition Advanced tier can be used to scan Docker images for +vulnerabilities against known vulnerability databases. Scans can be +triggered either manually or when Docker images are pushed to DTR.' +

                                    + service provider hybrid + complete + + + UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED + RA-5 (2) +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning component of Docker Trusted +Registry (DTR) that is included with the Docker Enterprise Edition +Advanced tier compiles a bill of materials (BOM) for each Docker image +that it scans. DSS is also synchronized to an aggregate listing of +known vulnerabilities that is compiled from both the MITRE and NVD CVE +databases. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Image_Scanning' +

                                    + service provider hybrid + complete +
                                    + + BREADTH / DEPTH OF COVERAGE + RA-5 (3) +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning component of Docker Trusted +Registry (DTR) that is included with the Docker Enterprise Edition +Advanced tier identifies vulnerabilities in a Docker image and marks +them against predefined criticality levels; critical major and minor.' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED ACCESS + RA-5 (5) +

                                    'Only the appropriate users that the organization has provided Docker +Trusted Registry access to are able to view and interpret +vulnerability scan results.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED TREND ANALYSES + RA-5 (6) +

                                    'For each Docker image pushed to Docker Trusted Registry at a given +time, Docker Security Scaninng retains a list of vulnerabilities +detected. The DTR API can be queried to retrieve the vulnerability +scan results over a period of time for a given Docker image such that +the results can be compared per the requirements of this control.' +

                                    + service provider hybrid + complete +
                                    + + REVIEW HISTORIC AUDIT LOGS + RA-5 (8) +

                                    'Docker Security Scanning maintains a historical bill-of-materials +(BOM) for all Docker images that are scanned. Results of previous +vulnerability scans can be reviewed and audited per the requirements +of this control.' +

                                    + service provider hybrid + complete +
                                    + + + DSS Documentation +

                                    + https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/ + + + + Docker Trusted Registry (DTR) +

                                    +

                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT + AC-2 (1) +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation for managing users and teams can +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-teams/' +

                                    + service provider hybrid + complete +
                                    + + ROLE-BASED SCHEMES + AC-2 (7) +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/' +

                                    + service provider hybrid + complete +
                                    + + ACCOUNT MONITORING / ATYPICAL USAGE + AC-2 (12) +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT + AC-3 +

                                    'One can control which users and teams can create and manipulate +Docker Trusted Registry resources. By default, no one can make changes +to the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + Docker EE system + complete +
                                    + + INFORMATION FLOW ENFORCEMENT + AC-4 +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + Docker EE system + complete +
                                    + + SECURITY POLICY FILTERS + AC-4 (8) +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + shared + complete +
                                    + + PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS + AC-4 (21) +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + service provider hybrid + complete +
                                    + + SEPARATION OF DUTIES + AC-5 +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Docker Trusted Registry resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + service provider hybrid + complete +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS + AC-6 (10) +

                                    'One can control which users and teams can create and manipulate +Docker Trusted Registry resources and prevent non-privileged users +from executing privileged functions per the requirements of this +control. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation for the configuration of this +functionality can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/' +

                                    + Docker EE system + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION + AC-14 +

                                    'To help the organization meet the requirements of this control, a +review of actions allowed by unauthenticated users can be performed +within Docker Trusted Registry.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS + AC-17 +

                                    'To help the organization meet the requirements of this control, +Docker Trusted Registry can be configured to allow/prohibit remote +access.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL + AC-17 (1) +

                                    'Docker Trusted Registry logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION + AC-17 (2) +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2. This is included at both the +HTTPS application layer for access to the DTR user interface and for +command-line based connections to the registry. In addition to this, +all communication to DTR is enforced by way of two-way mutual TLS +authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS + AC-17 (3) +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Docker Trusted Registry replicas is routed through +managed network access control points.' +

                                    + service provider hybrid + complete +
                                    + + DISCONNECT / DISABLE ACCESS + AC-17 (9) +

                                    'Built-in firewall technology in Docker Trusted Registry's underlying +operating system can be used to force the disconnection of remote +connections to the host. In addition, UCP slave nodes running Docker +Trusted Registry replicas can be paused or drained, which subsequently +stops sessions to the DTR replica.' +

                                    + service provider hybrid + configured by customer + complete +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS + AC-20 +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Docker Trusted Registry.' +

                                    + service provider hybrid + complete +
                                    + + LIMITS ON AUTHORIZED USE + AC-20 (1) +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Docker Trusted Registry.' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION SHARING + AC-21 +

                                    'To help the organization meet the requirements of this control, one +can validate the assigned roles and access levels within Docker +Trusted Registry to control information sharing.' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT EVENTS + AU-2 +

                                    'All of the event types indicated by this control are logged by a +combination of the backend ucp-controller service within Universal +Control Plane and the backend services that make up Docker Trusted +Registry. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/#dtr-internal-components +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/#ucp-internal-components' +

                                    + service provider corporate + Docker EE system + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS + AU-3 +

                                    'Docker Trusted Registry generates all of the audit record information +indicated by this control. A sample audit event has been provided +below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION + AU-3 (1) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to interpolate the information +defined by this control from the logged audit records. Additional +information can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT + AU-3 (2) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to interpolate the information +defined by this control from the logged audit records. Additional +information can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES + AU-5 +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to alert individuals in +the event of log processing failures. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT STORAGE CAPACITY + AU-5 (1) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to warn the organization +when the allocated log storage is full. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + REAL-TIME ALERTS + AU-5 (2) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to warn the organization +when audit log failures occur. Additional information can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRAL REVIEW AND ANALYSIS + AU-6 (4) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +organization can subsequently centrally review and analyze all of the +Docker EE audit records. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION + AU-7 +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to facilitate the audit +reduction and report generation requirements of this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'The underlying operating system chosen to support Docker Trusted +Registry should be certified to ensure that logs are not altered +during generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared +
                                    + + AUTOMATIC PROCESSING + AU-7 (1) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to parse information by +organization-defined audit fields. Additional information can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS + AU-8 +

                                    'Docker Trusted Registry uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE + AU-8 (1) +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock compares itself with +an authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock synchronizes itself to +an authoritative time source as defined by part (a) of this control +any time the time difference exceeds that of the organization-defined +time period. This can be accomplished by utilizing the Network Time +Protocol (NTP). Refer to the operating system's instructions for doing +so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION + AU-9 +

                                    'By default, Docker Trusted Registry is configured to use the +underlying logging capabilities of Docker Enterprise Edition. As such, +on the underlying Linux operating system, only root and sudo users and +users that have been added to the ''docker'' group have the ability to +access the logs generated by UCP backend service containers. In +addition, only UCP Administrator users can change the logging endpoint +of the system should it be decided that logs be sent to a remote +logging stack. In this case, the organization is responsible for +configuring the remote logging stack per the provisions of this +control.' +

                                    + service provider hybrid + complete +
                                    + + AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS + AU-9 (2) +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +back up audit records per the schedule defined by this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHIC PROTECTION + AU-9 (3) +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +meet the encryption mechanisms required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + AUDIT RECORD RETENTION + AU-11 +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Docker Trusted +Registry resides as an Application on a Universal Control Plane +cluster, and as such, can be configured to send logs to a remote +logging stack. This logging stack can subsequently be configured to +retain logs for the duration required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider corporate + Docker EE system + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION + AU-12 +

                                    'All of the event types indicated by AU-2 a. are logged by a +combination of the backend services within Universal Control Plane and +Docker Trusted Registry. The underlying Linux operating system +supporting DTR can be configured to audit Docker-specific events with +the auditd daemon. Refer to the specific Linux distribution in use for +instructions on configuring this service. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/' +

                                    +

                                    'Using auditd on the Linux operating system supporting DTR, the +organization can configure audit rules to select which Docker-specific +events are to be audited. Refer to the specific Linux distribution in +use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL + AU-12 (1) +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and as such, can be configured to send logs to +a remote logging stack. This logging stack can subsequently be used to +compile audit records in to a system-wide audit trail that is +time-correlated per the requirements of this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CHANGES BY AUTHORIZED INDIVIDUALS + AU-12 (3) +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and as such, can be configured to send logs to +a remote logging stack. This logging stack can subsequently be used to +meet the requirements of this control. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUTOMATED ACCESS ENFORCEMENT / AUDITING + CM-5 (1) +

                                    'Role-based access control can be configured within Docker Trusted +Registry to meet the requirements of this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + Docker EE system + complete +
                                    + + SIGNED COMPONENTS + CM-5 (3) +

                                    'Docker Content Trust is a capability provided by Docker Enterprise +Edition that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. All Docker Trusted +Registry Docker images are officially signed and verified by Docker, +Inc. + +When installing Docker Trusted Registry, you should enable Docker +Content Trust and subsequently pull the the signed DTR image tag. +Additional information can be found at teh following resources: + +- https://docs.docker.com/engine/security/trust/content_trust/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/user/manage-images/sign-images/manage-trusted-repositories/' +

                                    + service provide hybrid + shared + complete +
                                    + + AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION + CM-6 (1) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +incorporate the use of an external configuration management system to +meet the requirements of this control. Docker Trusted Registry''s +configuration can also be backed up and stored an appropriate location +per the requirements of this control. Additional documenation can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/' +

                                    + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION + CM-7 (2) +

                                    'The organization can define a list of allowed base Docker images and +make them available via Docker Trusted Registry. The organization can +also prevent users from being able to pull Docker images from +untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + AUTHORIZED SOFTWARE / WHITELISTING + CM-7 (5) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +define a list of allowed base Docker images and make them available +via Docker Trusted Registry. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +configure its systems to ensure that only approved Docker images are +stored in Docker Trusted Registry. This can be accomplished by using +Docker Content Trust to sign Docker images which can subsequently be +stored in Docker Trusted Registry.' +

                                    + service provider hybrid + shared + complete +
                                    + + USER-INSTALLED SOFTWARE + CM-11 +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +define a list of allowed base Docker images and make them available +via Docker Trusted Registry. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + ALERTS FOR UNAUTHORIZED INSTALLATIONS + CM-11 (1) +

                                    'The organization can define a list of allowed base Docker images and +make them available via Docker Trusted Registry to meet the +requirements of this contorl. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + TRANSACTION RECOVERY + CP-10 (2) +

                                    'Docker Trusted Registry maintains its cluster state via an internal +key-value store. This, and other DTR transactions can be backed up and +recovered. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#DTR_Backup' +

                                    + Docker EE system + complete +
                                    + + GROUP AUTHENTICATION + IA-2 (5) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Docker Trusted +Registry requires individual users to be authenticated in order to +gain access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION + IA-3 +

                                    'Docker Trusted Registry replicas reside on Universal Control Plane +worker nodes. In order for UCP worker nodes to join a Universal +Control Plane cluster, they must be identified and authenticated via a +worker token. Additional Docker Trusted Registry replicas can only be +added after a UCP administrator user has authenticated in to the UCP +cluster and when mutual TLS authentication between the UCP worker and +manager nodes has been established. Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/#step-7-join-replicas-to-the-cluster' +

                                    + Docker EE system + complete +
                                    + + PKI-BASED AUTHENTICATION + IA-5 (2) +

                                    'Docker Trusted Registry includes a Docker volume which holds the root +key material for the DTR root CA that issues certificats. In addition +Universal Control Plane contains two, built-in root certificate +authorities. One CA is used for signing client bundles generated by +users. The other CA is used for TLS communication between UCP cluster +nodes. Should you choose to use certificates signed by an external CA, +in order to successfully authenticate in to the system, those +certificates must include a root CA public certificate, a service +certificate and any intermediate CA public certificates (in addition +to SANs for all addresses used to reach the UCP controller), and a +private key for the server. When adding DTR replicas, the UCP nodes on +which they're installed are authenticated to the cluster via the +appropriate built-in CA.' +

                                    +

                                    'Access to Docker Trusted Registry is only granted when a user has a +valid certificate bundle. This is enforced with the public/private key +pair included with the user's certificate bundle in Universal Control +Plane.' +

                                    +

                                    'Only after a client bundle has been generated or an existing public +key has been added for a particular user is that user able to execute +commands against Docker Trusted Registry. This bundle maps the +authenticated identity to that of the user's profile in Universal +Control Plane.' +

                                    +

                                    'When a client bundle has been generated or an existing public key has +been added for a particular Universal Control Plane user which +subsequently grants that user access to Docker Trusted Registry, it is +attached to that user''s Universal Control Plane profile. Bundles/keys +can be revoked by an Administrator or the user themselves. The +cluster''s internal certificates can also be revoked and updated. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/use-your-own-tls-certificates/' +

                                    + Docker EE system + complete +
                                    + + AUTHENTICATOR FEEDBACK + IA-6 +

                                    'Docker Trusted Registry obscures all feedback of authentication +information during the authentication process. This includes both +authentication via the web UI and the CLI.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION + IA-7 +

                                    'All access to Docker Trusted Registry is protected with Transport +Layer Security (TLS) 1.2 with the AES-GCM cipher. This includes both +SSH access to the individual UCP nodes and CLI-/web-based access to +the UCP management functions with mutual TLS and HTTPS respectively.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) + IA-8 +

                                    'Users managed by Docker Trusted Registry can be grouped per the +requirements of the organization and as defined by this control. This +can include groupings for non-organizational users.' +

                                    + Docker EE system + complete +
                                    + + UPDATE TOOL CAPABILITY + RA-5 (1) +

                                    'The Docker Security Scanning tool allows for the scanning of Docker +images in Docker Trusted Registry against the Common Vulnerabilities +and Exposures (CVE) dictionary.' +

                                    + service provider hybrid + complete +
                                    + + BREADTH / DEPTH OF COVERAGE + RA-5 (3) +

                                    'The Docker Security Scanning tool allows for the scanning of Docker +images in Docker Trusted Registry against the Common Vulnerabilities +and Exposures (CVE).' dictionary. +

                                    + service provider hybrid + complete +
                                    + + SOFTWARE / FIRMWARE INTEGRITY VERIFICATION + SA-10 (1) +

                                    'Docker Content Trust gives you the ability to verify both the +integrity and the publisher of all the data received from a Docker +Trusted Registry over any channel. It allows operations with a remote +DTR instance to enforce client-side signing and verification of image +tags. It provides for the ability to use digital signatures for data +sent to and receive from remote DTR instances. These signatures allow +client-side verification of the integrity and publisher of specific +image tags. Docker Trusted Registry includes an integrated imaging +signing service.' +

                                    + service provider hybrid + complete +
                                    + + APPLICATION PARTITIONING + SC-2 +

                                    'Docker Trusted Registry is made up of a number of backend services +that provide for both user functionality (including user interface +services) and system management functionality. Each of these services +operates independently of one another. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Docker_Trusted_Registry' +

                                    + Docker EE system + complete +
                                    + + SESSION AUTHENTICITY + SC-23 +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the DTR +user interface and for command-line based connections to the registry. +In addition to this, all communication to DTR is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC PROTECTION + SC-28 (1) +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the DTR +user interface and for command-line based connections to the registry. +In addition to this, all communication to DTR is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING + SI-11 +

                                    'All error messages generated via the configured logging mechanism of +Docker Trusted Registry are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + + Docker Trusted Registry Documentation +

                                    + https://docs.docker.com/datacenter/dtr/2.3/guides/ + + + + Docker Enterprise Edition Engine +

                                    +

                                    + + ACCOUNT MONITORING / ATYPICAL USAGE + AC-2 (12) +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition can be configured to aggregate +container and daemon events via a number of logging drivers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/view_container_logs/ +- https://docs.docker.com/engine/admin/logging/overview/ +- https://docs.docker.com/engine/admin/logging/log_tags/' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION FLOW ENFORCEMENT + AC-4 +

                                    'Docker Enterprise Edition can be configured to control the flow of +information that originates from applications running in containers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks' +

                                    + service provider hybrid + complete +
                                    + + SECURITY POLICY FILTERS + AC-4 (8) +

                                    'Docker Enterprise Edition can be configured to control the flow of +information that originates from applications running in containers +per organization-defined security policy filters. Supporting +documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks + +There are also third-party behavioral activity monitoring tools (e.g. +Sysdig Falco <http://www.sysdig.org/falco/>) that can be used +alongside Docker Enterprise Edition to satisfy this control''s +requirements.' +

                                    + service provider hybrid + complete +
                                    + + PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS + AC-4 (21) +

                                    'Docker Enterprise Edition can be configured to separate the flow of +information that originates from applications running in containers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks' +

                                    + service provider hybrid + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION + AC-14 +

                                    'To help the organization meet the requirements of this control, one +can restrict membership to the 'docker' group on underlying Linux +hosts or the local "Administrators" group (and any other groups +defined within 'daemon.json') on underlying Windows Server 2016 hosts +to only authorized users.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS + AC-17 +

                                    'To help the organization meet the requirements of this control, +Docker Enterprise Edition can be configured to allow/prohibit remote +access to the Engine.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL + AC-17 (1) +

                                    'Docker Enterprise Edition logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION + AC-17 (2) +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2. In addition to this, all +communication to Docker Enterprise Edition is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS + AC-17 (3) +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Docker Enterprise Edition is routed through managed +network access control points.' +

                                    + service provider hybrid + complete +
                                    + + DISCONNECT / DISABLE ACCESS + AC-17 (9) +

                                    'Built-in firewall technology in Docker Enterprise Edition's +underlying operating system can be used to force the disconnection of +remote connections to the host. In addition, Docker Enterprise Edition +provides the option to pause or drain a node in the cluster, which +subsequently stops and/or removes sessions to the node. Individual +services and/or applications running on Docker Enterprise Edition can +also be stopped and/or removed.' +

                                    + service provider hybrid + configured by customer + complete +
                                    + + AUDIT EVENTS + AU-2 +

                                    'Both Universal Control Plane and Docker Trusted Registry backend +service containers, all of which reside on Docker Enterprise Edition, +log all of the event types indicated by this control (as explained by +their component narratives). These and other application containers +that reside on Docker Enterprise Edition can be configured to log data +via an appropriate Docker logging driver. Instructions for configuring +logging drivers can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS + AU-3 +

                                    'Both Universal Control Plane and Docker Trusted Registry are +pre-configured to take advantage of Docker Enterprise Edition''s +built-in logging mechanisms. A sample audit event recorded by Docker +Enterprise Edition has been provided below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"} + +Additional documentation can be referenced at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION + AU-3 (1) +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to interpolate the information defined +by this control from the logged audit records. Additional +documentation can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT + AU-3 (2) +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to interpolate the information defined +by this control from the logged audit records. Additional +documentation can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES + AU-5 +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can be used to interpolate the information defined by this +control and also be configured to alert on any audit processing +failures. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT STORAGE CAPACITY + AU-5 (1) +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be configured to warn the organization when the +allocated log storage is full. Additional information can be found at +the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + REAL-TIME ALERTS + AU-5 (2) +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The +logging stack can subsequently be configured to warn the organization +when audit log failures occur. Additional information can be found at +the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRAL REVIEW AND ANALYSIS + AU-6 (4) +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The +organization can subsequently centrally review and analyze all of the +Docker EE audit records. Additional information can be found at the +following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION + AU-7 +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to facilitate the audit reduction and +report generation requirements of this control. Additional information +can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    +

                                    'The underlying operating system chosen to support Docker Enterprise +Edition should be certified to ensure that logs are not altered during +generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared + complete +
                                    + + AUTOMATIC PROCESSING + AU-7 (1) +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be configured to parse information by +organization-defined audit fields. Additional information can be found +at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS + AU-8 +

                                    'Docker Enterprise Edition uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Docker Enterprise Edition +runs should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE + AU-8 (1) +

                                    'The underlying operating system on which Docker Enterprise Edition runs should +be configured such that its system clock compares itself with an +authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Docker Enterprise Edition +runs should be configured such that its system clock synchronizes +itself to an authoritative time source as defined by part (a) of this +control any time the time difference exceeds that of the +organization-defined time period. This can be accomplished by +utilizing the Network Time Protocol (NTP). Refer to the operating +system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION + AU-9 +

                                    'On the underlying Linux operating system supporting Docker Enterprise +Edition, only root and sudo users and users that have been added to +the "docker" group have the ability to access the logs generated by +UCP backend service containers. Should the organization decide to +configure Docker Enterprise Edition to use a logging driver other than +the default json-file driver, the organization is subsequently +responsible for configuring the chosen logging stack per the +provisions of this control. In addition, for Linux operating systems +supporting Docker Enterprise Edition that use the systemd daemon, it +is imperative that the Journal is secured per the requirements of this +control. The same applies for Linux operating systems supporting +Docker Enterprise Edition that instead use upstart. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS + AU-9 (2) +

                                    'Docker Enterprise Edition can be configured to use a logging driver +that can subsequently meet the backup requirements of this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHIC PROTECTION + AU-9 (3) +

                                    'Docker Enterprise Edition can be configured to use a logging driver +that can subsequently meet the encryption mechanisms required by this +control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + NON-REPUDIATION + AU-10 +

                                    'Docker Enterprise Edition includes functionality known as Docker +Content Trust which allows one to cryptographically sign Docker +images. It enforces client-side signing and verification of image tags +and provides the ability to use digital signatures for data sent to +and received from Docker Trusted Registry. This ultimately provides +one with the ability to verify both the integrity and the publisher of +all data received from DTR over any channel. With Docker Content +Trust, an organization can enforce signature verification of all +content and prohibit unsigned and unapproved content from being +manipulated; thus supproting the non-repudiation requirements of this +control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/security/trust/content_trust/' +

                                    + Docker EE system + complete +
                                    + + AUDIT RECORD RETENTION + AU-11 +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Docker Enterprise +Edition can be configured to use a logging driver that stores data in +a location for the duration specified by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION + AU-12 +

                                    'Both Universal Control Plane and Docker Trusted Registry backend +service containers, all of which reside on Docker Enterprise Edition, +log all of the event types indicated by this AU-2 a. These and other +application containers that reside on Docker Enterprise Edition can be +configured to log data via an appropriate Docker logging driver. The +underlying Linux operating system supporting Docker Enterprise Edition +can be configured to audit Docker-specific events with the auditd +daemon. Refer to the specific Linux distribution in use for +instructions on configuring this service. Additional information can +be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    +

                                    'Using auditd on the Linux operating system supporting CS Docker +Engine, the organization can configure audit rules to select which +Docker-specific events are to be audited. Refer to the specific Linux +distribution in use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL + AU-12 (1) +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. This +logging stack can subsequently be used to compile audit records in to +a system-wide audit trail that is time-correlated per the requirements +of this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + CHANGES BY AUTHORIZED INDIVIDUALS + AU-12 (3) +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. This +logging stack can subsequently be used to meet the requirements of +this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONFIGURATION MANAGEMENT POLICY AND PROCEDURES + CM-1 +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configuration management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + BASELINE CONFIGURATION + CM-2 +

                                    'The CIS Docker Benchmark can be used as a baseline for securing Docker +Enterprise Edition and for helping the organization meet the +configuration management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + REVIEWS AND UPDATES + CM-2 (1) +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + AUTOMATION SUPPORT FOR ACCURACY / CURRENCY + CM-2 (2) +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. CIS regularly +updates their benchmark to reflect the latest updates in the stable +release of Docker Engine. Various configuration management tools such +as Inspec (http://inspec.io/) can be used to audit Docker Enterprise +Edition system configuration to ensure that the secure baseline +configurations have been applied in an automated fashion. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + RETENTION OF PREVIOUS CONFIGURATIONS + CM-2 (3) +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. CIS regularly +updates their benchmark to reflect the latest updates in the stable +release of Docker Engine. Various configuration management tools such +as Inspec (http://inspec.io/) can be used to audit Docker Enterprise +Edition system configuration to ensure that the secure baseline +configurations have been applied in an automated fashion and can be +rolled back as required by this control. Additional information can be +found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + CONFIGURATION CHANGE CONTROL + CM-3 +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Additional information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES + CM-3 (1) +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Various configuration management tools such as Inspec +(http://inspec.io/) can be used to audit Docker Enterprise Edition +system configuration to ensure that the secure baseline configurations +have been applied in an automated fashion. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + TEST / VALIDATE / DOCUMENT CHANGES + CM-3 (2) +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Various configuration management tools such as Inspec +(http://inspec.io/) can be used to audit Docker Enterprise Edition +system configuration to ensure that the secure baseline configurations +have been applied in an automated fashion. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHY MANAGEMENT + CM-3 (6) +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +cryptography management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + REVIEW SYSTEM CHANGES + CM-5 (2) +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +system change requirements of this control. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + Docker EE system + complete +
                                    + + SIGNED COMPONENTS + CM-5 (3) +

                                    'Before installing Docker Enterprise Edition, ensure that your +supporting Linux operating system''s packager manager supports package +signature verification and that it is enabled. It is also required +that you import the Docker public key for EE packages so as to +retrieve the validated and signed package from Docker, Inc. Refer to +your Linux OS documentation for instructions on completing the above +steps. + +In addition, Docker Content Trust is a capability provided by Docker +Engine that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. When enabling Docker +Content Trust in Docker Enterprise Edition you can enforce the use of +signed Docker images. Additional information can be found at the +following resources: + +- https://docs.docker.com/engine/security/trust/content_trust/' +

                                    + service provide hybrid + shared + complete +
                                    + + AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION + CM-6 (1) +

                                    'The organization can incorporate the use of an external configuration +management system to meet the requirements of this control.' +

                                    + service provider hybrid + complete +
                                    + + LEAST FUNCTIONALITY + CM-7 +

                                    'To help the organization meet the requirements of this control, the +latest CIS Docker Benchmark can be used as a secure configuration +baseline. Additional information can be found at the following +resources: + +- https://www.cisecurity.org/benchmark/docker/' +

                                    + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION + CM-7 (2) +

                                    'In order to restrict which Docker images can be used to deploy +applications to Docker Enterprise Edition, the organization can define +a list of allowed base Docker images and make them available via +Docker Trusted Registry. The organization can also prevent users from +being able to pull Docker images from untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + AUTHORIZED SOFTWARE / WHITELISTING + CM-7 (5) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements and in order to restrict +which Docker images can be used to deploy applications to Docker EE +Engine, the organization must define a list of allowed base Docker +images and make them available via Docker Trusted Registry. The +organization must also prevent users from being able to pull Docker +images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + CONFIGURATION MANAGEMENT PLAN + CM-9 +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configuration management plan requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION + IA-3 +

                                    'In order for other Docker EE engine nodes to be able to join a +cluster managed by Universal Control Plane, they must be identified +and authenticated via either a manager or worker token. Use of the +token includes trust on first use mutual TLS.' +

                                    + Docker EE system + complete +
                                    + + SOFTWARE / FIRMWARE INTEGRITY VERIFICATION + SA-10 (1) +

                                    'Docker Content Trust gives you the ability to verify both the +integrity and the publisher of all the data received from a Docker +Trusted Registry over any channel. It allows operations with a remote +DTR instance to enforce client-side signing and verification of image +tags. It provides for the ability to use digital signatures for data +sent to and receive from remote DTR instances. These signatures allow +client-side verification of the integrity and publisher of specific +image tags.' +

                                    + service provider hybrid + complete +
                                    + + DYNAMIC ISOLATION / SEGREGATION + SC-7 (20) +

                                    'Docker Enterprise Edition is designed to run application containers +whose content can be completely isolated/segregated from other +application containers within the same node/cluster. This is +accomplished by way of Linux kernel primitives and various security +profiles that can be applied to the underlying host OS. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/security/security/ +- https://docs.docker.com/engine/userguide/networking/overlay-security-model/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Engine_and_Node_Security' +

                                    + Docker EE system + complete +
                                    + + SYMMETRIC KEYS + SC-12 (2) +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's documentation to ensure it is configured in FIPS mode.' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHIC PROTECTION + SC-13 +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's documentation to ensure it is configured in FIPS mode.' +

                                    + service provider hybrid + complete +
                                    + + SESSION AUTHENTICITY + SC-23 +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to and between Docker Enterprise +Editions is enforced by way of two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF INFORMATION AT REST + SC-28 +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to/from and between Docker +Enterprise Edition nodes is enforced by way of two-way mutual TLS +authentication. All Swarm Mode manager nodes in a Docker Enterprise +Edition cluster store state metadata and user secrets encrypted at +rest using the AES GCM cipher.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC PROTECTION + SC-28 (1) +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to and between Docker Enterprise +Editions is enforced by way of two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + AUTOMATIC UPDATES + SI-3 (2) +

                                    'Docker Enterprise Edition packages for supported underlying operating +systems can only be obtained from Docker, Inc. The Docker EE +repositories from which Docker EE packages are obtained are protected +with official GPG keys. Each Docker package is also validated with a +signature definition.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING + SI-11 +

                                    'All error messages generated via the logging mechanisms of the Docker +Enterprise Edition engine are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + MEMORY PROTECTION + SI-16 +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's security documentation for information regarding the +protection of memory from unauthorized code execution.' +

                                    + service provider hybrid + complete +
                                    + + + Docker Enterprise Edition Engine Installation Documentation +

                                    + https://docs.docker.com/engine/installation/ + + + + Docker Engine Release Notes +

                                    + https://docs.docker.com/release-notes/ + + + + Configuring and Running Docker on Various Distributions +

                                    + https://docs.docker.com/engine/admin/ + + + + Docker Engine Security +

                                    + https://docs.docker.com/engine/security/security/ + + + + Securing Docker Datacenter and Security Best Practices +

                                    + https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices + + + + Identification and Authentication Policy for [Agency_Here] +

                                    +

                                    + + IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES + IA-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) + IA-2 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS + IA-2 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS + IA-2 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + GROUP AUTHENTICATION + IA-2 (5) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + LOCAL ACCESS TO PRIVILEGED ACCOUNTS + IA-2 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT + IA-2 (8) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + REMOTE ACCESS - SEPARATE DEVICE + IA-2 (11) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF PIV CREDENTIALS + IA-2 (12) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION + IA-3 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFIER MANAGEMENT + IA-4 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFY USER STATUS + IA-4 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTHENTICATOR MANAGEMENT + IA-5 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PASSWORD-BASED AUTHENTICATION + IA-5 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PKI-BASED AUTHENTICATION + IA-5 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION + IA-5 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION + IA-5 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROTECTION OF AUTHENTICATORS + IA-5 (6) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS + IA-5 (7) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + HARDWARE TOKEN-BASED AUTHENTICATION + IA-5 (11) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION + IA-7 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) + IA-8 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES + IA-8 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCEPTANCE OF THIRD-PARTY CREDENTIALS + IA-8 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF FICAM-APPROVED PRODUCTS + IA-8 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF FICAM-ISSUED PROFILES + IA-8 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Incident Response for [Agency_Here] +

                                    +

                                    + + INCIDENT RESPONSE POLICY AND PROCEDURES + IR-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + INCIDENT RESPONSE TRAINING + IR-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE TESTING + IR-3 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATION WITH RELATED PLANS + IR-3 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT HANDLING + IR-4 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED INCIDENT HANDLING PROCESSES + IR-4 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT MONITORING + IR-5 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT REPORTING + IR-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED REPORTING + IR-6 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE ASSISTANCE + IR-7 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT + IR-7 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COORDINATION WITH EXTERNAL PROVIDERS + IR-7 (2) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INCIDENT RESPONSE PLAN + IR-8 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SPILLAGE RESPONSE + IR-9 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESPONSIBLE PERSONNEL + IR-9 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TRAINING + IR-9 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + POST-SPILL OPERATIONS + IR-9 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXPOSURE TO UNAUTHORIZED PERSONNEL + IR-9 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System Maintenance Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM MAINTENANCE POLICY AND PROCEDURES + MA-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + CONTROLLED MAINTENANCE + MA-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MAINTENANCE TOOLS + MA-3 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSPECT TOOLS + MA-3 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INSPECT MEDIA + MA-3 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PREVENT UNAUTHORIZED REMOVAL + MA-3 (3) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NONLOCAL MAINTENANCE + MA-4 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DOCUMENT NONLOCAL MAINTENANCE + MA-4 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MAINTENANCE PERSONNEL + MA-5 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INDIVIDUALS WITHOUT APPROPRIATE ACCESS + MA-5 (1) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TIMELY MAINTENANCE + MA-6 +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Media Protection Policy for [Agency_Here] +

                                    +

                                    + + MEDIA PROTECTION POLICY AND PROCEDURES + MP-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + MEDIA ACCESS + MP-2 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA MARKING + MP-3 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA STORAGE + MP-4 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA TRANSPORT + MP-5 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC PROTECTION + MP-5 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA SANITIZATION + MP-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EQUIPMENT TESTING + MP-6 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEDIA USE + MP-7 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROHIBIT USE WITHOUT OWNER + MP-7 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Physical and Environmental Protection Policy for [Agency_Here] +

                                    +

                                    + + PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES + PE-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + PHYSICAL ACCESS AUTHORIZATIONS + PE-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PHYSICAL ACCESS CONTROL + PE-3 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR TRANSMISSION MEDIUM + PE-4 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS CONTROL FOR OUTPUT DEVICES + PE-5 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MONITORING PHYSICAL ACCESS + PE-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTRUSION ALARMS / SURVEILLANCE EQUIPMENT + PE-6 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + VISITOR ACCESS RECORDS + PE-8 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + POWER EQUIPMENT AND CABLING + PE-9 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY SHUTOFF + PE-10 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY POWER + PE-11 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EMERGENCY LIGHTING + PE-12 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FIRE PROTECTION + PE-13 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SUPPRESSION DEVICES / SYSTEMS + PE-13 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC FIRE SUPPRESSION + PE-13 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TEMPERATURE AND HUMIDITY CONTROLS + PE-14 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MONITORING WITH ALARMS / NOTIFICATIONS + PE-14 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + WATER DAMAGE PROTECTION + PE-15 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DELIVERY AND REMOVAL + PE-16 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ALTERNATE WORK SITE + PE-17 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Planning Policy for [Agency_Here] +

                                    +

                                    + + SECURITY PLANNING POLICY AND PROCEDURES + PL-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + INFORMATION SECURITY ARCHITECTURE + PL-8 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Personnel Security Policy for [Agency_Here] +

                                    +

                                    + + PERSONNEL SECURITY POLICY AND PROCEDURES + PS-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + POSITION RISK DESIGNATION + PS-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL SCREENING + PS-3 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION WITH SPECIAL PROTECTION MEASURES + PS-3 (3) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL TERMINATION + PS-4 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL TRANSFER + PS-5 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS AGREEMENTS + PS-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + THIRD-PARTY PERSONNEL SECURITY + PS-7 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PERSONNEL SANCTIONS + PS-8 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Risk Assessment Policy for [Agency_Here] +

                                    +

                                    + + RISK ASSESSMENT POLICY AND PROCEDURES + RA-1 +

                                    [Agency's control implementation here] +

                                    + none + + + VULNERABILITY SCANNING + RA-5 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System and Services Acquisition Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES + SA-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + ALLOCATION OF RESOURCES + SA-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM DEVELOPMENT LIFE CYCLE + SA-3 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACQUISITION PROCESS + SA-4 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FUNCTIONAL PROPERTIES OF SECURITY CONTROLS + SA-4 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS + SA-4 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONTINUOUS MONITORING PLAN + SA-4 (8) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE + SA-4 (9) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + USE OF APPROVED PIV PRODUCTS + SA-4 (10) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM DOCUMENTATION + SA-5 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ENGINEERING PRINCIPLES + SA-8 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXTERNAL INFORMATION SYSTEM SERVICES + SA-9 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS + SA-9 (1) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES + SA-9 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS + SA-9 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROCESSING, STORAGE, AND SERVICE LOCATION + SA-9 (5) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DEVELOPER CONFIGURATION MANAGEMENT + SA-10 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SOFTWARE / FIRMWARE INTEGRITY VERIFICATION + SA-10 (1) +

                                    [Agency's control implementation here] +

                                    +
                                    + + DEVELOPER SECURITY TESTING AND EVALUATION + SA-11 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +
                                    + + STATIC CODE ANALYSIS + SA-11 (1) +

                                    [Agency's control implementation here] +

                                    +
                                    + + THREAT AND VULNERABILITY ANALYSES + SA-11 (2) +

                                    [Agency's control implementation here] +

                                    +
                                    + + DYNAMIC CODE ANALYSIS + SA-11 (8) +

                                    [Agency's control implementation here] +

                                    +
                                    + + ALTERNATIVE SOURCES FOR CONTINUED SUPPORT + SA-22 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System and Communications Protection Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES + SC-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + APPLICATION PARTITIONING + SC-2 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION IN SHARED RESOURCES + SC-4 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DENIAL OF SERVICE PROTECTION + SC-5 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + RESOURCE AVAILABILITY + SC-6 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + BOUNDARY PROTECTION + SC-7 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ACCESS POINTS + SC-7 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + EXTERNAL TELECOMMUNICATIONS SERVICES + SC-7 (4) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + DENY BY DEFAULT / ALLOW BY EXCEPTION + SC-7 (5) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PREVENT SPLIT TUNNELING FOR REMOTE DEVICES + SC-7 (7) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS + SC-7 (8) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + HOST-BASED PROTECTION + SC-7 (12) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS + SC-7 (13) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + FAIL SECURE + SC-7 (18) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TRANSMISSION CONFIDENTIALITY AND INTEGRITY + SC-8 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION + SC-8 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NETWORK DISCONNECT + SC-10 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT + SC-12 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYMMETRIC KEYS + SC-12 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ASYMMETRIC KEYS + SC-12 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC PROTECTION + SC-13 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + COLLABORATIVE COMPUTING DEVICES + SC-15 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PUBLIC KEY INFRASTRUCTURE CERTIFICATES + SC-17 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MOBILE CODE + SC-18 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + VOICE OVER INTERNET PROTOCOL + SC-19 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) + SC-20 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) + SC-21 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE + SC-22 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SESSION AUTHENTICITY + SC-23 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROTECTION OF INFORMATION AT REST + SC-28 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CRYPTOGRAPHIC PROTECTION + SC-28 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PROCESS ISOLATION + SC-39 +

                                    [Agency's control implementation here] +

                                    + complete +
                                    +
                                    + + System and Information Integrity Policy for [Agency_Here] +

                                    +

                                    + + SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES + SI-1 +

                                    [Agency's control implementation here] +

                                    + none + + + FLAW REMEDIATION + SI-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED FLAW REMEDIATION STATUS + SI-2 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS + SI-2 (3) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MALICIOUS CODE PROTECTION + SI-3 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CENTRAL MANAGEMENT + SI-3 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC UPDATES + SI-3 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + NONSIGNATURE-BASED DETECTION + SI-3 (7) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION SYSTEM MONITORING + SI-4 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM-WIDE INTRUSION DETECTION SYSTEM + SI-4 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATED TOOLS FOR REAL-TIME ANALYSIS + SI-4 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC + SI-4 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SYSTEM-GENERATED ALERTS + SI-4 (5) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + WIRELESS INTRUSION DETECTION + SI-4 (14) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CORRELATE MONITORING INFORMATION + SI-4 (16) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + HOST-BASED DEVICES + SI-4 (23) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY ALERTS, ADVISORIES, AND DIRECTIVES + SI-5 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SECURITY FUNCTION VERIFICATION + SI-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY + SI-7 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTEGRITY CHECKS + SI-7 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INTEGRATION OF DETECTION AND RESPONSE + SI-7 (7) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SPAM PROTECTION + SI-8 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CENTRAL MANAGEMENT + SI-8 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AUTOMATIC UPDATES + SI-8 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION INPUT VALIDATION + SI-10 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + ERROR HANDLING + SI-11 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + INFORMATION HANDLING AND RETENTION + SI-12 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MEMORY PROTECTION + SI-16 +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Universal Control Plane (UCP) +

                                    +

                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT + AC-2 (1) +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation for managing users and teams can +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-teams/' +

                                    + service provider hybrid + complete + + + ROLE-BASED SCHEMES + AC-2 (7) +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/' +

                                    + service provider hybrid + complete +
                                    + + ACCOUNT MONITORING / ATYPICAL USAGE + AC-2 (12) +

                                    'To assist the organization in meeting the requirements of this +control, Universal Control Plane can be configured to send system +account log data to a remote logging service such as an Elasticsearch, +Logstash and Kibana (ELK) stack. Supporting documentation can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-node-messages/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-configurations/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-task-state/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT + AC-3 +

                                    'One can control which users and teams can create and manipulate +Universal Control Plane resources. By default, no one can make changes +to the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/deploy-view-only-service/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/grant-permissions/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-nodes-between-teams/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-volumes-between-teams/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/manage-access-with-collections/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/access-control-node/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + INFORMATION FLOW ENFORCEMENT + AC-4 +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + complete +
                                    + + SECURITY POLICY FILTERS + AC-4 (8) +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + shared + complete +
                                    + + PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS + AC-4 (21) +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + shared + complete +
                                    + + SEPARATION OF DUTIES + AC-5 +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + LEAST PRIVILEGE + AC-6 +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources and employ principles of +least privilege. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + AUTHORIZE ACCESS TO SECURITY FUNCTIONS + AC-6 (1) +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources and explicitly authorize +access as necessary. By default, no one can make changes to the +cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS + AC-6 (2) +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + NETWORK ACCESS TO PRIVILEGED COMMANDS + AC-6 (3) +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources, including Docker +networking components. By default, no one can make changes to the +cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED ACCOUNTS + AC-6 (5) +

                                    'To assist the organization in meeting the requirements of this +control, one can restrict privileged accounts within Universal Control +Plane to custom-defined roles. By default, no one can make changes to +the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + REVIEW OF USER PRIVILEGES + AC-6 (7) +

                                    'To assist the organization in meeting the requirements of this +control, one can review all implemented grants, accounts and roles +within Universal Control Plane and reassign/revoke privileges as +necessary. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGE LEVELS FOR CODE EXECUTION + AC-6 (8) +

                                    'Universal Control Plane users can be assigned to one of a number of +different permission levels. The permission level assigned to a +specific user determines that user''s ability to execute certain +Docker functions within UCP. Only users mapped to either the "Full +Control" or "Admin" roles can execute Docker commands without any +restrictions. Users mapped to either the "View Only" or "No Access" +roles cannot execute any Docker commands. Users assigned to the +"Restricted Control" role can only run Docker commands under their own +purview and cannot see other users UCP resources nor run commands that +required privileged access to the host. Furthermore, custom roles can +be created for fine-grained access to specific UCP resources and +functionality. Additional documentation regarding the various +permission levels within UCP can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS + AC-6 (10) +

                                    'One can control which users and teams can create and manipulate +Universal Control Plane resources and prevent non-privileged users +from executing privileged functions per the requirements of this +control. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation for the configuration of this +functionality can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/' +

                                    + Docker EE system + complete +
                                    + + USER-INITIATED LOGOUTS / MESSAGE DISPLAYS + AC-12 (1) +

                                    'Universal Control Plane includes a logout capability that allows a +user to terminate his/her current session.' +

                                    + Docker EE system + complete +
                                    + + PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION + AC-14 +

                                    'To help the organization meet the requirements of this control, a +review of actions allowed by unauthenticated users can be performed +within Universal Control Plane.' +

                                    + Docker EE system + complete +
                                    + + REMOTE ACCESS + AC-17 +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane can be configured to allow/prohibit remote +access.' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED MONITORING / CONTROL + AC-17 (1) +

                                    'Universal Control Plane logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION + AC-17 (2) +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2. This is included at both the +HTTPS application layer for access to the UCP user interface and for +command-line based connections to the cluster. In addition to this, +all communication to UCP is enforced by way of two-way mutual TLS +authentication.' +

                                    + Docker EE system + complete +
                                    + + MANAGED ACCESS CONTROL POINTS + AC-17 (3) +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Universal Control Plane managers and worker nodes is +routed through managed network access control points.' +

                                    + service provider hybrid + complete +
                                    + + PRIVILEGED COMMANDS / ACCESS + AC-17 (4) +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane can be configured to authorize certain +privileged functions via remote access.' +

                                    + service provider hybrid + complete +
                                    + + DISCONNECT / DISABLE ACCESS + AC-17 (9) +

                                    'Built-in firewall technology in Universal Control Plane's underlying +operating system can be used to force the disconnection of remote +connections to the host. In addition, UCP provides the option to pause +or drain a node in the cluster, which subsequently stops and/or +removes sessions to the node. Individual services and/or applications +running on a UCP cluster can also be stopped and/or removed.' +

                                    + service provider hybrid + configured by customer + complete + partial +
                                    + + USE OF EXTERNAL INFORMATION SYSTEMS + AC-20 +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Universal Control +Plane.' +

                                    + service provider hybrid + complete +
                                    + + LIMITS ON AUTHORIZED USE + AC-20 (1) +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Universal Control +Plane.' +

                                    + service provider hybrid + complete +
                                    + + INFORMATION SHARING + AC-21 +

                                    'To help the organization meet the requirements of this control, one +can validate the assigned roles and access levels within Universal +Control Plane to control information sharing.' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT EVENTS + AU-2 +

                                    'All of the event types indicated by this control are logged by the +backend ucp-controller service within Universal Control Plane. In +addition, each container created on a Universal Control Plane cluster +logs event data. Supporting documentation for configuring UCP logging +can be referenced at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + CONTENT OF AUDIT RECORDS + AU-3 +

                                    'Universal Control Plane generates all of the audit record information +indicated by this control. A sample audit event has been provided +below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + ADDITIONAL AUDIT INFORMATION + AU-3 (1) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +interpolate the information defined by this control from the logged +audit records. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT + AU-3 (2) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +interpolate the information defined by this control from the logged +audit records. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + RESPONSE TO AUDIT PROCESSING FAILURES + AU-5 +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +alert individuals in the event of log processing failures. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider system specific + complete +
                                    + + AUDIT STORAGE CAPACITY + AU-5 (1) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +warn the organization when the allocated log storage is full. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + REAL-TIME ALERTS + AU-5 (2) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +warn the organization when audit log failures occur. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CENTRAL REVIEW AND ANALYSIS + AU-6 (4) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The organization can subsequently centrally review and +analyze all of the Docker EE audit records. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AUDIT REDUCTION AND REPORT GENERATION + AU-7 +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +facilitate the audit reduction and report generation requirements of +this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'The underlying operating system chosen to support Universal Control +Plane should be certified to ensure that logs are not altered during +generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared + complete +
                                    + + AUTOMATIC PROCESSING + AU-7 (1) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +parse information by organization-defined audit fields. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + TIME STAMPS + AU-8 +

                                    'Universal Control Plane uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE + AU-8 (1) +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock compares itself with +an authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock synchronizes itself to +an authoritative time source as defined by part (a) of this control +any time the time difference exceeds that of the organization-defined +time period. This can be accomplished by utilizing the Network Time +Protocol (NTP). Refer to the operating system's instructions for doing +so.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUDIT INFORMATION + AU-9 +

                                    'By default, Universal Control Plane is configured to use the +underlying logging capabilities of Docker Enterprise Edition. As such, +on the underlying Linux operating system, only root and sudo users and +users that have been added to the 'docker' group have the ability to +access the logs generated by UCP backend service containers. In +addition, only UCP Administrator users can change the logging endpoint +of the system should it be decided that logs be sent to a remote +logging stack. In this case, the organization is responsible for +configuring the remote logging stack per the provisions of this +control.' +

                                    + service provider hybrid + complete +
                                    + + AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS + AU-9 (2) +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +back up audit records per the schedule defined by this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + CRYPTOGRAPHIC PROTECTION + AU-9 (3) +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +meet the encryption mechanisms required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + AUDIT RECORD RETENTION + AU-11 +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Universal Control +Plane can be configured to send logs to a remote logging stack. This +logging stack can subsequently be configured retain logs for the +duration required by this control. Additional information can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUDIT GENERATION + AU-12 +

                                    'All of the event types indicated by AU-2 a. are logged by the backend +ucp-controller service within Universal Control Plane. In addition, +each container created on a Universal Control Plane cluster logs event +data. The underlying Linux operating system supporting UCP can be +configured to audit Docker-specific events with the auditd daemon. +Refer to the specific Linux distribution in use for instructions on +configuring this service. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'Using auditd on the Linux operating system supporting UCP, the +organization can configure audit rules to select which Docker-specific +events are to be audited. Refer to the specific Linux distribution in +use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL + AU-12 (1) +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. This logging stack can subsequently be used to compile +audit records in to a system-wide audit trail that is time-correlated +per the requirements of this control. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + CHANGES BY AUTHORIZED INDIVIDUALS + AU-12 (3) +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. This logging stack can subsequently be used to meet the +requirements of this control. Additional information can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + AUTOMATED ACCESS ENFORCEMENT / AUDITING + CM-5 (1) +

                                    'Role-based access control can be configured within Universal Control +Plane to meet the requirements of this control. Additional information +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + SIGNED COMPONENTS + CM-5 (3) +

                                    'Docker Content Trust is a capability provided by Docker Enterprise +Edition that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. All Universal Control +Plane Docker images are officially signed and verified by Docker, Inc. + +When configuring Universal Control Plane, you should enforce +applications to only use Docker images signed by trusted UCP users +within your organization. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provide hybrid + shared + complete +
                                    + + AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION + CM-6 (1) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +incorporate the use of an external configuration management system to +meet the requirements of this control. Universal Control Plane''s +configuration can also be managed, backed up and stored in another +location per the requirements of this control. Additional documentation +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/ucp-configuration-file/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/' +

                                    + service provider hybrid + complete +
                                    + + PERIODIC REVIEW + CM-7 (1) +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane includes a robust access control model to +disable any functionality as mandated by this control.' +

                                    + service provider corporate + Docker EE system + service provider hybrid + complete +
                                    + + PREVENT PROGRAM EXECUTION + CM-7 (2) +

                                    'In order to restrict which Docker images can be used to deploy +applications to Universal Control Plane, the organization can define a +list of allowed base Docker images and make them available via Docker +Trusted Registry. The organization can also prevent users from being +able to pull Docker images from untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + AUTHORIZED SOFTWARE / WHITELISTING + CM-7 (5) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements and in order to restrict +which Docker images can be used to deploy applications to Universal +Control Plane, the organization must define a list of allowed base +Docker images and make them available via Docker Trusted Registry. The +organization must also prevent users from being able to pull Docker +images from untrusted sources.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +configure its systems to ensure that only approved Docker images +stored in Docker Trusted Registry can be run on Universal Control +Plane. This can be accomplished by using Docker Content Trust to sign +Docker images, and configure UCP to enforce only signed images from +specific Teams at runtime. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provider hybrid + shared + complete +
                                    + + TRANSACTION RECOVERY + CP-10 (2) +

                                    'Universal Control Plane maintains its cluster state via an internal +key-value store. This, and other UCP transactions can be backed up and +recovered. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#UCP_Backup' +

                                    + Docker EE system + complete +
                                    + + GROUP AUTHENTICATION + IA-2 (5) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Universal Control +Plane requires individual users to be authenticated in order to gain +access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + DEVICE IDENTIFICATION AND AUTHENTICATION + IA-3 +

                                    'In order for nodes to join a Universal Control Plane cluster, they +must be identified and authenticated via either a manager or worker +token. Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/scale-your-cluster/' +

                                    + Docker EE system + complete +
                                    + + PKI-BASED AUTHENTICATION + IA-5 (2) +

                                    'Universal Control Plane contains two, built-in root certificate +authorities. One CA is used for signing client bundles generated by +users. The other CA is used for TLS communication between UCP cluster +nodes. Should you choose to use certificates signed by an external CA, +in order to successfully authenticate in to the system, those +certificates must include a root CA public certificate, a service +certificate and any intermediate CA public certificates (in addition +to SANs for all addresses used to reach the UCP controller), and a +private key for the server.' +

                                    +

                                    'Access to a Universal Control Plane cluster is only granted when a +user has a valid certificate bundle. This is enforced with the +public/private key pair included with the user's certificate bundle.' +

                                    +

                                    'Only after a client bundle has been generated or an existing public +key has been added for a particular user is that user able to execute +commands against the Universal Control Plane cluster. This bundle maps +the authenticated identity to that of the user.' +

                                    +

                                    'When a client bundle has been generated or an existing public key has +been added for a particular Universal Control Plane user, it is +attached to that user''s profile. Bundles/keys can be revoked by an +Administrator or the user themselves. The cluster''s internal +certificates can also be revoked and updated. Additional information +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/' +

                                    + Docker EE system + complete +
                                    + + AUTHENTICATOR FEEDBACK + IA-6 +

                                    'Universal Control Plane obscures all feedback of authentication +information during the authentication process. This includes both +authentication via the web UI and the CLI.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC MODULE AUTHENTICATION + IA-7 +

                                    'All access to Universal Control Plane is protected with Transport +Layer Security (TLS) 1.2 with the AES GCM cipher. This includes both +SSH access to the individual UCP nodes and CLI-/web-based access to +the UCP management functions with mutual TLS and HTTPS respectively.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) + IA-8 +

                                    'Users managed by Universal Control Plane can be grouped per the +requirements of the organization and as defined by this control. This +can include groupings for non-organizational users.' +

                                    + Docker EE system + complete +
                                    + + SOFTWARE / FIRMWARE INTEGRITY VERIFICATION + SA-10 (1) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, Docker Content Trust gives +you the ability to verify both the integrity and the publisher of all +the data received from a Docker Trusted Registry over any channel. It +allows operations with a remote DTR instance to enforce client-side +signing and verification of image tags. It provides for the ability to +use digital signatures for data sent to and receive from remote DTR +instances. These signatures allow client-side verification of the +integrity and publisher of specific image tags. Universal Control +Plane can be configured to only run trusted and signed images. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provider hybrid + complete +
                                    + + APPLICATION PARTITIONING + SC-2 +

                                    'Universal Control Plane is made up of a number of backend services +that provide for both user functionality (including user interface +services) and system management functionality. Each of these services +operates independently of one another. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Universal_Control_Plane' +

                                    + Docker EE system + complete +
                                    + + SESSION AUTHENTICITY + SC-23 +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the UCP +user interface and for command-line based connections to the cluster. +In addition to this, all communication to UCP is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + CRYPTOGRAPHIC PROTECTION + SC-28 (1) +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the UCP +user interface and for command-line based connections to the cluster. +In addition to this, all communication to UCP is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + ERROR HANDLING + SI-11 +

                                    'All error messages generated via the configured logging mechanism of +Universal Control Plane are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + + UCP Documentation +

                                    + https://docs.docker.com/datacenter/ucp/2.2/guides/ + + + + Authentication and Authorization Service (eNZi) +

                                    +

                                    + + ACCESS CONTROL POLICY AND PROCEDURES + AC-1 +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams are allowed to create +and manipulate Docker Enterprise Edition resources. By default, no one +can make changes to the cluster. Permissions can be granted and +managed to enforce fine-grained access control. Supporting +documentation can found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/' +

                                    + service provider hybrid + complete +
                                    + + ACCOUNT MANAGEMENT + AC-2 +

                                    'To assist the organization in meeting the requirements of this +control, an external identity management system (such as Microsoft''s +Active Directory or an LDAP endpoint) can be configured as mandated by +this control and can be integrated with Docker Enterprise Edition. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED SYSTEM ACCOUNT MANAGEMENT + AC-2 (1) +

                                    'To assist the organization in meeting the requirements of this +control, an external identity management system (such as Microsoft''s +Active Directory or an LDAP endpoint) can be configured as mandated by +this control and can be integrated with Docker Enterprise Edition. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS + AC-2 (2) +

                                    'Using Docker Enterprise Edition''s LDAP integration capabilities, one +can disable and/or remove temporary and emergency accounts in a +connected directory service (such as Active Directory) after an +organization-defined time period. When a user is removed from LDAP, +that user becomes inactive after the LDAP synchronization runs. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + DISABLE INACTIVE ACCOUNTS + AC-2 (3) +

                                    'Using Docker Enterprise Edition''s LDAP integration capabilities, one +can automatically disable inactive accounts in a connected directory +service (such as Active Directory). When a user is removed from LDAP, +that user becomes inactive after the LDAP synchronization runs. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + AUTOMATED AUDIT ACTIONS + AC-2 (4) +

                                    'Docker Enterprise Edition logs various authentication and +authorization events to standard log files. One can configure Docker +Enterprise Edition to direct these event logs to a remote logging +service such as an Elasticsearch, Logstash and Kibana (ELK) stack and +subsequently alert on specific event types. When integrating Docker +Enterprise Edition with LDAP, one can refer the the directory +service''s logging mechanisms for auditing the events defined by this +control. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices' +

                                    + service provider hybrid + complete +
                                    + + INACTIVITY LOGOUT + AC-2 (5) +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition can be configured to enforce automated +session termination of users after an organization-defined time period +of inactivity. By default, the initial lifetime of a user''s session +is set to 72 hours and the renewal session for a user''s session is +set to 24 hours. These values can both be changed in the "Auth" +section of the "Admin Settings" in Universal Control Plane.' +

                                    + service provider hybrid + complete +
                                    + + ROLE-BASED SCHEMES + AC-2 (7) +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition supports various levels of user +permissions and role-based access control enforcements. Administrator +users have permissions to: manage other Docker Enterprise Edition +users, manage Docker Trusted Registry repositories and settings, and +manage the Universal Control Plane and underlying Docker Swarm Mode +cluster. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + service provider hybrid + complete +
                                    + + RESTRICTIONS ON USE OF SHARED / GROUP ACCOUNTS + AC-2 (9) +

                                    'To assist the organization in meeting the requirements of this +control, users and/or groups synchronized to Docker Enterprise Edition +via LDAP can be configured at the directory service.' +

                                    + service provider hybrid + complete +
                                    + + SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION + AC-2 (10) +

                                    'Users and/or groups synchronized to Docker Enterprise Edition via +LDAP can be configured at the directory service to ensure shared/group +account credentials are terminated when members leave the group.' +

                                    + service provider hybrid + complete +
                                    + + USAGE CONDITIONS + AC-2 (11) +

                                    'Information system accounts synchronized to Docker Enterprise Edition +via LDAP can be configured at the directory service to meet this +requirement as necessary.' +

                                    + service provider hybrid + complete +
                                    + + ACCOUNT MONITORING / ATYPICAL USAGE + AC-2 (12) +

                                    'To assist the organization in meeting the requirements of this +control, when Docker Enterprise Edition is configured for LDAP +integration, one can refer to the directory service''s existing +monitoring tools.' +

                                    + service provider hybrid + complete +
                                    + + DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS + AC-2 (13) +

                                    'To assist the organization in meeting the requirements of this +control, users and/or groups synchronized to Docker Enterprise Edition +via LDAP can be managed at the directory service and disabled if +posing a significant risk.' +

                                    + service provider hybrid + complete +
                                    + + ACCESS ENFORCEMENT + AC-3 +

                                    'One can control which users and teams can create and manipulate +Docker Enterprise Edition resources. By default, no one can make +changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. The eNZi component facilitates +authorizations as dictated by the system''s administrators. Supporting +documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/' +

                                    + Docker EE system + complete +
                                    + + AUDITING USE OF PRIVILEGED FUNCTIONS + AC-6 (9) +

                                    'Docker Enterprise Edition logs privileged user events to standard log +files. One can configure Docker Enterprise Edition to direct these +event logs to a remote logging service such as an Elasticsearch, +Logstash and Kibana (ELK) stack and subsequently alert on specific +event types. When integrating Docker Enterprise Edition with LDAP, one +can refer the the directory service''s logging mechanisms for auditing +the events defined by this control. Supporting documentation regarding +logging and monitoring can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + complete +
                                    + + UNSUCCESSFUL LOGON ATTEMPTS + AC-7 +

                                    'When Docker Enterprise Edition is integrated to a directory service +via LDAP, one can reference the functionality of the directory service +to configure the enforcement of a limit to the number of conesecutive +invalid logon attempts by a user during a specified time period.' +

                                    +

                                    'When Docker Enterprise Edition is integrated to a directory service +via LDAP, one can reference the functionality of the directory service +to configure he ability to automatically lock/disable an account for a +specified period of time after a consecutive invalid logon attempt +limit is reached.' +

                                    + service provider hybrid + complete +
                                    + + SYSTEM USE NOTIFICATION + AC-8 +

                                    'The feature required to satisfy the requirements of this control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    +

                                    'The feature required to satisfy the requirements of this control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    +

                                    'The feature required to satisfy control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    + Docker EE system + planned +
                                    + + CONCURRENT SESSION CONTROL + AC-10 +

                                    'Docker Enterprise Edition can be configured to limit the number of +concurrent sessions for each account. These options can be found +within the Universal Control Plane Admin Settings under the +"Authentication & Authorization" section. ' +

                                    + Docker EE system + complete +
                                    + + SESSION LOCK + AC-11 +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours).' +

                                    + Docker EE system + complete +
                                    + + PATTERN-HIDING DISPLAYS + AC-11 (1) +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours). Upon the expiration of the configured session thresholds, a +user will be locked out of his/her session per the requirements of +this controls.' +

                                    + Docker EE system + complete +
                                    + + SESSION TERMINATION + AC-12 +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours). Upon the expiration of the configured session thresholds, a +user will be locked out of his/her session.' +

                                    + Docker EE system + complete +
                                    + + AUTOMATED MONITORING / CONTROL + AC-17 (1) +

                                    'Docker Enterprise Edition logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + CONTENT OF AUDIT RECORDS + AU-3 +

                                    'Docker Enterprise Edition generates all of the audit record +information indicated by this control. A sample audit event has been +provided below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) + IA-2 +

                                    'Docker Enterprise Edition can be configured to identify and +authenticate users via it''s integrated support for LDAP. Users and +groups managed within the organization''s LDAP directory service (e.g. +Active Directory) can be synchronized to UCP and DTR on a regular +interval. When a user is removed from the LDAP-backed directory, that +user becomes inactive within UCP and DTR. In addition, UCP and DTR +teams can be mapped to groups synchronized via LDAP. When a user is +added/removed to/from the LDAP group, that same user is automatically +added/removed to/from the UCP and DTR team. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + Docker EE system + shared + complete +
                                    + + GROUP AUTHENTICATION + IA-2 (5) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Docker Enterprise +Edition requires individual users to be authenticated in order to gain +access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT + IA-2 (8) +

                                    'Docker Enterprise Edition integrates with LDAP for authenticating +users to an external directory service. You should configure your +external directory service for ensuring that you are protected against +replay attacks.' +

                                    + Docker EE system + complete +
                                    + + NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT + IA-2 (9) +

                                    'Docker Enterprise Edition integrates with LDAP for authenticating +users to an external directory service. You should configure your +external directory service for ensuring that you are protected against +replay attacks.' +

                                    + Docker EE system + complete +
                                    + + IDENTIFIER MANAGEMENT + IA-4 +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + IDENTIFY USER STATUS + IA-4 (4) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to uniquely identify each individual according to +the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + AUTHENTICATOR MANAGEMENT + IA-5 +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to establish initial authenticator content according +to the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to enforce strength requirements for authenticators +according to the requirements of this control. Refer to your directory +service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to distribute, redistribute, and revoke +authenticators according to the requirements of this control. Refer to +your directory service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to change default authenticator content according to +the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to set minimum and maximum lifetime restrictions and +reuse conditions for authenticators according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to refresh authenticators at a regular cadence +according to the requirements of this control. Refer to your directory +service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to protect authenticator content from unauthorized +disclosure or modification according to the requirements of this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to implement specific security safeguards to protect +authentications according to the requirements of this control. Refer +to your directory service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to change authenticators for group or role accounts +when membership to those groups or roles changes according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + PASSWORD-BASED AUTHENTICATION + IA-5 (1) +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce minimum password +complexity requirements. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the requirement to +change at least one character when changing passwords according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to store and transmit +cryptographically protected passwords according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the required minimum and +maximum lifetime restrictions according to the requirements of this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the required number of +generations before password reuse according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the requirement to +change initial/temporary passwords upon first login according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + PKI-BASED AUTHENTICATION + IA-5 (2) +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system validates the certificates per the +requirements of this control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system enforces authorized access to the +corresponding private key per the requirements of this control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system maps the authenticated identity to the +account of the individual or group per the requirements of this +control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, it is up to the underlying operating system +hosting Docker Enterprise Edition to ensure that it implements a local +cache of revocation data per the requirements of this control.' +

                                    + Docker EE system + complete +
                                    + + AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION + IA-5 (4) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP can be +configured with automation to ensure that password authenticators meet +strength requirements as defined by this control. Refer to your +directory service's documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + PROTECTION OF AUTHENTICATORS + IA-5 (6) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to protect authenticators as required by this +control. Refer to your directory service's documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + ACCEPTANCE OF THIRD-PARTY CREDENTIALS + IA-8 (2) +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to meet the FICAM requirements as +indicated by this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + USE OF FICAM-APPROVED PRODUCTS + IA-8 (3) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to meet the FICAM requirements as indicated by this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + USE OF FICAM-ISSUED PROFILES + IA-8 (4) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to meet the FICAM requirements as indicated by this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + INVALIDATE SESSION IDENTIFIERS AT LOGOUT + SC-23 (1) +

                                    'Docker Enterprise Edition invalidates session identifiers upon user +logout per the requirements of this control.' +

                                    + Docker EE system + complete +
                                    + + + UCP Documentation +

                                    + https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management + + + + + + + + RA-5(2) + "FedRAMP requirement: prior to a new scan" + + + + RA-5(5)-1 + "FedRAMP requirement: operating systems, databases, web applications" + + + + RA-5(5)-2 + "FedRAMP requirement: all scans" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-5(a) + "customer-defined duties of individuals" + + + + AC-14(a) + "customer-defined user actions" + + + + AC-17(3) + "customer-defined" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + AC-21(a) + "customer-defined information sharing circumstances" + + + + AC-21(b) + "customer-defined automated mechanisms or manual processes" + + + + AU-2(a) + "FedRAMP requirement: successful and unsuccessful account logon +events, account management events, object access, policy change, +privileged functions, process tracking, and system events. For Web +applications: all administrator activity, authentication checks, +authorization checks, data deletions, data access, data changes, and +permission changes" + + + + AU-2(d) + "FedRAMP requirement: organization-defined subset of the auditable +events defined in AU-2-a. 
to be audited continually for each +identified event" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(1)-1 + "all network, data storage, and computing devices" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-3 + "changes to the 
thread environment, organization-defined threat +situations" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + CM-5(3) + "customer-defined software" + + + + CM-6(1) + "customer-defined information system components" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + CM-11(a) + "customer-defined policies" + + + + CM-11(b) + "customer-defined methods" + + + + CM-11(c) + "FedRAMP requirement: continuously (via CM-7(5))" + + + + CM-11(1) + "organization-defined personnel or roles" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-2 + "CSP servers" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-14(a) + "customer-defined user actions" + + + + AC-17(3) + "customer-defined" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-5(a) + "customer-defined personnel or roles" + + + 
+ AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-10 + "actions including the addition, modification, deletion, approval, +sending, or receiving of data" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(1)-1 + "all network, data storage, and computing devices" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + CM-1(a) + "customer-defined personnel or roles" + + + + CM-1(b)(1) + "FedRAMP requirement: at least every 3 years" + + + + CM-1(b)(2) + "FedRAMP requirement: at least annually or whenever a significant +change occurs" + + + + CM-2(1)(a) + "FedRAMP 
requirement: at least annually or when a significant change +occurs" + + + + CM-2(1)(b) + "FedRAMP requirement: to include when directed by the JAB" + + + + CM-2(3) + "the previously approved baseline configuration of IS components" + + + + CM-3(e) + "customer-defined time period" + + + + CM-3(g)-1 + "FedRAMP requirement: CAB" + + + + CM-3(g)-2 + "customer-defined" + + + + CM-3(g)-3 + "customer-defined" + + + + CM-3(g)-4 + "customer-defined" + + + + CM-3(1)(b) + "customer-defined authorized approvers" + + + + CM-3(1)(c) + "organization-defined time period" + + + + CM-3(1)(f) + "organization-defined configuration management approval authorities" + + + + CM-3(6) + "all security safeguards that rely on cryptography" + + + + CM-5(2)-1 + "every 30 days" + + + + CM-5(2)-2 + "organization-defined circumstance" + + + + CM-5(3) + "customer-defined software" + + + + CM-6(1) + "customer-defined information system components" + + + + CM-7(b) + "FedRAMP assignment: the service provider shall use the Center for +Internet Security Guidelines (Level 1) to establish list of prohibited +or restricted functions, ports, protocols, and/or services or +establishes its own list of prohibited or restricted functions, ports, +protocols, and/or services if USGCB is not available" + + + + CM-7(2) + "customer-defined policies regarding software program usage or +restrictions" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + SC-7(20 + "organization-defined information system components" + + + + SC-12(2) + "FedRAMP requirement: NIST FIPTS compliance" + + + + SC-13 + "FedRAMP requirement: FIPS-validated or NSA-approved cryptography" + + + + SC-28-1 + "confidentiality and integrity" + + + + SC-28-2 + "customer data" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-2 + "CSP servers" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + SI-16 + "Windows protections, including No Execute, Address Space Layout 
+Randomization, and Data Execution Prevention" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-5(a) + "customer-defined duties of individuals" + + + + AC-6(1) + "FedRAMP assignment: all functions not publiclly accessible and all +security-relevant information not publicly available" + + + + AC-6(2) + "FedRAMP requirement: all security functions" + + + + AC-6(3)-1 + "privileged commands used to change/configure network devices" + + + + AC-6(3)-2 + "customer-defined operational needs" + + + + AC-6(5) + "customer-defined personnel or roles" + + + + AC-6(7)(a)-1 + "at least annually" + + + + AC-6(7)(a)-2 + "all users" + + + + AC-6(8) + "FedRAMP assignment: any software except software explicitly +documented" + + + + AC-12(1)(a) + "customer-defined information resources" + + + + AC-14(a) + "customer-defined user actions" + + + + AC-17(3) + "customer-defined" + + + + AC-17(4)(a) + "customer-defined needs" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + AC-21(a) + "customer-defined information sharing circumstances" + + + + AC-21(b) + "customer-defined automated mechanisms or manual processes" + + + + AU-2(a) + "FedRAMP requirement: successful and unsuccessful account logon +events, account management events, object access, policy change, +privileged functions, process tracking, and system events. 
For Web +applications: all administrator activity, authentication checks, +authorization checks, data deletions, data access, data changes, and +permission changes" + + + + AU-2(d) + "FedRAMP requirement: organization-defined subset of the auditable +events defined in AU-2-a. to be audited continually for each +identified event" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(1)-1 + "all network, data storage, and computing 
devices" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + CM-5(3) + "customer-defined software" + + + + CM-6(1) + "customer-defined information system components" + + + + CM-7(1)(b) + "customer-defined functions, ports, protocols, and services within the +information system deemed to be unnecessary and/or nonsecure" + + + + CM-7(2) + "customer-defined policies regarding software program usage or +restrictions" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-2 + "CSP servers" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + AC-2(2)-1 + Selection (removes or disables) + + + AC-2(2)-2 + "FedRAMP requirement: no more than 30 days for temporary and emergency +account types" + + + + AC-2(3) + "FedRAMP requirement: thirty-five (35) days for user accounts" + + + + AC-2(4) + "organization and/or service provider system owner" + + + + AC-2(5) + "inactivity is anticipated to exceed fifteen (15) minutes" + + + + AC-2(7)(c) + "FedRAMP assignment: disables/revokes access within an +organization-specified timeframe" + + + + AC-2(9) + "FedRAMP assignment: organization-defined need with justificatino +statement that explains why such accounts are necessary" + + + + AC-2(11)-1 + "customer-defined circumstances or usage conditions" + + + + AC-2(11)-2 + "customer-defined accounts" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-2(13) + "one hour" + + + + AC-7(a)-1 + "FedRAMP 
requirement: not more than three" + + + + AC-7(a)-2 + "FedRAMP requirement: fifteen minutes" + + + + AC-7(b)-1 + "FedRAMP requirement: locks the account/node for three hours" + + + + AC-7(b)-2 + "customer-defined additional actions" + + + + AC-8(a) + "customer-defined system use notification banner" + + + + AC-8(c)(1) + "customer-defined conditions" + + + + AC-10 + "customer-defined account and/or account type; FedRAMP requirement: +three sessions for privileged access and two sessions for +non-privileged access" + + + + AC-11(a) + "FedRAMP requirement: fifteen minutes" + + + + AC-12 + "customer-defined conditions or trigger events" + + + + IA-4(a) + "customer-defined personnel or roles" + + + + IA-4(d) + "FedRAMP requirement: at least two years" + + + + IA-4(e) + "FedRAMP requirement: thirty-five (35) days" + + + + IA-4(4) + "FedRAMP requirement: contractors, foreign nationals" + + + + IA-5(g) + "FedRAMP requirement: 60 days for passwords" + + + + IA-5(1)(a) + "FedRAMP requirement: case-sensitive, minimum of fourteen (14) +characters, and at least one (1) each of upper-case letters, +lower-case letters, numbers, and special characters" + + + + IA-5(1)(b) + "FedRAMP requirement: at least fifty percent (50%)" + + + + IA-5(1)(d) + "FedRAMP requirement: one day minimum, sixty day maximum" + + + + IA-5(1)(e) + "FedRAMP requirement: twenty four" + + + + IA-5(4) + "complexity as identified in IA-05 (1) Control Enhancement Part A" + + + + IA-8(3) + "N/A" + + + +
diff --git a/working/JSON-mapping/test-out.xml b/working/JSON-mapping/test-out.xml
new file mode 100644
index 0000000000..ddbf7d9acc
--- /dev/null
+++ b/working/JSON-mapping/test-out.xml
@@ -0,0 +1,6647 @@
+ + + Moderate SSP for Docker Enterprise Edition Deployment ATO +

                                    Moderate SSP for Docker Enterprise Edition Deployment ATO

                                    + securitylead@agency.gov + + + + Access Control Policy for [Agency_Here] +

                                    +

                                    + + AC-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-2 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-2 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-2 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-2 (5) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-2 (7) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-2 (9) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-2 (10) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-3 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-4 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-5 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-6 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-6 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-6 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-6 (5) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-6 (9) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-6 (10) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-7 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-8 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-10 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-11 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-11 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-12 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-14 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-17 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-17 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-18 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-18 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-19 (5) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-19 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-20 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-20 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-20 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-21 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AC-22 +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Awareness Training Policy for [Agency_Here] +

                                    +

                                    + + AT-3 +

                                    [Agency's control implementation here] +

                                    + none + + + AT-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AT-2 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AT-2 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AT-4 +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Audit and Accountability Policy for [Agency_Here] +

                                    +

                                    + + AU-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + complete + + + AU-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + complete +
                                    + + AU-2 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AU-3 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AU-4 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AU-5 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AU-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AU-6 (1) +

                                    [Agency's control implementation here] +

                                    +
                                    + + AU-6 (3) +

                                    [Agency's control implementation here] +

                                    +
                                    + + AU-7 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AU-7 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AU-8 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AU-8 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AU-9 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AU-9 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AU-9 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AU-11 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + AU-12 +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Assessment and Authorization Policy for [Agency_Here] +

                                    +

                                    + + CA-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + CA-2 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CA-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CA-2 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CA-2 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CA-2 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CA-2 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CA-3 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CA-3 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CA-3 (5) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CA-5 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CA-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CA-7 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CA-7 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CA-8 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CA-8 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CA-9 +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Configuration Management Policy for [Agency_Here] +

                                    +

                                    + + CM-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + CM-2 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CM-2 (1) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CM-2 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CM-2 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CM-2 (7) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CM-3 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CM-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CM-8 +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Contingency Planning Policy for [Agency_Here] +

                                    +

                                    + + CP-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + CP-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-2 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-2 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-2 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-2 (8) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-3 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-4 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-4 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-6 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-6 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-7 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-7 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-7 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-7 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-8 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-8 (1) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-9 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-9 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-9 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-10 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + CP-10 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Docker Security Scanning (DSS) +

                                    +

                                    + + RA-5 (1) +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning (DSS) component of Docker +Trusted Registry (DTR) that is included with the Docker Enterprise +Edition Advanced tier can be used to scan Docker images for +vulnerabilities against known vulnerability databases. Scans can be +triggered either manually or when Docker images are pushed to DTR.' +

                                    + service provider hybrid + complete + + + RA-5 (2) +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning component of Docker Trusted +Registry (DTR) that is included with the Docker Enterprise Edition +Advanced tier compiles a bill of materials (BOM) for each Docker image +that it scans. DSS is also synchronized to an aggregate listing of +known vulnerabilities that is compiled from both the MITRE and NVD CVE +databases. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Image_Scanning' +

                                    + service provider hybrid + complete +
                                    + + RA-5 (3) +

                                    'To assist the orgnization in meeting the requirements of this +control, the Docker Security Scanning component of Docker Trusted +Registry (DTR) that is included with the Docker Enterprise Edition +Advanced tier identifies vulnerabilities in a Docker image and marks +them against predefined criticality levels; critical major and minor.' +

                                    + service provider hybrid + complete +
                                    + + RA-5 (5) +

                                    'Only the appropriate users that the organization has provided Docker +Trusted Registry access to are able to view and interpret +vulnerability scan results.' +

                                    + service provider hybrid + complete +
                                    + + RA-5 (6) +

                                    'For each Docker image pushed to Docker Trusted Registry at a given +time, Docker Security Scaninng retains a list of vulnerabilities +detected. The DTR API can be queried to retrieve the vulnerability +scan results over a period of time for a given Docker image such that +the results can be compared per the requirements of this control.' +

                                    + service provider hybrid + complete +
                                    + + RA-5 (8) +

                                    'Docker Security Scanning maintains a historical bill-of-materials +(BOM) for all Docker images that are scanned. Results of previous +vulnerability scans can be reviewed and audited per the requirements +of this control.' +

                                    + service provider hybrid + complete +
                                    + + + DSS Documentation +

                                    + https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/set-up-vulnerability-scans/ + + + + Docker Trusted Registry (DTR) +

                                    +

                                    + + AC-2 (1) +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation for managing users and teams can +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/create-and-manage-teams/' +

                                    + service provider hybrid + complete +
                                    + + AC-2 (7) +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/' +

                                    + service provider hybrid + complete +
                                    + + AC-2 (12) +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/' +

                                    + service provider hybrid + complete +
                                    + + AC-3 +

                                    'One can control which users and teams can create and manipulate +Docker Trusted Registry resources. By default, no one can make changes +to the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + Docker EE system + complete +
                                    + + AC-4 +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + Docker EE system + complete +
                                    + + AC-4 (8) +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + shared + complete +
                                    + + AC-4 (21) +

                                    'Supporting documentation to configure Docker Trusted Registry to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/system-requirements/#/ports-used +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations' +

                                    + service provider hybrid + complete +
                                    + + AC-5 +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Docker Trusted Registry resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + service provider hybrid + complete +
                                    + + AC-6 (10) +

                                    'One can control which users and teams can create and manipulate +Docker Trusted Registry resources and prevent non-privileged users +from executing privileged functions per the requirements of this +control. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation for the configuration of this +functionality can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/' +

                                    + Docker EE system + complete +
                                    + + AC-14 +

                                    'To help the organization meet the requirements of this control, a +review of actions allowed by unauthenticated users can be performed +within Docker Trusted Registry.' +

                                    + Docker EE system + complete +
                                    + + AC-17 +

                                    'To help the organization meet the requirements of this control, +Docker Trusted Registry can be configured to allow/prohibit remote +access.' +

                                    + service provider hybrid + complete +
                                    + + AC-17 (1) +

                                    'Docker Trusted Registry logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + AC-17 (2) +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2. This is included at both the +HTTPS application layer for access to the DTR user interface and for +command-line based connections to the registry. In addition to this, +all communication to DTR is enforced by way of two-way mutual TLS +authentication.' +

                                    + Docker EE system + complete +
                                    + + AC-17 (3) +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Docker Trusted Registry replicas is routed through +managed network access control points.' +

                                    + service provider hybrid + complete +
                                    + + AC-17 (9) +

                                    'Built-in firewall technology in Docker Trusted Registry's underlying +operating system can be used to force the disconnection of remote +connections to the host. In addition, UCP slave nodes running Docker +Trusted Registry replicas can be paused or drained, which subsequently +stops sessions to the DTR replica.' +

                                    + service provider hybrid + configured by customer + complete +
                                    + + AC-20 +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Docker Trusted Registry.' +

                                    + service provider hybrid + complete +
                                    + + AC-20 (1) +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Docker Trusted Registry.' +

                                    + service provider hybrid + complete +
                                    + + AC-21 +

                                    'To help the organization meet the requirements of this control, one +can validate the assigned roles and access levels within Docker +Trusted Registry to control information sharing.' +

                                    + service provider hybrid + shared + complete +
                                    + + AU-2 +

                                    'All of the event types indicated by this control are logged by a +combination of the backend ucp-controller service within Universal +Control Plane and the backend services that make up Docker Trusted +Registry. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/#dtr-internal-components +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/#ucp-internal-components' +

                                    + service provider corporate + Docker EE system + service provider hybrid + shared + complete +
                                    + + AU-3 +

                                    'Docker Trusted Registry generates all of the audit record information +indicated by this control. A sample audit event has been provided +below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + AU-3 (1) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to interpolate the information +defined by this control from the logged audit records. Additional +information can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-3 (2) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to interpolate the information +defined by this control from the logged audit records. Additional +information can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-5 +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to alert individuals in +the event of log processing failures. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-5 (1) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to warn the organization +when the allocated log storage is full. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-5 (2) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to warn the organization +when audit log failures occur. Additional information can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-6 (4) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +organization can subsequently centrally review and analyze all of the +Docker EE audit records. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-7 +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be used to facilitate the audit +reduction and report generation requirements of this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'The underlying operating system chosen to support Docker Trusted +Registry should be certified to ensure that logs are not altered +during generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared +
                                    + + AU-7 (1) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack, which in turn, sends the Docker Trusted Registry +backend container audit records to the remote logging stack. The +logging stack can subsequently be configured to parse information by +organization-defined audit fields. Additional information can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-8 +

                                    'Docker Trusted Registry uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + AU-8 (1) +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock compares itself with +an authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Docker Trusted Registry runs +should be configured such that its system clock synchronizes itself to +an authoritative time source as defined by part (a) of this control +any time the time difference exceeds that of the organization-defined +time period. This can be accomplished by utilizing the Network Time +Protocol (NTP). Refer to the operating system's instructions for doing +so.' +

                                    + service provider hybrid + complete +
                                    + + AU-9 +

                                    'By default, Docker Trusted Registry is configured to use the +underlying logging capabilities of Docker Enterprise Edition. As such, +on the underlying Linux operating system, only root and sudo users and +users that have been added to the ''docker'' group have the ability to +access the logs generated by UCP backend service containers. In +addition, only UCP Administrator users can change the logging endpoint +of the system should it be decided that logs be sent to a remote +logging stack. In this case, the organization is responsible for +configuring the remote logging stack per the provisions of this +control.' +

                                    + service provider hybrid + complete +
                                    + + AU-9 (2) +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +back up audit records per the schedule defined by this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + AU-9 (3) +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +meet the encryption mechanisms required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + AU-11 +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Docker Trusted +Registry resides as an Application on a Universal Control Plane +cluster, and as such, can be configured to send logs to a remote +logging stack. This logging stack can subsequently be configured to +retain logs for the duration required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider corporate + Docker EE system + service provider hybrid + shared + complete +
                                    + + AU-12 +

                                    'All of the event types indicated by AU-2 a. are logged by a +combination of the backend services within Universal Control Plane and +Docker Trusted Registry. The underlying Linux operating system +supporting DTR can be configured to audit Docker-specific events with +the auditd daemon. Refer to the specific Linux distribution in use for +instructions on configuring this service. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/monitor-and-troubleshoot/' +

                                    +

                                    'Using auditd on the Linux operating system supporting DTR, the +organization can configure audit rules to select which Docker-specific +events are to be audited. Refer to the specific Linux distribution in +use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + AU-12 (1) +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and as such, can be configured to send logs to +a remote logging stack. This logging stack can subsequently be used to +compile audit records in to a system-wide audit trail that is +time-correlated per the requirements of this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-12 (3) +

                                    'Docker Trusted Registry resides as an Application on a Universal +Control Plane cluster, and as such, can be configured to send logs to +a remote logging stack. This logging stack can subsequently be used to +meet the requirements of this control. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + CM-5 (1) +

                                    'Role-based access control can be configured within Docker Trusted +Registry to meet the requirements of this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + Docker EE system + complete +
                                    + + CM-5 (3) +

                                    'Docker Content Trust is a capability provided by Docker Enterprise +Edition that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. All Docker Trusted +Registry Docker images are officially signed and verified by Docker, +Inc. + +When installing Docker Trusted Registry, you should enable Docker +Content Trust and subsequently pull the the signed DTR image tag. +Additional information can be found at teh following resources: + +- https://docs.docker.com/engine/security/trust/content_trust/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/user/manage-images/sign-images/manage-trusted-repositories/' +

                                    + service provide hybrid + shared + complete +
                                    + + CM-6 (1) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +incorporate the use of an external configuration management system to +meet the requirements of this control. Docker Trusted Registry''s +configuration can also be backed up and stored an appropriate location +per the requirements of this control. Additional documenation can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/' +

                                    + service provider hybrid + complete +
                                    + + CM-7 (2) +

                                    'The organization can define a list of allowed base Docker images and +make them available via Docker Trusted Registry. The organization can +also prevent users from being able to pull Docker images from +untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + CM-7 (5) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +define a list of allowed base Docker images and make them available +via Docker Trusted Registry. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +configure its systems to ensure that only approved Docker images are +stored in Docker Trusted Registry. This can be accomplished by using +Docker Content Trust to sign Docker images which can subsequently be +stored in Docker Trusted Registry.' +

                                    + service provider hybrid + shared + complete +
                                    + + CM-11 +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +define a list of allowed base Docker images and make them available +via Docker Trusted Registry. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + CM-11 (1) +

                                    'The organization can define a list of allowed base Docker images and +make them available via Docker Trusted Registry to meet the +requirements of this contorl. The organization can also prevent users +from being able to pull Docker images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + CP-10 (2) +

                                    'Docker Trusted Registry maintains its cluster state via an internal +key-value store. This, and other DTR transactions can be backed up and +recovered. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/backups-and-disaster-recovery/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#DTR_Backup' +

                                    + Docker EE system + complete +
                                    + + IA-2 (5) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Docker Trusted +Registry requires individual users to be authenticated in order to +gain access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + IA-3 +

                                    'Docker Trusted Registry replicas reside on Universal Control Plane +worker nodes. In order for UCP worker nodes to join a Universal +Control Plane cluster, they must be identified and authenticated via a +worker token. Additional Docker Trusted Registry replicas can only be +added after a UCP administrator user has authenticated in to the UCP +cluster and when mutual TLS authentication between the UCP worker and +manager nodes has been established. Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/install/#step-7-join-replicas-to-the-cluster' +

                                    + Docker EE system + complete +
                                    + + IA-5 (2) +

                                    'Docker Trusted Registry includes a Docker volume which holds the root +key material for the DTR root CA that issues certificats. In addition +Universal Control Plane contains two, built-in root certificate +authorities. One CA is used for signing client bundles generated by +users. The other CA is used for TLS communication between UCP cluster +nodes. Should you choose to use certificates signed by an external CA, +in order to successfully authenticate in to the system, those +certificates must include a root CA public certificate, a service +certificate and any intermediate CA public certificates (in addition +to SANs for all addresses used to reach the UCP controller), and a +private key for the server. When adding DTR replicas, the UCP nodes on +which they're installed are authenticated to the cluster via the +appropriate built-in CA.' +

                                    +

                                    'Access to Docker Trusted Registry is only granted when a user has a +valid certificate bundle. This is enforced with the public/private key +pair included with the user's certificate bundle in Universal Control +Plane.' +

                                    +

                                    'Only after a client bundle has been generated or an existing public +key has been added for a particular user is that user able to execute +commands against Docker Trusted Registry. This bundle maps the +authenticated identity to that of the user's profile in Universal +Control Plane.' +

                                    +

                                    'When a client bundle has been generated or an existing public key has +been added for a particular Universal Control Plane user which +subsequently grants that user access to Docker Trusted Registry, it is +attached to that user''s Universal Control Plane profile. Bundles/keys +can be revoked by an Administrator or the user themselves. The +cluster''s internal certificates can also be revoked and updated. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/configure/use-your-own-tls-certificates/' +

                                    + Docker EE system + complete +
                                    + + IA-6 +

                                    'Docker Trusted Registry obscures all feedback of authentication +information during the authentication process. This includes both +authentication via the web UI and the CLI.' +

                                    + Docker EE system + complete +
                                    + + IA-7 +

                                    'All access to Docker Trusted Registry is protected with Transport +Layer Security (TLS) 1.2 with the AES-GCM cipher. This includes both +SSH access to the individual UCP nodes and CLI-/web-based access to +the UCP management functions with mutual TLS and HTTPS respectively.' +

                                    + Docker EE system + complete +
                                    + + IA-8 +

                                    'Users managed by Docker Trusted Registry can be grouped per the +requirements of the organization and as defined by this control. This +can include groupings for non-organizational users.' +

                                    + Docker EE system + complete +
                                    + + RA-5 (1) +

                                    'The Docker Security Scanning tool allows for the scanning of Docker +images in Docker Trusted Registry against the Common Vulnerabilities +and Exposures (CVE) dictionary.' +

                                    + service provider hybrid + complete +
                                    + + RA-5 (3) +

                                    'The Docker Security Scanning tool allows for the scanning of Docker +images in Docker Trusted Registry against the Common Vulnerabilities +and Exposures (CVE).' dictionary. +

                                    + service provider hybrid + complete +
                                    + + SA-10 (1) +

                                    'Docker Content Trust gives you the ability to verify both the +integrity and the publisher of all the data received from a Docker +Trusted Registry over any channel. It allows operations with a remote +DTR instance to enforce client-side signing and verification of image +tags. It provides for the ability to use digital signatures for data +sent to and receive from remote DTR instances. These signatures allow +client-side verification of the integrity and publisher of specific +image tags. Docker Trusted Registry includes an integrated imaging +signing service.' +

                                    + service provider hybrid + complete +
                                    + + SC-2 +

                                    'Docker Trusted Registry is made up of a number of backend services +that provide for both user functionality (including user interface +services) and system management functionality. Each of these services +operates independently of one another. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/dtr/2.3/guides/architecture/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Docker_Trusted_Registry' +

                                    + Docker EE system + complete +
                                    + + SC-23 +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the DTR +user interface and for command-line based connections to the registry. +In addition to this, all communication to DTR is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + SC-28 (1) +

                                    'All remote access sessions to Docker Trusted Registry are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the DTR +user interface and for command-line based connections to the registry. +In addition to this, all communication to DTR is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + SI-11 +

                                    'All error messages generated via the configured logging mechanism of +Docker Trusted Registry are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + + Docker Trusted Registry Documentation +

                                    + https://docs.docker.com/datacenter/dtr/2.3/guides/ + + + + Docker Enterprise Edition Engine +

                                    +

                                    + + AC-2 (12) +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition can be configured to aggregate +container and daemon events via a number of logging drivers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/view_container_logs/ +- https://docs.docker.com/engine/admin/logging/overview/ +- https://docs.docker.com/engine/admin/logging/log_tags/' +

                                    + service provider hybrid + complete +
                                    + + AC-4 +

                                    'Docker Enterprise Edition can be configured to control the flow of +information that originates from applications running in containers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks' +

                                    + service provider hybrid + complete +
                                    + + AC-4 (8) +

                                    'Docker Enterprise Edition can be configured to control the flow of +information that originates from applications running in containers +per organization-defined security policy filters. Supporting +documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks + +There are also third-party behavioral activity monitoring tools (e.g. +Sysdig Falco <http://www.sysdig.org/falco/>) that can be used +alongside Docker Enterprise Edition to satisfy this control''s +requirements.' +

                                    + service provider hybrid + complete +
                                    + + AC-4 (21) +

                                    'Docker Enterprise Edition can be configured to separate the flow of +information that originates from applications running in containers. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/engine/userguide/networking/ +- http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks' +

                                    + service provider hybrid + complete +
                                    + + AC-14 +

                                    'To help the organization meet the requirements of this control, one +can restrict membership to the 'docker' group on underlying Linux +hosts or the local "Administrators" group (and any other groups +defined within 'daemon.json') on underlying Windows Server 2016 hosts +to only authorized users.' +

                                    + Docker EE system + complete +
                                    + + AC-17 +

                                    'To help the organization meet the requirements of this control, +Docker Enterprise Edition can be configured to allow/prohibit remote +access to the Engine.' +

                                    + service provider hybrid + complete +
                                    + + AC-17 (1) +

                                    'Docker Enterprise Edition logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + AC-17 (2) +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2. In addition to this, all +communication to Docker Enterprise Edition is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + AC-17 (3) +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Docker Enterprise Edition is routed through managed +network access control points.' +

                                    + service provider hybrid + complete +
                                    + + AC-17 (9) +

                                    'Built-in firewall technology in Docker Enterprise Edition's +underlying operating system can be used to force the disconnection of +remote connections to the host. In addition, Docker Enterprise Edition +provides the option to pause or drain a node in the cluster, which +subsequently stops and/or removes sessions to the node. Individual +services and/or applications running on Docker Enterprise Edition can +also be stopped and/or removed.' +

                                    + service provider hybrid + configured by customer + complete +
                                    + + AU-2 +

                                    'Both Universal Control Plane and Docker Trusted Registry backend +service containers, all of which reside on Docker Enterprise Edition, +log all of the event types indicated by this control (as explained by +their component narratives). These and other application containers +that reside on Docker Enterprise Edition can be configured to log data +via an appropriate Docker logging driver. Instructions for configuring +logging drivers can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + AU-3 +

                                    'Both Universal Control Plane and Docker Trusted Registry are +pre-configured to take advantage of Docker Enterprise Edition''s +built-in logging mechanisms. A sample audit event recorded by Docker +Enterprise Edition has been provided below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"} + +Additional documentation can be referenced at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-3 (1) +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to interpolate the information defined +by this control from the logged audit records. Additional +documentation can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-3 (2) +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to interpolate the information defined +by this control from the logged audit records. Additional +documentation can be found at the following resource: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-5 +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can be used to interpolate the information defined by this +control and also be configured to alert on any audit processing +failures. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-5 (1) +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be configured to warn the organization when the +allocated log storage is full. Additional information can be found at +the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-5 (2) +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The +logging stack can subsequently be configured to warn the organization +when audit log failures occur. Additional information can be found at +the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-6 (4) +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The +organization can subsequently centrally review and analyze all of the +Docker EE audit records. Additional information can be found at the +following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-7 +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be used to facilitate the audit reduction and +report generation requirements of this control. Additional information +can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    +

                                    'The underlying operating system chosen to support Docker Enterprise +Edition should be certified to ensure that logs are not altered during +generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared + complete +
                                    + + AU-7 (1) +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. The logging +stack can subsequently be configured to parse information by +organization-defined audit fields. Additional information can be found +at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-8 +

                                    'Docker Enterprise Edition uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Docker Enterprise Edition +runs should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + AU-8 (1) +

                                    'The underlying operating system on which Docker Enterprise Edition runs should +be configured such that its system clock compares itself with an +authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Docker Enterprise Edition +runs should be configured such that its system clock synchronizes +itself to an authoritative time source as defined by part (a) of this +control any time the time difference exceeds that of the +organization-defined time period. This can be accomplished by +utilizing the Network Time Protocol (NTP). Refer to the operating +system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + AU-9 +

                                    'On the underlying Linux operating system supporting Docker Enterprise +Edition, only root and sudo users and users that have been added to +the "docker" group have the ability to access the logs generated by +UCP backend service containers. Should the organization decide to +configure Docker Enterprise Edition to use a logging driver other than +the default json-file driver, the organization is subsequently +responsible for configuring the chosen logging stack per the +provisions of this control. In addition, for Linux operating systems +supporting Docker Enterprise Edition that use the systemd daemon, it +is imperative that the Journal is secured per the requirements of this +control. The same applies for Linux operating systems supporting +Docker Enterprise Edition that instead use upstart. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + AU-9 (2) +

                                    'Docker Enterprise Edition can be configured to use a logging driver +that can subsequently meet the backup requirements of this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + AU-9 (3) +

                                    'Docker Enterprise Edition can be configured to use a logging driver +that can subsequently meet the encryption mechanisms required by this +control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + complete +
                                    + + AU-10 +

                                    'Docker Enterprise Edition includes functionality known as Docker +Content Trust which allows one to cryptographically sign Docker +images. It enforces client-side signing and verification of image tags +and provides the ability to use digital signatures for data sent to +and received from Docker Trusted Registry. This ultimately provides +one with the ability to verify both the integrity and the publisher of +all data received from DTR over any channel. With Docker Content +Trust, an organization can enforce signature verification of all +content and prohibit unsigned and unapproved content from being +manipulated; thus supproting the non-repudiation requirements of this +control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/security/trust/content_trust/' +

                                    + Docker EE system + complete +
                                    + + AU-11 +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Docker Enterprise +Edition can be configured to use a logging driver that stores data in +a location for the duration specified by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + AU-12 +

                                    'Both Universal Control Plane and Docker Trusted Registry backend +service containers, all of which reside on Docker Enterprise Edition, +log all of the event types indicated by this AU-2 a. These and other +application containers that reside on Docker Enterprise Edition can be +configured to log data via an appropriate Docker logging driver. The +underlying Linux operating system supporting Docker Enterprise Edition +can be configured to audit Docker-specific events with the auditd +daemon. Refer to the specific Linux distribution in use for +instructions on configuring this service. Additional information can +be found at the following resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    +

                                    'Using auditd on the Linux operating system supporting CS Docker +Engine, the organization can configure audit rules to select which +Docker-specific events are to be audited. Refer to the specific Linux +distribution in use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + AU-12 (1) +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. This +logging stack can subsequently be used to compile audit records in to +a system-wide audit trail that is time-correlated per the requirements +of this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-12 (3) +

                                    'Docker Enterprise Edition can be configured with various logging +drivers to send audit events to an external logging stack. This +logging stack can subsequently be used to meet the requirements of +this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/engine/admin/logging/overview/' +

                                    + service provider hybrid + shared + complete +
                                    + + CM-1 +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configuration management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + CM-2 +

                                    'The CIS Docker Benchmark can be used as a baseline for securing Docker +Enterprise Edition and for helping the organization meet the +configuration management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + CM-2 (1) +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + shared + complete +
                                    + + CM-2 (2) +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. CIS regularly +updates their benchmark to reflect the latest updates in the stable +release of Docker Engine. Various configuration management tools such +as Inspec (http://inspec.io/) can be used to audit Docker Enterprise +Edition system configuration to ensure that the secure baseline +configurations have been applied in an automated fashion. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + CM-2 (3) +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management requirements of this control. CIS regularly +updates their benchmark to reflect the latest updates in the stable +release of Docker Engine. Various configuration management tools such +as Inspec (http://inspec.io/) can be used to audit Docker Enterprise +Edition system configuration to ensure that the secure baseline +configurations have been applied in an automated fashion and can be +rolled back as required by this control. Additional information can be +found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + CM-3 +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Additional information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + CM-3 (1) +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Various configuration management tools such as Inspec +(http://inspec.io/) can be used to audit Docker Enterprise Edition +system configuration to ensure that the secure baseline configurations +have been applied in an automated fashion. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + CM-3 (2) +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configurmation management change control requirements of this control. +Various configuration management tools such as Inspec +(http://inspec.io/) can be used to audit Docker Enterprise Edition +system configuration to ensure that the secure baseline configurations +have been applied in an automated fashion. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + CM-3 (6) +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +cryptography management requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + CM-5 (2) +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +system change requirements of this control. Additional information can +be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + Docker EE system + complete +
                                    + + CM-5 (3) +

                                    'Before installing Docker Enterprise Edition, ensure that your +supporting Linux operating system''s packager manager supports package +signature verification and that it is enabled. It is also required +that you import the Docker public key for EE packages so as to +retrieve the validated and signed package from Docker, Inc. Refer to +your Linux OS documentation for instructions on completing the above +steps. + +In addition, Docker Content Trust is a capability provided by Docker +Engine that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. When enabling Docker +Content Trust in Docker Enterprise Edition you can enforce the use of +signed Docker images. Additional information can be found at the +following resources: + +- https://docs.docker.com/engine/security/trust/content_trust/' +

                                    + service provide hybrid + shared + complete +
                                    + + CM-6 (1) +

                                    'The organization can incorporate the use of an external configuration +management system to meet the requirements of this control.' +

                                    + service provider hybrid + complete +
                                    + + CM-7 +

                                    'To help the organization meet the requirements of this control, the +latest CIS Docker Benchmark can be used as a secure configuration +baseline. Additional information can be found at the following +resources: + +- https://www.cisecurity.org/benchmark/docker/' +

                                    + service provider hybrid + complete +
                                    + + CM-7 (2) +

                                    'In order to restrict which Docker images can be used to deploy +applications to Docker Enterprise Edition, the organization can define +a list of allowed base Docker images and make them available via +Docker Trusted Registry. The organization can also prevent users from +being able to pull Docker images from untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + CM-7 (5) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements and in order to restrict +which Docker images can be used to deploy applications to Docker EE +Engine, the organization must define a list of allowed base Docker +images and make them available via Docker Trusted Registry. The +organization must also prevent users from being able to pull Docker +images from untrusted sources.' +

                                    + service provider hybrid + shared + complete +
                                    + + CM-9 +

                                    'The CIS Docker Benchmark can be used as a baseline for securing +Docker Enterprise Edition and for helping the organization meet the +configuration management plan requirements of this control. Additional +information can be found at the following resources: + +- https://www.cisecurity.org/benchmark/docker/ +- http://www.cisecurity.org/critical-controls/tools/CISControlsv4_MaptoNIST800-53rev4.xlsx +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Controls_from_the_CIS_Benchmark' +

                                    + service provider hybrid + complete +
                                    + + IA-3 +

                                    'In order for other Docker EE engine nodes to be able to join a +cluster managed by Universal Control Plane, they must be identified +and authenticated via either a manager or worker token. Use of the +token includes trust on first use mutual TLS.' +

                                    + Docker EE system + complete +
                                    + + SA-10 (1) +

                                    'Docker Content Trust gives you the ability to verify both the +integrity and the publisher of all the data received from a Docker +Trusted Registry over any channel. It allows operations with a remote +DTR instance to enforce client-side signing and verification of image +tags. It provides for the ability to use digital signatures for data +sent to and receive from remote DTR instances. These signatures allow +client-side verification of the integrity and publisher of specific +image tags.' +

                                    + service provider hybrid + complete +
                                    + + SC-7 (20) +

                                    'Docker Enterprise Edition is designed to run application containers +whose content can be completely isolated/segregated from other +application containers within the same node/cluster. This is +accomplished by way of Linux kernel primitives and various security +profiles that can be applied to the underlying host OS. Additional +information can be found at the following resources: + +- https://docs.docker.com/engine/security/security/ +- https://docs.docker.com/engine/userguide/networking/overlay-security-model/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Engine_and_Node_Security' +

                                    + Docker EE system + complete +
                                    + + SC-12 (2) +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's documentation to ensure it is configured in FIPS mode.' +

                                    + service provider hybrid + complete +
                                    + + SC-13 +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's documentation to ensure it is configured in FIPS mode.' +

                                    + service provider hybrid + complete +
                                    + + SC-23 +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to and between Docker Enterprise +Editions is enforced by way of two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + SC-28 +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to/from and between Docker +Enterprise Edition nodes is enforced by way of two-way mutual TLS +authentication. All Swarm Mode manager nodes in a Docker Enterprise +Edition cluster store state metadata and user secrets encrypted at +rest using the AES GCM cipher.' +

                                    + Docker EE system + complete +
                                    + + SC-28 (1) +

                                    'All remote access sessions to Docker Enterprise Edition are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In +addition to this, all communication to and between Docker Enterprise +Editions is enforced by way of two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + SI-3 (2) +

                                    'Docker Enterprise Edition packages for supported underlying operating +systems can only be obtained from Docker, Inc. The Docker EE +repositories from which Docker EE packages are obtained are protected +with official GPG keys. Each Docker package is also validated with a +signature definition.' +

                                    + Docker EE system + complete +
                                    + + SI-11 +

                                    'All error messages generated via the logging mechanisms of the Docker +Enterprise Edition engine are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + SI-16 +

                                    'Docker Enterprise Edition can be installed on the following operating +systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 +LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to +meet the requirements of this control, reference the chosen operating +system's security documentation for information regarding the +protection of memory from unauthorized code execution.' +

                                    + service provider hybrid + complete +
                                    + + + Docker Enterprise Edition Engine Installation Documentation +

                                    + https://docs.docker.com/engine/installation/ + + + + Docker Engine Release Notes +

                                    + https://docs.docker.com/release-notes/ + + + + Configuring and Running Docker on Various Distributions +

                                    + https://docs.docker.com/engine/admin/ + + + + Docker Engine Security +

                                    + https://docs.docker.com/engine/security/security/ + + + + Securing Docker Datacenter and Security Best Practices +

                                    + https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices + + + + Identification and Authentication Policy for [Agency_Here] +

                                    +

                                    + + IA-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-2 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-2 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-2 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-2 (5) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-2 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-2 (8) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-2 (11) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-2 (12) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-3 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-4 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-4 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-5 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-5 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-5 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-5 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-5 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-5 (6) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-5 (7) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-5 (11) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-7 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-8 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-8 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-8 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-8 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IA-8 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Incident Response for [Agency_Here] +

                                    +

                                    + + IR-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + IR-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IR-3 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IR-3 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IR-4 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IR-4 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IR-5 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IR-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IR-6 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IR-7 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IR-7 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IR-7 (2) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IR-8 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IR-9 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IR-9 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IR-9 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IR-9 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + IR-9 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System Maintenance Policy for [Agency_Here] +

                                    +

                                    + + MA-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + MA-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MA-3 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MA-3 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MA-3 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MA-3 (3) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MA-4 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MA-4 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MA-5 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MA-5 (1) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MA-6 +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Media Protection Policy for [Agency_Here] +

                                    +

                                    + + MP-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + MP-2 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MP-3 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MP-4 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MP-5 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MP-5 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MP-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MP-6 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MP-7 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + MP-7 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Physical and Environmental Protection Policy for [Agency_Here] +

                                    +

                                    + + PE-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + PE-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-3 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-4 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-5 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-6 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-8 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-9 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-10 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-11 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-12 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-13 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-13 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-13 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-14 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-14 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-15 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-16 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PE-17 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Security Planning Policy for [Agency_Here] +

                                    +

                                    + + PL-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + PL-8 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Personnel Security Policy for [Agency_Here] +

                                    +

                                    + + PS-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + PS-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PS-3 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PS-3 (3) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PS-4 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PS-5 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PS-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PS-7 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + PS-8 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Risk Assessment Policy for [Agency_Here] +

                                    +

                                    + + RA-1 +

                                    [Agency's control implementation here] +

                                    + none + + + RA-5 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System and Services Acquisition Policy for [Agency_Here] +

                                    +

                                    + + SA-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + SA-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SA-3 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SA-4 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SA-4 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SA-4 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SA-4 (8) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SA-4 (9) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SA-4 (10) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SA-5 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SA-8 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SA-9 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SA-9 (1) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SA-9 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SA-9 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SA-9 (5) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SA-10 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SA-10 (1) +

                                    [Agency's control implementation here] +

                                    +
                                    + + SA-11 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +
                                    + + SA-11 (1) +

                                    [Agency's control implementation here] +

                                    +
                                    + + SA-11 (2) +

                                    [Agency's control implementation here] +

                                    +
                                    + + SA-11 (8) +

                                    [Agency's control implementation here] +

                                    +
                                    + + SA-22 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + System and Communications Protection Policy for [Agency_Here] +

                                    +

                                    + + SC-1 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none + + + SC-2 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-4 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-5 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-6 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-7 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-7 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-7 (4) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-7 (5) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-7 (7) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-7 (8) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-7 (12) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-7 (13) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-7 (18) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-8 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-8 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-10 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-12 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-12 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-12 (3) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-13 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-15 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-17 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-18 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-19 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-20 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-21 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-22 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-23 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-28 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-28 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SC-39 +

                                    [Agency's control implementation here] +

                                    + complete +
                                    +
                                    + + System and Information Integrity Policy for [Agency_Here] +

                                    +

                                    + + SI-1 +

                                    [Agency's control implementation here] +

                                    + none + + + SI-2 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-2 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-2 (3) +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-3 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-3 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-3 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-3 (7) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-4 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-4 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-4 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-4 (4) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-4 (5) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-4 (14) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-4 (16) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-4 (23) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-5 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-6 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-7 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-7 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-7 (7) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-8 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-8 (1) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-8 (2) +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-10 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-11 +

                                    [Agency's control implementation here] +

                                    +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-12 +

                                    [Agency's control implementation here] +

                                    + none +
                                    + + SI-16 +

                                    [Agency's control implementation here] +

                                    + none +
                                    +
                                    + + Universal Control Plane (UCP) +

                                    +

                                    + + AC-2 (1) +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation for managing users and teams can +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-teams/' +

                                    + service provider hybrid + complete + + + AC-2 (7) +

                                    'To assist the organization in meeting the requirements of this +control, supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/' +

                                    + service provider hybrid + complete +
                                    + + AC-2 (12) +

                                    'To assist the organization in meeting the requirements of this +control, Universal Control Plane can be configured to send system +account log data to a remote logging service such as an Elasticsearch, +Logstash and Kibana (ELK) stack. Supporting documentation can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-node-messages/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-configurations/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-task-state/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices' +

                                    + service provider hybrid + complete +
                                    + + AC-3 +

                                    'One can control which users and teams can create and manipulate +Universal Control Plane resources. By default, no one can make changes +to the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/deploy-view-only-service/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/grant-permissions/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-nodes-between-teams/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/isolate-volumes-between-teams/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/manage-access-with-collections/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/access-control-node/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + AC-4 +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + complete +
                                    + + AC-4 (8) +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + shared + complete +
                                    + + AC-4 (21) +

                                    'Supporting documentation to configure Universal Control Plane to meet +the requirements of this control can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking' +

                                    + Docker EE system + shared + complete +
                                    + + AC-5 +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + AC-6 +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources and employ principles of +least privilege. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + AC-6 (1) +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources and explicitly authorize +access as necessary. By default, no one can make changes to the +cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + AC-6 (2) +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources. By default, no one can +make changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. Supporting documentation can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + AC-6 (3) +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams can create and +manipulate Universal Control Plane resources, including Docker +networking components. By default, no one can make changes to the +cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + AC-6 (5) +

                                    'To assist the organization in meeting the requirements of this +control, one can restrict privileged accounts within Universal Control +Plane to custom-defined roles. By default, no one can make changes to +the cluster. Permissions can be granted and managed to enforce +fine-grained access control. Supporting documentation can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + AC-6 (7) +

                                    'To assist the organization in meeting the requirements of this +control, one can review all implemented grants, accounts and roles +within Universal Control Plane and reassign/revoke privileges as +necessary. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + service provider hybrid + complete +
                                    + + AC-6 (8) +

                                    'Universal Control Plane users can be assigned to one of a number of +different permission levels. The permission level assigned to a +specific user determines that user''s ability to execute certain +Docker functions within UCP. Only users mapped to either the "Full +Control" or "Admin" roles can execute Docker commands without any +restrictions. Users mapped to either the "View Only" or "No Access" +roles cannot execute any Docker commands. Users assigned to the +"Restricted Control" role can only run Docker commands under their own +purview and cannot see other users UCP resources nor run commands that +required privileged access to the host. Furthermore, custom roles can +be created for fine-grained access to specific UCP resources and +functionality. Additional documentation regarding the various +permission levels within UCP can be found at the following resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/permission-levels/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + AC-6 (10) +

                                    'One can control which users and teams can create and manipulate +Universal Control Plane resources and prevent non-privileged users +from executing privileged functions per the requirements of this +control. By default, no one can make changes to the cluster. +Permissions can be granted and managed to enforce fine-grained access +control. Supporting documentation for the configuration of this +functionality can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/' +

                                    + Docker EE system + complete +
                                    + + AC-12 (1) +

                                    'Universal Control Plane includes a logout capability that allows a +user to terminate his/her current session.' +

                                    + Docker EE system + complete +
                                    + + AC-14 +

                                    'To help the organization meet the requirements of this control, a +review of actions allowed by unauthenticated users can be performed +within Universal Control Plane.' +

                                    + Docker EE system + complete +
                                    + + AC-17 +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane can be configured to allow/prohibit remote +access.' +

                                    + service provider hybrid + complete +
                                    + + AC-17 (1) +

                                    'Universal Control Plane logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + AC-17 (2) +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2. This is included at both the +HTTPS application layer for access to the UCP user interface and for +command-line based connections to the cluster. In addition to this, +all communication to UCP is enforced by way of two-way mutual TLS +authentication.' +

                                    + Docker EE system + complete +
                                    + + AC-17 (3) +

                                    'A combination of managed load balancers, firewalls and access control +lists, and virtual networking resources can be used to ensure traffic +destined for Universal Control Plane managers and worker nodes is +routed through managed network access control points.' +

                                    + service provider hybrid + complete +
                                    + + AC-17 (4) +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane can be configured to authorize certain +privileged functions via remote access.' +

                                    + service provider hybrid + complete +
                                    + + AC-17 (9) +

                                    'Built-in firewall technology in Universal Control Plane's underlying +operating system can be used to force the disconnection of remote +connections to the host. In addition, UCP provides the option to pause +or drain a node in the cluster, which subsequently stops and/or +removes sessions to the node. Individual services and/or applications +running on a UCP cluster can also be stopped and/or removed.' +

                                    + service provider hybrid + configured by customer + complete + partial +
                                    + + AC-20 +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Universal Control +Plane.' +

                                    + service provider hybrid + complete +
                                    + + AC-20 (1) +

                                    'To help the organization meet the requirements of this control, one +can control which external systems can access Universal Control +Plane.' +

                                    + service provider hybrid + complete +
                                    + + AC-21 +

                                    'To help the organization meet the requirements of this control, one +can validate the assigned roles and access levels within Universal +Control Plane to control information sharing.' +

                                    + service provider hybrid + shared + complete +
                                    + + AU-2 +

                                    'All of the event types indicated by this control are logged by the +backend ucp-controller service within Universal Control Plane. In +addition, each container created on a Universal Control Plane cluster +logs event data. Supporting documentation for configuring UCP logging +can be referenced at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + AU-3 +

                                    'Universal Control Plane generates all of the audit record information +indicated by this control. A sample audit event has been provided +below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + AU-3 (1) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +interpolate the information defined by this control from the logged +audit records. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-3 (2) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +interpolate the information defined by this control from the logged +audit records. Additional documentation can be found at the following +resource: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-5 +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +alert individuals in the event of log processing failures. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider system specific + complete +
                                    + + AU-5 (1) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +warn the organization when the allocated log storage is full. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-5 (2) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +warn the organization when audit log failures occur. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-6 (4) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The organization can subsequently centrally review and +analyze all of the Docker EE audit records. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-7 +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be used to +facilitate the audit reduction and report generation requirements of +this control. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'The underlying operating system chosen to support Universal Control +Plane should be certified to ensure that logs are not altered during +generation and transmission to a remote logging stack.' +

                                    + Docker EE system + shared + complete +
                                    + + AU-7 (1) +

                                    'Universal Control Plane can be configured to log data to a remote +logging stack. The logging stack can subsequently be configured to +parse information by organization-defined audit fields. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-8 +

                                    'Universal Control Plane uses the system clock of the underlying +operating system on which it runs. This behavior cannot be modified.' +

                                    +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock uses Coordinated +Universal Time (UTC) as indicated by this control. Refer to the +operating system's instructions for doing so.' +

                                    + service provider hybrid + complete +
                                    + + AU-8 (1) +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock compares itself with +an authoritative time source as indicated by this control. This can be +accomplished by utilizing the Network Time Protocol (NTP). Refer to +the operating system's instructions for doing so.' +

                                    +

                                    'The underlying operating system on which Universal Control Plane runs +should be configured such that its system clock synchronizes itself to +an authoritative time source as defined by part (a) of this control +any time the time difference exceeds that of the organization-defined +time period. This can be accomplished by utilizing the Network Time +Protocol (NTP). Refer to the operating system's instructions for doing +so.' +

                                    + service provider hybrid + complete +
                                    + + AU-9 +

                                    'By default, Universal Control Plane is configured to use the +underlying logging capabilities of Docker Enterprise Edition. As such, +on the underlying Linux operating system, only root and sudo users and +users that have been added to the 'docker' group have the ability to +access the logs generated by UCP backend service containers. In +addition, only UCP Administrator users can change the logging endpoint +of the system should it be decided that logs be sent to a remote +logging stack. In this case, the organization is responsible for +configuring the remote logging stack per the provisions of this +control.' +

                                    + service provider hybrid + complete +
                                    + + AU-9 (2) +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +back up audit records per the schedule defined by this control. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + AU-9 (3) +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. The logging stack can subsequently be configured to +meet the encryption mechanisms required by this control. Additional +information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + complete +
                                    + + AU-11 +

                                    'The organization will be responsible for meeting the requirements of +this control. To assist with these requirements, Universal Control +Plane can be configured to send logs to a remote logging stack. This +logging stack can subsequently be configured retain logs for the +duration required by this control. Additional information can be found +at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + AU-12 +

                                    'All of the event types indicated by AU-2 a. are logged by the backend +ucp-controller service within Universal Control Plane. In addition, +each container created on a Universal Control Plane cluster logs event +data. The underlying Linux operating system supporting UCP can be +configured to audit Docker-specific events with the auditd daemon. +Refer to the specific Linux distribution in use for instructions on +configuring this service. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    +

                                    'Using auditd on the Linux operating system supporting UCP, the +organization can configure audit rules to select which Docker-specific +events are to be audited. Refer to the specific Linux distribution in +use for instructions on configuring this service.' +

                                    + Docker EE system + shared + complete +
                                    + + AU-12 (1) +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. This logging stack can subsequently be used to compile +audit records in to a system-wide audit trail that is time-correlated +per the requirements of this control. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + shared + complete +
                                    + + AU-12 (3) +

                                    'Universal Control Plane can be configured to send logs to a remote +logging stack. This logging stack can subsequently be used to meet the +requirements of this control. Additional information can be found at +the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + service provider hybrid + shared + complete +
                                    + + CM-5 (1) +

                                    'Role-based access control can be configured within Universal Control +Plane to meet the requirements of this control. Additional information +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#RBAC' +

                                    + Docker EE system + complete +
                                    + + CM-5 (3) +

                                    'Docker Content Trust is a capability provided by Docker Enterprise +Edition that enforces client-side signing and verification of Docker +image tags. It provides the ability to use digital signatures for data +sent to and received from Docker Trusted Registry and the public +Docker Store. These signatures allow client-side verification of the +integrity and publisher of specific image tags. All Universal Control +Plane Docker images are officially signed and verified by Docker, Inc. + +When configuring Universal Control Plane, you should enforce +applications to only use Docker images signed by trusted UCP users +within your organization. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provide hybrid + shared + complete +
                                    + + CM-6 (1) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +incorporate the use of an external configuration management system to +meet the requirements of this control. Universal Control Plane''s +configuration can also be managed, backed up and stored in another +location per the requirements of this control. Additional documentation +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/ucp-configuration-file/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/' +

                                    + service provider hybrid + complete +
                                    + + CM-7 (1) +

                                    'To help the organization meet the requirements of this control, +Universal Control Plane includes a robust access control model to +disable any functionality as mandated by this control.' +

                                    + service provider corporate + Docker EE system + service provider hybrid + complete +
                                    + + CM-7 (2) +

                                    'In order to restrict which Docker images can be used to deploy +applications to Universal Control Plane, the organization can define a +list of allowed base Docker images and make them available via Docker +Trusted Registry. The organization can also prevent users from being +able to pull Docker images from untrusted sources.' +

                                    + Docker EE system + complete +
                                    + + CM-7 (5) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements and in order to restrict +which Docker images can be used to deploy applications to Universal +Control Plane, the organization must define a list of allowed base +Docker images and make them available via Docker Trusted Registry. The +organization must also prevent users from being able to pull Docker +images from untrusted sources.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, the organization can +configure its systems to ensure that only approved Docker images +stored in Docker Trusted Registry can be run on Universal Control +Plane. This can be accomplished by using Docker Content Trust to sign +Docker images, and configure UCP to enforce only signed images from +specific Teams at runtime. Additional information can be found at the +following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provider hybrid + shared + complete +
                                    + + CP-10 (2) +

                                    'Universal Control Plane maintains its cluster state via an internal +key-value store. This, and other UCP transactions can be backed up and +recovered. Additional information can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#UCP_Backup' +

                                    + Docker EE system + complete +
                                    + + IA-2 (5) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Universal Control +Plane requires individual users to be authenticated in order to gain +access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + IA-3 +

                                    'In order for nodes to join a Universal Control Plane cluster, they +must be identified and authenticated via either a manager or worker +token. Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/scale-your-cluster/' +

                                    + Docker EE system + complete +
                                    + + IA-5 (2) +

                                    'Universal Control Plane contains two, built-in root certificate +authorities. One CA is used for signing client bundles generated by +users. The other CA is used for TLS communication between UCP cluster +nodes. Should you choose to use certificates signed by an external CA, +in order to successfully authenticate in to the system, those +certificates must include a root CA public certificate, a service +certificate and any intermediate CA public certificates (in addition +to SANs for all addresses used to reach the UCP controller), and a +private key for the server.' +

                                    +

                                    'Access to a Universal Control Plane cluster is only granted when a +user has a valid certificate bundle. This is enforced with the +public/private key pair included with the user's certificate bundle.' +

                                    +

                                    'Only after a client bundle has been generated or an existing public +key has been added for a particular user is that user able to execute +commands against the Universal Control Plane cluster. This bundle maps +the authenticated identity to that of the user.' +

                                    +

                                    'When a client bundle has been generated or an existing public key has +been added for a particular Universal Control Plane user, it is +attached to that user''s profile. Bundles/keys can be revoked by an +Administrator or the user themselves. The cluster''s internal +certificates can also be revoked and updated. Additional information +can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/' +

                                    + Docker EE system + complete +
                                    + + IA-6 +

                                    'Universal Control Plane obscures all feedback of authentication +information during the authentication process. This includes both +authentication via the web UI and the CLI.' +

                                    + Docker EE system + complete +
                                    + + IA-7 +

                                    'All access to Universal Control Plane is protected with Transport +Layer Security (TLS) 1.2 with the AES GCM cipher. This includes both +SSH access to the individual UCP nodes and CLI-/web-based access to +the UCP management functions with mutual TLS and HTTPS respectively.' +

                                    + Docker EE system + complete +
                                    + + IA-8 +

                                    'Users managed by Universal Control Plane can be grouped per the +requirements of the organization and as defined by this control. This +can include groupings for non-organizational users.' +

                                    + Docker EE system + complete +
                                    + + SA-10 (1) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with these requirements, Docker Content Trust gives +you the ability to verify both the integrity and the publisher of all +the data received from a Docker Trusted Registry over any channel. It +allows operations with a remote DTR instance to enforce client-side +signing and verification of image tags. It provides for the ability to +use digital signatures for data sent to and receive from remote DTR +instances. These signatures allow client-side verification of the +integrity and publisher of specific image tags. Universal Control +Plane can be configured to only run trusted and signed images. +Additional information can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/' +

                                    + service provider hybrid + complete +
                                    + + SC-2 +

                                    'Universal Control Plane is made up of a number of backend services +that provide for both user functionality (including user interface +services) and system management functionality. Each of these services +operates independently of one another. Additional information can be +found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Universal_Control_Plane' +

                                    + Docker EE system + complete +
                                    + + SC-23 +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the UCP +user interface and for command-line based connections to the cluster. +In addition to this, all communication to UCP is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + SC-28 (1) +

                                    'All remote access sessions to Universal Control Plane are protected +with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This +is included at both the HTTPS application layer for access to the UCP +user interface and for command-line based connections to the cluster. +In addition to this, all communication to UCP is enforced by way of +two-way mutual TLS authentication.' +

                                    + Docker EE system + complete +
                                    + + SI-11 +

                                    'All error messages generated via the configured logging mechanism of +Universal Control Plane are displayed such that they meet the +requirements of this control. Only users that are authorized the +appropriate level of access can view these error messages.' +

                                    + Docker EE system + complete +
                                    + + + UCP Documentation +

                                    + https://docs.docker.com/datacenter/ucp/2.2/guides/ + + + + Authentication and Authorization Service (eNZi) +

                                    +

                                    + + AC-1 +

                                    'To assist the organization in meeting the requirements of this +control, one can control which users and teams are allowed to create +and manipulate Docker Enterprise Edition resources. By default, no one +can make changes to the cluster. Permissions can be granted and +managed to enforce fine-grained access control. Supporting +documentation can found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/' +

                                    + service provider hybrid + complete +
                                    + + AC-2 +

                                    'To assist the organization in meeting the requirements of this +control, an external identity management system (such as Microsoft''s +Active Directory or an LDAP endpoint) can be configured as mandated by +this control and can be integrated with Docker Enterprise Edition. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + AC-2 (1) +

                                    'To assist the organization in meeting the requirements of this +control, an external identity management system (such as Microsoft''s +Active Directory or an LDAP endpoint) can be configured as mandated by +this control and can be integrated with Docker Enterprise Edition. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + AC-2 (2) +

                                    'Using Docker Enterprise Edition''s LDAP integration capabilities, one +can disable and/or remove temporary and emergency accounts in a +connected directory service (such as Active Directory) after an +organization-defined time period. When a user is removed from LDAP, +that user becomes inactive after the LDAP synchronization runs. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + AC-2 (3) +

                                    'Using Docker Enterprise Edition''s LDAP integration capabilities, one +can automatically disable inactive accounts in a connected directory +service (such as Active Directory). When a user is removed from LDAP, +that user becomes inactive after the LDAP synchronization runs. +Supporting documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + service provider hybrid + complete +
                                    + + AC-2 (4) +

                                    'Docker Enterprise Edition logs various authentication and +authorization events to standard log files. One can configure Docker +Enterprise Edition to direct these event logs to a remote logging +service such as an Elasticsearch, Logstash and Kibana (ELK) stack and +subsequently alert on specific event types. When integrating Docker +Enterprise Edition with LDAP, one can refer the the directory +service''s logging mechanisms for auditing the events defined by this +control. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/ +- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_Logging_Design_and_Best_Practices' +

                                    + service provider hybrid + complete +
                                    + + AC-2 (5) +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition can be configured to enforce automated +session termination of users after an organization-defined time period +of inactivity. By default, the initial lifetime of a user''s session +is set to 72 hours and the renewal session for a user''s session is +set to 24 hours. These values can both be changed in the "Auth" +section of the "Admin Settings" in Universal Control Plane.' +

                                    + service provider hybrid + complete +
                                    + + AC-2 (7) +

                                    'To assist the organization in meeting the requirements of this +control, Docker Enterprise Edition supports various levels of user +permissions and role-based access control enforcements. Administrator +users have permissions to: manage other Docker Enterprise Edition +users, manage Docker Trusted Registry repositories and settings, and +manage the Universal Control Plane and underlying Docker Swarm Mode +cluster. Supporting documentation can be found at the following +resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC +- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/ +- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC' +

                                    + service provider hybrid + complete +
                                    + + AC-2 (9) +

                                    'To assist the organization in meeting the requirements of this +control, users and/or groups synchronized to Docker Enterprise Edition +via LDAP can be configured at the directory service.' +

                                    + service provider hybrid + complete +
                                    + + AC-2 (10) +

                                    'Users and/or groups synchronized to Docker Enterprise Edition via +LDAP can be configured at the directory service to ensure shared/group +account credentials are terminated when members leave the group.' +

                                    + service provider hybrid + complete +
                                    + + AC-2 (11) +

                                    'Information system accounts synchronized to Docker Enterprise Edition +via LDAP can be configured at the directory service to meet this +requirement as necessary.' +

                                    + service provider hybrid + complete +
                                    + + AC-2 (12) +

                                    'To assist the organization in meeting the requirements of this +control, when Docker Enterprise Edition is configured for LDAP +integration, one can refer to the directory service''s existing +monitoring tools.' +

                                    + service provider hybrid + complete +
                                    + + AC-2 (13) +

                                    'To assist the organization in meeting the requirements of this +control, users and/or groups synchronized to Docker Enterprise Edition +via LDAP can be managed at the directory service and disabled if +posing a significant risk.' +

                                    + service provider hybrid + complete +
                                    + + AC-3 +

                                    'One can control which users and teams can create and manipulate +Docker Enterprise Edition resources. By default, no one can make +changes to the cluster. Permissions can be granted and managed to +enforce fine-grained access control. The eNZi component facilitates +authorizations as dictated by the system''s administrators. Supporting +documentation can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/' +

                                    + Docker EE system + complete +
                                    + + AC-6 (9) +

                                    'Docker Enterprise Edition logs privileged user events to standard log +files. One can configure Docker Enterprise Edition to direct these +event logs to a remote logging service such as an Elasticsearch, +Logstash and Kibana (ELK) stack and subsequently alert on specific +event types. When integrating Docker Enterprise Edition with LDAP, one +can refer the the directory service''s logging mechanisms for auditing +the events defined by this control. Supporting documentation regarding +logging and monitoring can be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/ +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/' +

                                    + Docker EE system + complete +
                                    + + AC-7 +

                                    'When Docker Enterprise Edition is integrated to a directory service +via LDAP, one can reference the functionality of the directory service +to configure the enforcement of a limit to the number of conesecutive +invalid logon attempts by a user during a specified time period.' +

                                    +

                                    'When Docker Enterprise Edition is integrated to a directory service +via LDAP, one can reference the functionality of the directory service +to configure he ability to automatically lock/disable an account for a +specified period of time after a consecutive invalid logon attempt +limit is reached.' +

                                    + service provider hybrid + complete +
                                    + + AC-8 +

                                    'The feature required to satisfy the requirements of this control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    +

                                    'The feature required to satisfy the requirements of this control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    +

                                    'The feature required to satisfy control has +not yet been built in to Docker EE but is planned for a future +release.' +

                                    + Docker EE system + planned +
                                    + + AC-10 +

                                    'Docker Enterprise Edition can be configured to limit the number of +concurrent sessions for each account. These options can be found +within the Universal Control Plane Admin Settings under the +"Authentication & Authorization" section. ' +

                                    + Docker EE system + complete +
                                    + + AC-11 +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours).' +

                                    + Docker EE system + complete +
                                    + + AC-11 (1) +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours). Upon the expiration of the configured session thresholds, a +user will be locked out of his/her session per the requirements of +this controls.' +

                                    + Docker EE system + complete +
                                    + + AC-12 +

                                    'Per the requirements of AC-2 (5), Docker Enterprise Edition can be +configured to enforce user session lifetime limits and renewal +thresholds. These options can be found within the Universal Control +Plane Admin Settings under the "Authentication & Authorization" +section. Configurable options include the initial lifetime (in hours) +of a user''s session and the renewal threshold of a session (in +hours). Upon the expiration of the configured session thresholds, a +user will be locked out of his/her session.' +

                                    + Docker EE system + complete +
                                    + + AC-17 (1) +

                                    'Docker Enterprise Edition logs and controls all local and remote +access events. In addition, auditing can be configured on the +underlying operating system to meet this control.' +

                                    + Docker EE system + complete +
                                    + + AU-3 +

                                    'Docker Enterprise Edition generates all of the audit record +information indicated by this control. A sample audit event has been +provided below: + +{"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password +based auth +suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth +ok","username":"dockeruser"}' +

                                    + Docker EE system + shared + complete +
                                    + + IA-2 +

                                    'Docker Enterprise Edition can be configured to identify and +authenticate users via it''s integrated support for LDAP. Users and +groups managed within the organization''s LDAP directory service (e.g. +Active Directory) can be synchronized to UCP and DTR on a regular +interval. When a user is removed from the LDAP-backed directory, that +user becomes inactive within UCP and DTR. In addition, UCP and DTR +teams can be mapped to groups synchronized via LDAP. When a user is +added/removed to/from the LDAP group, that same user is automatically +added/removed to/from the UCP and DTR team. Additional information can +be found at the following resources: + +- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/' +

                                    + Docker EE system + shared + complete +
                                    + + IA-2 (5) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, Docker Enterprise +Edition requires individual users to be authenticated in order to gain +access to the system. Any permissions granted to the team(s) that +which the user is a member are subsequently applied.' +

                                    + service provider hybrid + complete +
                                    + + IA-2 (8) +

                                    'Docker Enterprise Edition integrates with LDAP for authenticating +users to an external directory service. You should configure your +external directory service for ensuring that you are protected against +replay attacks.' +

                                    + Docker EE system + complete +
                                    + + IA-2 (9) +

                                    'Docker Enterprise Edition integrates with LDAP for authenticating +users to an external directory service. You should configure your +external directory service for ensuring that you are protected against +replay attacks.' +

                                    + Docker EE system + complete +
                                    + + IA-4 +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to prevent the reuse of user identifiers for a +specified period of time. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + IA-4 (4) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to uniquely identify each individual according to +the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + IA-5 +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to establish initial authenticator content according +to the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to enforce strength requirements for authenticators +according to the requirements of this control. Refer to your directory +service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to distribute, redistribute, and revoke +authenticators according to the requirements of this control. Refer to +your directory service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to change default authenticator content according to +the requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to set minimum and maximum lifetime restrictions and +reuse conditions for authenticators according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to refresh authenticators at a regular cadence +according to the requirements of this control. Refer to your directory +service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to protect authenticator content from unauthorized +disclosure or modification according to the requirements of this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to implement specific security safeguards to protect +authentications according to the requirements of this control. Refer +to your directory service''s documentation for configuring this.' +

                                    +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to change authenticators for group or role accounts +when membership to those groups or roles changes according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + IA-5 (1) +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce minimum password +complexity requirements. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the requirement to +change at least one character when changing passwords according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to store and transmit +cryptographically protected passwords according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the required minimum and +maximum lifetime restrictions according to the requirements of this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the required number of +generations before password reuse according to the requirements of +this control. Refer to your directory service''s documentation for +configuring this.' +

                                    +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to enforce the requirement to +change initial/temporary passwords upon first login according to the +requirements of this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + IA-5 (2) +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system validates the certificates per the +requirements of this control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system enforces authorized access to the +corresponding private key per the requirements of this control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, the system maps the authenticated identity to the +account of the individual or group per the requirements of this +control.' +

                                    +

                                    'All users within a Docker Enterprise Edition cluster can create a +client certificate bundle for authenticating in to the cluster from +the Docker client tooling. When a user attempts to authenticate in to +the Docker cluster, it is up to the underlying operating system +hosting Docker Enterprise Edition to ensure that it implements a local +cache of revocation data per the requirements of this control.' +

                                    + Docker EE system + complete +
                                    + + IA-5 (4) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP can be +configured with automation to ensure that password authenticators meet +strength requirements as defined by this control. Refer to your +directory service's documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + IA-5 (6) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to protect authenticators as required by this +control. Refer to your directory service's documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + IA-8 (2) +

                                    'An external directory service integrated with Docker Enterprise +Edition via LDAP can be configured to meet the FICAM requirements as +indicated by this control. Refer to your directory service''s +documentation for configuring this.' +

                                    + service provider hybrid + complete +
                                    + + IA-8 (3) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to meet the FICAM requirements as indicated by this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + IA-8 (4) +

                                    'The organization is responsible for meeting the requirements of this +control. To assist with meeting these requirements, an external +directory service integrated with Docker Enterprise Edition via LDAP +can be configured to meet the FICAM requirements as indicated by this +control. Refer to your directory service''s documentation for +configuring this.' +

                                    + service provider hybrid + complete +
                                    + + SC-23 (1) +

                                    'Docker Enterprise Edition invalidates session identifiers upon user +logout per the requirements of this control.' +

                                    + Docker EE system + complete +
                                    + + + UCP Documentation +

                                    + https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Identity_Management + + + + + + + + RA-5(2) + "FedRAMP requirement: prior to a new scan" + + + + RA-5(5)-1 + "FedRAMP requirement: operating systems, databases, web applications" + + + + RA-5(5)-2 + "FedRAMP requirement: all scans" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-5(a) + "customer-defined duties of individuals" + + + + AC-14(a) + "customer-defined user actions" + + + + AC-17(3) + "customer-defined" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + AC-21(a) + "customer-defined information sharing circumstances" + + + + AC-21(b) + "customer-defined automated mechanisms or manual processes" + + + + AU-2(a) + "FedRAMP requirement: successful and unsuccessful account logon +events, account management events, object access, policy change, +privileged functions, process tracking, and system events. For Web +applications: all administrator activity, authentication checks, +authorization checks, data deletions, data access, data changes, and +permission changes" + + + + AU-2(d) + "FedRAMP requirement: organization-defined subset of the auditable +events defined in AU-2-a. 
to be audited continually for each +identified event" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(1)-1 + "all network, data storage, and computing devices" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-3 + "changes to the 
thread environment, organization-defined threat +situations" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + CM-5(3) + "customer-defined software" + + + + CM-6(1) + "customer-defined information system components" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + CM-11(a) + "customer-defined policies" + + + + CM-11(b) + "customer-defined methods" + + + + CM-11(c) + "FedRAMP requirement: continuously (via CM-7(5))" + + + + CM-11(1) + "organization-defined personnel or roles" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-2 + "CSP servers" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-14(a) + "customer-defined user actions" + + + + AC-17(3) + "customer-defined" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-5(a) + "customer-defined personnel or roles" + + + 
+ AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-10 + "actions including the addition, modification, deletion, approval, +sending, or receiving of data" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(1)-1 + "all network, data storage, and computing devices" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + CM-1(a) + "customer-defined personnel or roles" + + + + CM-1(b)(1) + "FedRAMP requirement: at least every 3 years" + + + + CM-1(b)(2) + "FedRAMP requirement: at least annually or whenever a significant +change occurs" + + + + CM-2(1)(a) + "FedRAMP 
requirement: at least annually or when a significant change +occurs" + + + + CM-2(1)(b) + "FedRAMP requirement: to include when directed by the JAB" + + + + CM-2(3) + "the previously approved baseline configuration of IS components" + + + + CM-3(e) + "customer-defined time period" + + + + CM-3(g)-1 + "FedRAMP requirement: CAB" + + + + CM-3(g)-2 + "customer-defined" + + + + CM-3(g)-3 + "customer-defined" + + + + CM-3(g)-4 + "customer-defined" + + + + CM-3(1)(b) + "customer-defined authorized approvers" + + + + CM-3(1)(c) + "organization-defined time period" + + + + CM-3(1)(f) + "organization-defined configuration management approval authorities" + + + + CM-3(6) + "all security safeguards that rely on cryptography" + + + + CM-5(2)-1 + "every 30 days" + + + + CM-5(2)-2 + "organization-defined circumstance" + + + + CM-5(3) + "customer-defined software" + + + + CM-6(1) + "customer-defined information system components" + + + + CM-7(b) + "FedRAMP assignment: the service provider shall use the Center for +Internet Security Guidelines (Level 1) to establish list of prohibited +or restricted functions, ports, protocols, and/or services or +establishes its own list of prohibited or restricted functions, ports, +protocols, and/or services if USGCB is not available" + + + + CM-7(2) + "customer-defined policies regarding software program usage or +restrictions" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + SC-7(20 + "organization-defined information system components" + + + + SC-12(2) + "FedRAMP requirement: NIST FIPTS compliance" + + + + SC-13 + "FedRAMP requirement: FIPS-validated or NSA-approved cryptography" + + + + SC-28-1 + "confidentiality and integrity" + + + + SC-28-2 + "customer data" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-2 + "CSP servers" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + SI-16 + "Windows protections, including No Execute, Address Space Layout 
+Randomization, and Data Execution Prevention" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-4 + "customer-defined information flow control policies" + + + + AC-4(8)(a) + "FedRAMP assignment: security policy filters inherent in boundary +protection devices such as gateways, routers, guards, encrypted +tunnels, firewalls" + + + + AC-4(8)(b) + "FedRAMP assignment: information containing PII or organization +sensitive information types" + + + + AC-4(21)-1 + "customer-defined mechanisms and/or techniques" + + + + AC-4(21)-2 + "customer-defined required separation by types of information" + + + + AC-5(a) + "customer-defined duties of individuals" + + + + AC-6(1) + "FedRAMP assignment: all functions not publiclly accessible and all +security-relevant information not publicly available" + + + + AC-6(2) + "FedRAMP requirement: all security functions" + + + + AC-6(3)-1 + "privileged commands used to change/configure network devices" + + + + AC-6(3)-2 + "customer-defined operational needs" + + + + AC-6(5) + "customer-defined personnel or roles" + + + + AC-6(7)(a)-1 + "at least annually" + + + + AC-6(7)(a)-2 + "all users" + + + + AC-6(8) + "FedRAMP assignment: any software except software explicitly +documented" + + + + AC-12(1)(a) + "customer-defined information resources" + + + + AC-14(a) + "customer-defined user actions" + + + + AC-17(3) + "customer-defined" + + + + AC-17(4)(a) + "customer-defined needs" + + + + AC-17(9) + "FedRAMP requirement: no greater than fifteen minutes" + + + + AC-21(a) + "customer-defined information sharing circumstances" + + + + AC-21(b) + "customer-defined automated mechanisms or manual processes" + + + + AU-2(a) + "FedRAMP requirement: successful and unsuccessful account logon +events, account management events, object access, policy change, +privileged functions, process tracking, and system events. 
For Web +applications: all administrator activity, authentication checks, +authorization checks, data deletions, data access, data changes, and +permission changes" + + + + AU-2(d) + "FedRAMP requirement: organization-defined subset of the auditable +events defined in AU-2-a. to be audited continually for each +identified event" + + + + AU-3(1) + "FedRAMP requirement: session, connection, trasaction, or activity +duration; for client-server transactions, the number of bytes received +and bytes sent, additional informational messages to diagnose or +identify the event, characteristics that describe or identify the +object or resource being acted upon" + + + + AU-3(2) + "all network, data storage, and computing devices" + + + + AU-5(a) + "customer-defined personnel or roles" + + + + AU-5(b) + "FedRAMP requirement: low-impact: overwrite oldest audit records; +moderate-impact: shut down" + + + + AU-5(1)-1 + "appropriate service team personnel, customer-defined personnel" + + + + AU-5(1)-2 + "24 hours, customer-defined time period" + + + + AU-5(1)-3 + "a service team defined percentage, customer-defined percentage" + + + + AU-5(2)-1 + "real-time" + + + + AU-5(2)-2 + "appropriate service team personnel" + + + + AU-5(2)-3 + "events defined by each service team, audit failure events requiring +real-time alerts, as defined by organization audit policy" + + + + AU-7(1) + "customer-defined audit fields within audit records" + + + + AU-8(b) + "millisecond precision" + + + + AU-8(1)(a)-1 + "FedRAMP requirement: at least hourly" + + + + AU-8(1)(a)-2 + "FedRAMP requirement: authoritative time source: +http://tf.nist.gov/tf-cgi/servers.cgi" + + + + AU-8(1)(b) + "customer-defined" + + + + AU-9(2) + "FedRAMP requirement: at least weekly" + + + + AU-11 + "FedRAMP requirement: at least one year" + + + + AU-12(a) + "FedRAMP requirement: at least every 3 years" + + + + AU-12(b) + "customer-defined personnel or roles" + + + + AU-12(1)-1 + "all network, data storage, and computing 
devices" + + + + AU-12(1)-2 + "1 millisecond, organization-defined level of tolerance" + + + + AU-12(3)-1 + "service team members with audit configuration responsibilities" + + + + AU-12(3)-2 + "all network, data storage, and computing devices" + + + + AU-12(3)-3 + "changes to the thread environment, organization-defined threat +situations" + + + + AU-12(3)-4 + "risk-based assessment, organization-defined time thresholds" + + + + CM-5(3) + "customer-defined software" + + + + CM-6(1) + "customer-defined information system components" + + + + CM-7(1)(b) + "customer-defined functions, ports, protocols, and services within the +information system deemed to be unnecessary and/or nonsecure" + + + + CM-7(2) + "customer-defined policies regarding software program usage or +restrictions" + + + + CM-7(5)(a) + "customer-defined software programs authorized to execute on the +information system" + + + + SC-28(1)-1 + "customer data" + + + + SC-28(1)-2 + "CSP servers" + + + + SI-11(b) + "authorized service personnel and CSP users" + + + + AC-2(2)-1 + Selection (removes or disables) + + + AC-2(2)-2 + "FedRAMP requirement: no more than 30 days for temporary and emergency +account types" + + + + AC-2(3) + "FedRAMP requirement: thirty-five (35) days for user accounts" + + + + AC-2(4) + "organization and/or service provider system owner" + + + + AC-2(5) + "inactivity is anticipated to exceed fifteen (15) minutes" + + + + AC-2(7)(c) + "FedRAMP assignment: disables/revokes access within an +organization-specified timeframe" + + + + AC-2(9) + "FedRAMP assignment: organization-defined need with justificatino +statement that explains why such accounts are necessary" + + + + AC-2(11)-1 + "customer-defined circumstances or usage conditions" + + + + AC-2(11)-2 + "customer-defined accounts" + + + + AC-2(12)(a) + "customer-defined atypical use" + + + + AC-2(12)(b) + "at a minimum, the ISSO and/or similar role within the organization" + + + + AC-2(13) + "one hour" + + + + AC-7(a)-1 + "FedRAMP 
requirement: not more than three" + + + + AC-7(a)-2 + "FedRAMP requirement: fifteen minutes" + + + + AC-7(b)-1 + "FedRAMP requirement: locks the account/node for three hours" + + + + AC-7(b)-2 + "customer-defined additional actions" + + + + AC-8(a) + "customer-defined system use notification banner" + + + + AC-8(c)(1) + "customer-defined conditions" + + + + AC-10 + "customer-defined account and/or account type; FedRAMP requirement: +three sessions for privileged access and two sessions for +non-privileged access" + + + + AC-11(a) + "FedRAMP requirement: fifteen minutes" + + + + AC-12 + "customer-defined conditions or trigger events" + + + + IA-4(a) + "customer-defined personnel or roles" + + + + IA-4(d) + "FedRAMP requirement: at least two years" + + + + IA-4(e) + "FedRAMP requirement: thirty-five (35) days" + + + + IA-4(4) + "FedRAMP requirement: contractors, foreign nationals" + + + + IA-5(g) + "FedRAMP requirement: 60 days for passwords" + + + + IA-5(1)(a) + "FedRAMP requirement: case-sensitive, minimum of fourteen (14) +characters, and at least one (1) each of upper-case letters, +lower-case letters, numbers, and special characters" + + + + IA-5(1)(b) + "FedRAMP requirement: at least fifty percent (50%)" + + + + IA-5(1)(d) + "FedRAMP requirement: one day minimum, sixty day maximum" + + + + IA-5(1)(e) + "FedRAMP requirement: twenty four" + + + + IA-5(4) + "complexity as identified in IA-05 (1) Control Enhancement Part A" + + + + IA-8(3) + "N/A" + + + + diff --git a/working/README.md b/working/README.md index cb5a97cff7..a53661a35b 100644 --- a/working/README.md +++ b/working/README.md 
@@ -2,15 +2,15 @@ This part of the repository contains artifacts that comprise the implementation of the OSCAL catalog and profile layers. -The 'working' subdirectory contains the following: +The 'working' subdirectory contains the following, produced in various sprints: - * '[lib](lib)' - schemas along with Schematron, CSS, and XSLT files - * '[doc](doc)' - documentation including mapping documentation plus supporting code; any tag set docs will also be here - * '[COBIT5](COBIT5)' - OSCAL demo files for COBIT 5 (e.g., XML files for representing COBIT 5 excerpts in OSCAL format for demonstration purposes) - * '[ISO27002](ISO27002)' - OSCAL demo files for ISO 27002 - * '[SP800-53](SP800-53)' - OSCAL demo files for NIST SP 800-53 (rev 4) - * '[FedRAMP](FedRAMP) - prototype heading towards representing FedRAMP spreadsheet as a profile (customization) of a baseline derived from SP800-53: currently, we have a profile calling SP800-53; working towards a profile calling an SP800-53 baseline (profile) - * '[CSF](CSF)' - represented as an OSCAL framework (valid to our schema). Working from a YAML representation of a Cybersecurity Framework document (cf Issue #5) + * [lib](lib) - schemas along with Schematron, CSS, and XSLT files + * [ISO-27002](ISO-27002) - OSCAL demo files for ISO 27002 + * [SP800-53](SP800-53) - OSCAL demo files for NIST SP 800-53 (revs 4 and 5) with derivation pipelines (conversion from NVD XML) + * [FedRAMP](FedRAMP) - prototype heading towards representing FedRAMP spreadsheet as a profile (customization) of a baseline derived from SP800-53: currently, we have a profile calling SP800-53; working towards a profile calling an SP800-53 baseline (profile) + * [COBIT5](COBIT5) - OSCAL demo files for COBIT 5 (e.g., XML files for representing COBIT 5 excerpts in OSCAL format for demonstration purposes) + * [CSF](CSF) - represented as an OSCAL framework (valid to our schema). 
Working from a YAML representation of a Cybersecurity Framework document (cf Issue #5) + * [JSON-mapping](JSON-mapping) - prototype pathway from JSON representation of 'implementation' layer data, into an OSCAL format, and its coordination/integration with extant catalogs. Validations and "prettified" (formal) editing are configured for oXygen XML Editor, and sample documents are provided with the necessary glue code. However, software components invoked by these bindings, including XSLTs and CSSs, are standards-based, and everything done here with oXygen could be done on a different platform. Likewise, demonstrations we have produced thus far only *scratched the surface* of what is possible with OSCAL. diff --git a/working/SP800-53/SP800-53-LOW-baselineimpact-profile.xml b/working/SP800-53/SP800-53-LOW-baselineimpact-profile.xml new file mode 100644 index 0000000000..3cccc178f2 --- /dev/null +++ b/working/SP800-53/SP800-53-LOW-baselineimpact-profile.xml 
@@ -0,0 +1,936 @@ + + + + SP800-53 LOW BASELINE IMPACT + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined information system account types + organization-defined information system account types + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined procedures or conditions + organization-defined procedures or conditions + + + organization-defined frequency + organization-defined frequency + + + organization-defined number + organization-defined number + + + organization-defined time period + organization-defined time period + + + organization-defined time period + organization-defined time period + + + organization-defined delay algorithm + organization-defined delay algorithm + + + organization-defined system use notification message or banner + organization-defined system use notification message or banner + + + organization-defined conditions + organization-defined conditions + + + organization-defined user actions + organization-defined user actions + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period 
+ + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined auditable events + organization-defined auditable events + + + organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event + organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event + + + organization-defined audit record storage requirements + organization-defined audit record storage requirements + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) + organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) + + + organization-defined frequency + organization-defined frequency + + + organization-defined inappropriate or unusual activity + organization-defined inappropriate or unusual activity + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined granularity of time measurement + organization-defined granularity of time measurement + + + organization-defined time period consistent with records retention policy + organization-defined time period consistent with records retention policy + + + organization-defined information system components + organization-defined information system components + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined personnel or roles + organization-defined personnel 
or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined individuals or roles + organization-defined individuals or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined metrics + organization-defined metrics + + + organization-defined frequencies + organization-defined frequencies + + + organization-defined frequencies + organization-defined frequencies + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined information system components or classes of components + organization-defined information system components or classes of components + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined security configuration checklists + organization-defined security configuration checklists + + + organization-defined information system components + organization-defined information system components + + + organization-defined operational requirements + organization-defined operational requirements + + + organization-defined prohibited or restricted functions, ports, protocols, and/or services + organization-defined prohibited or restricted functions, ports, protocols, and/or services + + + organization-defined information deemed necessary to achieve effective information system component accountability + organization-defined information deemed necessary to achieve effective 
information system component accountability + + + organization-defined frequency + organization-defined frequency + + + organization-defined policies + organization-defined policies + + + organization-defined methods + organization-defined methods + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + + + organization-defined frequency + organization-defined frequency + + + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined tests + organization-defined tests + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point 
objectives + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined time period of inactivity + organization-defined time period of inactivity + + + organization-defined time period by authenticator type + organization-defined time period by authenticator type + + + organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type + organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type + + + organization-defined number + organization-defined number + + + organization-defined numbers for lifetime minimum, lifetime maximum + organization-defined numbers for lifetime minimum, lifetime maximum + + + organization-defined number + organization-defined number + + + organization-defined token quality requirements + organization-defined token quality requirements + + + organization-defined information systems + organization-defined information systems + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined authorities + 
organization-defined authorities + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + + + organization-defined frequency + organization-defined frequency + + + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined maintenance-related information + organization-defined maintenance-related information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined types of digital and/or non-digital media + organization-defined types of digital and/or non-digital media + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined information system media + organization-defined information system media + + + organization-defined sanitization techniques and procedures + organization-defined sanitization techniques and procedures + + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined information systems or system components + organization-defined information systems or 
system components + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined entry/exit points to the facility where the information system resides + organization-defined entry/exit points to the facility where the information system resides + + + organization-defined physical access control systems/devices + organization-defined physical access control systems/devices + + + organization-defined entry/exit points + organization-defined entry/exit points + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined circumstances requiring visitor escorts and monitoring + organization-defined circumstances requiring visitor escorts and monitoring + + + organization-defined physical access devices + organization-defined physical access devices + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined events or potential indications of events + organization-defined events or potential indications of events + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined acceptable levels + organization-defined acceptable levels + + + organization-defined frequency + organization-defined frequency + + + organization-defined types of information system components + organization-defined types of information system components + + + organization-defined personnel or roles + 
organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + + + organization-defined time period + organization-defined time period + + + organization-defined information security topics + organization-defined information security topics + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined transfer or reassignment actions + organization-defined transfer or reassignment actions + + + organization-defined time period following the formal transfer action + organization-defined time period following the formal transfer action + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time 
period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined document + organization-defined document + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency and/or randomly in accordance with organization-defined process + organization-defined frequency and/or randomly in accordance with organization-defined process + + + organization-defined response times + organization-defined response times + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined system development life cycle + organization-defined system development life cycle + + + organization-defined actions + organization-defined actions + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined security controls + organization-defined security controls + + + organization-defined processes, methods, and techniques + organization-defined processes, methods, and techniques + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + 
organization-defined frequency + + + organization-defined types of denial of service attacks or references to sources for such information + organization-defined types of denial of service attacks or references to sources for such information + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined requirements for key generation, distribution, storage, access, and destruction + organization-defined requirements for key generation, distribution, storage, access, and destruction + + + organization-defined cryptographic uses and type of cryptography required for each use + organization-defined cryptographic uses and type of cryptography required for each use + + + organization-defined exceptions where remote activation is to be allowed + organization-defined exceptions where remote activation is to be allowed + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined action + organization-defined action + + + organization-defined monitoring objectives + organization-defined monitoring objectives + + + organization-defined techniques and methods + organization-defined techniques and methods + + + organization-defined information system monitoring information + organization-defined information system monitoring information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined external organizations + organization-defined external organizations + + + organization-defined personnel or roles + organization-defined personnel or roles + + + 
organization-defined elements within the organization + organization-defined elements within the organization + + + organization-defined external organizations + organization-defined external organizations + + diff --git a/working/SP800-53/profile-with-filter.xsl b/working/SP800-53/profile-with-filter.xsl index 51eaeae53c..766f4d2680 100644 --- a/working/SP800-53/profile-with-filter.xsl +++ b/working/SP800-53/profile-with-filter.xsl @@ -33,12 +33,16 @@ SP800-53 { $value } BASELINE IMPACT - + - - + + + + + + @@ -63,7 +67,7 @@ + subcontrol[prop[@class=$property]=$value]/param" mode="param"> inserted into {$insertions/(ancestor::part | ancestor::subcontrol | ancestor::control)[last()]/prop[@class='name']} diff --git a/working/SP800-53/rev4/HIGH-baseline-profile-oscal.json b/working/SP800-53/rev4/HIGH-baseline-profile-oscal.json deleted file mode 100644 index ddf9904406..0000000000 --- a/working/SP800-53/rev4/HIGH-baseline-profile-oscal.json +++ /dev/null 
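Review bot: The new select predicate `subcontrol[prop[@class=$property]=$value]/param` in the second hunk of profile-with-filter.xsl pulls parameters by a property name and value supplied from outside the stylesheet, but nothing on the visible lines documents what `$property` and `$value` are expected to hold or that the comparison is an exact string match (case- and whitespace-sensitive). Judging from the title template `SP800-53 { $value } BASELINE IMPACT` in the first hunk these appear to be the baseline-impact property and its level, but that is inferred rather than stated. An XML comment above the apply-templates, e.g. `<!-- $property/$value: class and value of the prop a control or subcontrol must carry for its params to be pulled into the profile; compared as exact strings -->`, would make the filter's contract explicit. The enclosing xsl:template begins outside the hunk.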
@@ -1,1040 +0,0 @@ -{ - "invocations": [ - { - "href": "file:/home/wendell/Documents/OSCAL/working/SP800-53/SP800-53-OSCAL-refined.json", - "include": { - "calls": [ - { - "controlId": "ac.1" - }, - { - "controlId": "ac.2" - }, - { - "subcontrolId": "ac.2.1." - }, - { - "subcontrolId": "ac.2.2." - }, - { - "subcontrolId": "ac.2.3." - }, - { - "subcontrolId": "ac.2.4." - }, - { - "subcontrolId": "ac.2.5." - }, - { - "subcontrolId": "ac.2.11." - }, - { - "subcontrolId": "ac.2.12." - }, - { - "subcontrolId": "ac.2.13." - }, - { - "controlId": "ac.3" - }, - { - "controlId": "ac.4" - }, - { - "controlId": "ac.5" - }, - { - "controlId": "ac.6" - }, - { - "subcontrolId": "ac.6.1." - }, - { - "subcontrolId": "ac.6.2." - }, - { - "subcontrolId": "ac.6.3." - }, - { - "subcontrolId": "ac.6.5." - }, - { - "subcontrolId": "ac.6.9." - }, - { - "subcontrolId": "ac.6.10." - }, - { - "controlId": "ac.7" - }, - { - "controlId": "ac.8" - }, - { - "controlId": "ac.10" - }, - { - "controlId": "ac.11" - }, - { - "subcontrolId": "ac.11.1." - }, - { - "controlId": "ac.12" - }, - { - "controlId": "ac.14" - }, - { - "controlId": "ac.17" - }, - { - "subcontrolId": "ac.17.1." - }, - { - "subcontrolId": "ac.17.2." - }, - { - "subcontrolId": "ac.17.3." - }, - { - "subcontrolId": "ac.17.4." - }, - { - "controlId": "ac.18" - }, - { - "subcontrolId": "ac.18.1." - }, - { - "subcontrolId": "ac.18.4." - }, - { - "subcontrolId": "ac.18.5." - }, - { - "controlId": "ac.19" - }, - { - "subcontrolId": "ac.19.5." - }, - { - "controlId": "ac.20" - }, - { - "subcontrolId": "ac.20.1." - }, - { - "subcontrolId": "ac.20.2." - }, - { - "controlId": "ac.21" - }, - { - "controlId": "ac.22" - }, - { - "controlId": "at.1" - }, - { - "controlId": "at.2" - }, - { - "subcontrolId": "at.2.2." - }, - { - "controlId": "at.3" - }, - { - "controlId": "at.4" - }, - { - "controlId": "au.1" - }, - { - "controlId": "au.2" - }, - { - "subcontrolId": "au.2.3." - }, - { - "controlId": "au.3" - }, - { - "subcontrolId": "au.3.1." 
- }, - { - "subcontrolId": "au.3.2." - }, - { - "controlId": "au.4" - }, - { - "controlId": "au.5" - }, - { - "subcontrolId": "au.5.1." - }, - { - "subcontrolId": "au.5.2." - }, - { - "controlId": "au.6" - }, - { - "subcontrolId": "au.6.1." - }, - { - "subcontrolId": "au.6.3." - }, - { - "subcontrolId": "au.6.5." - }, - { - "subcontrolId": "au.6.6." - }, - { - "controlId": "au.7" - }, - { - "subcontrolId": "au.7.1." - }, - { - "controlId": "au.8" - }, - { - "subcontrolId": "au.8.1." - }, - { - "controlId": "au.9" - }, - { - "subcontrolId": "au.9.2." - }, - { - "subcontrolId": "au.9.3." - }, - { - "subcontrolId": "au.9.4." - }, - { - "controlId": "au.10" - }, - { - "controlId": "au.11" - }, - { - "controlId": "au.12" - }, - { - "subcontrolId": "au.12.1." - }, - { - "subcontrolId": "au.12.3." - }, - { - "controlId": "ca.1" - }, - { - "controlId": "ca.2" - }, - { - "subcontrolId": "ca.2.1." - }, - { - "subcontrolId": "ca.2.2." - }, - { - "controlId": "ca.3" - }, - { - "subcontrolId": "ca.3.5." - }, - { - "controlId": "ca.5" - }, - { - "controlId": "ca.6" - }, - { - "controlId": "ca.7" - }, - { - "subcontrolId": "ca.7.1." - }, - { - "controlId": "ca.8" - }, - { - "controlId": "ca.9" - }, - { - "controlId": "cm.1" - }, - { - "controlId": "cm.2" - }, - { - "subcontrolId": "cm.2.1." - }, - { - "subcontrolId": "cm.2.2." - }, - { - "subcontrolId": "cm.2.3." - }, - { - "subcontrolId": "cm.2.7." - }, - { - "controlId": "cm.3" - }, - { - "subcontrolId": "cm.3.1." - }, - { - "subcontrolId": "cm.3.2." - }, - { - "controlId": "cm.4" - }, - { - "subcontrolId": "cm.4.1." - }, - { - "controlId": "cm.5" - }, - { - "subcontrolId": "cm.5.1." - }, - { - "subcontrolId": "cm.5.2." - }, - { - "subcontrolId": "cm.5.3." - }, - { - "controlId": "cm.6" - }, - { - "subcontrolId": "cm.6.1." - }, - { - "subcontrolId": "cm.6.2." - }, - { - "controlId": "cm.7" - }, - { - "subcontrolId": "cm.7.1." - }, - { - "subcontrolId": "cm.7.2." - }, - { - "subcontrolId": "cm.7.5." 
- }, - { - "controlId": "cm.8" - }, - { - "subcontrolId": "cm.8.1." - }, - { - "subcontrolId": "cm.8.2." - }, - { - "subcontrolId": "cm.8.3." - }, - { - "subcontrolId": "cm.8.4." - }, - { - "subcontrolId": "cm.8.5." - }, - { - "controlId": "cm.9" - }, - { - "controlId": "cm.10" - }, - { - "controlId": "cm.11" - }, - { - "controlId": "cp.1" - }, - { - "controlId": "cp.2" - }, - { - "subcontrolId": "cp.2.1." - }, - { - "subcontrolId": "cp.2.2." - }, - { - "subcontrolId": "cp.2.3." - }, - { - "subcontrolId": "cp.2.4." - }, - { - "subcontrolId": "cp.2.5." - }, - { - "subcontrolId": "cp.2.8." - }, - { - "controlId": "cp.3" - }, - { - "subcontrolId": "cp.3.1." - }, - { - "controlId": "cp.4" - }, - { - "subcontrolId": "cp.4.1." - }, - { - "subcontrolId": "cp.4.2." - }, - { - "controlId": "cp.6" - }, - { - "subcontrolId": "cp.6.1." - }, - { - "subcontrolId": "cp.6.2." - }, - { - "subcontrolId": "cp.6.3." - }, - { - "controlId": "cp.7" - }, - { - "subcontrolId": "cp.7.1." - }, - { - "subcontrolId": "cp.7.2." - }, - { - "subcontrolId": "cp.7.3." - }, - { - "subcontrolId": "cp.7.4." - }, - { - "controlId": "cp.8" - }, - { - "subcontrolId": "cp.8.1." - }, - { - "subcontrolId": "cp.8.2." - }, - { - "subcontrolId": "cp.8.3." - }, - { - "subcontrolId": "cp.8.4." - }, - { - "controlId": "cp.9" - }, - { - "subcontrolId": "cp.9.1." - }, - { - "subcontrolId": "cp.9.2." - }, - { - "subcontrolId": "cp.9.3." - }, - { - "subcontrolId": "cp.9.5." - }, - { - "controlId": "cp.10" - }, - { - "subcontrolId": "cp.10.2." - }, - { - "subcontrolId": "cp.10.4." - }, - { - "controlId": "ia.1" - }, - { - "controlId": "ia.2" - }, - { - "subcontrolId": "ia.2.1." - }, - { - "subcontrolId": "ia.2.2." - }, - { - "subcontrolId": "ia.2.3." - }, - { - "subcontrolId": "ia.2.4." - }, - { - "subcontrolId": "ia.2.8." - }, - { - "subcontrolId": "ia.2.9." - }, - { - "subcontrolId": "ia.2.11." - }, - { - "subcontrolId": "ia.2.12." 
- }, - { - "controlId": "ia.3" - }, - { - "controlId": "ia.4" - }, - { - "controlId": "ia.5" - }, - { - "subcontrolId": "ia.5.1." - }, - { - "subcontrolId": "ia.5.2." - }, - { - "subcontrolId": "ia.5.3." - }, - { - "subcontrolId": "ia.5.11." - }, - { - "controlId": "ia.6" - }, - { - "controlId": "ia.7" - }, - { - "controlId": "ia.8" - }, - { - "subcontrolId": "ia.8.1." - }, - { - "subcontrolId": "ia.8.2." - }, - { - "subcontrolId": "ia.8.3." - }, - { - "subcontrolId": "ia.8.4." - }, - { - "controlId": "ir.1" - }, - { - "controlId": "ir.2" - }, - { - "subcontrolId": "ir.2.1." - }, - { - "subcontrolId": "ir.2.2." - }, - { - "controlId": "ir.3" - }, - { - "subcontrolId": "ir.3.2." - }, - { - "controlId": "ir.4" - }, - { - "subcontrolId": "ir.4.1." - }, - { - "subcontrolId": "ir.4.4." - }, - { - "controlId": "ir.5" - }, - { - "subcontrolId": "ir.5.1." - }, - { - "controlId": "ir.6" - }, - { - "subcontrolId": "ir.6.1." - }, - { - "controlId": "ir.7" - }, - { - "subcontrolId": "ir.7.1." - }, - { - "controlId": "ir.8" - }, - { - "controlId": "ma.1" - }, - { - "controlId": "ma.2" - }, - { - "subcontrolId": "ma.2.2." - }, - { - "controlId": "ma.3" - }, - { - "subcontrolId": "ma.3.1." - }, - { - "subcontrolId": "ma.3.2." - }, - { - "subcontrolId": "ma.3.3." - }, - { - "controlId": "ma.4" - }, - { - "subcontrolId": "ma.4.2." - }, - { - "subcontrolId": "ma.4.3." - }, - { - "controlId": "ma.5" - }, - { - "subcontrolId": "ma.5.1." - }, - { - "controlId": "ma.6" - }, - { - "controlId": "mp.1" - }, - { - "controlId": "mp.2" - }, - { - "controlId": "mp.3" - }, - { - "controlId": "mp.4" - }, - { - "controlId": "mp.5" - }, - { - "subcontrolId": "mp.5.4." - }, - { - "controlId": "mp.6" - }, - { - "subcontrolId": "mp.6.1." - }, - { - "subcontrolId": "mp.6.2." - }, - { - "subcontrolId": "mp.6.3." - }, - { - "controlId": "mp.7" - }, - { - "subcontrolId": "mp.7.1." 
- }, - { - "controlId": "pe.1" - }, - { - "controlId": "pe.2" - }, - { - "controlId": "pe.3" - }, - { - "subcontrolId": "pe.3.1." - }, - { - "controlId": "pe.4" - }, - { - "controlId": "pe.5" - }, - { - "controlId": "pe.6" - }, - { - "subcontrolId": "pe.6.1." - }, - { - "subcontrolId": "pe.6.4." - }, - { - "controlId": "pe.8" - }, - { - "subcontrolId": "pe.8.1." - }, - { - "controlId": "pe.9" - }, - { - "controlId": "pe.10" - }, - { - "controlId": "pe.11" - }, - { - "subcontrolId": "pe.11.1." - }, - { - "controlId": "pe.12" - }, - { - "controlId": "pe.13" - }, - { - "subcontrolId": "pe.13.1." - }, - { - "subcontrolId": "pe.13.2." - }, - { - "subcontrolId": "pe.13.3." - }, - { - "controlId": "pe.14" - }, - { - "controlId": "pe.15" - }, - { - "subcontrolId": "pe.15.1." - }, - { - "controlId": "pe.16" - }, - { - "controlId": "pe.17" - }, - { - "controlId": "pe.18" - }, - { - "controlId": "pl.1" - }, - { - "controlId": "pl.2" - }, - { - "subcontrolId": "pl.2.3." - }, - { - "controlId": "pl.4" - }, - { - "subcontrolId": "pl.4.1." - }, - { - "controlId": "pl.8" - }, - { - "controlId": "ps.1" - }, - { - "controlId": "ps.2" - }, - { - "controlId": "ps.3" - }, - { - "controlId": "ps.4" - }, - { - "subcontrolId": "ps.4.2." - }, - { - "controlId": "ps.5" - }, - { - "controlId": "ps.6" - }, - { - "controlId": "ps.7" - }, - { - "controlId": "ps.8" - }, - { - "controlId": "ra.1" - }, - { - "controlId": "ra.2" - }, - { - "controlId": "ra.3" - }, - { - "controlId": "ra.5" - }, - { - "subcontrolId": "ra.5.1." - }, - { - "subcontrolId": "ra.5.2." - }, - { - "subcontrolId": "ra.5.4." - }, - { - "subcontrolId": "ra.5.5." - }, - { - "controlId": "sa.1" - }, - { - "controlId": "sa.2" - }, - { - "controlId": "sa.3" - }, - { - "controlId": "sa.4" - }, - { - "subcontrolId": "sa.4.1." - }, - { - "subcontrolId": "sa.4.2." - }, - { - "subcontrolId": "sa.4.9." - }, - { - "subcontrolId": "sa.4.10." 
- }, - { - "controlId": "sa.5" - }, - { - "controlId": "sa.8" - }, - { - "controlId": "sa.9" - }, - { - "subcontrolId": "sa.9.2." - }, - { - "controlId": "sa.10" - }, - { - "controlId": "sa.11" - }, - { - "controlId": "sa.12" - }, - { - "controlId": "sa.15" - }, - { - "controlId": "sa.16" - }, - { - "controlId": "sa.17" - }, - { - "controlId": "sc.1" - }, - { - "controlId": "sc.2" - }, - { - "controlId": "sc.3" - }, - { - "controlId": "sc.4" - }, - { - "controlId": "sc.5" - }, - { - "controlId": "sc.7" - }, - { - "subcontrolId": "sc.7.3." - }, - { - "subcontrolId": "sc.7.4." - }, - { - "subcontrolId": "sc.7.5." - }, - { - "subcontrolId": "sc.7.7." - }, - { - "subcontrolId": "sc.7.8." - }, - { - "subcontrolId": "sc.7.18." - }, - { - "subcontrolId": "sc.7.21." - }, - { - "controlId": "sc.8" - }, - { - "subcontrolId": "sc.8.1." - }, - { - "controlId": "sc.10" - }, - { - "controlId": "sc.12" - }, - { - "subcontrolId": "sc.12.1." - }, - { - "controlId": "sc.13" - }, - { - "controlId": "sc.15" - }, - { - "controlId": "sc.17" - }, - { - "controlId": "sc.18" - }, - { - "controlId": "sc.19" - }, - { - "controlId": "sc.20" - }, - { - "controlId": "sc.21" - }, - { - "controlId": "sc.22" - }, - { - "controlId": "sc.23" - }, - { - "controlId": "sc.24" - }, - { - "controlId": "sc.28" - }, - { - "controlId": "sc.39" - }, - { - "controlId": "si.1" - }, - { - "controlId": "si.2" - }, - { - "subcontrolId": "si.2.1." - }, - { - "subcontrolId": "si.2.2." - }, - { - "controlId": "si.3" - }, - { - "subcontrolId": "si.3.1." - }, - { - "subcontrolId": "si.3.2." - }, - { - "controlId": "si.4" - }, - { - "subcontrolId": "si.4.2." - }, - { - "subcontrolId": "si.4.4." - }, - { - "subcontrolId": "si.4.5." - }, - { - "controlId": "si.5" - }, - { - "subcontrolId": "si.5.1." - }, - { - "controlId": "si.6" - }, - { - "controlId": "si.7" - }, - { - "subcontrolId": "si.7.1." - }, - { - "subcontrolId": "si.7.2." - }, - { - "subcontrolId": "si.7.5." - }, - { - "subcontrolId": "si.7.7." 
- }, - { - "subcontrolId": "si.7.14." - }, - { - "controlId": "si.8" - }, - { - "subcontrolId": "si.8.1." - }, - { - "subcontrolId": "si.8.2." - }, - { - "controlId": "si.10" - }, - { - "controlId": "si.11" - }, - { - "controlId": "si.12" - }, - { - "controlId": "si.16" - } - ] - } - } - ] -} \ No newline at end of file diff --git a/working/SP800-53/rev4/HIGH-baseline-profile-oscal.xml b/working/SP800-53/rev4/HIGH-baseline-profile-oscal.xml deleted file mode 100644 index dfabdddd8f..0000000000 --- a/working/SP800-53/rev4/HIGH-baseline-profile-oscal.xml +++ /dev/null 
@@ -1,2210 +0,0 @@ - - - - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined information system account types - - - - organization-defined personnel or roles - - - - organization-defined procedures or conditions - - - - organization-defined frequency - - - - - - - - organization-defined time period for each type of account - - - - - - organization-defined time period - - - - - - organization-defined personnel or roles - - - - - - organization-defined time-period of expected inactivity or description of when to - log out - - - - - - organization-defined circumstances and/or usage conditions - - - - organization-defined information system accounts - - - - - - organization-defined atypical usage - - - - organization-defined personnel or roles - - - - - - organization-defined time period - - - - - - - - organization-defined information flow control policies - - - - - - organization-defined duties of individuals - - - - - - - - organization-defined security functions (deployed in hardware, software, and - firmware) and security-relevant information - - - - - - organization-defined security functions or security-relevant information - - - - - - organization-defined privileged commands - - - - organization-defined compelling operational needs - - - - - - organization-defined personnel or roles - - - - - - - - - - organization-defined number - - - - organization-defined time period - - - - organization-defined time period - - - - organization-defined delay algorithm - - - - - - organization-defined system use notification message or banner - - - - organization-defined conditions - - - - - - organization-defined account and/or account type - - - - organization-defined number - - - - - - organization-defined time period - - - - - - - - organization-defined conditions or trigger events requiring session - disconnect - - - - - - organization-defined user actions - - - 
- - - - - - - - - organization-defined number - - - - - - organization-defined needs - - - - - - - - - - - - - - - - organization-defined mobile devices - - - - - - - - - - - - organization-defined information sharing circumstances where user discretion is - required - - - - organization-defined automated mechanisms or manual processes - - - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - - - - - organization-defined frequency - - - - - - organization-defined time period - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined auditable events - - - - organization-defined audited events (the subset of the auditable events defined - in AU-2 a.) along with the frequency of (or situation requiring) auditing for each - identified event - - - - - - organization-defined frequency - - - - - - - - organization-defined additional, more detailed information - - - - - - organization-defined information system components - - - - - - organization-defined audit record storage requirements - - - - - - organization-defined personnel or roles - - - - organization-defined actions to be taken (e.g., shut down information system, - overwrite oldest audit records, stop generating audit records) - - - - - - organization-defined personnel, roles, and/or locations - - - - organization-defined time period - - - - organization-defined percentage - - - - - - organization-defined real-time period - - - - organization-defined personnel, roles, and/or locations - - - - organization-defined audit failure events requiring real-time alerts - - - - - - organization-defined frequency - - - - organization-defined inappropriate or unusual activity - - - - organization-defined personnel or roles - - - - - - - - - - 
organization-defined data/information collected from other sources - - - - - - - - - - organization-defined audit fields within audit records - - - - - - organization-defined granularity of time measurement - - - - - - organization-defined frequency - - - - organization-defined authoritative time source - - - - organization-defined time period - - - - - - - - organization-defined frequency - - - - - - - - organization-defined subset of privileged users - - - - - - organization-defined actions to be covered by non-repudiation - - - - - - organization-defined time period consistent with records retention policy - - - - - - organization-defined information system components - - - - organization-defined personnel or roles - - - - - - organization-defined information system components - - - - organization-defined level of tolerance for the relationship between time stamps - of individual records in the audit trail - - - - - - organization-defined individuals or roles - - - - organization-defined information system components - - - - organization-defined selectable event criteria - - - - organization-defined time thresholds - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - organization-defined individuals or roles - - - - - - organization-defined level of independence - - - - - - organization-defined frequency - - - - organization-defined other forms of security assessment - - - - - - organization-defined frequency - - - - - - organization-defined information systems - - - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - - - organization-defined metrics - - - - organization-defined frequencies - - - - organization-defined frequencies - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - - - organization-defined level of independence - - - - - - 
organization-defined frequency - - - - organization-defined information systems or system components - - - - - - organization-defined information system components or classes of - components - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - - - organization-defined frequency - - - - Assignment organization-defined circumstances - - - - - - - - organization-defined previous versions of baseline configurations of the - information system - - - - - - organization-defined information systems, system components, or devices - - - - organization-defined configurations - - - - organization-defined security safeguards - - - - - - organization-defined time period - - - - organization-defined configuration change control element (e.g., committee, - board) - - - - organization-defined frequency - - - - organization-defined configuration change conditions - - - - - - organized-defined approval authorities - - - - organization-defined time period - - - - organization-defined personnel - - - - - - - - - - - - - - - - organization-defined frequency - - - - organization-defined circumstances - - - - - - organization-defined software and firmware components - - - - - - organization-defined security configuration checklists - - - - organization-defined information system components - - - - organization-defined operational requirements - - - - - - organization-defined information system components - - - - - - organization-defined security safeguards - - - - organization-defined configuration settings - - - - - - organization-defined prohibited or restricted functions, ports, protocols, and/or - services - - - - - - organization-defined frequency - - - - organization-defined functions, ports, protocols, and services within the - information system deemed to be unnecessary and/or nonsecure - - - - - - organization-defined policies regarding software program usage and - restrictions - - - - - - 
organization-defined software programs authorized to execute on the information - system - - - - organization-defined frequency - - - - - - organization-defined information deemed necessary to achieve effective - information system component accountability - - - - organization-defined frequency - - - - - - - - - - organization-defined frequency - - - - organization-defined personnel or roles - - - - - - - - - - - - - - organization-defined policies - - - - organization-defined methods - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined key contingency personnel (identified by name and/or by - role) and organizational elements - - - - organization-defined frequency - - - - organization-defined key contingency personnel (identified by name and/or by - role) and organizational elements - - - - - - - - - - organization-defined time period - - - - - - organization-defined time period - - - - - - - - - - organization-defined time period - - - - organization-defined frequency - - - - - - - - organization-defined frequency - - - - organization-defined tests - - - - - - - - - - - - - - - - - - organization-defined information system operations - - - - organization-defined time period consistent with recovery time and recovery point - objectives - - - - - - - - - - - - - - organization-defined information system operations - - - - organization-defined time period - - - - - - - - - - - - organization-defined frequency - - - - - - organization-defined frequency consistent with recovery time and recovery point - objectives - - - - organization-defined frequency consistent with recovery time and recovery point - objectives - - - - organization-defined frequency consistent with recovery time and recovery point - objectives - - - - - - organization-defined frequency - - - - - - - - 
organization-defined critical information system software and other - security-related information - - - - - - organization-defined time period and transfer rate consistent with the recovery - time and recovery point objectives - - - - - - - - - - organization-defined restoration time-periods - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - - - - - - - - - - - - - - - organization-defined strength of mechanism requirements - - - - - - - - organization-defined specific and/or types of devices - - - - - - organization-defined personnel or roles - - - - organization-defined time period - - - - organization-defined time period of inactivity - - - - - - organization-defined time period by authenticator type - - - - - - organization-defined requirements for case sensitivity, number of characters, mix - of upper-case letters, lower-case letters, numbers, and special characters, including - minimum requirements for each type - - - - organization-defined number - - - - organization-defined numbers for lifetime minimum, lifetime maximum - - - - organization-defined number - - - - - - - - organization-defined types of and/or specific authenticators - - - - organization-defined registration authority - - - - organization-defined personnel or roles - - - - - - organization-defined token quality requirements - - - - - - - - - - - - - - - - organization-defined information systems - - - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined time period - - - - organization-defined frequency - - - - - - - - - - organization-defined frequency - - - - organization-defined tests - - - - - - - - - - - - - - - - - - organization-defined time period - - - - organization-defined authorities - - - - - - - - - - - - organization-defined personnel or roles - - - - organization-defined incident 
response personnel (identified by name and/or by - role) and organizational elements - - - - organization-defined frequency - - - - organization-defined incident response personnel (identified by name and/or by - role) and organizational elements - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined maintenance-related information - - - - - - - - - - - - - - organization-defined personnel or roles - - - - - - - - - - - - - - - - organization-defined information system components - - - - organization-defined time period - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined types of digital and/or non-digital media - - - - organization-defined personnel or roles - - - - - - organization-defined types of information system media - - - - organization-defined controlled areas - - - - - - organization-defined types of digital and/or non-digital media - - - - organization-defined controlled areas - - - - - - organization-defined types of information system media - - - - organization-defined security safeguards - - - - - - - - organization-defined information system media - - - - organization-defined sanitization techniques and procedures - - - - - - - - organization-defined frequency - - - - - - organization-defined circumstances requiring sanitization of portable storage - devices - - - - - - organization-defined types of information system media - - - - organization-defined information systems or system components - - - - organization-defined security safeguards - - - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - - - organization-defined entry/exit points to the facility where 
the information - system resides - - - - organization-defined physical access control systems/devices - - - - organization-defined entry/exit points - - - - organization-defined security safeguards - - - - organization-defined circumstances requiring visitor escorts and - monitoring - - - - organization-defined physical access devices - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined physical spaces containing one or more components of the - information system - - - - - - organization-defined information system distribution and transmission - lines - - - - organization-defined security safeguards - - - - - - - - organization-defined frequency - - - - organization-defined events or potential indications of events - - - - - - - - organization-defined physical spaces containing one or more components of the - information system - - - - - - organization-defined time period - - - - organization-defined frequency - - - - - - - - - - organization-defined location by information system or system component - - - - - - - - - - - - - - organization-defined personnel or roles - - - - organization-defined emergency responders - - - - - - organization-defined emergency responders - - - - - - - - organization-defined acceptable levels - - - - organization-defined frequency - - - - - - - - organization-defined personnel or roles - - - - - - organization-defined types of information system components - - - - - - organization-defined security controls - - - - - - organization-defined physical and environmental hazards - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - - - organization-defined individuals or groups - - - - - - organization-defined frequency - - - - - - - - organization-defined frequency - - - - - - organization-defined personnel or 
roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - - - organization-defined conditions requiring rescreening and, where rescreening is - so indicated, the frequency of such rescreening - - - - - - organization-defined time period - - - - organization-defined information security topics - - - - organization-defined personnel or roles - - - - organization-defined time period - - - - - - organization-defined personnel or roles - - - - - - organization-defined transfer or reassignment actions - - - - organization-defined time period following the formal transfer action - - - - organization-defined personnel or roles - - - - organization-defined time period - - - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined time period - - - - - - organization-defined personnel or roles - - - - organization-defined time period - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - - - organization-defined document - - - - organization-defined frequency - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - - - organization-defined frequency and/or randomly in accordance with - organization-defined process - - - - organization-defined response times - - - - organization-defined personnel or roles - - - - - - - - organization-defined frequency - - - - - - organization-defined corrective actions - - - - - - organization-identified information system components - - - - organization-defined vulnerability scanning activities - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - - - organization-defined system development life cycle - - - - - - - - - - organization-defined 
design/implementation information - - - - organization-defined level of detail - - - - - - - - - - organization-defined actions - - - - organization-defined personnel or roles - - - - - - - - organization-defined security controls - - - - organization-defined processes, methods, and techniques - - - - - - organization-defined external information system services - - - - - - organization-defined configuration items under configuration management - - - - organization-defined personnel - - - - - - organization-defined depth and coverage - - - - - - organization-defined security safeguards - - - - - - organization-defined frequency - - - - organization-defined security requirements - - - - - - organization-defined training - - - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - - - - - - - organization-defined types of denial of service attacks or references to sources - for such information - - - - organization-defined security safeguards - - - - - - - - - - organization-defined frequency - - - - - - - - - - organization-defined internal communications traffic - - - - organization-defined external networks - - - - - - - - organization-defined information system components - - - - organization-defined missions and/or business functions - - - - - - - - organization-defined alternative physical safeguards - - - - - - organization-defined time period - - - - - - organization-defined requirements for key generation, distribution, storage, - access, and destruction - - - - - - - - organization-defined cryptographic uses and type of cryptography required for - each use - - - - - - organization-defined exceptions where remote activation is to be allowed - - - - - - organization-defined certificate policy - - - - - - - - - - - - - - - - - - organization-defined known-state - - - - organization-defined types of failures - - - - organization-defined system state information - - - - - - 
organization-defined information at rest - - - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined time period - - - - - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - organization-defined action - - - - - - - - - - organization-defined monitoring objectives - - - - organization-defined techniques and methods - - - - organization-defined information system monitoring information - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined compromise indicators - - - - - - organization-defined external organizations - - - - organization-defined personnel or roles - - - - organization-defined elements within the organization - - - - organization-defined external organizations - - - - - - - - organization-defined security functions - - - - organization-defined system transitional states - - - - organization-defined frequency - - - - organization-defined personnel or roles - - - - organization-defined alternative action(s) - - - - - - organization-defined software, firmware, and information - - - - - - organization-defined software, firmware, and information - - - - organization-defined transitional states or security-relevant events - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - - - organization-defined security safeguards - - - - - - organization-defined security-relevant changes to the information system - - - - - - - - - - - - - - organization-defined information inputs - - - - - - organization-defined personnel or roles - - - - - - - - organization-defined security safeguards - - - - 
diff --git a/working/SP800-53/rev4/LOW-baseline-profile-oscal.json b/working/SP800-53/rev4/LOW-baseline-profile-oscal.json deleted file mode 100644 index 5dd9db1a34..0000000000 --- a/working/SP800-53/rev4/LOW-baseline-profile-oscal.json +++ /dev/null 
@@ -1,383 +0,0 @@ -{ - "invocations": [ - { - "href": "file:/home/wendell/Documents/OSCAL/working/SP800-53/SP800-53-OSCAL-refined.json", - "include": { - "calls": [ - { - "controlId": "ac.1" - }, - { - "controlId": "ac.2" - }, - { - "controlId": "ac.3" - }, - { - "controlId": "ac.7" - }, - { - "controlId": "ac.8" - }, - { - "controlId": "ac.14" - }, - { - "controlId": "ac.17" - }, - { - "controlId": "ac.18" - }, - { - "controlId": "ac.19" - }, - { - "controlId": "ac.20" - }, - { - "controlId": "ac.22" - }, - { - "controlId": "at.1" - }, - { - "controlId": "at.2" - }, - { - "controlId": "at.3" - }, - { - "controlId": "at.4" - }, - { - "controlId": "au.1" - }, - { - "controlId": "au.2" - }, - { - "controlId": "au.3" - }, - { - "controlId": "au.4" - }, - { - "controlId": "au.5" - }, - { - "controlId": "au.6" - }, - { - "controlId": "au.8" - }, - { - "controlId": "au.9" - }, - { - "controlId": "au.11" - }, - { - "controlId": "au.12" - }, - { - "controlId": "ca.1" - }, - { - "controlId": "ca.2" - }, - { - "controlId": "ca.3" - }, - { - "controlId": "ca.5" - }, - { - "controlId": "ca.6" - }, - { - "controlId": "ca.7" - }, - { - "controlId": "ca.9" - }, - { - "controlId": "cm.1" - }, - { - "controlId": "cm.2" - }, - { - "controlId": "cm.4" - }, - { - "controlId": "cm.6" - }, - { - "controlId": "cm.7" - }, - { - "controlId": "cm.8" - }, - { - "controlId": "cm.10" - }, - { - "controlId": "cm.11" - }, - { - "controlId": "cp.1" - }, - { - "controlId": "cp.2" - }, - { - "controlId": "cp.3" - }, - { - "controlId": "cp.4" - }, - { - "controlId": "cp.9" - }, - { - "controlId": "cp.10" - }, - { - "controlId": "ia.1" - }, - { - "controlId": "ia.2" - }, - { - "subcontrolId": "ia.2.1." - }, - { - "subcontrolId": "ia.2.12." - }, - { - "controlId": "ia.4" - }, - { - "controlId": "ia.5" - }, - { - "subcontrolId": "ia.5.1." - }, - { - "subcontrolId": "ia.5.11." 
- }, - { - "controlId": "ia.6" - }, - { - "controlId": "ia.7" - }, - { - "controlId": "ia.8" - }, - { - "subcontrolId": "ia.8.1." - }, - { - "subcontrolId": "ia.8.2." - }, - { - "subcontrolId": "ia.8.3." - }, - { - "subcontrolId": "ia.8.4." - }, - { - "controlId": "ir.1" - }, - { - "controlId": "ir.2" - }, - { - "controlId": "ir.4" - }, - { - "controlId": "ir.5" - }, - { - "controlId": "ir.6" - }, - { - "controlId": "ir.7" - }, - { - "controlId": "ir.8" - }, - { - "controlId": "ma.1" - }, - { - "controlId": "ma.2" - }, - { - "controlId": "ma.4" - }, - { - "controlId": "ma.5" - }, - { - "controlId": "mp.1" - }, - { - "controlId": "mp.2" - }, - { - "controlId": "mp.6" - }, - { - "controlId": "mp.7" - }, - { - "controlId": "pe.1" - }, - { - "controlId": "pe.2" - }, - { - "controlId": "pe.3" - }, - { - "controlId": "pe.6" - }, - { - "controlId": "pe.8" - }, - { - "controlId": "pe.12" - }, - { - "controlId": "pe.13" - }, - { - "controlId": "pe.14" - }, - { - "controlId": "pe.15" - }, - { - "controlId": "pe.16" - }, - { - "controlId": "pl.1" - }, - { - "controlId": "pl.2" - }, - { - "controlId": "pl.4" - }, - { - "controlId": "ps.1" - }, - { - "controlId": "ps.2" - }, - { - "controlId": "ps.3" - }, - { - "controlId": "ps.4" - }, - { - "controlId": "ps.5" - }, - { - "controlId": "ps.6" - }, - { - "controlId": "ps.7" - }, - { - "controlId": "ps.8" - }, - { - "controlId": "ra.1" - }, - { - "controlId": "ra.2" - }, - { - "controlId": "ra.3" - }, - { - "controlId": "ra.5" - }, - { - "controlId": "sa.1" - }, - { - "controlId": "sa.2" - }, - { - "controlId": "sa.3" - }, - { - "controlId": "sa.4" - }, - { - "subcontrolId": "sa.4.10." 
- }, - { - "controlId": "sa.5" - }, - { - "controlId": "sa.9" - }, - { - "controlId": "sc.1" - }, - { - "controlId": "sc.5" - }, - { - "controlId": "sc.7" - }, - { - "controlId": "sc.12" - }, - { - "controlId": "sc.13" - }, - { - "controlId": "sc.15" - }, - { - "controlId": "sc.20" - }, - { - "controlId": "sc.21" - }, - { - "controlId": "sc.22" - }, - { - "controlId": "sc.39" - }, - { - "controlId": "si.1" - }, - { - "controlId": "si.2" - }, - { - "controlId": "si.3" - }, - { - "controlId": "si.4" - }, - { - "controlId": "si.5" - }, - { - "controlId": "si.12" - } - ] - } - } - ] -} \ No newline at end of file diff --git a/working/SP800-53/rev4/LOW-baseline-profile-oscal.xml b/working/SP800-53/rev4/LOW-baseline-profile-oscal.xml deleted file mode 100644 index d550725e26..0000000000 --- a/working/SP800-53/rev4/LOW-baseline-profile-oscal.xml +++ /dev/null 
@@ -1,1080 +0,0 @@ - - - - - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined information system account types - - - - organization-defined personnel or roles - - - - organization-defined procedures or conditions - - - - organization-defined frequency - - - - - - - - organization-defined number - - - - organization-defined time period - - - - organization-defined time period - - - - organization-defined delay algorithm - - - - - - organization-defined system use notification message or banner - - - - organization-defined conditions - - - - - - organization-defined user actions - - - - - - - - - - - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - - - organization-defined time period - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined auditable events - - - - organization-defined audited events (the subset of the auditable events defined - in AU-2 a.) 
along with the frequency of (or situation requiring) auditing for each - identified event - - - - - - - - organization-defined audit record storage requirements - - - - - - organization-defined personnel or roles - - - - organization-defined actions to be taken (e.g., shut down information system, - overwrite oldest audit records, stop generating audit records) - - - - - - organization-defined frequency - - - - organization-defined inappropriate or unusual activity - - - - organization-defined personnel or roles - - - - - - organization-defined granularity of time measurement - - - - - - - - organization-defined time period consistent with records retention policy - - - - - - organization-defined information system components - - - - organization-defined personnel or roles - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - organization-defined individuals or roles - - - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - - - organization-defined metrics - - - - organization-defined frequencies - - - - organization-defined frequencies - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - - - organization-defined information system components or classes of - components - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - - - - - organization-defined security configuration checklists - - - - organization-defined information system components - - - - organization-defined operational requirements - - - - - - organization-defined prohibited or restricted functions, ports, protocols, and/or - services - - - - - - organization-defined information deemed necessary to achieve effective - information system component accountability - - - - 
organization-defined frequency - - - - - - - - organization-defined policies - - - - organization-defined methods - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined key contingency personnel (identified by name and/or by - role) and organizational elements - - - - organization-defined frequency - - - - organization-defined key contingency personnel (identified by name and/or by - role) and organizational elements - - - - - - organization-defined time period - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - organization-defined tests - - - - - - organization-defined frequency consistent with recovery time and recovery point - objectives - - - - organization-defined frequency consistent with recovery time and recovery point - objectives - - - - organization-defined frequency consistent with recovery time and recovery point - objectives - - - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - - - - - - - organization-defined personnel or roles - - - - organization-defined time period - - - - organization-defined time period of inactivity - - - - - - organization-defined time period by authenticator type - - - - - - organization-defined requirements for case sensitivity, number of characters, mix - of upper-case letters, lower-case letters, numbers, and special characters, including - minimum requirements for each type - - - - organization-defined number - - - - organization-defined numbers for lifetime minimum, lifetime maximum - - - - organization-defined number - - - - - - organization-defined token quality requirements - - - - - - - - - - - - - - - - organization-defined information systems - - - - - - - - organization-defined personnel or 
roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined time period - - - - organization-defined frequency - - - - - - - - - - organization-defined time period - - - - organization-defined authorities - - - - - - - - organization-defined personnel or roles - - - - organization-defined incident response personnel (identified by name and/or by - role) and organizational elements - - - - organization-defined frequency - - - - organization-defined incident response personnel (identified by name and/or by - role) and organizational elements - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined maintenance-related information - - - - - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined types of digital and/or non-digital media - - - - organization-defined personnel or roles - - - - - - organization-defined information system media - - - - organization-defined sanitization techniques and procedures - - - - - - organization-defined types of information system media - - - - organization-defined information systems or system components - - - - organization-defined security safeguards - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - - - organization-defined entry/exit points to the facility where the information - system resides - - - - organization-defined physical access control systems/devices - - - - organization-defined entry/exit points - - - - organization-defined security safeguards - - - - organization-defined circumstances requiring visitor escorts and - monitoring - - - - organization-defined physical access 
devices - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - organization-defined events or potential indications of events - - - - - - organization-defined time period - - - - organization-defined frequency - - - - - - - - - - organization-defined acceptable levels - - - - organization-defined frequency - - - - - - - - organization-defined types of information system components - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - - - organization-defined conditions requiring rescreening and, where rescreening is - so indicated, the frequency of such rescreening - - - - - - organization-defined time period - - - - organization-defined information security topics - - - - organization-defined personnel or roles - - - - organization-defined time period - - - - - - organization-defined transfer or reassignment actions - - - - organization-defined time period following the formal transfer action - - - - organization-defined personnel or roles - - - - organization-defined time period - - - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined time period - - - - - - organization-defined personnel or roles - - - - organization-defined time period - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - - - organization-defined document - - - - organization-defined frequency - - - - organization-defined personnel or roles - - - - 
organization-defined frequency - - - - - - organization-defined frequency and/or randomly in accordance with - organization-defined process - - - - organization-defined response times - - - - organization-defined personnel or roles - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - - - organization-defined system development life cycle - - - - - - - - - - organization-defined actions - - - - organization-defined personnel or roles - - - - - - organization-defined security controls - - - - organization-defined processes, methods, and techniques - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined types of denial of service attacks or references to sources - for such information - - - - organization-defined security safeguards - - - - - - - - organization-defined requirements for key generation, distribution, storage, - access, and destruction - - - - - - organization-defined cryptographic uses and type of cryptography required for - each use - - - - - - organization-defined exceptions where remote activation is to be allowed - - - - - - - - - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined time period - - - - - - organization-defined frequency - - - - organization-defined action - - - - - - organization-defined monitoring objectives - - - - organization-defined techniques and methods - - - - organization-defined information system monitoring information - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - - - organization-defined external organizations - - - - organization-defined personnel or roles - - - - organization-defined elements within the organization - - - - organization-defined external organizations - - - 
-
-
-
diff --git a/working/SP800-53/rev4/MODERATE-baseline-profile-oscal.json b/working/SP800-53/rev4/MODERATE-baseline-profile-oscal.json
deleted file mode 100644
index e1adbb0522..0000000000
--- a/working/SP800-53/rev4/MODERATE-baseline-profile-oscal.json
+++ /dev/null
@@ -1,794 +0,0 @@ -{ - "invocations": [ - { - "href": "file:/home/wendell/Documents/OSCAL/working/SP800-53/SP800-53-OSCAL-refined.json", - "include": { - "calls": [ - { - "controlId": "ac.1" - }, - { - "controlId": "ac.2" - }, - { - "subcontrolId": "ac.2.1." - }, - { - "subcontrolId": "ac.2.2." - }, - { - "subcontrolId": "ac.2.3." - }, - { - "subcontrolId": "ac.2.4." - }, - { - "controlId": "ac.3" - }, - { - "controlId": "ac.4" - }, - { - "controlId": "ac.5" - }, - { - "controlId": "ac.6" - }, - { - "subcontrolId": "ac.6.1." - }, - { - "subcontrolId": "ac.6.2." - }, - { - "subcontrolId": "ac.6.5." - }, - { - "subcontrolId": "ac.6.9." - }, - { - "subcontrolId": "ac.6.10." - }, - { - "controlId": "ac.7" - }, - { - "controlId": "ac.8" - }, - { - "controlId": "ac.11" - }, - { - "subcontrolId": "ac.11.1." - }, - { - "controlId": "ac.12" - }, - { - "controlId": "ac.14" - }, - { - "controlId": "ac.17" - }, - { - "subcontrolId": "ac.17.1." - }, - { - "subcontrolId": "ac.17.2." - }, - { - "subcontrolId": "ac.17.3." - }, - { - "subcontrolId": "ac.17.4." - }, - { - "controlId": "ac.18" - }, - { - "subcontrolId": "ac.18.1." - }, - { - "controlId": "ac.19" - }, - { - "subcontrolId": "ac.19.5." - }, - { - "controlId": "ac.20" - }, - { - "subcontrolId": "ac.20.1." - }, - { - "subcontrolId": "ac.20.2." - }, - { - "controlId": "ac.21" - }, - { - "controlId": "ac.22" - }, - { - "controlId": "at.1" - }, - { - "controlId": "at.2" - }, - { - "subcontrolId": "at.2.2." - }, - { - "controlId": "at.3" - }, - { - "controlId": "at.4" - }, - { - "controlId": "au.1" - }, - { - "controlId": "au.2" - }, - { - "subcontrolId": "au.2.3." - }, - { - "controlId": "au.3" - }, - { - "subcontrolId": "au.3.1." - }, - { - "controlId": "au.4" - }, - { - "controlId": "au.5" - }, - { - "controlId": "au.6" - }, - { - "subcontrolId": "au.6.1." - }, - { - "subcontrolId": "au.6.3." - }, - { - "controlId": "au.7" - }, - { - "subcontrolId": "au.7.1." 
- }, - { - "controlId": "au.8" - }, - { - "subcontrolId": "au.8.1." - }, - { - "controlId": "au.9" - }, - { - "subcontrolId": "au.9.4." - }, - { - "controlId": "au.11" - }, - { - "controlId": "au.12" - }, - { - "controlId": "ca.1" - }, - { - "controlId": "ca.2" - }, - { - "subcontrolId": "ca.2.1." - }, - { - "controlId": "ca.3" - }, - { - "subcontrolId": "ca.3.5." - }, - { - "controlId": "ca.5" - }, - { - "controlId": "ca.6" - }, - { - "controlId": "ca.7" - }, - { - "subcontrolId": "ca.7.1." - }, - { - "controlId": "ca.9" - }, - { - "controlId": "cm.1" - }, - { - "controlId": "cm.2" - }, - { - "subcontrolId": "cm.2.1." - }, - { - "subcontrolId": "cm.2.3." - }, - { - "subcontrolId": "cm.2.7." - }, - { - "controlId": "cm.3" - }, - { - "subcontrolId": "cm.3.2." - }, - { - "controlId": "cm.4" - }, - { - "controlId": "cm.5" - }, - { - "controlId": "cm.6" - }, - { - "controlId": "cm.7" - }, - { - "subcontrolId": "cm.7.1." - }, - { - "subcontrolId": "cm.7.2." - }, - { - "subcontrolId": "cm.7.4." - }, - { - "controlId": "cm.8" - }, - { - "subcontrolId": "cm.8.1." - }, - { - "subcontrolId": "cm.8.3." - }, - { - "subcontrolId": "cm.8.5." - }, - { - "controlId": "cm.9" - }, - { - "controlId": "cm.10" - }, - { - "controlId": "cm.11" - }, - { - "controlId": "cp.1" - }, - { - "controlId": "cp.2" - }, - { - "subcontrolId": "cp.2.1." - }, - { - "subcontrolId": "cp.2.3." - }, - { - "subcontrolId": "cp.2.8." - }, - { - "controlId": "cp.3" - }, - { - "controlId": "cp.4" - }, - { - "subcontrolId": "cp.4.1." - }, - { - "controlId": "cp.6" - }, - { - "subcontrolId": "cp.6.1." - }, - { - "subcontrolId": "cp.6.3." - }, - { - "controlId": "cp.7" - }, - { - "subcontrolId": "cp.7.1." - }, - { - "subcontrolId": "cp.7.2." - }, - { - "subcontrolId": "cp.7.3." - }, - { - "controlId": "cp.8" - }, - { - "subcontrolId": "cp.8.1." - }, - { - "subcontrolId": "cp.8.2." - }, - { - "controlId": "cp.9" - }, - { - "subcontrolId": "cp.9.1." 
- }, - { - "controlId": "cp.10" - }, - { - "subcontrolId": "cp.10.2." - }, - { - "controlId": "ia.1" - }, - { - "controlId": "ia.2" - }, - { - "subcontrolId": "ia.2.1." - }, - { - "subcontrolId": "ia.2.2." - }, - { - "subcontrolId": "ia.2.3." - }, - { - "subcontrolId": "ia.2.8." - }, - { - "subcontrolId": "ia.2.11." - }, - { - "subcontrolId": "ia.2.12." - }, - { - "controlId": "ia.3" - }, - { - "controlId": "ia.4" - }, - { - "controlId": "ia.5" - }, - { - "subcontrolId": "ia.5.1." - }, - { - "subcontrolId": "ia.5.2." - }, - { - "subcontrolId": "ia.5.3." - }, - { - "subcontrolId": "ia.5.11." - }, - { - "controlId": "ia.6" - }, - { - "controlId": "ia.7" - }, - { - "controlId": "ia.8" - }, - { - "subcontrolId": "ia.8.1." - }, - { - "subcontrolId": "ia.8.2." - }, - { - "subcontrolId": "ia.8.3." - }, - { - "subcontrolId": "ia.8.4." - }, - { - "controlId": "ir.1" - }, - { - "controlId": "ir.2" - }, - { - "controlId": "ir.3" - }, - { - "subcontrolId": "ir.3.2." - }, - { - "controlId": "ir.4" - }, - { - "subcontrolId": "ir.4.1." - }, - { - "controlId": "ir.5" - }, - { - "controlId": "ir.6" - }, - { - "subcontrolId": "ir.6.1." - }, - { - "controlId": "ir.7" - }, - { - "subcontrolId": "ir.7.1." - }, - { - "controlId": "ir.8" - }, - { - "controlId": "ma.1" - }, - { - "controlId": "ma.2" - }, - { - "controlId": "ma.3" - }, - { - "subcontrolId": "ma.3.1." - }, - { - "subcontrolId": "ma.3.2." - }, - { - "controlId": "ma.4" - }, - { - "subcontrolId": "ma.4.2." - }, - { - "controlId": "ma.5" - }, - { - "controlId": "ma.6" - }, - { - "controlId": "mp.1" - }, - { - "controlId": "mp.2" - }, - { - "controlId": "mp.3" - }, - { - "controlId": "mp.4" - }, - { - "controlId": "mp.5" - }, - { - "subcontrolId": "mp.5.4." - }, - { - "controlId": "mp.6" - }, - { - "controlId": "mp.7" - }, - { - "subcontrolId": "mp.7.1." 
- }, - { - "controlId": "pe.1" - }, - { - "controlId": "pe.2" - }, - { - "controlId": "pe.3" - }, - { - "controlId": "pe.4" - }, - { - "controlId": "pe.5" - }, - { - "controlId": "pe.6" - }, - { - "subcontrolId": "pe.6.1." - }, - { - "controlId": "pe.8" - }, - { - "controlId": "pe.9" - }, - { - "controlId": "pe.10" - }, - { - "controlId": "pe.11" - }, - { - "controlId": "pe.12" - }, - { - "controlId": "pe.13" - }, - { - "subcontrolId": "pe.13.3." - }, - { - "controlId": "pe.14" - }, - { - "controlId": "pe.15" - }, - { - "controlId": "pe.16" - }, - { - "controlId": "pe.17" - }, - { - "controlId": "pl.1" - }, - { - "controlId": "pl.2" - }, - { - "subcontrolId": "pl.2.3." - }, - { - "controlId": "pl.4" - }, - { - "subcontrolId": "pl.4.1." - }, - { - "controlId": "pl.8" - }, - { - "controlId": "ps.1" - }, - { - "controlId": "ps.2" - }, - { - "controlId": "ps.3" - }, - { - "controlId": "ps.4" - }, - { - "controlId": "ps.5" - }, - { - "controlId": "ps.6" - }, - { - "controlId": "ps.7" - }, - { - "controlId": "ps.8" - }, - { - "controlId": "ra.1" - }, - { - "controlId": "ra.2" - }, - { - "controlId": "ra.3" - }, - { - "controlId": "ra.5" - }, - { - "subcontrolId": "ra.5.1." - }, - { - "subcontrolId": "ra.5.2." - }, - { - "subcontrolId": "ra.5.5." - }, - { - "controlId": "sa.1" - }, - { - "controlId": "sa.2" - }, - { - "controlId": "sa.3" - }, - { - "controlId": "sa.4" - }, - { - "subcontrolId": "sa.4.1." - }, - { - "subcontrolId": "sa.4.2." - }, - { - "subcontrolId": "sa.4.9." - }, - { - "subcontrolId": "sa.4.10." - }, - { - "controlId": "sa.5" - }, - { - "controlId": "sa.8" - }, - { - "controlId": "sa.9" - }, - { - "subcontrolId": "sa.9.2." - }, - { - "controlId": "sa.10" - }, - { - "controlId": "sa.11" - }, - { - "controlId": "sc.1" - }, - { - "controlId": "sc.2" - }, - { - "controlId": "sc.4" - }, - { - "controlId": "sc.5" - }, - { - "controlId": "sc.7" - }, - { - "subcontrolId": "sc.7.3." - }, - { - "subcontrolId": "sc.7.4." - }, - { - "subcontrolId": "sc.7.5." 
- }, - { - "subcontrolId": "sc.7.7." - }, - { - "controlId": "sc.8" - }, - { - "subcontrolId": "sc.8.1." - }, - { - "controlId": "sc.10" - }, - { - "controlId": "sc.12" - }, - { - "controlId": "sc.13" - }, - { - "controlId": "sc.15" - }, - { - "controlId": "sc.17" - }, - { - "controlId": "sc.18" - }, - { - "controlId": "sc.19" - }, - { - "controlId": "sc.20" - }, - { - "controlId": "sc.21" - }, - { - "controlId": "sc.22" - }, - { - "controlId": "sc.23" - }, - { - "controlId": "sc.28" - }, - { - "controlId": "sc.39" - }, - { - "controlId": "si.1" - }, - { - "controlId": "si.2" - }, - { - "subcontrolId": "si.2.2." - }, - { - "controlId": "si.3" - }, - { - "subcontrolId": "si.3.1." - }, - { - "subcontrolId": "si.3.2." - }, - { - "controlId": "si.4" - }, - { - "subcontrolId": "si.4.2." - }, - { - "subcontrolId": "si.4.4." - }, - { - "subcontrolId": "si.4.5." - }, - { - "controlId": "si.5" - }, - { - "controlId": "si.7" - }, - { - "subcontrolId": "si.7.1." - }, - { - "subcontrolId": "si.7.7." - }, - { - "controlId": "si.8" - }, - { - "subcontrolId": "si.8.1." - }, - { - "subcontrolId": "si.8.2." - }, - { - "controlId": "si.10" - }, - { - "controlId": "si.11" - }, - { - "controlId": "si.12" - }, - { - "controlId": "si.16" - } - ] - } - } - ] -} \ No newline at end of file diff --git a/working/SP800-53/rev4/MODERATE-baseline-profile-oscal.xml b/working/SP800-53/rev4/MODERATE-baseline-profile-oscal.xml deleted file mode 100644 index bfbb562aa7..0000000000 --- a/working/SP800-53/rev4/MODERATE-baseline-profile-oscal.xml +++ /dev/null 
@@ -1,1744 +0,0 @@ - - - - - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined information system account types - - - - organization-defined personnel or roles - - - - organization-defined procedures or conditions - - - - organization-defined frequency - - - - - - - - organization-defined time period for each type of account - - - - - - organization-defined time period - - - - - - organization-defined personnel or roles - - - - - - - - organization-defined information flow control policies - - - - - - organization-defined duties of individuals - - - - - - - - organization-defined security functions (deployed in hardware, software, and - firmware) and security-relevant information - - - - - - organization-defined security functions or security-relevant information - - - - - - organization-defined personnel or roles - - - - - - - - - - organization-defined number - - - - organization-defined time period - - - - organization-defined time period - - - - organization-defined delay algorithm - - - - - - organization-defined system use notification message or banner - - - - organization-defined conditions - - - - - - organization-defined time period - - - - - - - - organization-defined conditions or trigger events requiring session - disconnect - - - - - - organization-defined user actions - - - - - - - - - - - - organization-defined number - - - - - - organization-defined needs - - - - - - - - - - - - organization-defined mobile devices - - - - - - - - - - - - organization-defined information sharing circumstances where user discretion is - required - - - - organization-defined automated mechanisms or manual processes - - - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - - - - - 
organization-defined frequency - - - - - - organization-defined time period - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined auditable events - - - - organization-defined audited events (the subset of the auditable events defined - in AU-2 a.) along with the frequency of (or situation requiring) auditing for each - identified event - - - - - - organization-defined frequency - - - - - - - - organization-defined additional, more detailed information - - - - - - organization-defined audit record storage requirements - - - - - - organization-defined personnel or roles - - - - organization-defined actions to be taken (e.g., shut down information system, - overwrite oldest audit records, stop generating audit records) - - - - - - organization-defined frequency - - - - organization-defined inappropriate or unusual activity - - - - organization-defined personnel or roles - - - - - - - - - - - - organization-defined audit fields within audit records - - - - - - organization-defined granularity of time measurement - - - - - - organization-defined frequency - - - - organization-defined authoritative time source - - - - organization-defined time period - - - - - - - - organization-defined subset of privileged users - - - - - - organization-defined time period consistent with records retention policy - - - - - - organization-defined information system components - - - - organization-defined personnel or roles - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - organization-defined individuals or roles - - - - - - organization-defined level of independence - - - - - - organization-defined frequency - - - - - - organization-defined information systems - - - - - - organization-defined frequency - - - - - - organization-defined frequency - - - 
- - - organization-defined metrics - - - - organization-defined frequencies - - - - organization-defined frequencies - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - - - organization-defined level of independence - - - - - - organization-defined information system components or classes of - components - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - - - organization-defined frequency - - - - Assignment organization-defined circumstances - - - - - - organization-defined previous versions of baseline configurations of the - information system - - - - - - organization-defined information systems, system components, or devices - - - - organization-defined configurations - - - - organization-defined security safeguards - - - - - - organization-defined time period - - - - organization-defined configuration change control element (e.g., committee, - board) - - - - organization-defined frequency - - - - organization-defined configuration change conditions - - - - - - - - - - - - organization-defined security configuration checklists - - - - organization-defined information system components - - - - organization-defined operational requirements - - - - - - organization-defined prohibited or restricted functions, ports, protocols, and/or - services - - - - - - organization-defined frequency - - - - organization-defined functions, ports, protocols, and services within the - information system deemed to be unnecessary and/or nonsecure - - - - - - organization-defined policies regarding software program usage and - restrictions - - - - - - organization-defined software programs not authorized to execute on the - information system - - - - organization-defined frequency - - - - - - organization-defined information deemed necessary to achieve effective - information system component accountability - - - - organization-defined frequency - - - - 
- - - - organization-defined frequency - - - - organization-defined personnel or roles - - - - - - - - - - - - organization-defined policies - - - - organization-defined methods - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined key contingency personnel (identified by name and/or by - role) and organizational elements - - - - organization-defined frequency - - - - organization-defined key contingency personnel (identified by name and/or by - role) and organizational elements - - - - - - - - organization-defined time period - - - - - - - - organization-defined time period - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - organization-defined tests - - - - - - - - - - - - - - organization-defined information system operations - - - - organization-defined time period consistent with recovery time and recovery point - objectives - - - - - - - - - - - - organization-defined information system operations - - - - organization-defined time period - - - - - - - - - - organization-defined frequency consistent with recovery time and recovery point - objectives - - - - organization-defined frequency consistent with recovery time and recovery point - objectives - - - - organization-defined frequency consistent with recovery time and recovery point - objectives - - - - - - organization-defined frequency - - - - - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - - - - - - - - - - - organization-defined strength of mechanism requirements - - - - - - - - organization-defined specific and/or types of devices - - - - - - organization-defined personnel or roles - - - - organization-defined time period - - - - organization-defined time period of inactivity - - 
- - - - organization-defined time period by authenticator type - - - - - - organization-defined requirements for case sensitivity, number of characters, mix - of upper-case letters, lower-case letters, numbers, and special characters, including - minimum requirements for each type - - - - organization-defined number - - - - organization-defined numbers for lifetime minimum, lifetime maximum - - - - organization-defined number - - - - - - - - organization-defined types of and/or specific authenticators - - - - organization-defined registration authority - - - - organization-defined personnel or roles - - - - - - organization-defined token quality requirements - - - - - - - - - - - - - - - - organization-defined information systems - - - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined time period - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - organization-defined tests - - - - - - - - - - - - - - organization-defined time period - - - - organization-defined authorities - - - - - - - - - - - - organization-defined personnel or roles - - - - organization-defined incident response personnel (identified by name and/or by - role) and organizational elements - - - - organization-defined frequency - - - - organization-defined incident response personnel (identified by name and/or by - role) and organizational elements - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined maintenance-related information - - - - - - - - - - - - - - - - - - organization-defined information system components - - - - organization-defined time period - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - 
organization-defined types of digital and/or non-digital media - - - - organization-defined personnel or roles - - - - - - organization-defined types of information system media - - - - organization-defined controlled areas - - - - - - organization-defined types of digital and/or non-digital media - - - - organization-defined controlled areas - - - - - - organization-defined types of information system media - - - - organization-defined security safeguards - - - - - - - - organization-defined information system media - - - - organization-defined sanitization techniques and procedures - - - - - - organization-defined types of information system media - - - - organization-defined information systems or system components - - - - organization-defined security safeguards - - - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - - - organization-defined entry/exit points to the facility where the information - system resides - - - - organization-defined physical access control systems/devices - - - - organization-defined entry/exit points - - - - organization-defined security safeguards - - - - organization-defined circumstances requiring visitor escorts and - monitoring - - - - organization-defined physical access devices - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined information system distribution and transmission - lines - - - - organization-defined security safeguards - - - - - - - - organization-defined frequency - - - - organization-defined events or potential indications of events - - - - - - - - organization-defined time period - - - - organization-defined frequency - - - - - - - - organization-defined location by information system or system component - - - - - - - - - - - - - - organization-defined acceptable levels - - - - organization-defined frequency - - - - - - - - 
organization-defined types of information system components - - - - - - organization-defined security controls - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - - - organization-defined individuals or groups - - - - - - organization-defined frequency - - - - - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - - - organization-defined conditions requiring rescreening and, where rescreening is - so indicated, the frequency of such rescreening - - - - - - organization-defined time period - - - - organization-defined information security topics - - - - organization-defined personnel or roles - - - - organization-defined time period - - - - - - organization-defined transfer or reassignment actions - - - - organization-defined time period following the formal transfer action - - - - organization-defined personnel or roles - - - - organization-defined time period - - - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined time period - - - - - - organization-defined personnel or roles - - - - organization-defined time period - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - - - organization-defined document - - - - organization-defined frequency - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - - - organization-defined frequency and/or randomly in accordance with - organization-defined process - - - - organization-defined response times - - - - organization-defined personnel or roles - - - - - - 
- - organization-defined frequency - - - - - - organization-identified information system components - - - - organization-defined vulnerability scanning activities - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - - - organization-defined system development life cycle - - - - - - - - - - organization-defined design/implementation information - - - - organization-defined level of detail - - - - - - - - - - organization-defined actions - - - - organization-defined personnel or roles - - - - - - - - organization-defined security controls - - - - organization-defined processes, methods, and techniques - - - - - - organization-defined external information system services - - - - - - organization-defined configuration items under configuration management - - - - organization-defined personnel - - - - - - organization-defined depth and coverage - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - - - - - organization-defined types of denial of service attacks or references to sources - for such information - - - - organization-defined security safeguards - - - - - - - - - - organization-defined frequency - - - - - - - - - - - - organization-defined alternative physical safeguards - - - - - - organization-defined time period - - - - - - organization-defined requirements for key generation, distribution, storage, - access, and destruction - - - - - - organization-defined cryptographic uses and type of cryptography required for - each use - - - - - - organization-defined exceptions where remote activation is to be allowed - - - - - - organization-defined certificate policy - - - - - - - - - - - - - - - - - - organization-defined information at rest - - - - - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - organization-defined frequency - - - - - - 
organization-defined time period - - - - - - organization-defined frequency - - - - - - organization-defined frequency - - - - organization-defined action - - - - - - - - - - organization-defined monitoring objectives - - - - organization-defined techniques and methods - - - - organization-defined information system monitoring information - - - - organization-defined personnel or roles - - - - organization-defined frequency - - - - - - - - organization-defined frequency - - - - - - organization-defined personnel or roles - - - - organization-defined compromise indicators - - - - - - organization-defined external organizations - - - - organization-defined personnel or roles - - - - organization-defined elements within the organization - - - - organization-defined external organizations - - - - - - organization-defined software, firmware, and information - - - - - - organization-defined software, firmware, and information - - - - organization-defined transitional states or security-relevant events - - - - organization-defined frequency - - - - - - organization-defined security-relevant changes to the information system - - - - - - - - - - - - organization-defined information inputs - - - - - - organization-defined personnel or roles - - - - - - - - organization-defined security safeguards - - - - diff --git a/working/SP800-53/rev4/SP800-53-HIGH-baseline.xml b/working/SP800-53/rev4/SP800-53-HIGH-baseline.xml new file mode 100644 index 0000000000..7605700d16 --- /dev/null +++ b/working/SP800-53/rev4/SP800-53-HIGH-baseline.xml 
@@ -0,0 +1,1833 @@ + + + + SP800-53 HIGH BASELINE IMPACT + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined information system account types + organization-defined information system account types + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined procedures or conditions + organization-defined procedures or conditions + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period for each type of account + organization-defined time period for each type of account + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time-period of expected inactivity or description of when to log out + organization-defined time-period of expected inactivity or description of when to log out + + + organization-defined circumstances and/or usage conditions + organization-defined circumstances and/or usage conditions + + + organization-defined information system 
accounts + organization-defined information system accounts + + + organization-defined atypical usage + organization-defined atypical usage + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined information flow control policies + organization-defined information flow control policies + + + organization-defined duties of individuals + organization-defined duties of individuals + + + organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information + organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information + + + organization-defined security functions or security-relevant information + organization-defined security functions or security-relevant information + + + organization-defined privileged commands + organization-defined privileged commands + + + organization-defined compelling operational needs + organization-defined compelling operational needs + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined number + organization-defined number + + + organization-defined time period + organization-defined time period + + + organization-defined time period + organization-defined time period + + + organization-defined delay algorithm + organization-defined delay algorithm + + + organization-defined system use notification message or banner + organization-defined system use notification message or banner + + + organization-defined conditions + organization-defined conditions + + + organization-defined account and/or account type + organization-defined account and/or account type + + + organization-defined number + organization-defined number + + + organization-defined time period + organization-defined time period + + + organization-defined conditions or trigger 
events requiring session disconnect + organization-defined conditions or trigger events requiring session disconnect + + + organization-defined user actions + organization-defined user actions + + + organization-defined number + organization-defined number + + + organization-defined needs + organization-defined needs + + + organization-defined mobile devices + organization-defined mobile devices + + + organization-defined information sharing circumstances where user discretion is required + organization-defined information sharing circumstances where user discretion is required + + + organization-defined automated mechanisms or manual processes + organization-defined automated mechanisms or manual processes + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined auditable events + organization-defined auditable events + + + organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event + organization-defined audited events (the subset of the auditable events defined in AU-2 a.) 
along with the frequency of (or situation requiring) auditing for each identified event + + + organization-defined frequency + organization-defined frequency + + + organization-defined additional, more detailed information + organization-defined additional, more detailed information + + + organization-defined information system components + organization-defined information system components + + + organization-defined audit record storage requirements + organization-defined audit record storage requirements + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) + organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) + + + organization-defined personnel, roles, and/or locations + organization-defined personnel, roles, and/or locations + + + organization-defined time period + organization-defined time period + + + organization-defined percentage + organization-defined percentage + + + organization-defined real-time period + organization-defined real-time period + + + organization-defined personnel, roles, and/or locations + organization-defined personnel, roles, and/or locations + + + organization-defined audit failure events requiring real-time alerts + organization-defined audit failure events requiring real-time alerts + + + organization-defined frequency + organization-defined frequency + + + organization-defined inappropriate or unusual activity + organization-defined inappropriate or unusual activity + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined data/information collected from other sources + organization-defined data/information collected from other sources + + + organization-defined audit fields within audit records + 
organization-defined audit fields within audit records + + + organization-defined granularity of time measurement + organization-defined granularity of time measurement + + + organization-defined frequency + organization-defined frequency + + + organization-defined authoritative time source + organization-defined authoritative time source + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined subset of privileged users + organization-defined subset of privileged users + + + organization-defined actions to be covered by non-repudiation + organization-defined actions to be covered by non-repudiation + + + organization-defined time period consistent with records retention policy + organization-defined time period consistent with records retention policy + + + organization-defined information system components + organization-defined information system components + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined information system components + organization-defined information system components + + + organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail + organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail + + + organization-defined individuals or roles + organization-defined individuals or roles + + + organization-defined information system components + organization-defined information system components + + + organization-defined selectable event criteria + organization-defined selectable event criteria + + + organization-defined time thresholds + organization-defined time thresholds + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + 
organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined individuals or roles + organization-defined individuals or roles + + + organization-defined level of independence + organization-defined level of independence + + + organization-defined frequency + organization-defined frequency + + + organization-defined other forms of security assessment + organization-defined other forms of security assessment + + + organization-defined frequency + organization-defined frequency + + + organization-defined information systems + organization-defined information systems + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined metrics + organization-defined metrics + + + organization-defined frequencies + organization-defined frequencies + + + organization-defined frequencies + organization-defined frequencies + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined level of independence + organization-defined level of independence + + + organization-defined frequency + organization-defined frequency + + + organization-defined information systems or system components + organization-defined information systems or system components + + + organization-defined information system components or classes of components + organization-defined information system components or classes of components + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + Assignment organization-defined circumstances + 
Assignment organization-defined circumstances + + + organization-defined previous versions of baseline configurations of the information system + organization-defined previous versions of baseline configurations of the information system + + + organization-defined information systems, system components, or devices + organization-defined information systems, system components, or devices + + + organization-defined configurations + organization-defined configurations + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined time period + organization-defined time period + + + organization-defined configuration change control element (e.g., committee, board) + organization-defined configuration change control element (e.g., committee, board) + + + organization-defined frequency + organization-defined frequency + + + organization-defined configuration change conditions + organization-defined configuration change conditions + + + organized-defined approval authorities + organized-defined approval authorities + + + organization-defined time period + organization-defined time period + + + organization-defined personnel + organization-defined personnel + + + organization-defined frequency + organization-defined frequency + + + organization-defined circumstances + organization-defined circumstances + + + organization-defined software and firmware components + organization-defined software and firmware components + + + organization-defined security configuration checklists + organization-defined security configuration checklists + + + organization-defined information system components + organization-defined information system components + + + organization-defined operational requirements + organization-defined operational requirements + + + organization-defined information system components + organization-defined information system components + + + organization-defined security safeguards + organization-defined 
security safeguards + + + organization-defined configuration settings + organization-defined configuration settings + + + organization-defined prohibited or restricted functions, ports, protocols, and/or services + organization-defined prohibited or restricted functions, ports, protocols, and/or services + + + organization-defined frequency + organization-defined frequency + + + organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure + organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure + + + organization-defined policies regarding software program usage and restrictions + organization-defined policies regarding software program usage and restrictions + + + organization-defined software programs authorized to execute on the information system + organization-defined software programs authorized to execute on the information system + + + organization-defined frequency + organization-defined frequency + + + organization-defined information deemed necessary to achieve effective information system component accountability + organization-defined information deemed necessary to achieve effective information system component accountability + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined policies + organization-defined policies + + + organization-defined methods + organization-defined methods + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined 
personnel or roles + organization-defined personnel or roles + + + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + + + organization-defined frequency + organization-defined frequency + + + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + + + organization-defined time period + organization-defined time period + + + organization-defined time period + organization-defined time period + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined tests + organization-defined tests + + + organization-defined information system operations + organization-defined information system operations + + + organization-defined time period consistent with recovery time and recovery point objectives + organization-defined time period consistent with recovery time and recovery point objectives + + + organization-defined information system operations + organization-defined information system operations + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency 
consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency + organization-defined frequency + + + organization-defined critical information system software and other security-related information + organization-defined critical information system software and other security-related information + + + organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives + organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives + + + organization-defined restoration time-periods + organization-defined restoration time-periods + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined strength of mechanism requirements + organization-defined strength of mechanism requirements + + + organization-defined specific and/or types of devices + organization-defined specific and/or types of devices + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined time period of inactivity + organization-defined time period of inactivity + + + organization-defined time period by authenticator type + organization-defined time period by authenticator type + + + organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type + organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum 
requirements for each type + + + organization-defined number + organization-defined number + + + organization-defined numbers for lifetime minimum, lifetime maximum + organization-defined numbers for lifetime minimum, lifetime maximum + + + organization-defined number + organization-defined number + + + organization-defined types of and/or specific authenticators + organization-defined types of and/or specific authenticators + + + organization-defined registration authority + organization-defined registration authority + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined token quality requirements + organization-defined token quality requirements + + + organization-defined information systems + organization-defined information systems + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined tests + organization-defined tests + + + organization-defined time period + organization-defined time period + + + organization-defined authorities + organization-defined authorities + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + + + organization-defined frequency + organization-defined frequency + + + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined 
incident response personnel (identified by name and/or by role) and organizational elements + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined maintenance-related information + organization-defined maintenance-related information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined information system components + organization-defined information system components + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined types of digital and/or non-digital media + organization-defined types of digital and/or non-digital media + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined controlled areas + organization-defined controlled areas + + + organization-defined types of digital and/or non-digital media + organization-defined types of digital and/or non-digital media + + + organization-defined controlled areas + organization-defined controlled areas + + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined information system media + organization-defined information system media + + + organization-defined 
sanitization techniques and procedures + organization-defined sanitization techniques and procedures + + + organization-defined frequency + organization-defined frequency + + + organization-defined circumstances requiring sanitization of portable storage devices + organization-defined circumstances requiring sanitization of portable storage devices + + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined information systems or system components + organization-defined information systems or system components + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined entry/exit points to the facility where the information system resides + organization-defined entry/exit points to the facility where the information system resides + + + organization-defined physical access control systems/devices + organization-defined physical access control systems/devices + + + organization-defined entry/exit points + organization-defined entry/exit points + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined circumstances requiring visitor escorts and monitoring + organization-defined circumstances requiring visitor escorts and monitoring + + + organization-defined physical access devices + organization-defined physical access devices + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined physical spaces containing one or more components of the information system + 
organization-defined physical spaces containing one or more components of the information system + + + organization-defined information system distribution and transmission lines + organization-defined information system distribution and transmission lines + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined frequency + organization-defined frequency + + + organization-defined events or potential indications of events + organization-defined events or potential indications of events + + + organization-defined physical spaces containing one or more components of the information system + organization-defined physical spaces containing one or more components of the information system + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined location by information system or system component + organization-defined location by information system or system component + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined emergency responders + organization-defined emergency responders + + + organization-defined emergency responders + organization-defined emergency responders + + + organization-defined acceptable levels + organization-defined acceptable levels + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined types of information system components + organization-defined types of information system components + + + organization-defined security controls + organization-defined security controls + + + organization-defined physical and environmental hazards + organization-defined physical and environmental hazards + + + organization-defined personnel or roles + organization-defined personnel or roles + + + 
organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined individuals or groups + organization-defined individuals or groups + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + + + organization-defined time period + organization-defined time period + + + organization-defined information security topics + organization-defined information security topics + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined transfer or reassignment actions + organization-defined transfer or reassignment actions + + + organization-defined time period following the formal transfer action + organization-defined time period following the formal transfer action + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + 
organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined document + organization-defined document + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency and/or randomly in accordance with organization-defined process + organization-defined frequency and/or randomly in accordance with organization-defined process + + + organization-defined response times + organization-defined response times + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined corrective actions + organization-defined corrective actions + + + organization-identified information system components + organization-identified information system components + + + organization-defined vulnerability scanning activities + organization-defined vulnerability scanning activities + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined system development life cycle + 
organization-defined system development life cycle + + + organization-defined design/implementation information + organization-defined design/implementation information + + + organization-defined level of detail + organization-defined level of detail + + + organization-defined actions + organization-defined actions + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined security controls + organization-defined security controls + + + organization-defined processes, methods, and techniques + organization-defined processes, methods, and techniques + + + organization-defined external information system services + organization-defined external information system services + + + organization-defined configuration items under configuration management + organization-defined configuration items under configuration management + + + organization-defined personnel + organization-defined personnel + + + organization-defined depth and coverage + organization-defined depth and coverage + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined frequency + organization-defined frequency + + + organization-defined security requirements + organization-defined security requirements + + + organization-defined training + organization-defined training + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined types of denial of service attacks or references to sources for such information + organization-defined types of denial of service attacks or references to sources for such information + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined frequency + organization-defined frequency + + + organization-defined 
internal communications traffic + organization-defined internal communications traffic + + + organization-defined external networks + organization-defined external networks + + + organization-defined information system components + organization-defined information system components + + + organization-defined missions and/or business functions + organization-defined missions and/or business functions + + + organization-defined alternative physical safeguards + organization-defined alternative physical safeguards + + + organization-defined time period + organization-defined time period + + + organization-defined requirements for key generation, distribution, storage, access, and destruction + organization-defined requirements for key generation, distribution, storage, access, and destruction + + + organization-defined cryptographic uses and type of cryptography required for each use + organization-defined cryptographic uses and type of cryptography required for each use + + + organization-defined exceptions where remote activation is to be allowed + organization-defined exceptions where remote activation is to be allowed + + + organization-defined certificate policy + organization-defined certificate policy + + + organization-defined known-state + organization-defined known-state + + + organization-defined types of failures + organization-defined types of failures + + + organization-defined system state information + organization-defined system state information + + + organization-defined information at rest + organization-defined information at rest + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + 
organization-defined frequency + + + organization-defined action + organization-defined action + + + organization-defined monitoring objectives + organization-defined monitoring objectives + + + organization-defined techniques and methods + organization-defined techniques and methods + + + organization-defined information system monitoring information + organization-defined information system monitoring information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined compromise indicators + organization-defined compromise indicators + + + organization-defined external organizations + organization-defined external organizations + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined elements within the organization + organization-defined elements within the organization + + + organization-defined external organizations + organization-defined external organizations + + + organization-defined security functions + organization-defined security functions + + + organization-defined system transitional states + organization-defined system transitional states + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined alternative action(s) + organization-defined alternative action(s) + + + organization-defined software, firmware, and information + organization-defined software, firmware, and information + + + organization-defined software, firmware, and information + organization-defined software, firmware, and information + + + organization-defined transitional states or security-relevant events + 
organization-defined transitional states or security-relevant events
+
+
+ organization-defined frequency
+ organization-defined frequency
+
+
+ organization-defined personnel or roles
+ organization-defined personnel or roles
+
+
+ organization-defined security safeguards
+ organization-defined security safeguards
+
+
+ organization-defined security-relevant changes to the information system
+ organization-defined security-relevant changes to the information system
+
+
+ organization-defined information inputs
+ organization-defined information inputs
+
+
+ organization-defined personnel or roles
+ organization-defined personnel or roles
+
+
+ organization-defined security safeguards
+ organization-defined security safeguards
+
+
+
diff --git a/working/SP800-53/rev4/SP800-53-LOW-baseline.xml b/working/SP800-53/rev4/SP800-53-LOW-baseline.xml
new file mode 100644
index 0000000000..6277f23dbb
--- /dev/null
+++ b/working/SP800-53/rev4/SP800-53-LOW-baseline.xml
@@ -0,0 +1,938 @@ + + + + SP800-53 LOW BASELINE IMPACT + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined information system account types + organization-defined information system account types + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined procedures or conditions + organization-defined procedures or conditions + + + organization-defined frequency + organization-defined frequency + + + organization-defined number + organization-defined number + + + organization-defined time period + organization-defined time period + + + organization-defined time period + organization-defined time period + + + organization-defined delay algorithm + organization-defined delay algorithm + + + organization-defined system use notification message or banner + organization-defined system use notification message or banner + + + organization-defined conditions + organization-defined conditions + + + organization-defined user actions + organization-defined user actions + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time 
period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined auditable events + organization-defined auditable events + + + organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event + organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event + + + organization-defined audit record storage requirements + organization-defined audit record storage requirements + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) + organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) + + + organization-defined frequency + organization-defined frequency + + + organization-defined inappropriate or unusual activity + organization-defined inappropriate or unusual activity + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined granularity of time measurement + organization-defined granularity of time measurement + + + organization-defined time period consistent with records retention policy + organization-defined time period consistent with records retention policy + + + organization-defined information system components + organization-defined information system components + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined personnel or roles + organization-defined 
personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined individuals or roles + organization-defined individuals or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined metrics + organization-defined metrics + + + organization-defined frequencies + organization-defined frequencies + + + organization-defined frequencies + organization-defined frequencies + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined information system components or classes of components + organization-defined information system components or classes of components + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined security configuration checklists + organization-defined security configuration checklists + + + organization-defined information system components + organization-defined information system components + + + organization-defined operational requirements + organization-defined operational requirements + + + organization-defined prohibited or restricted functions, ports, protocols, and/or services + organization-defined prohibited or restricted functions, ports, protocols, and/or services + + + organization-defined information deemed necessary to achieve effective information system component accountability + organization-defined information deemed necessary to achieve 
effective information system component accountability + + + organization-defined frequency + organization-defined frequency + + + organization-defined policies + organization-defined policies + + + organization-defined methods + organization-defined methods + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + + + organization-defined frequency + organization-defined frequency + + + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined tests + organization-defined tests + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and 
recovery point objectives + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined time period of inactivity + organization-defined time period of inactivity + + + organization-defined time period by authenticator type + organization-defined time period by authenticator type + + + organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type + organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type + + + organization-defined number + organization-defined number + + + organization-defined numbers for lifetime minimum, lifetime maximum + organization-defined numbers for lifetime minimum, lifetime maximum + + + organization-defined number + organization-defined number + + + organization-defined token quality requirements + organization-defined token quality requirements + + + organization-defined information systems + organization-defined information systems + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined 
authorities + organization-defined authorities + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + + + organization-defined frequency + organization-defined frequency + + + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined maintenance-related information + organization-defined maintenance-related information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined types of digital and/or non-digital media + organization-defined types of digital and/or non-digital media + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined information system media + organization-defined information system media + + + organization-defined sanitization techniques and procedures + organization-defined sanitization techniques and procedures + + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined information systems or system components + organization-defined 
information systems or system components + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined entry/exit points to the facility where the information system resides + organization-defined entry/exit points to the facility where the information system resides + + + organization-defined physical access control systems/devices + organization-defined physical access control systems/devices + + + organization-defined entry/exit points + organization-defined entry/exit points + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined circumstances requiring visitor escorts and monitoring + organization-defined circumstances requiring visitor escorts and monitoring + + + organization-defined physical access devices + organization-defined physical access devices + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined events or potential indications of events + organization-defined events or potential indications of events + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined acceptable levels + organization-defined acceptable levels + + + organization-defined frequency + organization-defined frequency + + + organization-defined types of information system components + organization-defined types of information system components + + + organization-defined personnel or 
roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + + + organization-defined time period + organization-defined time period + + + organization-defined information security topics + organization-defined information security topics + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined transfer or reassignment actions + organization-defined transfer or reassignment actions + + + organization-defined time period following the formal transfer action + organization-defined time period following the formal transfer action + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + 
organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined document + organization-defined document + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency and/or randomly in accordance with organization-defined process + organization-defined frequency and/or randomly in accordance with organization-defined process + + + organization-defined response times + organization-defined response times + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined system development life cycle + organization-defined system development life cycle + + + organization-defined actions + organization-defined actions + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined security controls + organization-defined security controls + + + organization-defined processes, methods, and techniques + organization-defined processes, methods, and techniques + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + 
organization-defined frequency + organization-defined frequency + + + organization-defined types of denial of service attacks or references to sources for such information + organization-defined types of denial of service attacks or references to sources for such information + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined requirements for key generation, distribution, storage, access, and destruction + organization-defined requirements for key generation, distribution, storage, access, and destruction + + + organization-defined cryptographic uses and type of cryptography required for each use + organization-defined cryptographic uses and type of cryptography required for each use + + + organization-defined exceptions where remote activation is to be allowed + organization-defined exceptions where remote activation is to be allowed + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined action + organization-defined action + + + organization-defined monitoring objectives + organization-defined monitoring objectives + + + organization-defined techniques and methods + organization-defined techniques and methods + + + organization-defined information system monitoring information + organization-defined information system monitoring information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined external organizations + organization-defined external organizations + + + organization-defined personnel or roles + organization-defined 
personnel or roles
+
+
+ organization-defined elements within the organization
+ organization-defined elements within the organization
+
+
+ organization-defined external organizations
+ organization-defined external organizations
+
+
+
diff --git a/working/SP800-53/rev4/SP800-53-MODERATE-baseline.xml b/working/SP800-53/rev4/SP800-53-MODERATE-baseline.xml
new file mode 100644
index 0000000000..56b45a875e
--- /dev/null
+++ b/working/SP800-53/rev4/SP800-53-MODERATE-baseline.xml
@@ -0,0 +1,1455 @@ + + + + SP800-53 MODERATE BASELINE IMPACT + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined information system account types + organization-defined information system account types + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined procedures or conditions + organization-defined procedures or conditions + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period for each type of account + organization-defined time period for each type of account + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined information flow control policies + organization-defined information flow control policies + + + organization-defined duties of individuals + organization-defined duties of individuals + + + organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information + organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information + + + organization-defined security functions or 
security-relevant information + organization-defined security functions or security-relevant information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined number + organization-defined number + + + organization-defined time period + organization-defined time period + + + organization-defined time period + organization-defined time period + + + organization-defined delay algorithm + organization-defined delay algorithm + + + organization-defined system use notification message or banner + organization-defined system use notification message or banner + + + organization-defined conditions + organization-defined conditions + + + organization-defined time period + organization-defined time period + + + organization-defined conditions or trigger events requiring session disconnect + organization-defined conditions or trigger events requiring session disconnect + + + organization-defined user actions + organization-defined user actions + + + organization-defined number + organization-defined number + + + organization-defined needs + organization-defined needs + + + organization-defined mobile devices + organization-defined mobile devices + + + organization-defined information sharing circumstances where user discretion is required + organization-defined information sharing circumstances where user discretion is required + + + organization-defined automated mechanisms or manual processes + organization-defined automated mechanisms or manual processes + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined 
time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined auditable events + organization-defined auditable events + + + organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event + organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event + + + organization-defined frequency + organization-defined frequency + + + organization-defined additional, more detailed information + organization-defined additional, more detailed information + + + organization-defined audit record storage requirements + organization-defined audit record storage requirements + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) + organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) + + + organization-defined frequency + organization-defined frequency + + + organization-defined inappropriate or unusual activity + organization-defined inappropriate or unusual activity + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined audit fields within audit records + organization-defined audit fields within audit records + + + organization-defined granularity of time measurement + organization-defined granularity of time measurement + + + organization-defined frequency + organization-defined frequency + 
+ + organization-defined authoritative time source + organization-defined authoritative time source + + + organization-defined time period + organization-defined time period + + + organization-defined subset of privileged users + organization-defined subset of privileged users + + + organization-defined time period consistent with records retention policy + organization-defined time period consistent with records retention policy + + + organization-defined information system components + organization-defined information system components + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined individuals or roles + organization-defined individuals or roles + + + organization-defined level of independence + organization-defined level of independence + + + organization-defined frequency + organization-defined frequency + + + organization-defined information systems + organization-defined information systems + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined metrics + organization-defined metrics + + + organization-defined frequencies + organization-defined frequencies + + + organization-defined frequencies + organization-defined frequencies + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined level of independence + organization-defined level of independence + + + organization-defined information system components or classes of components + organization-defined information 
system components or classes of components + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + Assignment organization-defined circumstances + Assignment organization-defined circumstances + + + organization-defined previous versions of baseline configurations of the information system + organization-defined previous versions of baseline configurations of the information system + + + organization-defined information systems, system components, or devices + organization-defined information systems, system components, or devices + + + organization-defined configurations + organization-defined configurations + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined time period + organization-defined time period + + + organization-defined configuration change control element (e.g., committee, board) + organization-defined configuration change control element (e.g., committee, board) + + + organization-defined frequency + organization-defined frequency + + + organization-defined configuration change conditions + organization-defined configuration change conditions + + + organization-defined security configuration checklists + organization-defined security configuration checklists + + + organization-defined information system components + organization-defined information system components + + + organization-defined operational requirements + organization-defined operational requirements + + + organization-defined prohibited or restricted functions, ports, protocols, and/or services + organization-defined prohibited or restricted functions, ports, protocols, and/or services + + + organization-defined frequency + organization-defined frequency + + + 
organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure + organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure + + + organization-defined policies regarding software program usage and restrictions + organization-defined policies regarding software program usage and restrictions + + + organization-defined software programs not authorized to execute on the information system + organization-defined software programs not authorized to execute on the information system + + + organization-defined frequency + organization-defined frequency + + + organization-defined information deemed necessary to achieve effective information system component accountability + organization-defined information deemed necessary to achieve effective information system component accountability + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined policies + organization-defined policies + + + organization-defined methods + organization-defined methods + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + + + organization-defined frequency + organization-defined frequency + + + 
organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + organization-defined key contingency personnel (identified by name and/or by role) and organizational elements + + + organization-defined time period + organization-defined time period + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined tests + organization-defined tests + + + organization-defined information system operations + organization-defined information system operations + + + organization-defined time period consistent with recovery time and recovery point objectives + organization-defined time period consistent with recovery time and recovery point objectives + + + organization-defined information system operations + organization-defined information system operations + + + organization-defined time period + organization-defined time period + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency consistent with recovery time and recovery point objectives + organization-defined frequency consistent with recovery time and recovery point objectives + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined strength of mechanism requirements + 
organization-defined strength of mechanism requirements + + + organization-defined specific and/or types of devices + organization-defined specific and/or types of devices + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined time period of inactivity + organization-defined time period of inactivity + + + organization-defined time period by authenticator type + organization-defined time period by authenticator type + + + organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type + organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type + + + organization-defined number + organization-defined number + + + organization-defined numbers for lifetime minimum, lifetime maximum + organization-defined numbers for lifetime minimum, lifetime maximum + + + organization-defined number + organization-defined number + + + organization-defined types of and/or specific authenticators + organization-defined types of and/or specific authenticators + + + organization-defined registration authority + organization-defined registration authority + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined token quality requirements + organization-defined token quality requirements + + + organization-defined information systems + organization-defined information systems + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + 
organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined tests + organization-defined tests + + + organization-defined time period + organization-defined time period + + + organization-defined authorities + organization-defined authorities + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + + + organization-defined frequency + organization-defined frequency + + + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + organization-defined incident response personnel (identified by name and/or by role) and organizational elements + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined maintenance-related information + organization-defined maintenance-related information + + + organization-defined information system components + organization-defined information system components + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined types of digital and/or non-digital media + organization-defined types of digital 
and/or non-digital media + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined controlled areas + organization-defined controlled areas + + + organization-defined types of digital and/or non-digital media + organization-defined types of digital and/or non-digital media + + + organization-defined controlled areas + organization-defined controlled areas + + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined information system media + organization-defined information system media + + + organization-defined sanitization techniques and procedures + organization-defined sanitization techniques and procedures + + + organization-defined types of information system media + organization-defined types of information system media + + + organization-defined information systems or system components + organization-defined information systems or system components + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined entry/exit points to the facility where the information system resides + organization-defined entry/exit points to the facility where the information system resides + + + organization-defined physical access control systems/devices + organization-defined physical access control systems/devices + + + organization-defined entry/exit points + organization-defined 
entry/exit points + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined circumstances requiring visitor escorts and monitoring + organization-defined circumstances requiring visitor escorts and monitoring + + + organization-defined physical access devices + organization-defined physical access devices + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined information system distribution and transmission lines + organization-defined information system distribution and transmission lines + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined frequency + organization-defined frequency + + + organization-defined events or potential indications of events + organization-defined events or potential indications of events + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined location by information system or system component + organization-defined location by information system or system component + + + organization-defined acceptable levels + organization-defined acceptable levels + + + organization-defined frequency + organization-defined frequency + + + organization-defined types of information system components + organization-defined types of information system components + + + organization-defined security controls + organization-defined security controls + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + 
organization-defined frequency + + + organization-defined individuals or groups + organization-defined individuals or groups + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening + + + organization-defined time period + organization-defined time period + + + organization-defined information security topics + organization-defined information security topics + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined transfer or reassignment actions + organization-defined transfer or reassignment actions + + + organization-defined time period following the formal transfer action + organization-defined time period following the formal transfer action + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + 
organization-defined time period + organization-defined time period + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined document + organization-defined document + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency and/or randomly in accordance with organization-defined process + organization-defined frequency and/or randomly in accordance with organization-defined process + + + organization-defined response times + organization-defined response times + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-identified information system components + organization-identified information system components + + + organization-defined vulnerability scanning activities + organization-defined vulnerability scanning activities + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined system development life cycle + organization-defined system development life cycle + + + organization-defined design/implementation information + organization-defined design/implementation information + + + organization-defined level of detail + organization-defined level of detail + + + organization-defined actions + organization-defined actions + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined security controls 
+ organization-defined security controls + + + organization-defined processes, methods, and techniques + organization-defined processes, methods, and techniques + + + organization-defined external information system services + organization-defined external information system services + + + organization-defined configuration items under configuration management + organization-defined configuration items under configuration management + + + organization-defined personnel + organization-defined personnel + + + organization-defined depth and coverage + organization-defined depth and coverage + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined types of denial of service attacks or references to sources for such information + organization-defined types of denial of service attacks or references to sources for such information + + + organization-defined security safeguards + organization-defined security safeguards + + + organization-defined frequency + organization-defined frequency + + + organization-defined alternative physical safeguards + organization-defined alternative physical safeguards + + + organization-defined time period + organization-defined time period + + + organization-defined requirements for key generation, distribution, storage, access, and destruction + organization-defined requirements for key generation, distribution, storage, access, and destruction + + + organization-defined cryptographic uses and type of cryptography required for each use + organization-defined cryptographic uses and type of cryptography required for each use + + + organization-defined exceptions where remote activation is to be allowed + organization-defined exceptions where remote activation is to be allowed + + + organization-defined certificate policy + organization-defined 
certificate policy + + + organization-defined information at rest + organization-defined information at rest + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined time period + organization-defined time period + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined action + organization-defined action + + + organization-defined monitoring objectives + organization-defined monitoring objectives + + + organization-defined techniques and methods + organization-defined techniques and methods + + + organization-defined information system monitoring information + organization-defined information system monitoring information + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined frequency + organization-defined frequency + + + organization-defined frequency + organization-defined frequency + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined compromise indicators + organization-defined compromise indicators + + + organization-defined external organizations + organization-defined external organizations + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined elements within the organization + organization-defined elements within the organization + + + organization-defined external organizations + organization-defined external organizations + + + organization-defined software, firmware, and information + organization-defined software, firmware, and information + + + organization-defined software, firmware, and information + organization-defined software, firmware, and information + + + 
organization-defined transitional states or security-relevant events + organization-defined transitional states or security-relevant events + + + organization-defined frequency + organization-defined frequency + + + organization-defined security-relevant changes to the information system + organization-defined security-relevant changes to the information system + + + organization-defined information inputs + organization-defined information inputs + + + organization-defined personnel or roles + organization-defined personnel or roles + + + organization-defined security safeguards + organization-defined security safeguards + + + diff --git a/working/SP800-53/rev4/SP800-53-declarations.xml b/working/SP800-53/rev4/SP800-53-declarations.xml index 3599d054f8..3269a7cb4c 100644 --- a/working/SP800-53/rev4/SP800-53-declarations.xml +++ b/working/SP800-53/rev4/SP800-53-declarations.xml @@ -1,7 +1,6 @@ - @@ -57,10 +56,10 @@ - + - + @@ -78,10 +77,10 @@ (1) - + - + diff --git a/working/SP800-53/simple-profile.xsl b/working/SP800-53/simple-profile.xsl index a169959a07..44f6cd4a53 100644 --- a/working/SP800-53/simple-profile.xsl +++ b/working/SP800-53/simple-profile.xsl @@ -25,11 +25,11 @@ - + - + diff --git a/working/lib/CSS/oscal-grid.css b/working/lib/CSS/oscal-grid.css new file mode 100644 index 0000000000..239ae7eee7 --- /dev/null +++ b/working/lib/CSS/oscal-grid.css @@ -0,0 +1,6 @@ +@import 'oscal.css'; + +@namespace "http://csrc.nist.gov/ns/oscal/1.0"; + +catalog { font-size: 15% } +control, subcontrol, component, part { display: inline-grid } \ No newline at end of file diff --git a/working/lib/XSLT/HTML/oscal-with-nav-display.xsl b/working/lib/XSLT/HTML/oscal-with-nav-display.xsl index 4f7d78b0e1..11acb2bcd0 100644 --- a/working/lib/XSLT/HTML/oscal-with-nav-display.xsl +++ b/working/lib/XSLT/HTML/oscal-with-nav-display.xsl @@ -36,18 +36,18 @@
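Review bot: One parameter text in SP800-53-MODERATE-baseline.xml keeps a fragment of the source's bracket notation: `Assignment organization-defined circumstances` (repeated twice, like every other entry) while all neighbouring entries read `organization-defined …`. Presumably the `[Assignment: …]` wrapper was only partially stripped when this value was extracted; it should read `organization-defined circumstances`. If this baseline is produced from the catalog or declarations file by a stylesheet, the fix belongs upstream so the artefact does not reappear on regeneration, and the LOW baseline tail at the top of this chunk is worth checking for the same artefact.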
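Review bot: oscal-grid.css gives no hint what `catalog { font-size: 15% }` is for, and 15% reads like a typo unless the intended effect is a zoomed-out overview of the document structure. If that is the intent, a one-line header comment would settle it, e.g. `/* overview view: shrink text so each control/subcontrol/component/part shows as a tile in an inline grid */`; if it is not, the value should be revisited. The rule order is fine (`@import` precedes `@namespace`, which precedes the type selectors it qualifies).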

                                    - +
                                    - +
                                    - +
                                    - +
                                    @@ -512,7 +512,7 @@
                                    - +

                                    @@ -522,36 +522,36 @@

                                    - + Included: - + Excluded: - + ALL - + Control - + Subcontrol - + Parameter diff --git a/working/lib/XSLT/literalizer.xsl b/working/lib/XSLT/literalizer.xsl index 3565fd7626..3f75e3cf03 100644 --- a/working/lib/XSLT/literalizer.xsl +++ b/working/lib/XSLT/literalizer.xsl @@ -2,19 +2,18 @@ + version="3.0"> - \ No newline at end of file diff --git a/working/lib/XSLT/profile-basic-display.xsl b/working/lib/XSLT/profile-basic-display.xsl index add004952a..e57a702250 100644 --- a/working/lib/XSLT/profile-basic-display.xsl +++ b/working/lib/XSLT/profile-basic-display.xsl @@ -6,7 +6,7 @@ - + diff --git a/working/lib/XSLT/profile-resolver-old.xsl b/working/lib/XSLT/profile-resolver-old.xsl new file mode 100644 index 0000000000..be78494d9e --- /dev/null +++ b/working/lib/XSLT/profile-resolver-old.xsl @@ -0,0 +1,263 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + invoking a { $authority/*/local-name() } + + + + + + + + + + + + + + + + Can't resolve profile against {$authorityURI}, already invoked in this chain: {string-join($authorities-so-far,' / ')} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/working/lib/XSLT/profile-resolver-sprint6.xsl b/working/lib/XSLT/profile-resolver-sprint6.xsl new file mode 100644 index 0000000000..2e62a2f944 --- /dev/null +++ b/working/lib/XSLT/profile-resolver-sprint6.xsl 
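Review bot: profile-resolver-old.xsl checks in a full copy of the previous resolver beside the live one, and profile-resolver-sprint6.xsl in the next hunk adds a third variant of the same stylesheet. Git history already preserves earlier versions, and three resolvers with the same template set and near-identical chain-detection diagnostics make it easy to run, grep or edit the wrong one. If the snapshots are needed for side-by-side comparison during the sprint, a comment at the top of each stating that it is superseded by profile-resolver.xsl and must not be imported would help; otherwise dropping them leaves one resolver to maintain.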
@@ -0,0 +1,434 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Can't resolve profile against {$authorityURI}, already imported in this chain: + {string-join($authorities-so-far,' / ')} + + + + + + + + + + + + + + + + + + + + + + + + + importing { $authority/*/local-name() } + + + + + + + + + + + + + + + + Bah! matched profile unexpectedly + + + + + + + + + + + + + + + + + + + + + + + + + [included in + + ] + + + + + + + + + + + + + + + invoked by { $invocation/../title } { document-uri($invocation/root()) } + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/working/lib/XSLT/profile-resolver.xsl b/working/lib/XSLT/profile-resolver.xsl index be78494d9e..6bce337eb6 100644 --- a/working/lib/XSLT/profile-resolver.xsl +++ b/working/lib/XSLT/profile-resolver.xsl 
@@ -6,129 +6,176 @@ xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0" xpath-default-namespace="http://csrc.nist.gov/ns/oscal/1.0" - exclude-result-prefixes="#all" - > - + exclude-result-prefixes="#all"> - - - + + + + + + + - + + - + + - + - + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + + + + + + + - - - - - - - invoking a { $authority/*/local-name() } - + + + + - + + + + + + + - + + - - - - - - Can't resolve profile against {$authorityURI}, already invoked in this chain: {string-join($authorities-so-far,' / ')} - - - - - - - - - - + + + + + + Can't resolve profile against {$authorityURI}, already imported in this chain: + {string-join($authorities-so-far,' / ')} + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - + + + + + importing { $authority/*/local-name() } + - - + - - + - - - + - - - + + + Bah! matched profile unexpectedly + + + + + + + + + - + --> - - - - + + + + + + + + + + + + + + + + + + + + - - - - - - + + + + invoked by { $invocation/../title } { document-uri($invocation/root()) } + + + + + - + - + @@ -173,82 +239,238 @@ - - - - - - + + + + + + + + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + - - - - + - - + + - + - - + - - + - + - + - + - - - - + @@ -259,5 +481,11 @@ + + + + + + diff --git a/working/lib/XSLT/readme.md b/working/lib/XSLT/readme.md index 37d3539001..70bcf407c0 100644 --- a/working/lib/XSLT/readme.md +++ b/working/lib/XSLT/readme.md 
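Review bot: The import-cycle guard that emits `Can't resolve profile against {$authorityURI}, already imported in this chain: …` is the only visible check on what the resolver will follow, and since its markup is not legible in this rendering it is unclear whether `$authorities-so-far` holds normalized absolute URIs or the raw `href` strings; if it is the latter, the same document reached once by a relative path and once by an absolute one (or with a trailing fragment) would pass the check and recurse until the processor gives up. Comparing `resolve-uri($href, base-uri(.))` against the chain instead of the literal value would close that gap, and a one-line comment stating what the chain contains would help either way. Separately, the new message `Bah! matched profile unexpectedly` gives a reader of the log nothing to locate the problem; something like `Unexpected profile element at {path(.)} while resolving {$authorityURI}` would. These points apply across the three hunks at -6,129, -173,82 and -259,5, and the stylesheet's opening element lies above the first of them.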
@@ -4,7 +4,7 @@ The subdirectory contains core XSLT stylesheets for processing OSCAL. Production stylesheets, which map each of our sample control sets into OSCAL, are kept elsewhere (in the subdirectories with the samples). The stylesheets in here are a mix of utilities, starter stylesheets, and generic processors. See inline comments per stylesheet to get an idea what it does. -Note that XSLT stylesheets may sometimes be version 1.0 - this was done *only* so that XML documents invoking those stylesheets using the W3C-specified PI ``, would be able to apply the stylesheet so invoked. YMMV. Works in Firefox, at least sometimes. In any case, when it does work, it is very handy to have XSLT in the browser natively. +Note that XSLT stylesheets may sometimes be version 1.0 - this was done *only* so that XML documents invoking those stylesheets using the W3C-specified PI ``, would be able to apply the stylesheet so provided. YMMV. Works in Firefox, at least sometimes. In any case, when it does work, it is very handy to have XSLT in the browser natively. More commonly, XSLT stylesheets are version 2.0 or 3.0 and assume a modern processor to run. Tested under Saxon. diff --git a/working/lib/XSLT/svg-rasterize-fo.xsl b/working/lib/XSLT/svg-rasterize-fo.xsl new file mode 100644 index 0000000000..a3600f675e --- /dev/null +++ b/working/lib/XSLT/svg-rasterize-fo.xsl @@ -0,0 +1,23 @@ + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/working/lib/profile-mockup.xml b/working/lib/profile-mockup.xml index 1c98e67988..021d1b42aa 100644 --- a/working/lib/profile-mockup.xml +++ b/working/lib/profile-mockup.xml @@ -1,14 +1,14 @@ - + - - + --> \ No newline at end of file diff --git a/working/lib/sketch/OSCAL-extract.xsl b/working/lib/sketch/OSCAL-extract.xsl new file mode 100644 index 0000000000..6a2e46e6a2 --- /dev/null +++ b/working/lib/sketch/OSCAL-extract.xsl 
@@ -0,0 +1,107 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + <xsl:apply-templates/> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/working/lib/sketch/docsketch-svg.xpl b/working/lib/sketch/docsketch-svg.xpl new file mode 100644 index 0000000000..3560a09409 --- /dev/null +++ b/working/lib/sketch/docsketch-svg.xpl @@ -0,0 +1,33 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/working/lib/sketch/oscal-docsketch-map.xsl b/working/lib/sketch/oscal-docsketch-map.xsl new file mode 100644 index 0000000000..613323d217 --- /dev/null +++ b/working/lib/sketch/oscal-docsketch-map.xsl @@ -0,0 +1,109 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + call + + + + + + all + + + + + + + + + + + + import + + + + + + + + + + + \ No newline at end of file diff --git a/working/lib/sketch/oscal-docsketch-svg.xsl b/working/lib/sketch/oscal-docsketch-svg.xsl new file mode 100644 index 0000000000..ef53704ce1 --- /dev/null +++ b/working/lib/sketch/oscal-docsketch-svg.xsl @@ -0,0 +1,187 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + black + 1 + white + 1.0 + + + + + + + gold + 0.5 + + + + maroon + 0.3 + + + + skyblue + 0.3 + + + + pink + 0.3 + + + + lavender + + + + + + 2 1 + + + + + + lightgreen + + + + green + + + + + \ No newline at end of file diff --git a/working/lib/sketch/svg-rasterize.xpl b/working/lib/sketch/svg-rasterize.xpl new file mode 100644 index 0000000000..7ad5234c2d --- /dev/null +++ b/working/lib/sketch/svg-rasterize.xpl @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/working/oscal-basic-display.xsl b/working/oscal-basic-display.xsl deleted file mode 100644 index 6aa06b0d34..0000000000 --- a/working/oscal-basic-display.xsl +++ /dev/null @@ -1,244 +0,0 @@ - - - - - - - - - - - - - - - - -
                                    - -
                                    -
                                    - - -

                                    - -

                                    -
                                    - - - - - - - - - -
                                    - -
                                    -
                                    - - - - - - -
                                    - - - - -
                                    -
                                    - - - - - - -

                                    - - - - -

                                    -
                                    - - - - - - - - - -

                                    - - - - - : - - -

                                    - -
                                    - - -

                                    - - - : - - -

                                    -
                                    - - - - - - -

                                    - -

                                    -
                                    - - - - - - - - - - - - - - - - - - -
                                      - -
                                    -
                                    - -
                                  10. - -
                                  11. - - - -
                                    - - -
                                    -
                                    - - - - - - - - - -
                                    - -
                                    -
                                    - - -
                                    - -
                                    -
                                    - -

                                    - -

                                    -
                                    - -
                                    - -
                                    -
                                    - - - - - - - - - - - -
                                    - -
                                    -
                                    - -

                                    - -

                                    -
                                    - -

                                    - -

                                    -
                                    - -
                                    - -
                                    -
                                    - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/working/profile-basic-display.xsl b/working/profile-basic-display.xsl deleted file mode 100644 index f4e482611a..0000000000 --- a/working/profile-basic-display.xsl +++ /dev/null @@ -1,31 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/working/profile-demo.xml b/working/profile-demo.xml deleted file mode 100644 index 0e943e6be8..0000000000 --- a/working/profile-demo.xml +++ /dev/null 
@@ -1,4064 +0,0 @@ - - - - - - - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - Every TOTAL ECLIPSE OF THE SUN! - - - - organization-defined information system account types - organization-defined information system account types - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined procedures or conditions - organization-defined procedures or conditions - - - organization-defined frequency - organization-defined frequency - - - - - organization-defined time period for each type of account - organization-defined time period for each type of account - - - - organization-defined time period - organization-defined time period - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - organization-defined time-period of expected inactivity or description of when to log out - organization-defined time-period of expected inactivity or description of when to log out - - - - organization-defined list of dynamic privilege management capabilities - organization-defined list of dynamic privilege management capabilities - - - - organization-defined actions - organization-defined actions - - - - organization-defined information system accounts - organization-defined information system accounts - - - - organization-defined conditions for establishing shared/group accounts - organization-defined conditions for establishing shared/group accounts - - - - - organization-defined circumstances and/or usage conditions - organization-defined circumstances and/or usage conditions - - - organization-defined information system accounts - organization-defined information system accounts - - - - organization-defined atypical usage OH NO! 
- organization-defined atypical usage - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - organization-defined time period - organization-defined time period - - - - - - organization-defined privileged commands and/or other organization-defined actions - organization-defined privileged commands and/or other organization-defined actions - - - - organization-defined mandatory access control policy - organization-defined mandatory access control policy - - - organization-defined subjects - organization-defined subjects - - - organization-defined privileges (i.e., they are trusted subjects) - organization-defined privileges (i.e., they are trusted subjects) - - - - organization-defined discretionary access control policy - organization-defined discretionary access control policy - - - - organization-defined security-relevant information - organization-defined security-relevant information - - - - - organization-defined roles and users authorized to assume such roles - organization-defined roles and users authorized to assume such roles - - - - organization-defined rules governing the timing of revocations of access authorizations - organization-defined rules governing the timing of revocations of access authorizations - - - - organization-defined information system or system component - organization-defined information system or system component - - - organization-defined security safeguards - organization-defined security safeguards - - - organization-defined security safeguards - organization-defined security safeguards - - - - organization-defined conditions - organization-defined conditions - - - - organization-defined information flow control policies - organization-defined information flow control policies - - - - organization-defined security attributes - organization-defined security attributes - - - organization-defined information, source, and destination objects - organization-defined information, source, and 
destination objects - - - organization-defined information flow control policies - organization-defined information flow control policies - - - - organization-defined information flow control policies - organization-defined information flow control policies - - - - organization-defined policies - organization-defined policies - - - - organization-defined procedure or method - organization-defined procedure or method - - - - organization-defined limitations - organization-defined limitations - - - - organization-defined metadata - organization-defined metadata - - - - organization-defined one-way information flows - organization-defined one-way information flows - - - - organization-defined security policy filters - organization-defined security policy filters - - - organization-defined information flows - organization-defined information flows - - - - organization-defined information flows - organization-defined information flows - - - organization-defined conditions - organization-defined conditions - - - - organization-defined security policy filters - organization-defined security policy filters - - - organization-defined conditions - organization-defined conditions - - - - organization-defined security policy filters - organization-defined security policy filters - - - - organization-defined data type identifiers - organization-defined data type identifiers - - - - organization-defined policy-relevant subcomponents - organization-defined policy-relevant subcomponents - - - - organization-defined security policy filters - organization-defined security policy filters - - - - organized-defined unsanctioned information - organized-defined unsanctioned information - - - organization-defined security policy - organization-defined security policy - - - - - - organization-defined binding techniques - organization-defined binding techniques - - - - - organization-defined solutions in approved configurations - organization-defined solutions in approved configurations - - 
- organization-defined information - organization-defined information - - - - organization-defined mechanisms and/or techniques - organization-defined mechanisms and/or techniques - - - organization-defined required separations by types of information - organization-defined required separations by types of information - - - - - organization-defined duties of individuals - organization-defined duties of individuals - - - - - organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information - organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information - - - - organization-defined security functions or security-relevant information - organization-defined security functions or security-relevant information - - - - organization-defined privileged commands - organization-defined privileged commands - - - organization-defined compelling operational needs - organization-defined compelling operational needs - - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - - organization-defined frequency - organization-defined frequency - - - organization-defined roles or classes of users - organization-defined roles or classes of users - - - - organization-defined software - organization-defined software - - - - - - organization-defined number - organization-defined number - - - organization-defined time period - organization-defined time period - - - organization-defined time period - organization-defined time period - - - organization-defined delay algorithm - organization-defined delay algorithm - - - - - organization-defined mobile devices - organization-defined mobile devices - - - organization-defined purging/wiping requirements/techniques - organization-defined purging/wiping requirements/techniques - - - organization-defined number - organization-defined number - - - - organization-defined system use notification 
message or banner - organization-defined system use notification message or banner - - - organization-defined conditions - organization-defined conditions - - - - - - organization-defined time period - organization-defined time period - - - - organization-defined security-related characteristics/parameters of the user�s account - organization-defined security-related characteristics/parameters of the user�s account - - - organization-defined time period - organization-defined time period - - - - organization-defined information to be included in addition to the date and time of the last logon (access) - organization-defined information to be included in addition to the date and time of the last logon (access) - - - - organization-defined account and/or account type - organization-defined account and/or account type - - - organization-defined number - organization-defined number - - - - organization-defined time period - organization-defined time period - - - - - organization-defined conditions or trigger events requiring session disconnect - organization-defined conditions or trigger events requiring session disconnect - - - - organization-defined information resources - organization-defined information resources - - - - - organization-defined user actions - organization-defined user actions - - - - - - organization-defined types of security attributes - organization-defined types of security attributes - - - organization-defined security attribute values - organization-defined security attribute values - - - organization-defined security attributes - organization-defined security attributes - - - organization-defined information systems - organization-defined information systems - - - organization-defined values or ranges - organization-defined values or ranges - - - - organization-defined subjects and objects - organization-defined subjects and objects - - - organization-defined security policies - organization-defined security policies - - - - - 
organization-defined security attributes - organization-defined security attributes - - - organization-defined subjects and objects - organization-defined subjects and objects - - - - organization-defined security attributes - organization-defined security attributes - - - organization-defined subjects and objects - organization-defined subjects and objects - - - - organization-identified special dissemination, handling, or distribution instructions - organization-identified special dissemination, handling, or distribution instructions - - - organization-identified human-readable, standard naming conventions - organization-identified human-readable, standard naming conventions - - - - organization-defined security attributes - organization-defined security attributes - - - organization-defined subjects and objects - organization-defined subjects and objects - - - organization-defined security policies - organization-defined security policies - - - - - organization-defined techniques or technologies - organization-defined techniques or technologies - - - organization-defined level of assurance - organization-defined level of assurance - - - - organization-defined techniques or procedures - organization-defined techniques or procedures - - - - - - - - organization-defined number - organization-defined number - - - - organization-defined needs - organization-defined needs - - - - - - - - organization-defined time period - organization-defined time period - - - - - - - - - - - - - - organization-defined security officials - organization-defined security officials - - - organization-defined security policies - organization-defined security policies - - - - organization-defined mobile devices - organization-defined mobile devices - - - - - - - - organization-defined network accessible storage devices - organization-defined network accessible storage devices - - - - organization-defined information sharing circumstances where user discretion is required - 
organization-defined information sharing circumstances where user discretion is required - - - organization-defined automated mechanisms or manual processes - organization-defined automated mechanisms or manual processes - - - - - organization-defined information sharing restrictions - organization-defined information sharing restrictions - - - - organization-defined frequency - organization-defined frequency - - - - organization-defined data mining prevention and detection techniques - organization-defined data mining prevention and detection techniques - - - organization-defined data storage objects - organization-defined data storage objects - - - - organization-defined access control decisions - organization-defined access control decisions - - - - organization-defined access authorization information - organization-defined access authorization information - - - organization-defined security safeguards - organization-defined security safeguards - - - organization-defined information systems - organization-defined information systems - - - - organization-defined security attributes - organization-defined security attributes - - - - organization-defined access control policies - organization-defined access control policies - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - organization-defined frequency - organization-defined frequency - - - - - - organization-defined frequency - organization-defined frequency - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - - - organization-defined indicators of malicious 
code - organization-defined indicators of malicious code - - - - organization-defined time period - organization-defined time period - - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - organization-defined auditable events - organization-defined auditable events - - - organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event - organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event - - - - - - organization-defined frequency - organization-defined frequency - - - - - - organization-defined additional, more detailed information - organization-defined additional, more detailed information - - - - organization-defined information system components - organization-defined information system components - - - - organization-defined audit record storage requirements - organization-defined audit record storage requirements - - - - organization-defined frequency - organization-defined frequency - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) - organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) - - - - organization-defined personnel, roles, and/or locations - organization-defined personnel, roles, and/or locations - - - organization-defined time period - organization-defined time period - - - organization-defined percentage - organization-defined percentage - - - - 
organization-defined real-time period - organization-defined real-time period - - - organization-defined personnel, roles, and/or locations - organization-defined personnel, roles, and/or locations - - - organization-defined audit failure events requiring real-time alerts - organization-defined audit failure events requiring real-time alerts - - - - - organization-defined audit failures - organization-defined audit failures - - - - organization-defined frequency - organization-defined frequency - - - organization-defined inappropriate or unusual activity - organization-defined inappropriate or unusual activity - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - - - - - organization-defined data/information collected from other sources - organization-defined data/information collected from other sources - - - - - - - - - - organization-defined audit fields within audit records - organization-defined audit fields within audit records - - - - organization-defined audit fields within audit records - organization-defined audit fields within audit records - - - - organization-defined granularity of time measurement - organization-defined granularity of time measurement - - - - organization-defined frequency - organization-defined frequency - - - organization-defined authoritative time source - organization-defined authoritative time source - - - organization-defined time period - organization-defined time period - - - - - - - organization-defined frequency - organization-defined frequency - - - - - organization-defined subset of privileged users - organization-defined subset of privileged users - - - - organization-defined audit information - organization-defined audit information - - - - organization-defined subset of privileged users - organization-defined subset of privileged users - - - - organization-defined actions to be covered by non-repudiation - organization-defined actions to be covered by non-repudiation - - - - 
organization-defined strength of binding - organization-defined strength of binding - - - - organization-defined frequency - organization-defined frequency - - - organization-defined actions - organization-defined actions - - - - - organization-defined security domains - organization-defined security domains - - - organization-defined actions - organization-defined actions - - - - - organization-defined time period consistent with records retention policy - organization-defined time period consistent with records retention policy - - - - organization-defined measures - organization-defined measures - - - - organization-defined information system components - organization-defined information system components - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - organization-defined information system components - organization-defined information system components - - - organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail - organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail - - - - - organization-defined individuals or roles - organization-defined individuals or roles - - - organization-defined information system components - organization-defined information system components - - - organization-defined selectable event criteria - organization-defined selectable event criteria - - - organization-defined time thresholds - organization-defined time thresholds - - - - organization-defined open source information and/or information sites - organization-defined open source information and/or information sites - - - organization-defined frequency - organization-defined frequency - - - - - organization-defined frequency - organization-defined frequency - - - - - - - - organization-defined alternate audit functionality - organization-defined alternate audit functionality - - - - 
organization-defined methods - organization-defined methods - - - organization-defined audit information - organization-defined audit information - - - - - organization-defined organizations - organization-defined organizations - - - organization-defined cross-organizational sharing agreements - organization-defined cross-organizational sharing agreements - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - organization-defined frequency - organization-defined frequency - - - organization-defined individuals or roles - organization-defined individuals or roles - - - - organization-defined level of independence - organization-defined level of independence - - - - organization-defined frequency - organization-defined frequency - - - organization-defined other forms of security assessment - organization-defined other forms of security assessment - - - - organization-defined information system - organization-defined information system - - - organization-defined external organization - organization-defined external organization - - - organization-defined requirements - organization-defined requirements - - - - organization-defined frequency - organization-defined frequency - - - - organization-defined unclassified, national security system - organization-defined unclassified, national security system - - - organization-defined boundary protection device - organization-defined boundary protection device - - - - organization-defined boundary protection device - organization-defined boundary protection device - - - - organization-defined unclassified, non-national security system - organization-defined unclassified, non-national security system - - - Assignment; organization-defined boundary protection device - Assignment; organization-defined boundary protection device - - - - 
organization-defined information system - organization-defined information system - - - - organization-defined information systems - organization-defined information systems - - - - - organization-defined frequency - organization-defined frequency - - - - - organization-defined frequency - organization-defined frequency - - - - organization-defined metrics - organization-defined metrics - - - organization-defined frequencies - organization-defined frequencies - - - organization-defined frequencies - organization-defined frequencies - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - - organization-defined level of independence - organization-defined level of independence - - - - - - organization-defined frequency - organization-defined frequency - - - organization-defined information systems or system components - organization-defined information systems or system components - - - - - organization-defined red team exercises - organization-defined red team exercises - - - organization-defined rules of engagement - organization-defined rules of engagement - - - - organization-defined information system components or classes of components - organization-defined information system components or classes of components - - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - - organization-defined frequency - organization-defined frequency - - - Assignment organization-defined circumstances - Assignment organization-defined circumstances - - - - - organization-defined previous versions of baseline configurations of the information system - organization-defined previous versions of baseline configurations of the information system - - - - - - - organization-defined information 
systems, system components, or devices - organization-defined information systems, system components, or devices - - - organization-defined configurations - organization-defined configurations - - - organization-defined security safeguards - organization-defined security safeguards - - - - organization-defined time period - organization-defined time period - - - organization-defined configuration change control element (e.g., committee, board) - organization-defined configuration change control element (e.g., committee, board) - - - organization-defined frequency - organization-defined frequency - - - organization-defined configuration change conditions - organization-defined configuration change conditions - - - - organized-defined approval authorities - organized-defined approval authorities - - - organization-defined time period - organization-defined time period - - - organization-defined personnel - organization-defined personnel - - - - - - organization-defined configuration change control element - organization-defined configuration change control element - - - - organization-defined security responses - organization-defined security responses - - - - organization-defined security safeguards - organization-defined security safeguards - - - - - - - - - organization-defined frequency - organization-defined frequency - - - organization-defined circumstances - organization-defined circumstances - - - - organization-defined software and firmware components - organization-defined software and firmware components - - - - organization-defined information system components and system-level information - organization-defined information system components and system-level information - - - - organization-defined frequency - organization-defined frequency - - - - - - organization-defined security configuration checklists - organization-defined security configuration checklists - - - organization-defined information system components - organization-defined information 
system components - - - organization-defined operational requirements - organization-defined operational requirements - - - - organization-defined information system components - organization-defined information system components - - - - organization-defined security safeguards - organization-defined security safeguards - - - organization-defined configuration settings - organization-defined configuration settings - - - - - - organization-defined prohibited or restricted functions, ports, protocols, and/or services - organization-defined prohibited or restricted functions, ports, protocols, and/or services - - - - organization-defined frequency - organization-defined frequency - - - organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure - organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure - - - - organization-defined policies regarding software program usage and restrictions - organization-defined policies regarding software program usage and restrictions - - - - organization-defined registration requirements for functions, ports, protocols, and services - organization-defined registration requirements for functions, ports, protocols, and services - - - - organization-defined software programs not authorized to execute on the information system - organization-defined software programs not authorized to execute on the information system - - - organization-defined frequency - organization-defined frequency - - - - organization-defined software programs authorized to execute on the information system - organization-defined software programs authorized to execute on the information system - - - organization-defined frequency - organization-defined frequency - - - - organization-defined information deemed necessary to achieve effective information system component accountability - organization-defined 
information deemed necessary to achieve effective information system component accountability - - - organization-defined frequency - organization-defined frequency - - - - - - organization-defined frequency - organization-defined frequency - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - - - - - - organization-defined acquired information system components - organization-defined acquired information system components - - - - - - - organization-defined restrictions - organization-defined restrictions - - - - organization-defined policies - organization-defined policies - - - organization-defined methods - organization-defined methods - - - organization-defined frequency - organization-defined frequency - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - - - organization-defined frequency - organization-defined frequency - - - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - organization-defined key contingency personnel (identified by name and/or by role) and organizational elements - - - - - - organization-defined time period - organization-defined time period - - - - organization-defined time period - organization-defined time period - - - - - - - - organization-defined time period - organization-defined time period - - - organization-defined frequency - organization-defined 
frequency - - - - - - organization-defined frequency - organization-defined frequency - - - organization-defined tests - organization-defined tests - - - - - - - - - - - - - organization-defined information system operations - organization-defined information system operations - - - organization-defined time period consistent with recovery time and recovery point objectives - organization-defined time period consistent with recovery time and recovery point objectives - - - - - - - - - - organization-defined information system operations - organization-defined information system operations - - - organization-defined time period - organization-defined time period - - - - - - - organization-defined frequency - organization-defined frequency - - - - organization-defined frequency - organization-defined frequency - - - - organization-defined frequency consistent with recovery time and recovery point objectives - organization-defined frequency consistent with recovery time and recovery point objectives - - - organization-defined frequency consistent with recovery time and recovery point objectives - organization-defined frequency consistent with recovery time and recovery point objectives - - - organization-defined frequency consistent with recovery time and recovery point objectives - organization-defined frequency consistent with recovery time and recovery point objectives - - - - organization-defined frequency - organization-defined frequency - - - - - organization-defined critical information system software and other security-related information - organization-defined critical information system software and other security-related information - - - - - organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives - organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives - - - - - organization-defined backup information - organization-defined backup 
information - - - - - - - - organization-defined restoration time-periods - organization-defined restoration time-periods - - - - - - organization-defined alternative communications protocols - organization-defined alternative communications protocols - - - - organization-defined conditions - organization-defined conditions - - - organization-defined restrictions of safe mode of operation - organization-defined restrictions of safe mode of operation - - - - organization-defined alternative or supplemental security mechanisms - organization-defined alternative or supplemental security mechanisms - - - organization-defined security functions - organization-defined security functions - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - - - - - - - organization-defined strength of mechanism requirements - organization-defined strength of mechanism requirements - - - - organization-defined strength of mechanism requirements - organization-defined strength of mechanism requirements - - - - - - organization-defined information system accounts and services - organization-defined information system accounts and services - - - - organization-defined strength of mechanism requirements - organization-defined strength of mechanism requirements - - - - - organization-defined out-of-band authentication - organization-defined out-of-band authentication - - - organization-defined conditions - organization-defined conditions - - - - organization-defined specific and/or types of devices - organization-defined specific and/or types of devices - - - - organization-defined specific devices and/or types of devices - organization-defined specific devices and/or types of devices - - - - - organization-defined lease information and lease duration - organization-defined lease information and lease duration - - 
- - organization-defined configuration management process - organization-defined configuration management process - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined time period - organization-defined time period - - - organization-defined time period of inactivity - organization-defined time period of inactivity - - - - - - - organization-defined characteristic identifying individual status - organization-defined characteristic identifying individual status - - - - - organization-defined external organizations - organization-defined external organizations - - - - - organization-defined time period by authenticator type - organization-defined time period by authenticator type - - - - organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type - organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type - - - organization-defined number - organization-defined number - - - organization-defined numbers for lifetime minimum, lifetime maximum - organization-defined numbers for lifetime minimum, lifetime maximum - - - organization-defined number - organization-defined number - - - - - organization-defined types of and/or specific authenticators - organization-defined types of and/or specific authenticators - - - organization-defined registration authority - organization-defined registration authority - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - organization-defined requirements - organization-defined requirements - - - - - - - organization-defined security safeguards - organization-defined security safeguards - - - - organization-defined external organizations - 
organization-defined external organizations - - - - - organization-defined token quality requirements - organization-defined token quality requirements - - - - organization-defined biometric quality requirements - organization-defined biometric quality requirements - - - - organization-defined time period - organization-defined time period - - - - - - - - - - - organization-defined information systems - organization-defined information systems - - - - - - organization-defined information system services - organization-defined information system services - - - organization-defined security safeguards - organization-defined security safeguards - - - - - organization-defined services - organization-defined services - - - - organization-defined supplemental authentication techniques or mechanisms - organization-defined supplemental authentication techniques or mechanisms - - - organization-defined circumstances or situations - organization-defined circumstances or situations - - - - organization-defined circumstances or situations requiring re-authentication - organization-defined circumstances or situations requiring re-authentication - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - organization-defined time period - organization-defined time period - - - organization-defined frequency - organization-defined frequency - - - - - - organization-defined frequency - organization-defined frequency - - - organization-defined tests - organization-defined tests - - - - - - - - organization-defined information system components - organization-defined information system components - - - - organization-defined classes of incidents - organization-defined classes of incidents - - - organization-defined actions to take in response to classes of incidents - organization-defined actions to take in 
response to classes of incidents - - - - - organization-defined security violations - organization-defined security violations - - - - - organization-defined components or elements of the organization - organization-defined components or elements of the organization - - - - organization-defined external organizations - organization-defined external organizations - - - organization-defined incident information - organization-defined incident information - - - - organization-defined dynamic response capabilities - organization-defined dynamic response capabilities - - - - - - - organization-defined time period - organization-defined time period - - - organization-defined authorities - organization-defined authorities - - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined incident response personnel (identified by name and/or by role) and organizational elements - organization-defined incident response personnel (identified by name and/or by role) and organizational elements - - - organization-defined frequency - organization-defined frequency - - - organization-defined incident response personnel (identified by name and/or by role) and organizational elements - organization-defined incident response personnel (identified by name and/or by role) and organizational elements - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined actions - organization-defined actions - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - organization-defined frequency - organization-defined frequency - - - - organization-defined procedures - organization-defined procedures - - - - organization-defined security safeguards - organization-defined security safeguards - - - - - organization-defined personnel or roles - 
organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined maintenance-related information - organization-defined maintenance-related information - - - - - - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - - - organization-defined audit events - organization-defined audit events - - - - - - organization-defined authenticators that are replay resistant - organization-defined authenticators that are replay resistant - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - - - - - - - - - organization-defined information system components - organization-defined information system components - - - organization-defined time period - organization-defined time period - - - - organization-defined information system components - organization-defined information system components - - - organization-defined time intervals - organization-defined time intervals - - - - organization-defined information system components - organization-defined information system components - - - organization-defined time intervals - organization-defined time intervals - - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - organization-defined types of digital and/or non-digital media - organization-defined types of digital and/or non-digital media - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - - - organization-defined types of information system media - 
organization-defined types of information system media - - - organization-defined controlled areas - organization-defined controlled areas - - - - organization-defined types of digital and/or non-digital media - organization-defined types of digital and/or non-digital media - - - organization-defined controlled areas - organization-defined controlled areas - - - - - - organization-defined types of information system media - organization-defined types of information system media - - - organization-defined security safeguards - organization-defined security safeguards - - - - - - - - organization-defined information system media - organization-defined information system media - - - organization-defined sanitization techniques and procedures - organization-defined sanitization techniques and procedures - - - - - organization-defined frequency - organization-defined frequency - - - - organization-defined circumstances requiring sanitization of portable storage devices - organization-defined circumstances requiring sanitization of portable storage devices - - - - - - - organization-defined information system media - organization-defined information system media - - - - organization-defined information systems, system components, or devices - organization-defined information systems, system components, or devices - - - organization-defined conditions - organization-defined conditions - - - - organization-defined types of information system media - organization-defined types of information system media - - - organization-defined information systems or system components - organization-defined information systems or system components - - - organization-defined security safeguards - organization-defined security safeguards - - - - - - organization-defined information system media downgrading process - organization-defined information system media downgrading process - - - organization-defined strength and integrity - organization-defined strength and integrity - - - 
organization-defined information system media requiring downgrading - organization-defined information system media requiring downgrading - - - - - organization-defined tests - organization-defined tests - - - organization-defined frequency - organization-defined frequency - - - - organization-defined Controlled Unclassified Information (CUI) - organization-defined Controlled Unclassified Information (CUI) - - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - organization-defined frequency - organization-defined frequency - - - - - organization-defined list of acceptable forms of identification - organization-defined list of acceptable forms of identification - - - - organization-defined credentials - organization-defined credentials - - - - organization-defined entry/exit points to the facility where the information system resides - organization-defined entry/exit points to the facility where the information system resides - - - organization-defined physical access control systems/devices - organization-defined physical access control systems/devices - - - organization-defined entry/exit points - organization-defined entry/exit points - - - organization-defined security safeguards - organization-defined security safeguards - - - organization-defined circumstances requiring visitor escorts and monitoring - organization-defined circumstances requiring visitor escorts and monitoring - - - organization-defined physical access devices - organization-defined physical access devices - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - organization-defined physical spaces containing one or more components of the information system - organization-defined physical spaces containing one or more 
components of the information system - - - - organization-defined frequency - organization-defined frequency - - - - - organization-defined information system components - organization-defined information system components - - - - organization-defined security safeguards - organization-defined security safeguards - - - organization-defined hardware components - organization-defined hardware components - - - - organization-defined frequency - organization-defined frequency - - - - organization-defined information system distribution and transmission lines - organization-defined information system distribution and transmission lines - - - organization-defined security safeguards - organization-defined security safeguards - - - - - organization-defined output devices - organization-defined output devices - - - - organization-defined output devices - organization-defined output devices - - - - organization-defined information system output devices - organization-defined information system output devices - - - - organization-defined frequency - organization-defined frequency - - - organization-defined events or potential indications of events - organization-defined events or potential indications of events - - - - - organization-defined classes/types of intrusions - organization-defined classes/types of intrusions - - - organization-defined response actions - organization-defined response actions - - - - organization-defined operational areas - organization-defined operational areas - - - organization-defined time period - organization-defined time period - - - - organization-defined physical spaces containing one or more components of the information system - organization-defined physical spaces containing one or more components of the information system - - - - - organization-defined time period - organization-defined time period - - - organization-defined frequency - organization-defined frequency - - - - - - - organization-defined distance - organization-defined 
distance - - - - organization-defined critical information system components - organization-defined critical information system components - - - - organization-defined location by information system or system component - organization-defined location by information system or system component - - - - - - - - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined emergency responders - organization-defined emergency responders - - - - organization-defined emergency responders - organization-defined emergency responders - - - - - organization-defined frequency - organization-defined frequency - - - organization-defined time period - organization-defined time period - - - - organization-defined acceptable levels - organization-defined acceptable levels - - - organization-defined frequency - organization-defined frequency - - - - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - organization-defined types of information system components - organization-defined types of information system components - - - - organization-defined security controls - organization-defined security controls - - - - organization-defined physical and environmental hazards - organization-defined physical and environmental hazards - - - - - - - organization-defined asset location technologies - organization-defined asset location technologies - - - organization-defined assets - organization-defined assets - - - organization-defined controlled areas - organization-defined controlled areas - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - - - - 
organization-defined individuals or groups - organization-defined individuals or groups - - - - - organization-defined frequency - organization-defined frequency - - - - - - - organization-defined frequency - organization-defined frequency - - - - organization-defined frequency - organization-defined frequency - - - - organization-defined security safeguards - organization-defined security safeguards - - - organization-defined locations and architectural layers - organization-defined locations and architectural layers - - - - organization-defined security safeguards - organization-defined security safeguards - - - organization-defined locations and architectural layers - organization-defined locations and architectural layers - - - - organization-defined security controls and related processes - organization-defined security controls and related processes - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - organization-defined frequency - organization-defined frequency - - - - organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening - organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening - - - - - - organization-defined additional personnel screening criteria - organization-defined additional personnel screening criteria - - - - organization-defined time period - organization-defined time period - - - organization-defined information security topics - organization-defined information security topics - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined time period - organization-defined time period - - - - - organization-defined personnel or roles - organization-defined personnel 
or roles - - - - organization-defined transfer or reassignment actions - organization-defined transfer or reassignment actions - - - organization-defined time period following the formal transfer action - organization-defined time period following the formal transfer action - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined time period - organization-defined time period - - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined time period - organization-defined time period - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined time period - organization-defined time period - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - - organization-defined document - organization-defined document - - - organization-defined frequency - organization-defined frequency - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - - - organization-defined frequency and/or randomly in accordance with organization-defined process - organization-defined frequency and/or randomly in accordance with organization-defined process - - - organization-defined response times - organization-defined response times - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - - organization-defined frequency - organization-defined frequency - - - - - organization-defined corrective actions - organization-defined corrective actions - - - - 
organization-identified information system components - organization-identified information system components - - - organization-defined vulnerability scanning activities - organization-defined vulnerability scanning activities - - - - - - - - - organization-defined locations - organization-defined locations - - - organization-defined frequency - organization-defined frequency - - - organization-defined events or indicators occur - organization-defined events or indicators occur - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - - organization-defined system development life cycle - organization-defined system development life cycle - - - - - - organization-defined design/implementation information - organization-defined design/implementation information - - - organization-defined level of detail - organization-defined level of detail - - - - organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes - organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes - - - - - organization-defined security configurations - organization-defined security configurations - - - - - - organization-defined level of detail - organization-defined level of detail - - - - - - organization-defined actions - organization-defined actions - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - - - - - - - - - organization-defined security controls - organization-defined security controls - - - organization-defined processes, methods, and techniques - organization-defined processes, methods, and techniques - - - - 
organization-defined personnel or roles - organization-defined personnel or roles - - - - organization-defined external information system services - organization-defined external information system services - - - - organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships - organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships - - - - organization-defined security safeguards - organization-defined security safeguards - - - organization-defined external service providers - organization-defined external service providers - - - - organization-defined locations - organization-defined locations - - - organization-defined requirements or conditions - organization-defined requirements or conditions - - - - organization-defined configuration items under configuration management - organization-defined configuration items under configuration management - - - organization-defined personnel - organization-defined personnel - - - - - - - - - - organization-defined depth and coverage - organization-defined depth and coverage - - - - - - organization-defined independence criteria - organization-defined independence criteria - - - - organization-defined specific code - organization-defined specific code - - - organization-defined processes, procedures, and/or techniques - organization-defined processes, procedures, and/or techniques - - - - organization-defined breadth/depth - organization-defined breadth/depth - - - organization-defined constraints - organization-defined constraints - - - - - organization-defined depth of testing/evaluation - organization-defined depth of testing/evaluation - - - - - organization-defined security safeguards - organization-defined security safeguards - - - - organization-defined tailored acquisition strategies, contract tools, and procurement methods - organization-defined tailored acquisition strategies, contract tools, 
and procurement methods - - - - - - - organization-defined security safeguards - organization-defined security safeguards - - - - - - - organization-defined Operations Security (OPSEC) safeguards - organization-defined Operations Security (OPSEC) safeguards - - - - organization-defined security safeguards - organization-defined security safeguards - - - - organization-defined supply chain elements, processes, and actors - organization-defined supply chain elements, processes, and actors - - - - - organization-defined security safeguards - organization-defined security safeguards - - - organization-defined critical information system components - organization-defined critical information system components - - - - organization-defined supply chain elements, processes, and actors - organization-defined supply chain elements, processes, and actors - - - - - organization-defined information system, information system component, or information system service - organization-defined information system, information system component, or information system service - - - organization-defined assurance overlay - organization-defined assurance overlay - - - - organization-defined information systems, information system components, or information system services - organization-defined information systems, information system components, or information system services - - - organization-defined decision points in the system development life cycle - organization-defined decision points in the system development life cycle - - - - - organization-defined frequency - organization-defined frequency - - - organization-defined security requirements - organization-defined security requirements - - - - organization-defined frequency - organization-defined frequency - - - organization-defined program review milestones - organization-defined program review milestones - - - - - organization-defined breadth/depth - organization-defined breadth/depth - - - organization-defined decision points in 
the system development life cycle - organization-defined decision points in the system development life cycle - - - - organization-defined breadth/depth - organization-defined breadth/depth - - - organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels - organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels - - - organization-defined tools and methods - organization-defined tools and methods - - - organization-defined acceptance criteria - organization-defined acceptance criteria - - - - organization-defined thresholds - organization-defined thresholds - - - - - organization-defined tools - organization-defined tools - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - - - - - organization-defined training - organization-defined training - - - - - organization-defined elements of organizational security policy - organization-defined elements of organizational security policy - - - - - - - - - - - - organization-defined information systems, system components, or devices - organization-defined information systems, system components, or devices - - - organization-defined frequency - organization-defined frequency - - - organization-defined indications of need for inspection - organization-defined indications of need for inspection - - - - organization-defined external reporting organizations - organization-defined external reporting organizations - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - organization-defined information system components - organization-defined information system components - - - - organization-defined techniques and methods - organization-defined techniques and methods - - - - organization-defined frequency - 
organization-defined frequency - - - - organization-defined critical information system components - organization-defined critical information system components - - - - organization-defined information system, system component, or information system service - organization-defined information system, system component, or information system service - - - organization-defined official government duties - organization-defined official government duties - - - organization-defined additional personnel screening criteria - organization-defined additional personnel screening criteria - - - - organization-defined actions - organization-defined actions - - - - - organization-defined support from external providers - organization-defined support from external providers - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - organization-defined frequency - organization-defined frequency - - - - - - - - - - - - - - organization-defined procedures - organization-defined procedures - - - - organization-defined types of denial of service attacks or references to sources for such information - organization-defined types of denial of service attacks or references to sources for such information - - - organization-defined security safeguards - organization-defined security safeguards - - - - organization-defined denial of service attacks - organization-defined denial of service attacks - - - - - organization-defined monitoring tools - organization-defined monitoring tools - - - organization-defined information system resources - organization-defined information system resources - - - - organization-defined resources - organization-defined resources - - - organization-defined security safeguards - organization-defined security safeguards - - - - - - - - organization-defined frequency - organization-defined frequency - - - - - - - organization-defined internal communications 
traffic - organization-defined internal communications traffic - - - organization-defined external networks - organization-defined external networks - - - - - - organization-defined authorized sources - organization-defined authorized sources - - - organization-defined authorized destinations - organization-defined authorized destinations - - - - organization-defined host-based boundary protection mechanisms - organization-defined host-based boundary protection mechanisms - - - organization-defined information system components - organization-defined information system components - - - - organization-defined information security tools, mechanisms, and support components - organization-defined information security tools, mechanisms, and support components - - - - organization-defined managed interfaces - organization-defined managed interfaces - - - - - - - - organization-defined communication clients - organization-defined communication clients - - - - organization-defined information system components - organization-defined information system components - - - - organization-defined information system components - organization-defined information system components - - - organization-defined missions and/or business functions - organization-defined missions and/or business functions - - - - - - - organization-defined alternative physical safeguards - organization-defined alternative physical safeguards - - - - - organization-defined alternative physical safeguards - organization-defined alternative physical safeguards - - - - organization-defined alternative physical safeguards - organization-defined alternative physical safeguards - - - - - organization-defined time period - organization-defined time period - - - - organization-defined security functions to include at a minimum, information system authentication and re-authentication - organization-defined security functions to include at a minimum, information system authentication and re-authentication - - - - - 
organization-defined requirements for key generation, distribution, storage, access, and destruction - organization-defined requirements for key generation, distribution, storage, access, and destruction - - - - - - - - - organization-defined cryptographic uses and type of cryptography required for each use - organization-defined cryptographic uses and type of cryptography required for each use - - - - - - - - - organization-defined exceptions where remote activation is to be allowed - organization-defined exceptions where remote activation is to be allowed - - - - - - organization-defined information systems or information system components - organization-defined information systems or information system components - - - organization-defined secure work areas - organization-defined secure work areas - - - - organization-defined online meetings and teleconferences - organization-defined online meetings and teleconferences - - - - organization-defined security attributes - organization-defined security attributes - - - - - organization-defined certificate policy - organization-defined certificate policy - - - - - organization-defined unacceptable mobile code - organization-defined unacceptable mobile code - - - organization-defined corrective actions - organization-defined corrective actions - - - - organization-defined mobile code requirements - organization-defined mobile code requirements - - - - organization-defined unacceptable mobile code - organization-defined unacceptable mobile code - - - - organization-defined software applications - organization-defined software applications - - - organization-defined actions - organization-defined actions - - - - - - - - - - - - - - - organization-defined randomness requirements - organization-defined randomness requirements - - - - - organization-defined certificate authorities - organization-defined certificate authorities - - - - organization-defined known-state - organization-defined known-state - - - 
organization-defined types of failures - organization-defined types of failures - - - organization-defined system state information - organization-defined system state information - - - - organization-defined information system components - organization-defined information system components - - - - - - organization-defined platform-independent applications - organization-defined platform-independent applications - - - - organization-defined information at rest - organization-defined information at rest - - - - organization-defined information - organization-defined information - - - organization-defined information system components - organization-defined information system components - - - - organization-defined information - organization-defined information - - - - organization-defined information system components - organization-defined information system components - - - - organization-defined frequency - organization-defined frequency - - - - organization-defined concealment and misdirection techniques - organization-defined concealment and misdirection techniques - - - organization-defined information systems - organization-defined information systems - - - organization-defined time periods - organization-defined time periods - - - - - organization-defined techniques - organization-defined techniques - - - - organization-defined processing and/or storage - organization-defined processing and/or storage - - - organization-defined time frequency - organization-defined time frequency - - - - organization-defined information system components - organization-defined information system components - - - - organization-defined techniques - organization-defined techniques - - - organization-defined information system components - organization-defined information system components - - - - - - organization-defined values - organization-defined values - - - - organization-defined subset of identified covert channels - organization-defined subset of identified covert 
channels - - - - organization-defined information system components - organization-defined information system components - - - organization-defined circumstances for physical separation of components - organization-defined circumstances for physical separation of components - - - - - organization-defined information system components - organization-defined information system components - - - organization-defined applications - organization-defined applications - - - - organization-defined information system components - organization-defined information system components - - - - - organization-defined information system firmware components - organization-defined information system firmware components - - - organization-defined authorized individuals - organization-defined authorized individuals - - - - - organization-defined processing and storage - organization-defined processing and storage - - - - organization-defined distributed processing and storage components - organization-defined distributed processing and storage components - - - - organization-defined out-of-band channels - organization-defined out-of-band channels - - - organization-defined information, information system components, or devices - organization-defined information, information system components, or devices - - - organization-defined individuals or information systems - organization-defined individuals or information systems - - - - organization-defined security safeguards - organization-defined security safeguards - - - organization-defined individuals or information systems - organization-defined individuals or information systems - - - organization-defined information, information system components, or devices - organization-defined information, information system components, or devices - - - - organization-defined operations security safeguards - organization-defined operations security safeguards - - - - - - organization-defined multi-threaded processing - organization-defined 
multi-threaded processing - - - - organization-defined wireless links - organization-defined wireless links - - - organization-defined types of signal parameter attacks or references to sources for such attacks - organization-defined types of signal parameter attacks or references to sources for such attacks - - - - organization-defined level of protection - organization-defined level of protection - - - - organization-defined level of reduction - organization-defined level of reduction - - - - - organization-defined wireless transmitters - organization-defined wireless transmitters - - - - organization-defined connection ports or input/output devices - organization-defined connection ports or input/output devices - - - organization-defined information systems or information system components - organization-defined information systems or information system components - - - - organization-defined exceptions where remote activation of sensors is allowed - organization-defined exceptions where remote activation of sensors is allowed - - - organization-defined class of users - organization-defined class of users - - - - organization-defined sensors - organization-defined sensors - - - - organization-defined measures - organization-defined measures - - - organization-defined sensors - organization-defined sensors - - - - organization-defined environmental sensing capabilities - organization-defined environmental sensing capabilities - - - organization-defined facilities, areas, or systems - organization-defined facilities, areas, or systems - - - - organization-defined information system components - organization-defined information system components - - - - organization-defined information system, system component, or location - organization-defined information system, system component, or location - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - 
organization-defined frequency - organization-defined frequency - - - - organization-defined time period - organization-defined time period - - - - - organization-defined frequency - organization-defined frequency - - - - organization-defined benchmarks - organization-defined benchmarks - - - - - organization-defined security-relevant software and firmware updates - organization-defined security-relevant software and firmware updates - - - organization-defined information system components - organization-defined information system components - - - - organization-defined software and firmware components - organization-defined software and firmware components - - - - organization-defined frequency - organization-defined frequency - - - organization-defined action - organization-defined action - - - - - - - - - organization-defined frequency - organization-defined frequency - - - - - organization-defined unauthorized operating system commands - organization-defined unauthorized operating system commands - - - organization-defined information system hardware components - organization-defined information system hardware components - - - - organization-defined security safeguards - organization-defined security safeguards - - - organization-defined remote commands - organization-defined remote commands - - - - organization-defined tools and techniques - organization-defined tools and techniques - - - - organization-defined monitoring objectives - organization-defined monitoring objectives - - - organization-defined techniques and methods - organization-defined techniques and methods - - - organization-defined information system monitoring information - organization-defined information system monitoring information - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - organization-defined frequency - - - - - - - organization-defined frequency - organization-defined frequency - - - - 
organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined compromise indicators - organization-defined compromise indicators - - - - - organization-defined incident response personnel (identified by name and/or by role) - organization-defined incident response personnel (identified by name and/or by role) - - - organization-defined least-disruptive actions to terminate suspicious events - organization-defined least-disruptive actions to terminate suspicious events - - - - - organization-defined frequency - organization-defined frequency - - - - organization-defined encrypted communications traffic - organization-defined encrypted communications traffic - - - organization-defined information system monitoring tools - organization-defined information system monitoring tools - - - - organization-defined interior points within the system (e.g., subnetworks, subsystems) - organization-defined interior points within the system (e.g., subnetworks, subsystems) - - - - organization-defined activities that trigger alerts - organization-defined activities that trigger alerts - - - - - - - - - organization-defined interior points within the system (e.g., subsystems, subnetworks) - organization-defined interior points within the system (e.g., subsystems, subnetworks) - - - - organization-defined additional monitoring - organization-defined additional monitoring - - - organization-defined sources - organization-defined sources - - - - organization-defined additional monitoring - organization-defined additional monitoring - - - - organization-defined additional monitoring - organization-defined additional monitoring - - - organization-defined probationary period - organization-defined probationary period - - - - organization-defined authorization or approval processes - organization-defined authorization or approval processes - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - 
organization-defined host-based monitoring mechanisms - organization-defined host-based monitoring mechanisms - - - organization-defined information system components - organization-defined information system components - - - - - organization-defined external organizations - organization-defined external organizations - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined elements within the organization - organization-defined elements within the organization - - - organization-defined external organizations - organization-defined external organizations - - - - - organization-defined security functions - organization-defined security functions - - - organization-defined system transitional states - organization-defined system transitional states - - - organization-defined frequency - organization-defined frequency - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined alternative action(s) - organization-defined alternative action(s) - - - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - organization-defined software, firmware, and information - organization-defined software, firmware, and information - - - - organization-defined software, firmware, and information - organization-defined software, firmware, and information - - - organization-defined transitional states or security-relevant events - organization-defined transitional states or security-relevant events - - - organization-defined frequency - organization-defined frequency - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - - - organization-defined security safeguards - organization-defined security safeguards - - - - - organization-defined security-relevant changes to the information system - organization-defined security-relevant changes to the information system - - - - organization-defined 
personnel or roles - organization-defined personnel or roles - - - organization-defined other actions - organization-defined other actions - - - - organization-defined devices - organization-defined devices - - - - organization-defined security safeguards - organization-defined security safeguards - - - organization-defined devices - organization-defined devices - - - - organization-defined user-installed software - organization-defined user-installed software - - - - organization-defined user-installed software - organization-defined user-installed software - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - - organization-defined software or firmware components - organization-defined software or firmware components - - - - organization-defined time period - organization-defined time period - - - - - - - - - organization-defined information inputs - organization-defined information inputs - - - - organization-defined inputs - organization-defined inputs - - - organization-defined authorized individuals - organization-defined authorized individuals - - - - organization-defined time period - organization-defined time period - - - - - - organization-defined trusted sources - organization-defined trusted sources - - - organization-defined formats - organization-defined formats - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - - - organization-defined information system components - organization-defined information system components - - - organization-defined MTTF substitution criteria - organization-defined MTTF substitution criteria - - - - organization-defined fraction or percentage - organization-defined fraction or percentage - - - - - organization-defined frequency - organization-defined frequency - - - organization-defined time period - organization-defined time period - - - - organization-defined time period - organization-defined time period - - - organization-defined 
alarm - organization-defined alarm - - - - organization-defined failover capability - organization-defined failover capability - - - - organization-defined information system components and services - organization-defined information system components and services - - - organization-defined frequency - organization-defined frequency - - - - organization-defined trusted sources - organization-defined trusted sources - - - - organization-defined software programs and/or applications - organization-defined software programs and/or applications - - - - organization-defined security safeguards - organization-defined security safeguards - - - - organization-defined fail-safe procedures - organization-defined fail-safe procedures - - - organization-defined failure conditions occur - organization-defined failure conditions occur - - - - organization-defined frequency - organization-defined frequency - - - - - - - - - - - organization-defined frequency - organization-defined frequency - - - - - - - - - - -
diff --git a/working/profile-demo2.xml b/working/profile-demo2.xml
deleted file mode 100644
index e504ec5ecf..0000000000
--- a/working/profile-demo2.xml
+++ /dev/null
@@ -1,25 +0,0 @@ - - - - - - - - - - - - - - - - -
\ No newline at end of file
diff --git a/working/profile-test.xml b/working/profile-test.xml
deleted file mode 100644
index d250eff0b3..0000000000
--- a/working/profile-test.xml
+++ /dev/null
@@ -1,41 +0,0 @@ - - - - - - - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined frequency - Every TOTAL ECLIPSE OF THE SUN! - - - - organization-defined information system account types - organization-defined information system account types - - - organization-defined personnel or roles - organization-defined personnel or roles - - - organization-defined procedures or conditions - organization-defined procedures or conditions - - - organization-defined frequency - organization-defined frequency - - - - organization-defined time period for each type of account - organization-defined time period for each type of account - - - - -